Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0108
Vulnerability from certfr_avis - Published: 2026-01-30 - Updated: 2026-01-30
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing 15 SP5 | ||
| SUSE | N/A | Public Cloud Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Workstation Extension 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing 12 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 | ||
| SUSE | N/A | Legacy Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise High Availability Extension 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 LTSS | ||
| SUSE | N/A | SUSE Linux Enterprise Desktop 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP7 | ||
| SUSE | N/A | openSUSE Leap 15.5 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 12-SP5 | ||
| SUSE | N/A | SUSE Linux Micro 6.2 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Live Patching 15-SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP6 LTSS | ||
| SUSE | N/A | SUSE Linux Enterprise Real Time 15 SP6 | ||
| SUSE | N/A | openSUSE Leap 15.6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 16.0 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP5 LTSS | ||
| SUSE | N/A | SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 | ||
| SUSE | N/A | Development Tools Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 16.0 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | ||
| SUSE | N/A | Basesystem Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise High Availability Extension 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server for SAP Applications 15 SP6 | ||
| SUSE | N/A | SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security | ||
| SUSE | N/A | SUSE Linux Enterprise Server 15 SP6 | ||
| SUSE | N/A | SUSE Real Time Module 15-SP7 | ||
| SUSE | N/A | SUSE Linux Enterprise Micro 5.5 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "SUSE Linux Enterprise High Performance Computing 15 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Public Cloud Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Workstation Extension 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Legacy Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Desktop 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 12-SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Micro 6.2",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Live Patching 15-SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing LTSS 15 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6 LTSS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Real Time 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "openSUSE Leap 15.6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 16.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP5 LTSS",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Development Tools Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "Basesystem Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise High Availability Extension 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Server 15 SP6",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Real Time Module 15-SP7",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
},
{
"description": "SUSE Linux Enterprise Micro 5.5",
"product": {
"name": "N/A",
"vendor": {
"name": "SUSE",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2022-50669",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50669"
},
{
"name": "CVE-2023-53761",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53761"
},
{
"name": "CVE-2023-53814",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53814"
},
{
"name": "CVE-2025-40225",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40225"
},
{
"name": "CVE-2023-54076",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54076"
},
{
"name": "CVE-2025-40273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40273"
},
{
"name": "CVE-2023-54208",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54208"
},
{
"name": "CVE-2025-68230",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68230"
},
{
"name": "CVE-2023-54039",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54039"
},
{
"name": "CVE-2025-40064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40064"
},
{
"name": "CVE-2023-53804",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53804"
},
{
"name": "CVE-2023-54149",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54149"
},
{
"name": "CVE-2023-53797",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53797"
},
{
"name": "CVE-2022-50873",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50873"
},
{
"name": "CVE-2023-53863",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53863"
},
{
"name": "CVE-2023-54131",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54131"
},
{
"name": "CVE-2023-54142",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54142"
},
{
"name": "CVE-2022-50867",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50867"
},
{
"name": "CVE-2022-50779",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50779"
},
{
"name": "CVE-2023-54000",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54000"
},
{
"name": "CVE-2023-54052",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54052"
},
{
"name": "CVE-2023-54111",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54111"
},
{
"name": "CVE-2023-53809",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53809"
},
{
"name": "CVE-2023-54186",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54186"
},
{
"name": "CVE-2025-68286",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68286"
},
{
"name": "CVE-2025-68749",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68749"
},
{
"name": "CVE-2023-53803",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53803"
},
{
"name": "CVE-2022-50641",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50641"
},
{
"name": "CVE-2023-53754",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53754"
},
{
"name": "CVE-2023-54091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54091"
},
{
"name": "CVE-2023-54083",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54083"
},
{
"name": "CVE-2022-50527",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50527"
},
{
"name": "CVE-2023-54280",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54280"
},
{
"name": "CVE-2025-38588",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38588"
},
{
"name": "CVE-2022-50834",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50834"
},
{
"name": "CVE-2025-40314",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40314"
},
{
"name": "CVE-2025-40306",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40306"
},
{
"name": "CVE-2022-50809",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50809"
},
{
"name": "CVE-2023-54270",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54270"
},
{
"name": "CVE-2023-53821",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53821"
},
{
"name": "CVE-2023-53799",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53799"
},
{
"name": "CVE-2023-54021",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54021"
},
{
"name": "CVE-2023-54201",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54201"
},
{
"name": "CVE-2025-40219",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40219"
},
{
"name": "CVE-2025-68176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68176"
},
{
"name": "CVE-2023-53176",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53176"
},
{
"name": "CVE-2025-68204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68204"
},
{
"name": "CVE-2022-50630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50630"
},
{
"name": "CVE-2025-68380",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68380"
},
{
"name": "CVE-2022-50672",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50672"
},
{
"name": "CVE-2023-53833",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53833"
},
{
"name": "CVE-2023-54309",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54309"
},
{
"name": "CVE-2022-50776",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50776"
},
{
"name": "CVE-2025-68339",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68339"
},
{
"name": "CVE-2025-40287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40287"
},
{
"name": "CVE-2023-53995",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53995"
},
{
"name": "CVE-2023-54255",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54255"
},
{
"name": "CVE-2023-54018",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54018"
},
{
"name": "CVE-2023-54271",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54271"
},
{
"name": "CVE-2022-50702",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50702"
},
{
"name": "CVE-2023-53786",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53786"
},
{
"name": "CVE-2022-50761",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50761"
},
{
"name": "CVE-2022-50866",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50866"
},
{
"name": "CVE-2023-54297",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54297"
},
{
"name": "CVE-2025-40019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40019"
},
{
"name": "CVE-2023-54112",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54112"
},
{
"name": "CVE-2025-68287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68287"
},
{
"name": "CVE-2025-40240",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40240"
},
{
"name": "CVE-2025-40081",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40081"
},
{
"name": "CVE-2023-54313",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54313"
},
{
"name": "CVE-2023-53759",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53759"
},
{
"name": "CVE-2025-68746",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68746"
},
{
"name": "CVE-2023-53845",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53845"
},
{
"name": "CVE-2023-53994",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53994"
},
{
"name": "CVE-2025-40153",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40153"
},
{
"name": "CVE-2022-50622",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50622"
},
{
"name": "CVE-2025-40294",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40294"
},
{
"name": "CVE-2023-53765",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53765"
},
{
"name": "CVE-2025-40312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40312"
},
{
"name": "CVE-2025-40204",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40204"
},
{
"name": "CVE-2023-54095",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54095"
},
{
"name": "CVE-2022-50883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50883"
},
{
"name": "CVE-2023-54143",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54143"
},
{
"name": "CVE-2025-68302",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68302"
},
{
"name": "CVE-2025-68238",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68238"
},
{
"name": "CVE-2023-53813",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53813"
},
{
"name": "CVE-2023-54227",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54227"
},
{
"name": "CVE-2022-50646",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50646"
},
{
"name": "CVE-2023-53855",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53855"
},
{
"name": "CVE-2022-50853",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50853"
},
{
"name": "CVE-2025-40139",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40139"
},
{
"name": "CVE-2023-54100",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54100"
},
{
"name": "CVE-2023-53864",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53864"
},
{
"name": "CVE-2025-40309",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40309"
},
{
"name": "CVE-2025-38336",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38336"
},
{
"name": "CVE-2025-40349",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40349"
},
{
"name": "CVE-2023-54246",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54246"
},
{
"name": "CVE-2025-40343",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40343"
},
{
"name": "CVE-2023-54001",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54001"
},
{
"name": "CVE-2023-54253",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54253"
},
{
"name": "CVE-2022-50619",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50619"
},
{
"name": "CVE-2025-68307",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68307"
},
{
"name": "CVE-2025-40308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40308"
},
{
"name": "CVE-2023-54324",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54324"
},
{
"name": "CVE-2023-54106",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54106"
},
{
"name": "CVE-2025-40187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40187"
},
{
"name": "CVE-2025-40315",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40315"
},
{
"name": "CVE-2023-53793",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53793"
},
{
"name": "CVE-2023-54213",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54213"
},
{
"name": "CVE-2023-54096",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54096"
},
{
"name": "CVE-2022-50636",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50636"
},
{
"name": "CVE-2025-40251",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40251"
},
{
"name": "CVE-2023-54283",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54283"
},
{
"name": "CVE-2025-68184",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68184"
},
{
"name": "CVE-2023-53837",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53837"
},
{
"name": "CVE-2023-54049",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54049"
},
{
"name": "CVE-2023-54066",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54066"
},
{
"name": "CVE-2023-53020",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53020"
},
{
"name": "CVE-2023-54117",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54117"
},
{
"name": "CVE-2023-53999",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53999"
},
{
"name": "CVE-2023-54038",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54038"
},
{
"name": "CVE-2023-54315",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54315"
},
{
"name": "CVE-2023-54010",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54010"
},
{
"name": "CVE-2022-50774",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50774"
},
{
"name": "CVE-2025-38500",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38500"
},
{
"name": "CVE-2022-50878",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50878"
},
{
"name": "CVE-2023-54211",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54211"
},
{
"name": "CVE-2023-54251",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54251"
},
{
"name": "CVE-2022-50836",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50836"
},
{
"name": "CVE-2023-54156",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54156"
},
{
"name": "CVE-2022-50644",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50644"
},
{
"name": "CVE-2022-50846",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50846"
},
{
"name": "CVE-2023-54098",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54098"
},
{
"name": "CVE-2023-53750",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53750"
},
{
"name": "CVE-2022-50842",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50842"
},
{
"name": "CVE-2025-40347",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40347"
},
{
"name": "CVE-2023-54037",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54037"
},
{
"name": "CVE-2023-54275",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54275"
},
{
"name": "CVE-2023-53815",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53815"
},
{
"name": "CVE-2025-40198",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40198"
},
{
"name": "CVE-2022-50668",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50668"
},
{
"name": "CVE-2025-68257",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68257"
},
{
"name": "CVE-2023-53818",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53818"
},
{
"name": "CVE-2023-54132",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54132"
},
{
"name": "CVE-2023-54031",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54031"
},
{
"name": "CVE-2022-50840",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50840"
},
{
"name": "CVE-2023-54305",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54305"
},
{
"name": "CVE-2025-40190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40190"
},
{
"name": "CVE-2022-50756",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50756"
},
{
"name": "CVE-2023-53989",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53989"
},
{
"name": "CVE-2023-54150",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54150"
},
{
"name": "CVE-2023-54199",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54199"
},
{
"name": "CVE-2025-68347",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68347"
},
{
"name": "CVE-2025-68235",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68235"
},
{
"name": "CVE-2025-40311",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40311"
},
{
"name": "CVE-2023-54254",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54254"
},
{
"name": "CVE-2023-53780",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53780"
},
{
"name": "CVE-2023-54312",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54312"
},
{
"name": "CVE-2023-54094",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54094"
},
{
"name": "CVE-2022-50700",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50700"
},
{
"name": "CVE-2022-50821",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50821"
},
{
"name": "CVE-2023-54128",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54128"
},
{
"name": "CVE-2025-40167",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40167"
},
{
"name": "CVE-2023-54110",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54110"
},
{
"name": "CVE-2022-50881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50881"
},
{
"name": "CVE-2023-54205",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54205"
},
{
"name": "CVE-2023-53846",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53846"
},
{
"name": "CVE-2023-53866",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53866"
},
{
"name": "CVE-2023-53792",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53792"
},
{
"name": "CVE-2023-54164",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54164"
},
{
"name": "CVE-2025-40256",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40256"
},
{
"name": "CVE-2025-40360",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40360"
},
{
"name": "CVE-2025-40332",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40332"
},
{
"name": "CVE-2025-68354",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68354"
},
{
"name": "CVE-2023-54316",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54316"
},
{
"name": "CVE-2022-49975",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49975"
},
{
"name": "CVE-2022-50724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50724"
},
{
"name": "CVE-2022-50633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50633"
},
{
"name": "CVE-2025-68258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68258"
},
{
"name": "CVE-2023-54089",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54089"
},
{
"name": "CVE-2022-50859",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50859"
},
{
"name": "CVE-2022-50750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50750"
},
{
"name": "CVE-2022-50726",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50726"
},
{
"name": "CVE-2023-54016",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54016"
},
{
"name": "CVE-2025-40035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40035"
},
{
"name": "CVE-2023-54035",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54035"
},
{
"name": "CVE-2025-40322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40322"
},
{
"name": "CVE-2025-68209",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68209"
},
{
"name": "CVE-2022-50814",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50814"
},
{
"name": "CVE-2023-20569",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20569"
},
{
"name": "CVE-2023-54074",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54074"
},
{
"name": "CVE-2023-54040",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54040"
},
{
"name": "CVE-2022-50705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50705"
},
{
"name": "CVE-2023-54214",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54214"
},
{
"name": "CVE-2025-40233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40233"
},
{
"name": "CVE-2023-54322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54322"
},
{
"name": "CVE-2023-54155",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54155"
},
{
"name": "CVE-2023-54088",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54088"
},
{
"name": "CVE-2023-54090",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54090"
},
{
"name": "CVE-2025-40271",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40271"
},
{
"name": "CVE-2023-54276",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54276"
},
{
"name": "CVE-2025-40359",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40359"
},
{
"name": "CVE-2025-68306",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68306"
},
{
"name": "CVE-2023-53755",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53755"
},
{
"name": "CVE-2023-42752",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42752"
},
{
"name": "CVE-2023-54079",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54079"
},
{
"name": "CVE-2023-54048",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54048"
},
{
"name": "CVE-2023-54202",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54202"
},
{
"name": "CVE-2023-54007",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54007"
},
{
"name": "CVE-2023-54278",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54278"
},
{
"name": "CVE-2023-54215",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54215"
},
{
"name": "CVE-2025-68308",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68308"
},
{
"name": "CVE-2023-54024",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54024"
},
{
"name": "CVE-2023-53777",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53777"
},
{
"name": "CVE-2022-50781",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50781"
},
{
"name": "CVE-2023-54133",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54133"
},
{
"name": "CVE-2022-50860",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50860"
},
{
"name": "CVE-2025-40242",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40242"
},
{
"name": "CVE-2022-50833",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50833"
},
{
"name": "CVE-2025-40212",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40212"
},
{
"name": "CVE-2022-50649",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50649"
},
{
"name": "CVE-2023-54148",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54148"
},
{
"name": "CVE-2025-68190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68190"
},
{
"name": "CVE-2022-50829",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50829"
},
{
"name": "CVE-2023-54064",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54064"
},
{
"name": "CVE-2023-54153",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54153"
},
{
"name": "CVE-2022-50830",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50830"
},
{
"name": "CVE-2025-40252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40252"
},
{
"name": "CVE-2022-49546",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49546"
},
{
"name": "CVE-2022-50673",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50673"
},
{
"name": "CVE-2023-53791",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53791"
},
{
"name": "CVE-2025-68218",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68218"
},
{
"name": "CVE-2023-53848",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53848"
},
{
"name": "CVE-2025-68255",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68255"
},
{
"name": "CVE-2023-54081",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54081"
},
{
"name": "CVE-2023-54274",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54274"
},
{
"name": "CVE-2023-53828",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53828"
},
{
"name": "CVE-2025-40024",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40024"
},
{
"name": "CVE-2022-50666",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50666"
},
{
"name": "CVE-2023-54185",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54185"
},
{
"name": "CVE-2023-54108",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54108"
},
{
"name": "CVE-2022-50745",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50745"
},
{
"name": "CVE-2025-40277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40277"
},
{
"name": "CVE-2023-54317",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54317"
},
{
"name": "CVE-2022-50736",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50736"
},
{
"name": "CVE-2022-50740",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50740"
},
{
"name": "CVE-2023-53753",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53753"
},
{
"name": "CVE-2025-40272",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40272"
},
{
"name": "CVE-2023-54298",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54298"
},
{
"name": "CVE-2022-50822",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50822"
},
{
"name": "CVE-2025-68759",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68759"
},
{
"name": "CVE-2023-53834",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53834"
},
{
"name": "CVE-2023-54053",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54053"
},
{
"name": "CVE-2022-50843",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50843"
},
{
"name": "CVE-2022-50769",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50769"
},
{
"name": "CVE-2025-40345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40345"
},
{
"name": "CVE-2023-54295",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54295"
},
{
"name": "CVE-2022-50752",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50752"
},
{
"name": "CVE-2025-40354",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40354"
},
{
"name": "CVE-2023-54170",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54170"
},
{
"name": "CVE-2023-53781",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53781"
},
{
"name": "CVE-2025-40033",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40033"
},
{
"name": "CVE-2025-40269",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40269"
},
{
"name": "CVE-2025-68335",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68335"
},
{
"name": "CVE-2023-54223",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54223"
},
{
"name": "CVE-2023-54175",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54175"
},
{
"name": "CVE-2022-50716",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50716"
},
{
"name": "CVE-2025-40075",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40075"
},
{
"name": "CVE-2022-50698",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50698"
},
{
"name": "CVE-2022-50844",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50844"
},
{
"name": "CVE-2025-39977",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39977"
},
{
"name": "CVE-2023-54045",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54045"
},
{
"name": "CVE-2025-68330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68330"
},
{
"name": "CVE-2023-54101",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54101"
},
{
"name": "CVE-2023-54107",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54107"
},
{
"name": "CVE-2023-54179",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54179"
},
{
"name": "CVE-2022-50773",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50773"
},
{
"name": "CVE-2022-50758",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50758"
},
{
"name": "CVE-2022-50848",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50848"
},
{
"name": "CVE-2025-68180",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68180"
},
{
"name": "CVE-2023-54289",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54289"
},
{
"name": "CVE-2022-50662",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50662"
},
{
"name": "CVE-2022-50738",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50738"
},
{
"name": "CVE-2023-54177",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54177"
},
{
"name": "CVE-2025-68201",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68201"
},
{
"name": "CVE-2023-54078",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54078"
},
{
"name": "CVE-2022-50819",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50819"
},
{
"name": "CVE-2025-40289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40289"
},
{
"name": "CVE-2024-57849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57849"
},
{
"name": "CVE-2023-54102",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54102"
},
{
"name": "CVE-2022-50723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50723"
},
{
"name": "CVE-2025-68223",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68223"
},
{
"name": "CVE-2025-40292",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40292"
},
{
"name": "CVE-2025-68181",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68181"
},
{
"name": "CVE-2023-54093",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54093"
},
{
"name": "CVE-2023-53839",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53839"
},
{
"name": "CVE-2023-53752",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53752"
},
{
"name": "CVE-2023-53802",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53802"
},
{
"name": "CVE-2022-50887",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50887"
},
{
"name": "CVE-2025-68724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68724"
},
{
"name": "CVE-2023-54318",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54318"
},
{
"name": "CVE-2022-50710",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50710"
},
{
"name": "CVE-2022-50757",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50757"
},
{
"name": "CVE-2022-0854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0854"
},
{
"name": "CVE-2022-50827",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50827"
},
{
"name": "CVE-2025-68252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68252"
},
{
"name": "CVE-2023-54166",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54166"
},
{
"name": "CVE-2025-40274",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40274"
},
{
"name": "CVE-2023-53820",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53820"
},
{
"name": "CVE-2023-54136",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54136"
},
{
"name": "CVE-2023-54225",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54225"
},
{
"name": "CVE-2022-50679",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50679"
},
{
"name": "CVE-2025-40220",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40220"
},
{
"name": "CVE-2025-68237",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68237"
},
{
"name": "CVE-2023-54194",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54194"
},
{
"name": "CVE-2023-53748",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53748"
},
{
"name": "CVE-2025-68259",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68259"
},
{
"name": "CVE-2022-50839",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50839"
},
{
"name": "CVE-2023-54301",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54301"
},
{
"name": "CVE-2025-68312",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68312"
},
{
"name": "CVE-2023-53843",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53843"
},
{
"name": "CVE-2025-68194",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68194"
},
{
"name": "CVE-2024-53164",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53164"
},
{
"name": "CVE-2022-50744",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50744"
},
{
"name": "CVE-2023-54277",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54277"
},
{
"name": "CVE-2025-40006",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40006"
},
{
"name": "CVE-2023-53844",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53844"
},
{
"name": "CVE-2025-68183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68183"
},
{
"name": "CVE-2023-54046",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54046"
},
{
"name": "CVE-2025-40263",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40263"
},
{
"name": "CVE-2022-50717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50717"
},
{
"name": "CVE-2023-54120",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54120"
},
{
"name": "CVE-2025-38616",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38616"
},
{
"name": "CVE-2022-50621",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50621"
},
{
"name": "CVE-2023-54026",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54026"
},
{
"name": "CVE-2025-68244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68244"
},
{
"name": "CVE-2025-40231",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40231"
},
{
"name": "CVE-2022-50742",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50742"
},
{
"name": "CVE-2025-40278",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40278"
},
{
"name": "CVE-2023-53783",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53783"
},
{
"name": "CVE-2025-40342",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40342"
},
{
"name": "CVE-2023-54057",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54057"
},
{
"name": "CVE-2022-50714",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50714"
},
{
"name": "CVE-2023-54028",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54028"
},
{
"name": "CVE-2023-53858",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53858"
},
{
"name": "CVE-2023-53992",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53992"
},
{
"name": "CVE-2022-50722",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50722"
},
{
"name": "CVE-2022-50709",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50709"
},
{
"name": "CVE-2022-50728",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50728"
},
{
"name": "CVE-2022-50677",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50677"
},
{
"name": "CVE-2023-54266",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54266"
},
{
"name": "CVE-2025-68222",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68222"
},
{
"name": "CVE-2025-68765",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68765"
},
{
"name": "CVE-2023-53825",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53825"
},
{
"name": "CVE-2025-38664",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38664"
},
{
"name": "CVE-2023-53454",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53454"
},
{
"name": "CVE-2023-54003",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54003"
},
{
"name": "CVE-2023-54072",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54072"
},
{
"name": "CVE-2023-54134",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54134"
},
{
"name": "CVE-2025-38554",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38554"
},
{
"name": "CVE-2023-54291",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54291"
},
{
"name": "CVE-2023-54321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54321"
},
{
"name": "CVE-2025-40279",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40279"
},
{
"name": "CVE-2023-53865",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53865"
},
{
"name": "CVE-2025-68328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68328"
},
{
"name": "CVE-2023-54041",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54041"
},
{
"name": "CVE-2023-53744",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53744"
},
{
"name": "CVE-2023-23559",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23559"
},
{
"name": "CVE-2023-53823",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53823"
},
{
"name": "CVE-2022-50718",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50718"
},
{
"name": "CVE-2022-50658",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50658"
},
{
"name": "CVE-2023-54009",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54009"
},
{
"name": "CVE-2023-54023",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54023"
},
{
"name": "CVE-2022-50660",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50660"
},
{
"name": "CVE-2025-68744",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68744"
},
{
"name": "CVE-2023-54241",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54241"
},
{
"name": "CVE-2023-54017",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54017"
},
{
"name": "CVE-2023-53787",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53787"
},
{
"name": "CVE-2022-50886",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50886"
},
{
"name": "CVE-2025-68172",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68172"
},
{
"name": "CVE-2023-54097",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54097"
},
{
"name": "CVE-2022-50626",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50626"
},
{
"name": "CVE-2025-40338",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40338"
},
{
"name": "CVE-2022-50767",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50767"
},
{
"name": "CVE-2025-40134",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40134"
},
{
"name": "CVE-2023-53801",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53801"
},
{
"name": "CVE-2023-54154",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54154"
},
{
"name": "CVE-2022-50880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50880"
},
{
"name": "CVE-2023-54141",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54141"
},
{
"name": "CVE-2022-50885",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50885"
},
{
"name": "CVE-2025-40302",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40302"
},
{
"name": "CVE-2023-53766",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53766"
},
{
"name": "CVE-2023-53840",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53840"
},
{
"name": "CVE-2025-40357",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40357"
},
{
"name": "CVE-2023-53785",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53785"
},
{
"name": "CVE-2025-40328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40328"
},
{
"name": "CVE-2025-40340",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40340"
},
{
"name": "CVE-2022-50661",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50661"
},
{
"name": "CVE-2025-68332",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68332"
},
{
"name": "CVE-2023-54263",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54263"
},
{
"name": "CVE-2025-40283",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40283"
},
{
"name": "CVE-2023-54284",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54284"
},
{
"name": "CVE-2025-40324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40324"
},
{
"name": "CVE-2023-54181",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54181"
},
{
"name": "CVE-2022-50818",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50818"
},
{
"name": "CVE-2025-68378",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68378"
},
{
"name": "CVE-2022-50824",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50824"
},
{
"name": "CVE-2023-53849",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53849"
},
{
"name": "CVE-2023-53795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53795"
},
{
"name": "CVE-2022-50623",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50623"
},
{
"name": "CVE-2025-40250",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40250"
},
{
"name": "CVE-2025-38728",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38728"
},
{
"name": "CVE-2023-53788",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53788"
},
{
"name": "CVE-2025-40074",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40074"
},
{
"name": "CVE-2025-38608",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38608"
},
{
"name": "CVE-2025-40321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40321"
},
{
"name": "CVE-2024-56590",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56590"
},
{
"name": "CVE-2023-54207",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54207"
},
{
"name": "CVE-2025-68249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68249"
},
{
"name": "CVE-2025-68740",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68740"
},
{
"name": "CVE-2022-50864",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50864"
},
{
"name": "CVE-2025-40158",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40158"
},
{
"name": "CVE-2025-40179",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40179"
},
{
"name": "CVE-2025-68742",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68742"
},
{
"name": "CVE-2023-53832",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53832"
},
{
"name": "CVE-2023-54226",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54226"
},
{
"name": "CVE-2025-40282",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40282"
},
{
"name": "CVE-2023-53819",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53819"
},
{
"name": "CVE-2022-50715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50715"
},
{
"name": "CVE-2025-40168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40168"
},
{
"name": "CVE-2022-50665",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50665"
},
{
"name": "CVE-2023-54210",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54210"
},
{
"name": "CVE-2025-40053",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40053"
},
{
"name": "CVE-2025-38085",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38085"
},
{
"name": "CVE-2022-50735",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50735"
},
{
"name": "CVE-2023-54030",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54030"
},
{
"name": "CVE-2025-68192",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68192"
},
{
"name": "CVE-2023-54092",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54092"
},
{
"name": "CVE-2023-53997",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53997"
},
{
"name": "CVE-2023-54015",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54015"
},
{
"name": "CVE-2025-40301",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40301"
},
{
"name": "CVE-2023-54224",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54224"
},
{
"name": "CVE-2025-68298",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68298"
},
{
"name": "CVE-2025-68207",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68207"
},
{
"name": "CVE-2023-54235",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54235"
},
{
"name": "CVE-2023-54122",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54122"
},
{
"name": "CVE-2023-54119",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54119"
},
{
"name": "CVE-2025-68747",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68747"
},
{
"name": "CVE-2025-38617",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38617"
},
{
"name": "CVE-2022-50675",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50675"
},
{
"name": "CVE-2023-54159",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54159"
},
{
"name": "CVE-2022-50751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50751"
},
{
"name": "CVE-2023-54245",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54245"
},
{
"name": "CVE-2023-54032",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54032"
},
{
"name": "CVE-2023-54168",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54168"
},
{
"name": "CVE-2023-54262",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54262"
},
{
"name": "CVE-2023-53856",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53856"
},
{
"name": "CVE-2025-40318",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40318"
},
{
"name": "CVE-2022-50889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50889"
},
{
"name": "CVE-2023-54146",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54146"
},
{
"name": "CVE-2023-54118",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54118"
},
{
"name": "CVE-2023-53782",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53782"
},
{
"name": "CVE-2023-54115",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54115"
},
{
"name": "CVE-2023-54069",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54069"
},
{
"name": "CVE-2022-50699",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50699"
},
{
"name": "CVE-2023-53990",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53990"
},
{
"name": "CVE-2023-54104",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54104"
},
{
"name": "CVE-2025-40135",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40135"
},
{
"name": "CVE-2023-54027",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54027"
},
{
"name": "CVE-2022-50870",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50870"
},
{
"name": "CVE-2025-68734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68734"
},
{
"name": "CVE-2023-54058",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54058"
},
{
"name": "CVE-2023-54238",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54238"
},
{
"name": "CVE-2023-54114",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54114"
},
{
"name": "CVE-2023-53806",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53806"
},
{
"name": "CVE-2023-53851",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53851"
},
{
"name": "CVE-2025-68345",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68345"
},
{
"name": "CVE-2022-50838",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50838"
},
{
"name": "CVE-2023-54311",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54311"
},
{
"name": "CVE-2023-54183",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54183"
},
{
"name": "CVE-2023-54126",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54126"
},
{
"name": "CVE-2023-53841",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53841"
},
{
"name": "CVE-2023-54326",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54326"
},
{
"name": "CVE-2023-54267",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54267"
},
{
"name": "CVE-2023-54282",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54282"
},
{
"name": "CVE-2022-50879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50879"
},
{
"name": "CVE-2025-40310",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40310"
},
{
"name": "CVE-2022-50733",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50733"
},
{
"name": "CVE-2023-54006",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54006"
},
{
"name": "CVE-2023-53784",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53784"
},
{
"name": "CVE-2023-54084",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54084"
},
{
"name": "CVE-2023-54067",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54067"
},
{
"name": "CVE-2022-50731",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50731"
},
{
"name": "CVE-2023-54264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54264"
},
{
"name": "CVE-2025-40331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40331"
},
{
"name": "CVE-2025-68351",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68351"
},
{
"name": "CVE-2023-54304",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54304"
},
{
"name": "CVE-2022-50851",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50851"
},
{
"name": "CVE-2022-50615",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50615"
},
{
"name": "CVE-2022-50667",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50667"
},
{
"name": "CVE-2025-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40149"
},
{
"name": "CVE-2022-50704",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50704"
},
{
"name": "CVE-2023-53747",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53747"
},
{
"name": "CVE-2025-40164",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40164"
},
{
"name": "CVE-2022-50730",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50730"
},
{
"name": "CVE-2023-54125",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54125"
},
{
"name": "CVE-2022-50617",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50617"
},
{
"name": "CVE-2023-53718",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53718"
},
{
"name": "CVE-2023-54173",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54173"
},
{
"name": "CVE-2023-53751",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53751"
},
{
"name": "CVE-2023-53743",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53743"
},
{
"name": "CVE-2022-50656",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50656"
},
{
"name": "CVE-2023-54036",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54036"
},
{
"name": "CVE-2023-54190",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54190"
},
{
"name": "CVE-2022-49604",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49604"
},
{
"name": "CVE-2023-53842",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53842"
},
{
"name": "CVE-2022-50768",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50768"
},
{
"name": "CVE-2025-68208",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68208"
},
{
"name": "CVE-2025-68362",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68362"
},
{
"name": "CVE-2022-50823",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50823"
},
{
"name": "CVE-2022-50719",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50719"
},
{
"name": "CVE-2022-50703",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50703"
},
{
"name": "CVE-2022-50763",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50763"
},
{
"name": "CVE-2022-50727",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50727"
},
{
"name": "CVE-2022-50629",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50629"
},
{
"name": "CVE-2023-53762",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53762"
},
{
"name": "CVE-2022-50872",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50872"
},
{
"name": "CVE-2025-68290",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68290"
},
{
"name": "CVE-2025-40280",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40280"
},
{
"name": "CVE-2025-40293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40293"
},
{
"name": "CVE-2025-40330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40330"
},
{
"name": "CVE-2025-68750",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68750"
},
{
"name": "CVE-2023-54127",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54127"
},
{
"name": "CVE-2023-53861",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53861"
},
{
"name": "CVE-2023-54197",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54197"
},
{
"name": "CVE-2025-68331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68331"
},
{
"name": "CVE-2023-54137",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54137"
},
{
"name": "CVE-2023-54244",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54244"
},
{
"name": "CVE-2022-50862",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50862"
},
{
"name": "CVE-2023-54319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54319"
},
{
"name": "CVE-2025-68305",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68305"
},
{
"name": "CVE-2022-50845",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50845"
},
{
"name": "CVE-2025-40320",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40320"
},
{
"name": "CVE-2025-39963",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39963"
},
{
"name": "CVE-2022-50754",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50754"
},
{
"name": "CVE-2025-68753",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68753"
},
{
"name": "CVE-2023-54140",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54140"
},
{
"name": "CVE-2022-50856",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50856"
},
{
"name": "CVE-2023-54285",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54285"
},
{
"name": "CVE-2023-54055",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54055"
},
{
"name": "CVE-2023-54025",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54025"
},
{
"name": "CVE-2023-53991",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53991"
},
{
"name": "CVE-2023-54229",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54229"
},
{
"name": "CVE-2022-50861",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50861"
},
{
"name": "CVE-2022-50882",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50882"
},
{
"name": "CVE-2025-40200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40200"
},
{
"name": "CVE-2023-54300",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54300"
},
{
"name": "CVE-2023-54042",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54042"
},
{
"name": "CVE-2022-50832",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50832"
},
{
"name": "CVE-2023-53807",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53807"
},
{
"name": "CVE-2022-50638",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50638"
},
{
"name": "CVE-2025-40102",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40102"
},
{
"name": "CVE-2023-54302",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54302"
},
{
"name": "CVE-2025-40170",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40170"
},
{
"name": "CVE-2023-53811",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53811"
},
{
"name": "CVE-2025-40160",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40160"
},
{
"name": "CVE-2025-40284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40284"
},
{
"name": "CVE-2023-54178",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54178"
},
{
"name": "CVE-2023-54051",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54051"
},
{
"name": "CVE-2023-54286",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54286"
},
{
"name": "CVE-2023-54269",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54269"
},
{
"name": "CVE-2023-53808",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53808"
},
{
"name": "CVE-2022-50849",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50849"
},
{
"name": "CVE-2023-54234",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54234"
},
{
"name": "CVE-2022-50760",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50760"
},
{
"name": "CVE-2023-54008",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54008"
},
{
"name": "CVE-2023-54014",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54014"
},
{
"name": "CVE-2022-50858",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50858"
},
{
"name": "CVE-2025-40215",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40215"
},
{
"name": "CVE-2025-40307",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40307"
},
{
"name": "CVE-2025-68346",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68346"
},
{
"name": "CVE-2022-50888",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50888"
},
{
"name": "CVE-2025-40211",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40211"
},
{
"name": "CVE-2025-40042",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40042"
},
{
"name": "CVE-2023-54258",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54258"
},
{
"name": "CVE-2025-39890",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39890"
},
{
"name": "CVE-2022-50640",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50640"
},
{
"name": "CVE-2023-54221",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54221"
},
{
"name": "CVE-2025-40248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40248"
},
{
"name": "CVE-2022-50747",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50747"
},
{
"name": "CVE-2025-68303",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68303"
},
{
"name": "CVE-2023-53827",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53827"
},
{
"name": "CVE-2025-68757",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68757"
},
{
"name": "CVE-2023-54293",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54293"
},
{
"name": "CVE-2025-40329",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40329"
},
{
"name": "CVE-2022-50782",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50782"
},
{
"name": "CVE-2022-50826",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50826"
},
{
"name": "CVE-2025-38618",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38618"
},
{
"name": "CVE-2023-54060",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54060"
},
{
"name": "CVE-2022-48853",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48853"
},
{
"name": "CVE-2022-50635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50635"
},
{
"name": "CVE-2025-68766",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68766"
},
{
"name": "CVE-2023-53778",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53778"
},
{
"name": "CVE-2023-53746",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53746"
},
{
"name": "CVE-2023-54145",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54145"
},
{
"name": "CVE-2023-54171",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54171"
},
{
"name": "CVE-2022-50749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50749"
},
{
"name": "CVE-2022-50706",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50706"
},
{
"name": "CVE-2023-54240",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54240"
},
{
"name": "CVE-2022-50618",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50618"
},
{
"name": "CVE-2025-68168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68168"
},
{
"name": "CVE-2025-68206",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68206"
},
{
"name": "CVE-2022-50678",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50678"
},
{
"name": "CVE-2023-54247",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54247"
},
{
"name": "CVE-2025-68170",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68170"
},
{
"name": "CVE-2023-54070",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54070"
},
{
"name": "CVE-2023-54204",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54204"
},
{
"name": "CVE-2025-68313",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68313"
},
{
"name": "CVE-2023-53676",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53676"
},
{
"name": "CVE-2023-53850",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53850"
},
{
"name": "CVE-2023-54303",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54303"
},
{
"name": "CVE-2025-68197",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68197"
},
{
"name": "CVE-2025-40123",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40123"
},
{
"name": "CVE-2023-53998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53998"
},
{
"name": "CVE-2023-53816",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53816"
},
{
"name": "CVE-2025-40297",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40297"
},
{
"name": "CVE-2025-68217",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68217"
},
{
"name": "CVE-2025-40178",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40178"
},
{
"name": "CVE-2023-54242",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54242"
},
{
"name": "CVE-2025-68289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68289"
},
{
"name": "CVE-2023-53852",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53852"
},
{
"name": "CVE-2022-50777",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50777"
},
{
"name": "CVE-2023-53862",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53862"
},
{
"name": "CVE-2025-40276",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40276"
},
{
"name": "CVE-2022-50664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50664"
},
{
"name": "CVE-2022-50701",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50701"
},
{
"name": "CVE-2022-50643",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50643"
},
{
"name": "CVE-2025-40317",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40317"
},
{
"name": "CVE-2023-53254",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53254"
},
{
"name": "CVE-2023-54020",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54020"
},
{
"name": "CVE-2023-54135",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54135"
},
{
"name": "CVE-2023-4132",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4132"
},
{
"name": "CVE-2023-53996",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53996"
},
{
"name": "CVE-2025-68233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68233"
},
{
"name": "CVE-2024-26944",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26944"
},
{
"name": "CVE-2025-38321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38321"
},
{
"name": "CVE-2025-40316",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40316"
},
{
"name": "CVE-2023-54130",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54130"
},
{
"name": "CVE-2023-54314",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54314"
},
{
"name": "CVE-2022-50625",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50625"
},
{
"name": "CVE-2025-68758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68758"
},
{
"name": "CVE-2023-54292",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54292"
},
{
"name": "CVE-2023-54172",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54172"
},
{
"name": "CVE-2023-54113",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54113"
},
{
"name": "CVE-2025-68340",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68340"
},
{
"name": "CVE-2023-54320",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54320"
},
{
"name": "CVE-2023-53836",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53836"
},
{
"name": "CVE-2025-40288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40288"
},
{
"name": "CVE-2025-68239",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68239"
},
{
"name": "CVE-2025-40258",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40258"
},
{
"name": "CVE-2023-53857",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53857"
},
{
"name": "CVE-2023-53860",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53860"
},
{
"name": "CVE-2025-68185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68185"
},
{
"name": "CVE-2025-40304",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40304"
},
{
"name": "CVE-2025-40110",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40110"
},
{
"name": "CVE-2023-54169",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54169"
},
{
"name": "CVE-2025-40268",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40268"
},
{
"name": "CVE-2023-54281",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54281"
},
{
"name": "CVE-2023-54044",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54044"
},
{
"name": "CVE-2023-54080",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54080"
},
{
"name": "CVE-2023-54294",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54294"
},
{
"name": "CVE-2023-53794",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53794"
},
{
"name": "CVE-2025-40337",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40337"
},
{
"name": "CVE-2022-50614",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50614"
},
{
"name": "CVE-2025-40346",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40346"
},
{
"name": "CVE-2025-39682",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39682"
},
{
"name": "CVE-2023-54050",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54050"
},
{
"name": "CVE-2025-40262",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40262"
},
{
"name": "CVE-2022-50828",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50828"
},
{
"name": "CVE-2024-36933",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36933"
},
{
"name": "CVE-2022-50670",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50670"
},
{
"name": "CVE-2023-54022",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54022"
},
{
"name": "CVE-2022-50868",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50868"
},
{
"name": "CVE-2023-54296",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54296"
},
{
"name": "CVE-2025-40244",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40244"
},
{
"name": "CVE-2023-54287",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54287"
},
{
"name": "CVE-2025-68732",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68732"
},
{
"name": "CVE-2023-53769",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53769"
},
{
"name": "CVE-2022-50876",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50876"
},
{
"name": "CVE-2025-40323",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40323"
},
{
"name": "CVE-2022-50652",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50652"
},
{
"name": "CVE-2022-50732",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50732"
},
{
"name": "CVE-2023-54220",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54220"
},
{
"name": "CVE-2023-54198",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54198"
},
{
"name": "CVE-2022-50671",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50671"
},
{
"name": "CVE-2023-54138",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54138"
},
{
"name": "CVE-2023-54047",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54047"
},
{
"name": "CVE-2023-54144",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54144"
},
{
"name": "CVE-2023-54209",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54209"
},
{
"name": "CVE-2022-50653",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50653"
},
{
"name": "CVE-2025-40275",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40275"
},
{
"name": "CVE-2022-50712",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50712"
},
{
"name": "CVE-2023-54252",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54252"
},
{
"name": "CVE-2023-54019",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54019"
},
{
"name": "CVE-2023-54123",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54123"
},
{
"name": "CVE-2023-54236",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54236"
},
{
"name": "CVE-2022-50835",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50835"
},
{
"name": "CVE-2023-54189",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54189"
},
{
"name": "CVE-2025-38476",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38476"
},
{
"name": "CVE-2025-40339",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40339"
},
{
"name": "CVE-2023-54260",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54260"
},
{
"name": "CVE-2023-54116",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54116"
},
{
"name": "CVE-2025-40223",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40223"
},
{
"name": "CVE-2022-50884",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50884"
},
{
"name": "CVE-2025-38572",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38572"
},
{
"name": "CVE-2023-54230",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54230"
},
{
"name": "CVE-2023-53831",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53831"
},
{
"name": "CVE-2025-68195",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68195"
},
{
"name": "CVE-2025-40213",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40213"
},
{
"name": "CVE-2023-54299",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54299"
},
{
"name": "CVE-2023-53768",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53768"
},
{
"name": "CVE-2023-53830",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53830"
},
{
"name": "CVE-2022-50850",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50850"
},
{
"name": "CVE-2023-54099",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54099"
},
{
"name": "CVE-2025-40319",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40319"
},
{
"name": "CVE-2022-50847",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50847"
},
{
"name": "CVE-2023-54219",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54219"
},
{
"name": "CVE-2023-53847",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53847"
},
{
"name": "CVE-2024-53093",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53093"
},
{
"name": "CVE-2023-54325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54325"
},
{
"name": "CVE-2023-54121",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54121"
},
{
"name": "CVE-2023-54261",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54261"
},
{
"name": "CVE-2023-54005",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-54005"
},
{
"name": "CVE-2022-50770",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50770"
},
{
"name": "CVE-2025-40351",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40351"
},
{
"name": "CVE-2025-68264",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68264"
},
{
"name": "CVE-2022-50755",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50755"
}
],
"initial_release_date": "2026-01-30T00:00:00",
"last_revision_date": "2026-01-30T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0108",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-30T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de SUSE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de SUSE",
"vendor_advisories": [
{
"published_at": "2026-01-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0269-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260269-1"
},
{
"published_at": "2026-01-26",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0293-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260293-1"
},
{
"published_at": "2026-01-28",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0315-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260315-1"
},
{
"published_at": "2026-01-26",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20168-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620168-1"
},
{
"published_at": "2026-01-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0278-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260278-1"
},
{
"published_at": "2026-01-26",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20169-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620169-1"
},
{
"published_at": "2026-01-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0283-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260283-1"
},
{
"published_at": "2026-01-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20163-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620163-1"
},
{
"published_at": "2026-01-26",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20164-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620164-1"
},
{
"published_at": "2026-01-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0267-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260267-1"
},
{
"published_at": "2026-01-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20148-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620148-1"
},
{
"published_at": "2026-01-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0284-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260284-1"
},
{
"published_at": "2026-01-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0270-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260270-1"
},
{
"published_at": "2026-01-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0274-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260274-1"
},
{
"published_at": "2026-01-28",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0317-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260317-1"
},
{
"published_at": "2026-01-26",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20149-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620149-1"
},
{
"published_at": "2026-01-27",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0305-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260305-1"
},
{
"published_at": "2026-01-22",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0263-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260263-1"
},
{
"published_at": "2026-01-26",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:20165-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620165-1"
},
{
"published_at": "2026-01-28",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0316-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260316-1"
},
{
"published_at": "2026-01-23",
"title": "Bulletin de s\u00e9curit\u00e9 SUSE SUSE-SU-2026:0281-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260281-1"
}
]
}
CVE-2022-50730 (GCVE-0-2022-50730)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
ext4: silence the warning when evicting inode with dioread_nolock
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: silence the warning when evicting inode with dioread_nolock
When evicting an inode with default dioread_nolock, it could be raced by
the unwritten extents converting kworker after writeback some new
allocated dirty blocks. It convert unwritten extents to written, the
extents could be merged to upper level and free extent blocks, so it
could mark the inode dirty again even this inode has been marked
I_FREEING. But the inode->i_io_list check and warning in
ext4_evict_inode() missing this corner case. Fortunately,
ext4_evict_inode() will wait all extents converting finished before this
check, so it will not lead to inode use-after-free problem, every thing
is OK besides this warning. The WARN_ON_ONCE was originally designed
for finding inode use-after-free issues in advance, but if we add
current dioread_nolock case in, it will become not quite useful, so fix
this warning by just remove this check.
======
WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227
ext4_evict_inode+0x875/0xc60
...
RIP: 0010:ext4_evict_inode+0x875/0xc60
...
Call Trace:
<TASK>
evict+0x11c/0x2b0
iput+0x236/0x3a0
do_unlinkat+0x1b4/0x490
__x64_sys_unlinkat+0x4c/0xb0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa933c1115b
======
rm kworker
ext4_end_io_end()
vfs_unlink()
ext4_unlink()
ext4_convert_unwritten_io_end_vec()
ext4_convert_unwritten_extents()
ext4_map_blocks()
ext4_ext_map_blocks()
ext4_ext_try_to_merge_up()
__mark_inode_dirty()
check !I_FREEING
locked_inode_to_wb_and_lock_list()
iput()
iput_final()
evict()
ext4_evict_inode()
truncate_inode_pages_final() //wait release io_end
inode_io_list_move_locked()
ext4_release_io_end()
trigger WARN_ON_ONCE()
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ceff86fddae8748fe00d4f2d249cb02cae62ad84 , < bdc698ce91f232fd5eb11d2373e9f82f687314b8
(git)
Affected: ceff86fddae8748fe00d4f2d249cb02cae62ad84 , < 0d041b7251c13679a0f6c7926751ce1d8a7237c1 (git) Affected: ceff86fddae8748fe00d4f2d249cb02cae62ad84 , < 3b893cc9a8d8b4e486a6639f5e107b56b7197d2e (git) Affected: ceff86fddae8748fe00d4f2d249cb02cae62ad84 , < b085fb43feede48ebf80ab7e2dd150c8d9902932 (git) Affected: ceff86fddae8748fe00d4f2d249cb02cae62ad84 , < bc12ac98ea2e1b70adc6478c8b473a0003b659d3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bdc698ce91f232fd5eb11d2373e9f82f687314b8",
"status": "affected",
"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
"versionType": "git"
},
{
"lessThan": "0d041b7251c13679a0f6c7926751ce1d8a7237c1",
"status": "affected",
"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
"versionType": "git"
},
{
"lessThan": "3b893cc9a8d8b4e486a6639f5e107b56b7197d2e",
"status": "affected",
"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
"versionType": "git"
},
{
"lessThan": "b085fb43feede48ebf80ab7e2dd150c8d9902932",
"status": "affected",
"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
"versionType": "git"
},
{
"lessThan": "bc12ac98ea2e1b70adc6478c8b473a0003b659d3",
"status": "affected",
"version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: silence the warning when evicting inode with dioread_nolock\n\nWhen evicting an inode with default dioread_nolock, it could be raced by\nthe unwritten extents converting kworker after writeback some new\nallocated dirty blocks. It convert unwritten extents to written, the\nextents could be merged to upper level and free extent blocks, so it\ncould mark the inode dirty again even this inode has been marked\nI_FREEING. But the inode-\u003ei_io_list check and warning in\next4_evict_inode() missing this corner case. Fortunately,\next4_evict_inode() will wait all extents converting finished before this\ncheck, so it will not lead to inode use-after-free problem, every thing\nis OK besides this warning. The WARN_ON_ONCE was originally designed\nfor finding inode use-after-free issues in advance, but if we add\ncurrent dioread_nolock case in, it will become not quite useful, so fix\nthis warning by just remove this check.\n\n ======\n WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227\n ext4_evict_inode+0x875/0xc60\n ...\n RIP: 0010:ext4_evict_inode+0x875/0xc60\n ...\n Call Trace:\n \u003cTASK\u003e\n evict+0x11c/0x2b0\n iput+0x236/0x3a0\n do_unlinkat+0x1b4/0x490\n __x64_sys_unlinkat+0x4c/0xb0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7fa933c1115b\n ======\n\nrm kworker\n ext4_end_io_end()\nvfs_unlink()\n ext4_unlink()\n ext4_convert_unwritten_io_end_vec()\n ext4_convert_unwritten_extents()\n ext4_map_blocks()\n ext4_ext_map_blocks()\n ext4_ext_try_to_merge_up()\n __mark_inode_dirty()\n check !I_FREEING\n locked_inode_to_wb_and_lock_list()\n iput()\n iput_final()\n evict()\n ext4_evict_inode()\n truncate_inode_pages_final() //wait release io_end\n inode_io_list_move_locked()\n ext4_release_io_end()\n trigger WARN_ON_ONCE()"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:50.416Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bdc698ce91f232fd5eb11d2373e9f82f687314b8"
},
{
"url": "https://git.kernel.org/stable/c/0d041b7251c13679a0f6c7926751ce1d8a7237c1"
},
{
"url": "https://git.kernel.org/stable/c/3b893cc9a8d8b4e486a6639f5e107b56b7197d2e"
},
{
"url": "https://git.kernel.org/stable/c/b085fb43feede48ebf80ab7e2dd150c8d9902932"
},
{
"url": "https://git.kernel.org/stable/c/bc12ac98ea2e1b70adc6478c8b473a0003b659d3"
}
],
"title": "ext4: silence the warning when evicting inode with dioread_nolock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50730",
"datePublished": "2025-12-24T12:22:50.416Z",
"dateReserved": "2025-12-24T12:20:40.330Z",
"dateUpdated": "2025-12-24T12:22:50.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54185 (GCVE-0-2023-54185)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2026-01-05 10:51
VLAI?
EPSS
Title
btrfs: remove BUG_ON()'s in add_new_free_space()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: remove BUG_ON()'s in add_new_free_space()
At add_new_free_space() we have these BUG_ON()'s that are there to deal
with any failure to add free space to the in memory free space cache.
Such failures are mostly -ENOMEM that should be very rare. However there's
no need to have these BUG_ON()'s, we can just return any error to the
caller and all callers and their upper call chain are already dealing with
errors.
So just make add_new_free_space() return any errors, while removing the
BUG_ON()'s, and returning the total amount of added free space to an
optional u64 pointer argument.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0f9dd46cda36b8de3b9f48bc42bd09d20b9c3b52 , < 23e72231f8281505883514b23709076e234d4f27
(git)
Affected: 0f9dd46cda36b8de3b9f48bc42bd09d20b9c3b52 , < f775ceb0cb530e4a469b718fb2a24843071087f5 (git) Affected: 0f9dd46cda36b8de3b9f48bc42bd09d20b9c3b52 , < d8ccbd21918fd7fa6ce3226cffc22c444228e8ad (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c",
"fs/btrfs/block-group.h",
"fs/btrfs/free-space-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23e72231f8281505883514b23709076e234d4f27",
"status": "affected",
"version": "0f9dd46cda36b8de3b9f48bc42bd09d20b9c3b52",
"versionType": "git"
},
{
"lessThan": "f775ceb0cb530e4a469b718fb2a24843071087f5",
"status": "affected",
"version": "0f9dd46cda36b8de3b9f48bc42bd09d20b9c3b52",
"versionType": "git"
},
{
"lessThan": "d8ccbd21918fd7fa6ce3226cffc22c444228e8ad",
"status": "affected",
"version": "0f9dd46cda36b8de3b9f48bc42bd09d20b9c3b52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c",
"fs/btrfs/block-group.h",
"fs/btrfs/free-space-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: remove BUG_ON()\u0027s in add_new_free_space()\n\nAt add_new_free_space() we have these BUG_ON()\u0027s that are there to deal\nwith any failure to add free space to the in memory free space cache.\nSuch failures are mostly -ENOMEM that should be very rare. However there\u0027s\nno need to have these BUG_ON()\u0027s, we can just return any error to the\ncaller and all callers and their upper call chain are already dealing with\nerrors.\n\nSo just make add_new_free_space() return any errors, while removing the\nBUG_ON()\u0027s, and returning the total amount of added free space to an\noptional u64 pointer argument."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:51:22.315Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23e72231f8281505883514b23709076e234d4f27"
},
{
"url": "https://git.kernel.org/stable/c/f775ceb0cb530e4a469b718fb2a24843071087f5"
},
{
"url": "https://git.kernel.org/stable/c/d8ccbd21918fd7fa6ce3226cffc22c444228e8ad"
}
],
"title": "btrfs: remove BUG_ON()\u0027s in add_new_free_space()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54185",
"datePublished": "2025-12-30T12:08:55.218Z",
"dateReserved": "2025-12-30T12:06:44.497Z",
"dateUpdated": "2026-01-05T10:51:22.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50768 (GCVE-0-2022-50768)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
scsi: smartpqi: Correct device removal for multi-actuator devices
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: smartpqi: Correct device removal for multi-actuator devices
Correct device count for multi-actuator drives which can cause kernel
panics.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2d80f4054f7f901b8ad97358a9069616ac8524c7 , < e8e9e0c28901d34beb193b5ece52eb7c656f4042
(git)
Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < d1c8b86b4ab7e8588a8cfadbdd6f20adbb15c938 (git) Affected: 2d80f4054f7f901b8ad97358a9069616ac8524c7 , < cc9befcbbb5ebce77726f938508700d913530035 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/smartpqi/smartpqi.h",
"drivers/scsi/smartpqi/smartpqi_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8e9e0c28901d34beb193b5ece52eb7c656f4042",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "d1c8b86b4ab7e8588a8cfadbdd6f20adbb15c938",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
},
{
"lessThan": "cc9befcbbb5ebce77726f938508700d913530035",
"status": "affected",
"version": "2d80f4054f7f901b8ad97358a9069616ac8524c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/smartpqi/smartpqi.h",
"drivers/scsi/smartpqi/smartpqi_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Correct device removal for multi-actuator devices\n\nCorrect device count for multi-actuator drives which can cause kernel\npanics."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:32.070Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8e9e0c28901d34beb193b5ece52eb7c656f4042"
},
{
"url": "https://git.kernel.org/stable/c/d1c8b86b4ab7e8588a8cfadbdd6f20adbb15c938"
},
{
"url": "https://git.kernel.org/stable/c/cc9befcbbb5ebce77726f938508700d913530035"
}
],
"title": "scsi: smartpqi: Correct device removal for multi-actuator devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50768",
"datePublished": "2025-12-24T13:05:58.304Z",
"dateReserved": "2025-12-24T13:02:21.546Z",
"dateUpdated": "2026-01-02T15:04:32.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53807 (GCVE-0-2023-53807)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
VLAI?
EPSS
Title
clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()
Smatch detected this potential error pointer dereference
clk_wzrd_register_divider(). If devm_clk_hw_register() fails then
it sets "hw" to an error pointer and then dereferences it on the
next line. Return the error directly instead.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5a853722eb32188647a541802d51d0db423b9baf , < 2f276dd9c0f835242836d9f6823035158ce2585c
(git)
Affected: 5a853722eb32188647a541802d51d0db423b9baf , < b35cb0c05b8dafe23ae5e8b605a91b88bcf4aba7 (git) Affected: 5a853722eb32188647a541802d51d0db423b9baf , < 25dbdfb7b71ef8601d00c6d9a2b1a96de28b30c5 (git) Affected: 5a853722eb32188647a541802d51d0db423b9baf , < f078a65ebf930f4305e3c415a8338d22391642c9 (git) Affected: 5a853722eb32188647a541802d51d0db423b9baf , < 9c632a6396505a019ea6d12b5ab45e659a542a93 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/xilinx/clk-xlnx-clock-wizard.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f276dd9c0f835242836d9f6823035158ce2585c",
"status": "affected",
"version": "5a853722eb32188647a541802d51d0db423b9baf",
"versionType": "git"
},
{
"lessThan": "b35cb0c05b8dafe23ae5e8b605a91b88bcf4aba7",
"status": "affected",
"version": "5a853722eb32188647a541802d51d0db423b9baf",
"versionType": "git"
},
{
"lessThan": "25dbdfb7b71ef8601d00c6d9a2b1a96de28b30c5",
"status": "affected",
"version": "5a853722eb32188647a541802d51d0db423b9baf",
"versionType": "git"
},
{
"lessThan": "f078a65ebf930f4305e3c415a8338d22391642c9",
"status": "affected",
"version": "5a853722eb32188647a541802d51d0db423b9baf",
"versionType": "git"
},
{
"lessThan": "9c632a6396505a019ea6d12b5ab45e659a542a93",
"status": "affected",
"version": "5a853722eb32188647a541802d51d0db423b9baf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/xilinx/clk-xlnx-clock-wizard.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()\n\nSmatch detected this potential error pointer dereference\nclk_wzrd_register_divider(). If devm_clk_hw_register() fails then\nit sets \"hw\" to an error pointer and then dereferences it on the\nnext line. Return the error directly instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:05.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f276dd9c0f835242836d9f6823035158ce2585c"
},
{
"url": "https://git.kernel.org/stable/c/b35cb0c05b8dafe23ae5e8b605a91b88bcf4aba7"
},
{
"url": "https://git.kernel.org/stable/c/25dbdfb7b71ef8601d00c6d9a2b1a96de28b30c5"
},
{
"url": "https://git.kernel.org/stable/c/f078a65ebf930f4305e3c415a8338d22391642c9"
},
{
"url": "https://git.kernel.org/stable/c/9c632a6396505a019ea6d12b5ab45e659a542a93"
}
],
"title": "clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53807",
"datePublished": "2025-12-09T00:01:05.301Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2025-12-09T00:01:05.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54286 (GCVE-0-2023-54286)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
A received TKIP key may be up to 32 bytes because it may contain
MIC rx/tx keys too. These are not used by iwl and copying these
over overflows the iwl_keyinfo.key field.
Add a check to not copy more data to iwl_keyinfo.key then will fit.
This fixes backtraces like this one:
memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16)
WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm]
<snip>
Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017
RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm]
<snip>
Call Trace:
<TASK>
iwl_set_dynamic_key+0x1f0/0x220 [iwldvm]
iwlagn_mac_set_key+0x1e4/0x280 [iwldvm]
drv_set_key+0xa4/0x1b0 [mac80211]
ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211]
ieee80211_key_replace+0x22d/0x8e0 [mac80211]
<snip>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5 , < 76b5ea43ad2fb4f726ddfaff839430a706e7d7c2
(git)
Affected: 5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5 , < 3ed3c1c2fc3482b72e755820261779cd2e2c5a3e (git) Affected: 5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5 , < fa57021262e998e2229d6383b1081638df2fe238 (git) Affected: 5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5 , < 91ad1ab3cc7e981cb6d6ee100686baed64e1277e (git) Affected: 5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5 , < 87940e4030e4705e1f3fd2bbb1854eae8308314b (git) Affected: 5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5 , < 57189c885149825be8eb8c3524b5af017fdeb941 (git) Affected: 5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5 , < 6cd644f66b43709816561d63e0173cb0c7aab159 (git) Affected: 5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5 , < ef16799640865f937719f0771c93be5dca18adc6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/dvm/sta.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "76b5ea43ad2fb4f726ddfaff839430a706e7d7c2",
"status": "affected",
"version": "5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5",
"versionType": "git"
},
{
"lessThan": "3ed3c1c2fc3482b72e755820261779cd2e2c5a3e",
"status": "affected",
"version": "5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5",
"versionType": "git"
},
{
"lessThan": "fa57021262e998e2229d6383b1081638df2fe238",
"status": "affected",
"version": "5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5",
"versionType": "git"
},
{
"lessThan": "91ad1ab3cc7e981cb6d6ee100686baed64e1277e",
"status": "affected",
"version": "5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5",
"versionType": "git"
},
{
"lessThan": "87940e4030e4705e1f3fd2bbb1854eae8308314b",
"status": "affected",
"version": "5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5",
"versionType": "git"
},
{
"lessThan": "57189c885149825be8eb8c3524b5af017fdeb941",
"status": "affected",
"version": "5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5",
"versionType": "git"
},
{
"lessThan": "6cd644f66b43709816561d63e0173cb0c7aab159",
"status": "affected",
"version": "5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5",
"versionType": "git"
},
{
"lessThan": "ef16799640865f937719f0771c93be5dca18adc6",
"status": "affected",
"version": "5a3d9882b84edf5fa8e8ca33a5d6df25e2e727a5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/dvm/sta.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace\n\nA received TKIP key may be up to 32 bytes because it may contain\nMIC rx/tx keys too. These are not used by iwl and copying these\nover overflows the iwl_keyinfo.key field.\n\nAdd a check to not copy more data to iwl_keyinfo.key then will fit.\n\nThis fixes backtraces like this one:\n\n memcpy: detected field-spanning write (size 32) of single field \"sta_cmd.key.key\" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16)\n WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm]\n \u003csnip\u003e\n Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017\n RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm]\n \u003csnip\u003e\n Call Trace:\n \u003cTASK\u003e\n iwl_set_dynamic_key+0x1f0/0x220 [iwldvm]\n iwlagn_mac_set_key+0x1e4/0x280 [iwldvm]\n drv_set_key+0xa4/0x1b0 [mac80211]\n ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211]\n ieee80211_key_replace+0x22d/0x8e0 [mac80211]\n \u003csnip\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:18.665Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/76b5ea43ad2fb4f726ddfaff839430a706e7d7c2"
},
{
"url": "https://git.kernel.org/stable/c/3ed3c1c2fc3482b72e755820261779cd2e2c5a3e"
},
{
"url": "https://git.kernel.org/stable/c/fa57021262e998e2229d6383b1081638df2fe238"
},
{
"url": "https://git.kernel.org/stable/c/91ad1ab3cc7e981cb6d6ee100686baed64e1277e"
},
{
"url": "https://git.kernel.org/stable/c/87940e4030e4705e1f3fd2bbb1854eae8308314b"
},
{
"url": "https://git.kernel.org/stable/c/57189c885149825be8eb8c3524b5af017fdeb941"
},
{
"url": "https://git.kernel.org/stable/c/6cd644f66b43709816561d63e0173cb0c7aab159"
},
{
"url": "https://git.kernel.org/stable/c/ef16799640865f937719f0771c93be5dca18adc6"
}
],
"title": "wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54286",
"datePublished": "2025-12-30T12:23:26.421Z",
"dateReserved": "2025-12-30T12:06:44.526Z",
"dateUpdated": "2026-01-05T11:37:18.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68328 (GCVE-0-2025-68328)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:14
VLAI?
EPSS
Title
firmware: stratix10-svc: fix bug in saving controller data
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: stratix10-svc: fix bug in saving controller data
Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They
both are of the same data and overrides each other. This resulted in the
rmmod of the svc driver to fail and throw a kernel panic for kthread_stop
and fifo free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 9d0a330abd9e49bcebf6307aac185081bde49a43
(git)
Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 354fb03002da0970d337f0d3edbeb46cc4fa6f41 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < b359df793f609b1efce31dadfe6883ec73852619 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 71796c91ee8e33faf4434a9e210b5063c28ea907 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 60ab1851614e6007344042b66da6e31d1cc26cb3 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < bd226fa02ed6db6fce0fae010802f0950fd14fb9 (git) Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/stratix10-svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d0a330abd9e49bcebf6307aac185081bde49a43",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "354fb03002da0970d337f0d3edbeb46cc4fa6f41",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "b359df793f609b1efce31dadfe6883ec73852619",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "71796c91ee8e33faf4434a9e210b5063c28ea907",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "60ab1851614e6007344042b66da6e31d1cc26cb3",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "bd226fa02ed6db6fce0fae010802f0950fd14fb9",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
},
{
"lessThan": "d0fcf70c680e4d1669fcb3a8632f41400b9a73c2",
"status": "affected",
"version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/stratix10-svc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-svc: fix bug in saving controller data\n\nFix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They\nboth are of the same data and overrides each other. This resulted in the\nrmmod of the svc driver to fail and throw a kernel panic for kthread_stop\nand fifo free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:00.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d0a330abd9e49bcebf6307aac185081bde49a43"
},
{
"url": "https://git.kernel.org/stable/c/354fb03002da0970d337f0d3edbeb46cc4fa6f41"
},
{
"url": "https://git.kernel.org/stable/c/b359df793f609b1efce31dadfe6883ec73852619"
},
{
"url": "https://git.kernel.org/stable/c/71796c91ee8e33faf4434a9e210b5063c28ea907"
},
{
"url": "https://git.kernel.org/stable/c/60ab1851614e6007344042b66da6e31d1cc26cb3"
},
{
"url": "https://git.kernel.org/stable/c/bd226fa02ed6db6fce0fae010802f0950fd14fb9"
},
{
"url": "https://git.kernel.org/stable/c/d0fcf70c680e4d1669fcb3a8632f41400b9a73c2"
}
],
"title": "firmware: stratix10-svc: fix bug in saving controller data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68328",
"datePublished": "2025-12-22T16:12:22.218Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:14:00.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50621 (GCVE-0-2022-50621)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16
VLAI?
EPSS
Title
dm: verity-loadpin: Only trust verity targets with enforcement
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: verity-loadpin: Only trust verity targets with enforcement
Verity targets can be configured to ignore corrupted data blocks.
LoadPin must only trust verity targets that are configured to
perform some kind of enforcement when data corruption is detected,
like returning an error, restarting the system or triggering a
panic.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-verity-loadpin.c",
"drivers/md/dm-verity-target.c",
"drivers/md/dm-verity.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb1f5b76e39d86c98722696bdf632987aa777b83",
"status": "affected",
"version": "b6c1c5745ccc68ac5d57c7ffb51ea25a86d0e97b",
"versionType": "git"
},
{
"lessThan": "916ef6232cc4b84db7082b4c3d3cf1753d9462ba",
"status": "affected",
"version": "b6c1c5745ccc68ac5d57c7ffb51ea25a86d0e97b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-verity-loadpin.c",
"drivers/md/dm-verity-target.c",
"drivers/md/dm-verity.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: verity-loadpin: Only trust verity targets with enforcement\n\nVerity targets can be configured to ignore corrupted data blocks.\nLoadPin must only trust verity targets that are configured to\nperform some kind of enforcement when data corruption is detected,\nlike returning an error, restarting the system or triggering a\npanic."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:16:34.861Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb1f5b76e39d86c98722696bdf632987aa777b83"
},
{
"url": "https://git.kernel.org/stable/c/916ef6232cc4b84db7082b4c3d3cf1753d9462ba"
}
],
"title": "dm: verity-loadpin: Only trust verity targets with enforcement",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50621",
"datePublished": "2025-12-08T01:16:34.861Z",
"dateReserved": "2025-12-08T01:14:55.189Z",
"dateUpdated": "2025-12-08T01:16:34.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53811 (GCVE-0-2023-53811)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
VLAI?
EPSS
Title
RDMA/irdma: Cap MSIX used to online CPUs + 1
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Cap MSIX used to online CPUs + 1
The irdma driver can use a maximum number of msix vectors equal
to num_online_cpus() + 1 and the kernel warning stack below is shown
if that number is exceeded.
The kernel throws a warning as the driver tries to update the affinity
hint with a CPU mask greater than the max CPU IDs. Fix this by capping
the MSIX vectors to num_online_cpus() + 1.
WARNING: CPU: 7 PID: 23655 at include/linux/cpumask.h:106 irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma]
RIP: 0010:irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma]
Call Trace:
irdma_rt_init_hw+0xa62/0x1290 [irdma]
? irdma_alloc_local_mac_entry+0x1a0/0x1a0 [irdma]
? __is_kernel_percpu_address+0x63/0x310
? rcu_read_lock_held_common+0xe/0xb0
? irdma_lan_unregister_qset+0x280/0x280 [irdma]
? irdma_request_reset+0x80/0x80 [irdma]
? ice_get_qos_params+0x84/0x390 [ice]
irdma_probe+0xa40/0xfc0 [irdma]
? rcu_read_lock_bh_held+0xd0/0xd0
? irdma_remove+0x140/0x140 [irdma]
? rcu_read_lock_sched_held+0x62/0xe0
? down_write+0x187/0x3d0
? auxiliary_match_id+0xf0/0x1a0
? irdma_remove+0x140/0x140 [irdma]
auxiliary_bus_probe+0xa6/0x100
__driver_probe_device+0x4a4/0xd50
? __device_attach_driver+0x2c0/0x2c0
driver_probe_device+0x4a/0x110
__driver_attach+0x1aa/0x350
bus_for_each_dev+0x11d/0x1b0
? subsys_dev_iter_init+0xe0/0xe0
bus_add_driver+0x3b1/0x610
driver_register+0x18e/0x410
? 0xffffffffc0b88000
irdma_init_module+0x50/0xaa [irdma]
do_one_initcall+0x103/0x5f0
? perf_trace_initcall_level+0x420/0x420
? do_init_module+0x4e/0x700
? __kasan_kmalloc+0x7d/0xa0
? kmem_cache_alloc_trace+0x188/0x2b0
? kasan_unpoison+0x21/0x50
do_init_module+0x1d1/0x700
load_module+0x3867/0x5260
? layout_and_allocate+0x3990/0x3990
? rcu_read_lock_held_common+0xe/0xb0
? rcu_read_lock_sched_held+0x62/0xe0
? rcu_read_lock_bh_held+0xd0/0xd0
? __vmalloc_node_range+0x46b/0x890
? lock_release+0x5c8/0xba0
? alloc_vm_area+0x120/0x120
? selinux_kernel_module_from_file+0x2a5/0x300
? __inode_security_revalidate+0xf0/0xf0
? __do_sys_init_module+0x1db/0x260
__do_sys_init_module+0x1db/0x260
? load_module+0x5260/0x5260
? do_syscall_64+0x22/0x450
do_syscall_64+0xa5/0x450
entry_SYSCALL_64_after_hwframe+0x66/0xdb
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
44d9e52977a1b90b0db1c7f8b197c218e9226520 , < 87674a359ad173a3b8cd484e92e4f1901666da4c
(git)
Affected: 44d9e52977a1b90b0db1c7f8b197c218e9226520 , < b3bd44bf20cb3a6a47aa4373e1817147efb4be04 (git) Affected: 44d9e52977a1b90b0db1c7f8b197c218e9226520 , < 209e4aa9a7b636d8aaa1297e1d089ee2ed91d73f (git) Affected: 44d9e52977a1b90b0db1c7f8b197c218e9226520 , < 9cd9842c46996ef62173c36619c746f57416bcb0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87674a359ad173a3b8cd484e92e4f1901666da4c",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
},
{
"lessThan": "b3bd44bf20cb3a6a47aa4373e1817147efb4be04",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
},
{
"lessThan": "209e4aa9a7b636d8aaa1297e1d089ee2ed91d73f",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
},
{
"lessThan": "9cd9842c46996ef62173c36619c746f57416bcb0",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Cap MSIX used to online CPUs + 1\n\nThe irdma driver can use a maximum number of msix vectors equal\nto num_online_cpus() + 1 and the kernel warning stack below is shown\nif that number is exceeded.\n\nThe kernel throws a warning as the driver tries to update the affinity\nhint with a CPU mask greater than the max CPU IDs. Fix this by capping\nthe MSIX vectors to num_online_cpus() + 1.\n\n WARNING: CPU: 7 PID: 23655 at include/linux/cpumask.h:106 irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma]\n RIP: 0010:irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma]\n Call Trace:\n irdma_rt_init_hw+0xa62/0x1290 [irdma]\n ? irdma_alloc_local_mac_entry+0x1a0/0x1a0 [irdma]\n ? __is_kernel_percpu_address+0x63/0x310\n ? rcu_read_lock_held_common+0xe/0xb0\n ? irdma_lan_unregister_qset+0x280/0x280 [irdma]\n ? irdma_request_reset+0x80/0x80 [irdma]\n ? ice_get_qos_params+0x84/0x390 [ice]\n irdma_probe+0xa40/0xfc0 [irdma]\n ? rcu_read_lock_bh_held+0xd0/0xd0\n ? irdma_remove+0x140/0x140 [irdma]\n ? rcu_read_lock_sched_held+0x62/0xe0\n ? down_write+0x187/0x3d0\n ? auxiliary_match_id+0xf0/0x1a0\n ? irdma_remove+0x140/0x140 [irdma]\n auxiliary_bus_probe+0xa6/0x100\n __driver_probe_device+0x4a4/0xd50\n ? __device_attach_driver+0x2c0/0x2c0\n driver_probe_device+0x4a/0x110\n __driver_attach+0x1aa/0x350\n bus_for_each_dev+0x11d/0x1b0\n ? subsys_dev_iter_init+0xe0/0xe0\n bus_add_driver+0x3b1/0x610\n driver_register+0x18e/0x410\n ? 0xffffffffc0b88000\n irdma_init_module+0x50/0xaa [irdma]\n do_one_initcall+0x103/0x5f0\n ? perf_trace_initcall_level+0x420/0x420\n ? do_init_module+0x4e/0x700\n ? __kasan_kmalloc+0x7d/0xa0\n ? kmem_cache_alloc_trace+0x188/0x2b0\n ? kasan_unpoison+0x21/0x50\n do_init_module+0x1d1/0x700\n load_module+0x3867/0x5260\n ? layout_and_allocate+0x3990/0x3990\n ? rcu_read_lock_held_common+0xe/0xb0\n ? rcu_read_lock_sched_held+0x62/0xe0\n ? rcu_read_lock_bh_held+0xd0/0xd0\n ? __vmalloc_node_range+0x46b/0x890\n ? lock_release+0x5c8/0xba0\n ? alloc_vm_area+0x120/0x120\n ? selinux_kernel_module_from_file+0x2a5/0x300\n ? __inode_security_revalidate+0xf0/0xf0\n ? __do_sys_init_module+0x1db/0x260\n __do_sys_init_module+0x1db/0x260\n ? load_module+0x5260/0x5260\n ? do_syscall_64+0x22/0x450\n do_syscall_64+0xa5/0x450\n entry_SYSCALL_64_after_hwframe+0x66/0xdb"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:09.005Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87674a359ad173a3b8cd484e92e4f1901666da4c"
},
{
"url": "https://git.kernel.org/stable/c/b3bd44bf20cb3a6a47aa4373e1817147efb4be04"
},
{
"url": "https://git.kernel.org/stable/c/209e4aa9a7b636d8aaa1297e1d089ee2ed91d73f"
},
{
"url": "https://git.kernel.org/stable/c/9cd9842c46996ef62173c36619c746f57416bcb0"
}
],
"title": "RDMA/irdma: Cap MSIX used to online CPUs + 1",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53811",
"datePublished": "2025-12-09T00:01:09.005Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:09.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68742 (GCVE-0-2025-68742)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
bpf: Fix invalid prog->stats access when update_effective_progs fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix invalid prog->stats access when update_effective_progs fails
Syzkaller triggers an invalid memory access issue following fault
injection in update_effective_progs. The issue can be described as
follows:
__cgroup_bpf_detach
update_effective_progs
compute_effective_progs
bpf_prog_array_alloc <-- fault inject
purge_effective_progs
/* change to dummy_bpf_prog */
array->items[index] = &dummy_bpf_prog.prog
---softirq start---
__do_softirq
...
__cgroup_bpf_run_filter_skb
__bpf_prog_run_save_cb
bpf_prog_run
stats = this_cpu_ptr(prog->stats)
/* invalid memory access */
flags = u64_stats_update_begin_irqsave(&stats->syncp)
---softirq end---
static_branch_dec(&cgroup_bpf_enabled_key[atype])
The reason is that fault injection caused update_effective_progs to fail
and then changed the original prog into dummy_bpf_prog.prog in
purge_effective_progs. Then a softirq came, and accessing the members of
dummy_bpf_prog.prog in the softirq triggers invalid mem access.
To fix it, skip updating stats when stats is NULL.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 93d1964773ff513c9bd530f7686d3e48b786fa6b
(git)
Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < bf2c990b012100610c0f1ec5c4ea434da2d080c2 (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 539137e3038ce6f953efd72110110f03c14c7d97 (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 56905bb70c8b88421709bb4e32fcba617aa37d41 (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 2579c356ccd35d06238b176e4b460978186d804b (git) Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 7dc211c1159d991db609bdf4b0fb9033c04adcbc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93d1964773ff513c9bd530f7686d3e48b786fa6b",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "bf2c990b012100610c0f1ec5c4ea434da2d080c2",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "539137e3038ce6f953efd72110110f03c14c7d97",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "56905bb70c8b88421709bb4e32fcba617aa37d41",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "2579c356ccd35d06238b176e4b460978186d804b",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
},
{
"lessThan": "7dc211c1159d991db609bdf4b0fb9033c04adcbc",
"status": "affected",
"version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/filter.h",
"kernel/bpf/syscall.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix invalid prog-\u003estats access when update_effective_progs fails\n\nSyzkaller triggers an invalid memory access issue following fault\ninjection in update_effective_progs. The issue can be described as\nfollows:\n\n__cgroup_bpf_detach\n update_effective_progs\n compute_effective_progs\n bpf_prog_array_alloc \u003c-- fault inject\n purge_effective_progs\n /* change to dummy_bpf_prog */\n array-\u003eitems[index] = \u0026dummy_bpf_prog.prog\n\n---softirq start---\n__do_softirq\n ...\n __cgroup_bpf_run_filter_skb\n __bpf_prog_run_save_cb\n bpf_prog_run\n stats = this_cpu_ptr(prog-\u003estats)\n /* invalid memory access */\n flags = u64_stats_update_begin_irqsave(\u0026stats-\u003esyncp)\n---softirq end---\n\n static_branch_dec(\u0026cgroup_bpf_enabled_key[atype])\n\nThe reason is that fault injection caused update_effective_progs to fail\nand then changed the original prog into dummy_bpf_prog.prog in\npurge_effective_progs. Then a softirq came, and accessing the members of\ndummy_bpf_prog.prog in the softirq triggers invalid mem access.\n\nTo fix it, skip updating stats when stats is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:20.922Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93d1964773ff513c9bd530f7686d3e48b786fa6b"
},
{
"url": "https://git.kernel.org/stable/c/bf2c990b012100610c0f1ec5c4ea434da2d080c2"
},
{
"url": "https://git.kernel.org/stable/c/539137e3038ce6f953efd72110110f03c14c7d97"
},
{
"url": "https://git.kernel.org/stable/c/56905bb70c8b88421709bb4e32fcba617aa37d41"
},
{
"url": "https://git.kernel.org/stable/c/2579c356ccd35d06238b176e4b460978186d804b"
},
{
"url": "https://git.kernel.org/stable/c/7dc211c1159d991db609bdf4b0fb9033c04adcbc"
}
],
"title": "bpf: Fix invalid prog-\u003estats access when update_effective_progs fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68742",
"datePublished": "2025-12-24T12:09:39.341Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-01-11T16:30:20.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53830 (GCVE-0-2023-53830)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
platform/x86: think-lmi: Fix memory leak when showing current settings
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: think-lmi: Fix memory leak when showing current settings
When retriving a item string with tlmi_setting(), the result has to be
freed using kfree(). In current_value_show() however, malformed
item strings are not freed, causing a memory leak.
Fix this by eliminating the early return responsible for this.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0fdf10e5fc964c315cf131a2eaab9cc531a9f40f , < b9396d991abe8d1ac31a043274ab20b49f92c2e6
(git)
Affected: 0fdf10e5fc964c315cf131a2eaab9cc531a9f40f , < 9071525bfcb1f5674117dbed3eca0cd7b122813b (git) Affected: 0fdf10e5fc964c315cf131a2eaab9cc531a9f40f , < 5f99014c19fa50a5719c0bb78143282632675893 (git) Affected: 0fdf10e5fc964c315cf131a2eaab9cc531a9f40f , < a3c4c053014585dcf20f4df954791b74d8a8afcd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/think-lmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9396d991abe8d1ac31a043274ab20b49f92c2e6",
"status": "affected",
"version": "0fdf10e5fc964c315cf131a2eaab9cc531a9f40f",
"versionType": "git"
},
{
"lessThan": "9071525bfcb1f5674117dbed3eca0cd7b122813b",
"status": "affected",
"version": "0fdf10e5fc964c315cf131a2eaab9cc531a9f40f",
"versionType": "git"
},
{
"lessThan": "5f99014c19fa50a5719c0bb78143282632675893",
"status": "affected",
"version": "0fdf10e5fc964c315cf131a2eaab9cc531a9f40f",
"versionType": "git"
},
{
"lessThan": "a3c4c053014585dcf20f4df954791b74d8a8afcd",
"status": "affected",
"version": "0fdf10e5fc964c315cf131a2eaab9cc531a9f40f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/think-lmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix memory leak when showing current settings\n\nWhen retriving a item string with tlmi_setting(), the result has to be\nfreed using kfree(). In current_value_show() however, malformed\nitem strings are not freed, causing a memory leak.\nFix this by eliminating the early return responsible for this."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:44.966Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9396d991abe8d1ac31a043274ab20b49f92c2e6"
},
{
"url": "https://git.kernel.org/stable/c/9071525bfcb1f5674117dbed3eca0cd7b122813b"
},
{
"url": "https://git.kernel.org/stable/c/5f99014c19fa50a5719c0bb78143282632675893"
},
{
"url": "https://git.kernel.org/stable/c/a3c4c053014585dcf20f4df954791b74d8a8afcd"
}
],
"title": "platform/x86: think-lmi: Fix memory leak when showing current settings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53830",
"datePublished": "2025-12-09T01:29:44.966Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:44.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54324 (GCVE-0-2023-54324)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
dm: fix a race condition in retrieve_deps
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix a race condition in retrieve_deps
There's a race condition in the multipath target when retrieve_deps
races with multipath_message calling dm_get_device and dm_put_device.
retrieve_deps walks the list of open devices without holding any lock
but multipath may add or remove devices to the list while it is
running. The end result may be memory corruption or use-after-free
memory access.
See this description of a UAF with multipath_message():
https://listman.redhat.com/archives/dm-devel/2022-October/052373.html
Fix this bug by introducing a new rw semaphore "devices_lock". We grab
devices_lock for read in retrieve_deps and we grab it for write in
dm_get_device and dm_put_device.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dbf1a719850577bb51fc7512a3972994b797a17b
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 38f6e5ae5d9ff4a4050ea6f7b543d5d5a4e087cf (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f6007dce0cd35d634d9be91ef3515a6385dcee16 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-core.h",
"drivers/md/dm-ioctl.c",
"drivers/md/dm-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbf1a719850577bb51fc7512a3972994b797a17b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "38f6e5ae5d9ff4a4050ea6f7b543d5d5a4e087cf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f6007dce0cd35d634d9be91ef3515a6385dcee16",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-core.h",
"drivers/md/dm-ioctl.c",
"drivers/md/dm-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.56",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix a race condition in retrieve_deps\n\nThere\u0027s a race condition in the multipath target when retrieve_deps\nraces with multipath_message calling dm_get_device and dm_put_device.\nretrieve_deps walks the list of open devices without holding any lock\nbut multipath may add or remove devices to the list while it is\nrunning. The end result may be memory corruption or use-after-free\nmemory access.\n\nSee this description of a UAF with multipath_message():\nhttps://listman.redhat.com/archives/dm-devel/2022-October/052373.html\n\nFix this bug by introducing a new rw semaphore \"devices_lock\". We grab\ndevices_lock for read in retrieve_deps and we grab it for write in\ndm_get_device and dm_put_device."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:27.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbf1a719850577bb51fc7512a3972994b797a17b"
},
{
"url": "https://git.kernel.org/stable/c/38f6e5ae5d9ff4a4050ea6f7b543d5d5a4e087cf"
},
{
"url": "https://git.kernel.org/stable/c/f6007dce0cd35d634d9be91ef3515a6385dcee16"
}
],
"title": "dm: fix a race condition in retrieve_deps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54324",
"datePublished": "2025-12-30T12:37:08.337Z",
"dateReserved": "2025-12-30T12:35:56.209Z",
"dateUpdated": "2026-01-05T11:37:27.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40024 (GCVE-0-2025-40024)
Vulnerability from cvelistv5 – Published: 2025-10-24 12:24 – Updated: 2025-10-24 12:24
VLAI?
EPSS
Title
vhost: Take a reference on the task in struct vhost_task.
Summary
In the Linux kernel, the following vulnerability has been resolved:
vhost: Take a reference on the task in struct vhost_task.
vhost_task_create() creates a task and keeps a reference to its
task_struct. That task may exit early via a signal and its task_struct
will be released.
A pending vhost_task_wake() will then attempt to wake the task and
access a task_struct which is no longer there.
Acquire a reference on the task_struct while creating the thread and
release the reference while the struct vhost_task itself is removed.
If the task exits early due to a signal, then the vhost_task_wake() will
still access a valid task_struct. The wake is safe and will be skipped
in this case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f9010dbdce911ee1f1af1398a24b1f9f992e0080 , < 82a1463c968b1a6ae598a4f2fcef17b71bb7d3a0
(git)
Affected: f9010dbdce911ee1f1af1398a24b1f9f992e0080 , < d2be773a92874a070215b51b730cb2b1eaa8fae2 (git) Affected: f9010dbdce911ee1f1af1398a24b1f9f992e0080 , < 7ce635b3d3aba43296b62b5a2d97c008bc51cbd2 (git) Affected: f9010dbdce911ee1f1af1398a24b1f9f992e0080 , < afe16653e05db07d658b55245c7a2e0603f136c0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/vhost_task.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82a1463c968b1a6ae598a4f2fcef17b71bb7d3a0",
"status": "affected",
"version": "f9010dbdce911ee1f1af1398a24b1f9f992e0080",
"versionType": "git"
},
{
"lessThan": "d2be773a92874a070215b51b730cb2b1eaa8fae2",
"status": "affected",
"version": "f9010dbdce911ee1f1af1398a24b1f9f992e0080",
"versionType": "git"
},
{
"lessThan": "7ce635b3d3aba43296b62b5a2d97c008bc51cbd2",
"status": "affected",
"version": "f9010dbdce911ee1f1af1398a24b1f9f992e0080",
"versionType": "git"
},
{
"lessThan": "afe16653e05db07d658b55245c7a2e0603f136c0",
"status": "affected",
"version": "f9010dbdce911ee1f1af1398a24b1f9f992e0080",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/vhost_task.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost: Take a reference on the task in struct vhost_task.\n\nvhost_task_create() creates a task and keeps a reference to its\ntask_struct. That task may exit early via a signal and its task_struct\nwill be released.\nA pending vhost_task_wake() will then attempt to wake the task and\naccess a task_struct which is no longer there.\n\nAcquire a reference on the task_struct while creating the thread and\nrelease the reference while the struct vhost_task itself is removed.\nIf the task exits early due to a signal, then the vhost_task_wake() will\nstill access a valid task_struct. The wake is safe and will be skipped\nin this case."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T12:24:59.199Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82a1463c968b1a6ae598a4f2fcef17b71bb7d3a0"
},
{
"url": "https://git.kernel.org/stable/c/d2be773a92874a070215b51b730cb2b1eaa8fae2"
},
{
"url": "https://git.kernel.org/stable/c/7ce635b3d3aba43296b62b5a2d97c008bc51cbd2"
},
{
"url": "https://git.kernel.org/stable/c/afe16653e05db07d658b55245c7a2e0603f136c0"
}
],
"title": "vhost: Take a reference on the task in struct vhost_task.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40024",
"datePublished": "2025-10-24T12:24:59.199Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-10-24T12:24:59.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-54168 (GCVE-0-2023-54168)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()
The ucmd->log_sq_bb_count variable is controlled by the user so this
shift can wrap. Fix it by using check_shl_overflow() in the same way
that it was done in commit 515f60004ed9 ("RDMA/hns: Prevent undefined
behavior in hns_roce_set_user_sq_size()").
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
839041329fd3410e07d614f81e75bb43367d8f89 , < 3d5ae269c4bd392ec1edbfb3bd031b8f42d7feff
(git)
Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < 8feca625900777e02a449e53fe4121339934c38a (git) Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < 9ad3221c86cc9c6305594b742d4a72dfbd4ea579 (git) Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < 9911be2155720221a4f1f722b22bd0e2388d8bcf (git) Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < 3ce0df3493277b9df275cb8455d9c677ae701230 (git) Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < 196a6df08b08699ace4ce70e1efcdd9081b6565f (git) Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < a183905869e692b6b7805b7472235585eff8e429 (git) Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < d50b3c73f1ac20dabc53dc6e9d64ce9c79a331eb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx4/qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d5ae269c4bd392ec1edbfb3bd031b8f42d7feff",
"status": "affected",
"version": "839041329fd3410e07d614f81e75bb43367d8f89",
"versionType": "git"
},
{
"lessThan": "8feca625900777e02a449e53fe4121339934c38a",
"status": "affected",
"version": "839041329fd3410e07d614f81e75bb43367d8f89",
"versionType": "git"
},
{
"lessThan": "9ad3221c86cc9c6305594b742d4a72dfbd4ea579",
"status": "affected",
"version": "839041329fd3410e07d614f81e75bb43367d8f89",
"versionType": "git"
},
{
"lessThan": "9911be2155720221a4f1f722b22bd0e2388d8bcf",
"status": "affected",
"version": "839041329fd3410e07d614f81e75bb43367d8f89",
"versionType": "git"
},
{
"lessThan": "3ce0df3493277b9df275cb8455d9c677ae701230",
"status": "affected",
"version": "839041329fd3410e07d614f81e75bb43367d8f89",
"versionType": "git"
},
{
"lessThan": "196a6df08b08699ace4ce70e1efcdd9081b6565f",
"status": "affected",
"version": "839041329fd3410e07d614f81e75bb43367d8f89",
"versionType": "git"
},
{
"lessThan": "a183905869e692b6b7805b7472235585eff8e429",
"status": "affected",
"version": "839041329fd3410e07d614f81e75bb43367d8f89",
"versionType": "git"
},
{
"lessThan": "d50b3c73f1ac20dabc53dc6e9d64ce9c79a331eb",
"status": "affected",
"version": "839041329fd3410e07d614f81e75bb43367d8f89",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx4/qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx4: Prevent shift wrapping in set_user_sq_size()\n\nThe ucmd-\u003elog_sq_bb_count variable is controlled by the user so this\nshift can wrap. Fix it by using check_shl_overflow() in the same way\nthat it was done in commit 515f60004ed9 (\"RDMA/hns: Prevent undefined\nbehavior in hns_roce_set_user_sq_size()\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:43.394Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d5ae269c4bd392ec1edbfb3bd031b8f42d7feff"
},
{
"url": "https://git.kernel.org/stable/c/8feca625900777e02a449e53fe4121339934c38a"
},
{
"url": "https://git.kernel.org/stable/c/9ad3221c86cc9c6305594b742d4a72dfbd4ea579"
},
{
"url": "https://git.kernel.org/stable/c/9911be2155720221a4f1f722b22bd0e2388d8bcf"
},
{
"url": "https://git.kernel.org/stable/c/3ce0df3493277b9df275cb8455d9c677ae701230"
},
{
"url": "https://git.kernel.org/stable/c/196a6df08b08699ace4ce70e1efcdd9081b6565f"
},
{
"url": "https://git.kernel.org/stable/c/a183905869e692b6b7805b7472235585eff8e429"
},
{
"url": "https://git.kernel.org/stable/c/d50b3c73f1ac20dabc53dc6e9d64ce9c79a331eb"
}
],
"title": "RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54168",
"datePublished": "2025-12-30T12:08:43.394Z",
"dateReserved": "2025-12-30T12:06:44.495Z",
"dateUpdated": "2025-12-30T12:08:43.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68168 (GCVE-0-2025-68168)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
jfs: fix uninitialized waitqueue in transaction manager
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix uninitialized waitqueue in transaction manager
The transaction manager initialization in txInit() was not properly
initializing TxBlock[0].waitor waitqueue, causing a crash when
txEnd(0) is called on read-only filesystems.
When a filesystem is mounted read-only, txBegin() returns tid=0 to
indicate no transaction. However, txEnd(0) still gets called and
tries to access TxBlock[0].waitor via tid_to_tblock(0), but this
waitqueue was never initialized because the initialization loop
started at index 1 instead of 0.
This causes a 'non-static key' lockdep warning and system crash:
INFO: trying to register non-static key in txEnd
Fix by ensuring all transaction blocks including TxBlock[0] have
their waitqueues properly initialized during txInit().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2a8807f9f511c64de0c7cc9900a1683e3d72a3e5 , < d6af7fce2e162ac68e85d3a11eb6ac8c35b24b64
(git)
Affected: 5c094ca994824e038b6a97835ded4e5d1d808504 , < 8cae9cf23e0bd424ac904e753639a587543ce03a (git) Affected: 2febd5f81e4bfba61d9f374dcca628aff374cc56 , < a2aa97cde9857f881920635a2e3d3b11769619c5 (git) Affected: aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c , < d2dd7ca05a11685c314e62802a55e8d67a90e974 (git) Affected: 95e2b352c03b0a86c5717ba1d24ea20969abcacc , < 2a9575a372182ca075070b3cd77490dcf0c951e7 (git) Affected: 95e2b352c03b0a86c5717ba1d24ea20969abcacc , < cbf2f527ae4ca7c7dabce42e85e8deb58588a37e (git) Affected: 95e2b352c03b0a86c5717ba1d24ea20969abcacc , < 038861414ab383b41dd35abbf9ff0ef715592d53 (git) Affected: 95e2b352c03b0a86c5717ba1d24ea20969abcacc , < 300b072df72694ea330c4c673c035253e07827b8 (git) Affected: a88efca805bea93cea9187dfd00835aa7093bf1b (git) Affected: 97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7 (git) Affected: b0ed8ed0428ee96092da6fefa5cfacbe4abed701 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_txnmgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6af7fce2e162ac68e85d3a11eb6ac8c35b24b64",
"status": "affected",
"version": "2a8807f9f511c64de0c7cc9900a1683e3d72a3e5",
"versionType": "git"
},
{
"lessThan": "8cae9cf23e0bd424ac904e753639a587543ce03a",
"status": "affected",
"version": "5c094ca994824e038b6a97835ded4e5d1d808504",
"versionType": "git"
},
{
"lessThan": "a2aa97cde9857f881920635a2e3d3b11769619c5",
"status": "affected",
"version": "2febd5f81e4bfba61d9f374dcca628aff374cc56",
"versionType": "git"
},
{
"lessThan": "d2dd7ca05a11685c314e62802a55e8d67a90e974",
"status": "affected",
"version": "aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c",
"versionType": "git"
},
{
"lessThan": "2a9575a372182ca075070b3cd77490dcf0c951e7",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"lessThan": "cbf2f527ae4ca7c7dabce42e85e8deb58588a37e",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"lessThan": "038861414ab383b41dd35abbf9ff0ef715592d53",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"lessThan": "300b072df72694ea330c4c673c035253e07827b8",
"status": "affected",
"version": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"versionType": "git"
},
{
"status": "affected",
"version": "a88efca805bea93cea9187dfd00835aa7093bf1b",
"versionType": "git"
},
{
"status": "affected",
"version": "97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7",
"versionType": "git"
},
{
"status": "affected",
"version": "b0ed8ed0428ee96092da6fefa5cfacbe4abed701",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_txnmgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.255",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.123",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix uninitialized waitqueue in transaction manager\n\nThe transaction manager initialization in txInit() was not properly\ninitializing TxBlock[0].waitor waitqueue, causing a crash when\ntxEnd(0) is called on read-only filesystems.\n\nWhen a filesystem is mounted read-only, txBegin() returns tid=0 to\nindicate no transaction. However, txEnd(0) still gets called and\ntries to access TxBlock[0].waitor via tid_to_tblock(0), but this\nwaitqueue was never initialized because the initialization loop\nstarted at index 1 instead of 0.\n\nThis causes a \u0027non-static key\u0027 lockdep warning and system crash:\n INFO: trying to register non-static key in txEnd\n\nFix by ensuring all transaction blocks including TxBlock[0] have\ntheir waitqueues properly initialized during txInit()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:58.903Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6af7fce2e162ac68e85d3a11eb6ac8c35b24b64"
},
{
"url": "https://git.kernel.org/stable/c/8cae9cf23e0bd424ac904e753639a587543ce03a"
},
{
"url": "https://git.kernel.org/stable/c/a2aa97cde9857f881920635a2e3d3b11769619c5"
},
{
"url": "https://git.kernel.org/stable/c/d2dd7ca05a11685c314e62802a55e8d67a90e974"
},
{
"url": "https://git.kernel.org/stable/c/2a9575a372182ca075070b3cd77490dcf0c951e7"
},
{
"url": "https://git.kernel.org/stable/c/cbf2f527ae4ca7c7dabce42e85e8deb58588a37e"
},
{
"url": "https://git.kernel.org/stable/c/038861414ab383b41dd35abbf9ff0ef715592d53"
},
{
"url": "https://git.kernel.org/stable/c/300b072df72694ea330c4c673c035253e07827b8"
}
],
"title": "jfs: fix uninitialized waitqueue in transaction manager",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68168",
"datePublished": "2025-12-16T13:42:48.350Z",
"dateReserved": "2025-12-16T13:41:40.250Z",
"dateUpdated": "2026-01-02T15:33:58.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54255 (GCVE-0-2023-54255)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
sh: dma: Fix DMA channel offset calculation
Summary
In the Linux kernel, the following vulnerability has been resolved:
sh: dma: Fix DMA channel offset calculation
Various SoCs of the SH3, SH4 and SH4A family, which use this driver,
feature a differing number of DMA channels, which can be distributed
between up to two DMAC modules. The existing implementation fails to
correctly accommodate for all those variations, resulting in wrong
channel offset calculations and leading to kernel panics.
Rewrite dma_base_addr() in order to properly calculate channel offsets
in a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that
the correct DMAC module base is selected for the DMAOR register.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7f47c7189b3e8f19a589f77a3ad169d7b691b582 , < bca700b48c72f4ffeee977a2ed0eb4a6b4b7b8ad
(git)
Affected: 7f47c7189b3e8f19a589f77a3ad169d7b691b582 , < 479380acfa63247b5ac62476138f847aefc62692 (git) Affected: 7f47c7189b3e8f19a589f77a3ad169d7b691b582 , < 4989627157735c1f1619f08e5bc1592418e7c878 (git) Affected: 7f47c7189b3e8f19a589f77a3ad169d7b691b582 , < d1c946552af299f4fa85bf7da15e328123771128 (git) Affected: 7f47c7189b3e8f19a589f77a3ad169d7b691b582 , < 196f6c71905aa384c0177acf194a1144d480333b (git) Affected: 7f47c7189b3e8f19a589f77a3ad169d7b691b582 , < 8fb11fa4805699c6b73a9c8a9d45807f9874abe3 (git) Affected: 7f47c7189b3e8f19a589f77a3ad169d7b691b582 , < e9e33faea104381bac80ac79328f0540fc2969f2 (git) Affected: 7f47c7189b3e8f19a589f77a3ad169d7b691b582 , < e82e47584847129a20b8c9f4a1dcde09374fb0e0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/sh/drivers/dma/dma-sh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bca700b48c72f4ffeee977a2ed0eb4a6b4b7b8ad",
"status": "affected",
"version": "7f47c7189b3e8f19a589f77a3ad169d7b691b582",
"versionType": "git"
},
{
"lessThan": "479380acfa63247b5ac62476138f847aefc62692",
"status": "affected",
"version": "7f47c7189b3e8f19a589f77a3ad169d7b691b582",
"versionType": "git"
},
{
"lessThan": "4989627157735c1f1619f08e5bc1592418e7c878",
"status": "affected",
"version": "7f47c7189b3e8f19a589f77a3ad169d7b691b582",
"versionType": "git"
},
{
"lessThan": "d1c946552af299f4fa85bf7da15e328123771128",
"status": "affected",
"version": "7f47c7189b3e8f19a589f77a3ad169d7b691b582",
"versionType": "git"
},
{
"lessThan": "196f6c71905aa384c0177acf194a1144d480333b",
"status": "affected",
"version": "7f47c7189b3e8f19a589f77a3ad169d7b691b582",
"versionType": "git"
},
{
"lessThan": "8fb11fa4805699c6b73a9c8a9d45807f9874abe3",
"status": "affected",
"version": "7f47c7189b3e8f19a589f77a3ad169d7b691b582",
"versionType": "git"
},
{
"lessThan": "e9e33faea104381bac80ac79328f0540fc2969f2",
"status": "affected",
"version": "7f47c7189b3e8f19a589f77a3ad169d7b691b582",
"versionType": "git"
},
{
"lessThan": "e82e47584847129a20b8c9f4a1dcde09374fb0e0",
"status": "affected",
"version": "7f47c7189b3e8f19a589f77a3ad169d7b691b582",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/sh/drivers/dma/dma-sh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: dma: Fix DMA channel offset calculation\n\nVarious SoCs of the SH3, SH4 and SH4A family, which use this driver,\nfeature a differing number of DMA channels, which can be distributed\nbetween up to two DMAC modules. The existing implementation fails to\ncorrectly accommodate for all those variations, resulting in wrong\nchannel offset calculations and leading to kernel panics.\n\nRewrite dma_base_addr() in order to properly calculate channel offsets\nin a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that\nthe correct DMAC module base is selected for the DMAOR register."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:50.822Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bca700b48c72f4ffeee977a2ed0eb4a6b4b7b8ad"
},
{
"url": "https://git.kernel.org/stable/c/479380acfa63247b5ac62476138f847aefc62692"
},
{
"url": "https://git.kernel.org/stable/c/4989627157735c1f1619f08e5bc1592418e7c878"
},
{
"url": "https://git.kernel.org/stable/c/d1c946552af299f4fa85bf7da15e328123771128"
},
{
"url": "https://git.kernel.org/stable/c/196f6c71905aa384c0177acf194a1144d480333b"
},
{
"url": "https://git.kernel.org/stable/c/8fb11fa4805699c6b73a9c8a9d45807f9874abe3"
},
{
"url": "https://git.kernel.org/stable/c/e9e33faea104381bac80ac79328f0540fc2969f2"
},
{
"url": "https://git.kernel.org/stable/c/e82e47584847129a20b8c9f4a1dcde09374fb0e0"
}
],
"title": "sh: dma: Fix DMA channel offset calculation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54255",
"datePublished": "2025-12-30T12:15:50.822Z",
"dateReserved": "2025-12-30T12:06:44.515Z",
"dateUpdated": "2025-12-30T12:15:50.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68204 (GCVE-0-2025-68204)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48
VLAI?
EPSS
Title
pmdomain: arm: scmi: Fix genpd leak on provider registration failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: arm: scmi: Fix genpd leak on provider registration failure
If of_genpd_add_provider_onecell() fails during probe, the previously
created generic power domains are not removed, leading to a memory leak
and potential kernel crash later in genpd_debug_add().
Add proper error handling to unwind the initialized domains before
returning from probe to ensure all resources are correctly released on
failure.
Example crash trace observed without this fix:
| Unable to handle kernel paging request at virtual address fffffffffffffc70
| CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT
| Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform
| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : genpd_debug_add+0x2c/0x160
| lr : genpd_debug_init+0x74/0x98
| Call trace:
| genpd_debug_add+0x2c/0x160 (P)
| genpd_debug_init+0x74/0x98
| do_one_initcall+0xd0/0x2d8
| do_initcall_level+0xa0/0x140
| do_initcalls+0x60/0xa8
| do_basic_setup+0x28/0x40
| kernel_init_freeable+0xe8/0x170
| kernel_init+0x2c/0x140
| ret_from_fork+0x10/0x20
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
898216c97ed2ebfffda659ce12388da43534de6c , < 18249a167ffd91b4b4fbd92afd4ddcbf3af81f35
(git)
Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < c6e11d320fd6cbaef6d589f2fcb45aa25a6b960a (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < 582f48d22eb5676fe7be3589b986ddd29f7bf4d1 (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < 7f569197f7ad09319af960bd7e43109de5c67c04 (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < ad120c08b89a81d41d091490bbe150343473b659 (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < 921b090841ae7a08b19ab14495bdf8636dc31e21 (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < 983e91da82ec3e331600108f9be3ea61236f5c75 (git) Affected: 898216c97ed2ebfffda659ce12388da43534de6c , < 7458f72cc28f9eb0de811effcb5376d0ec19094a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/arm/scmi_pm_domain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18249a167ffd91b4b4fbd92afd4ddcbf3af81f35",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "c6e11d320fd6cbaef6d589f2fcb45aa25a6b960a",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "582f48d22eb5676fe7be3589b986ddd29f7bf4d1",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "7f569197f7ad09319af960bd7e43109de5c67c04",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "ad120c08b89a81d41d091490bbe150343473b659",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "921b090841ae7a08b19ab14495bdf8636dc31e21",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "983e91da82ec3e331600108f9be3ea61236f5c75",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
},
{
"lessThan": "7458f72cc28f9eb0de811effcb5376d0ec19094a",
"status": "affected",
"version": "898216c97ed2ebfffda659ce12388da43534de6c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/arm/scmi_pm_domain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: arm: scmi: Fix genpd leak on provider registration failure\n\nIf of_genpd_add_provider_onecell() fails during probe, the previously\ncreated generic power domains are not removed, leading to a memory leak\nand potential kernel crash later in genpd_debug_add().\n\nAdd proper error handling to unwind the initialized domains before\nreturning from probe to ensure all resources are correctly released on\nfailure.\n\nExample crash trace observed without this fix:\n\n | Unable to handle kernel paging request at virtual address fffffffffffffc70\n | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT\n | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform\n | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n | pc : genpd_debug_add+0x2c/0x160\n | lr : genpd_debug_init+0x74/0x98\n | Call trace:\n | genpd_debug_add+0x2c/0x160 (P)\n | genpd_debug_init+0x74/0x98\n | do_one_initcall+0xd0/0x2d8\n | do_initcall_level+0xa0/0x140\n | do_initcalls+0x60/0xa8\n | do_basic_setup+0x28/0x40\n | kernel_init_freeable+0xe8/0x170\n | kernel_init+0x2c/0x140\n | ret_from_fork+0x10/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:48:31.850Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18249a167ffd91b4b4fbd92afd4ddcbf3af81f35"
},
{
"url": "https://git.kernel.org/stable/c/c6e11d320fd6cbaef6d589f2fcb45aa25a6b960a"
},
{
"url": "https://git.kernel.org/stable/c/582f48d22eb5676fe7be3589b986ddd29f7bf4d1"
},
{
"url": "https://git.kernel.org/stable/c/7f569197f7ad09319af960bd7e43109de5c67c04"
},
{
"url": "https://git.kernel.org/stable/c/ad120c08b89a81d41d091490bbe150343473b659"
},
{
"url": "https://git.kernel.org/stable/c/921b090841ae7a08b19ab14495bdf8636dc31e21"
},
{
"url": "https://git.kernel.org/stable/c/983e91da82ec3e331600108f9be3ea61236f5c75"
},
{
"url": "https://git.kernel.org/stable/c/7458f72cc28f9eb0de811effcb5376d0ec19094a"
}
],
"title": "pmdomain: arm: scmi: Fix genpd leak on provider registration failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68204",
"datePublished": "2025-12-16T13:48:31.850Z",
"dateReserved": "2025-12-16T13:41:40.255Z",
"dateUpdated": "2025-12-16T13:48:31.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68209 (GCVE-0-2025-68209)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48
VLAI?
EPSS
Title
mlx5: Fix default values in create CQ
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlx5: Fix default values in create CQ
Currently, CQs without a completion function are assigned the
mlx5_add_cq_to_tasklet function by default. This is problematic since
only user CQs created through the mlx5_ib driver are intended to use
this function.
Additionally, all CQs that will use doorbells instead of polling for
completions must call mlx5_cq_arm. However, the default CQ creation flow
leaves a valid value in the CQ's arm_db field, allowing FW to send
interrupts to polling-only CQs in certain corner cases.
These two factors would allow a polling-only kernel CQ to be triggered
by an EQ interrupt and call a completion function intended only for user
CQs, causing a null pointer exception.
Some areas in the driver have prevented this issue with one-off fixes
but did not address the root cause.
This patch fixes the described issue by adding defaults to the create CQ
flow. It adds a default dummy completion function to protect against
null pointer exceptions, and it sets an invalid command sequence number
by default in kernel CQs to prevent the FW from sending an interrupt to
the CQ until it is armed. User CQs are responsible for their own
initialization values.
Callers of mlx5_core_create_cq are responsible for changing the
completion function and arming the CQ per their needs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/cq.c",
"drivers/net/ethernet/mellanox/mlx5/core/cq.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c",
"drivers/net/ethernet/mellanox/mlx5/core/steering/hws/send.c",
"drivers/net/ethernet/mellanox/mlx5/core/steering/sws/dr_send.c",
"drivers/vdpa/mlx5/net/mlx5_vnet.c",
"include/linux/mlx5/cq.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08469f5393a1a39f26a6e2eb2e8c33187665c1f4",
"status": "affected",
"version": "cdd04f4d4d71cbf93d0d9abe63bc838f47c467fa",
"versionType": "git"
},
{
"lessThan": "e5eba42f01340f73888dfe560be2806057c25913",
"status": "affected",
"version": "cdd04f4d4d71cbf93d0d9abe63bc838f47c467fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/cq.c",
"drivers/net/ethernet/mellanox/mlx5/core/cq.c",
"drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
"drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c",
"drivers/net/ethernet/mellanox/mlx5/core/steering/hws/send.c",
"drivers/net/ethernet/mellanox/mlx5/core/steering/sws/dr_send.c",
"drivers/vdpa/mlx5/net/mlx5_vnet.c",
"include/linux/mlx5/cq.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlx5: Fix default values in create CQ\n\nCurrently, CQs without a completion function are assigned the\nmlx5_add_cq_to_tasklet function by default. This is problematic since\nonly user CQs created through the mlx5_ib driver are intended to use\nthis function.\n\nAdditionally, all CQs that will use doorbells instead of polling for\ncompletions must call mlx5_cq_arm. However, the default CQ creation flow\nleaves a valid value in the CQ\u0027s arm_db field, allowing FW to send\ninterrupts to polling-only CQs in certain corner cases.\n\nThese two factors would allow a polling-only kernel CQ to be triggered\nby an EQ interrupt and call a completion function intended only for user\nCQs, causing a null pointer exception.\n\nSome areas in the driver have prevented this issue with one-off fixes\nbut did not address the root cause.\n\nThis patch fixes the described issue by adding defaults to the create CQ\nflow. It adds a default dummy completion function to protect against\nnull pointer exceptions, and it sets an invalid command sequence number\nby default in kernel CQs to prevent the FW from sending an interrupt to\nthe CQ until it is armed. User CQs are responsible for their own\ninitialization values.\n\nCallers of mlx5_core_create_cq are responsible for changing the\ncompletion function and arming the CQ per their needs."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:48:36.098Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08469f5393a1a39f26a6e2eb2e8c33187665c1f4"
},
{
"url": "https://git.kernel.org/stable/c/e5eba42f01340f73888dfe560be2806057c25913"
}
],
"title": "mlx5: Fix default values in create CQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68209",
"datePublished": "2025-12-16T13:48:36.098Z",
"dateReserved": "2025-12-16T13:41:40.255Z",
"dateUpdated": "2025-12-16T13:48:36.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54154 (GCVE-0-2023-54154)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:07 – Updated: 2025-12-24 13:07
VLAI?
EPSS
Title
scsi: target: core: Fix target_cmd_counter leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: core: Fix target_cmd_counter leak
The target_cmd_counter struct allocated via target_alloc_cmd_counter() is
never freed, resulting in leaks across various transport types, e.g.:
unreferenced object 0xffff88801f920120 (size 96):
comm "sh", pid 102, jiffies 4294892535 (age 713.412s)
hex dump (first 32 bytes):
07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ........8.......
backtrace:
[<00000000e58a6252>] kmalloc_trace+0x11/0x20
[<0000000043af4b2f>] target_alloc_cmd_counter+0x17/0x90 [target_core_mod]
[<000000007da2dfa7>] target_setup_session+0x2d/0x140 [target_core_mod]
[<0000000068feef86>] tcm_loop_tpg_nexus_store+0x19b/0x350 [tcm_loop]
[<000000006a80e021>] configfs_write_iter+0xb1/0x120
[<00000000e9f4d860>] vfs_write+0x2e4/0x3c0
[<000000008143433b>] ksys_write+0x80/0xb0
[<00000000a7df29b2>] do_syscall_64+0x42/0x90
[<0000000053f45fb8>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Free the structure alongside the corresponding iscsit_conn / se_sess
parent.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
76b77646f17118f5babe93c032e6b7a53bbde3b9 , < 1cd41d1669bcbc5052afa897f85608a62ff3fb30
(git)
Affected: becd9be6069e7b183c084f460f0eb363e43cc487 , < f84639c5ac5f4f95b3992da1af4ff382ebf2e819 (git) Affected: becd9be6069e7b183c084f460f0eb363e43cc487 , < d14e3e553e05cb763964c991fe6acb0a6a1c6f9c (git) Affected: bc5ebf93ae23a928303b3643c6f4c4da2f769e7c (git) Affected: 1eaaf1b828cdaa58abccc68962d24005fd5e8852 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1cd41d1669bcbc5052afa897f85608a62ff3fb30",
"status": "affected",
"version": "76b77646f17118f5babe93c032e6b7a53bbde3b9",
"versionType": "git"
},
{
"lessThan": "f84639c5ac5f4f95b3992da1af4ff382ebf2e819",
"status": "affected",
"version": "becd9be6069e7b183c084f460f0eb363e43cc487",
"versionType": "git"
},
{
"lessThan": "d14e3e553e05cb763964c991fe6acb0a6a1c6f9c",
"status": "affected",
"version": "becd9be6069e7b183c084f460f0eb363e43cc487",
"versionType": "git"
},
{
"status": "affected",
"version": "bc5ebf93ae23a928303b3643c6f4c4da2f769e7c",
"versionType": "git"
},
{
"status": "affected",
"version": "1eaaf1b828cdaa58abccc68962d24005fd5e8852",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/target_core_transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "6.1.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Fix target_cmd_counter leak\n\nThe target_cmd_counter struct allocated via target_alloc_cmd_counter() is\nnever freed, resulting in leaks across various transport types, e.g.:\n\n unreferenced object 0xffff88801f920120 (size 96):\n comm \"sh\", pid 102, jiffies 4294892535 (age 713.412s)\n hex dump (first 32 bytes):\n 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ........8.......\n backtrace:\n [\u003c00000000e58a6252\u003e] kmalloc_trace+0x11/0x20\n [\u003c0000000043af4b2f\u003e] target_alloc_cmd_counter+0x17/0x90 [target_core_mod]\n [\u003c000000007da2dfa7\u003e] target_setup_session+0x2d/0x140 [target_core_mod]\n [\u003c0000000068feef86\u003e] tcm_loop_tpg_nexus_store+0x19b/0x350 [tcm_loop]\n [\u003c000000006a80e021\u003e] configfs_write_iter+0xb1/0x120\n [\u003c00000000e9f4d860\u003e] vfs_write+0x2e4/0x3c0\n [\u003c000000008143433b\u003e] ksys_write+0x80/0xb0\n [\u003c00000000a7df29b2\u003e] do_syscall_64+0x42/0x90\n [\u003c0000000053f45fb8\u003e] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFree the structure alongside the corresponding iscsit_conn / se_sess\nparent."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:07:04.721Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1cd41d1669bcbc5052afa897f85608a62ff3fb30"
},
{
"url": "https://git.kernel.org/stable/c/f84639c5ac5f4f95b3992da1af4ff382ebf2e819"
},
{
"url": "https://git.kernel.org/stable/c/d14e3e553e05cb763964c991fe6acb0a6a1c6f9c"
}
],
"title": "scsi: target: core: Fix target_cmd_counter leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54154",
"datePublished": "2025-12-24T13:07:04.721Z",
"dateReserved": "2025-12-24T13:02:52.529Z",
"dateUpdated": "2025-12-24T13:07:04.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53857 (GCVE-0-2023-53857)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
bpf: bpf_sk_storage: Fix invalid wait context lockdep report
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: bpf_sk_storage: Fix invalid wait context lockdep report
'./test_progs -t test_local_storage' reported a splat:
[ 27.137569] =============================
[ 27.138122] [ BUG: Invalid wait context ]
[ 27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G O
[ 27.139542] -----------------------------
[ 27.140106] test_progs/1729 is trying to lock:
[ 27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130
[ 27.141834] other info that might help us debug this:
[ 27.142437] context-{5:5}
[ 27.142856] 2 locks held by test_progs/1729:
[ 27.143352] #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40
[ 27.144492] #1: ffff888107deb2c0 (&storage->lock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0
[ 27.145855] stack backtrace:
[ 27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G O 6.5.0-03980-gd11ae1b16b0a #247
[ 27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[ 27.149127] Call Trace:
[ 27.149490] <TASK>
[ 27.149867] dump_stack_lvl+0x130/0x1d0
[ 27.152609] dump_stack+0x14/0x20
[ 27.153131] __lock_acquire+0x1657/0x2220
[ 27.153677] lock_acquire+0x1b8/0x510
[ 27.157908] local_lock_acquire+0x29/0x130
[ 27.159048] obj_cgroup_charge+0xf4/0x3c0
[ 27.160794] slab_pre_alloc_hook+0x28e/0x2b0
[ 27.161931] __kmem_cache_alloc_node+0x51/0x210
[ 27.163557] __kmalloc+0xaa/0x210
[ 27.164593] bpf_map_kzalloc+0xbc/0x170
[ 27.165147] bpf_selem_alloc+0x130/0x510
[ 27.166295] bpf_local_storage_update+0x5aa/0x8e0
[ 27.167042] bpf_fd_sk_storage_update_elem+0xdb/0x1a0
[ 27.169199] bpf_map_update_value+0x415/0x4f0
[ 27.169871] map_update_elem+0x413/0x550
[ 27.170330] __sys_bpf+0x5e9/0x640
[ 27.174065] __x64_sys_bpf+0x80/0x90
[ 27.174568] do_syscall_64+0x48/0xa0
[ 27.175201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 27.175932] RIP: 0033:0x7effb40e41ad
[ 27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d8
[ 27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141
[ 27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad
[ 27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002
[ 27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788
[ 27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000
[ 27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000
[ 27.184958] </TASK>
It complains about acquiring a local_lock while holding a raw_spin_lock.
It means it should not allocate memory while holding a raw_spin_lock
since it is not safe for RT.
raw_spin_lock is needed because bpf_local_storage supports tracing
context. In particular for task local storage, it is easy to
get a "current" task PTR_TO_BTF_ID in tracing bpf prog.
However, task (and cgroup) local storage has already been moved to
bpf mem allocator which can be used after raw_spin_lock.
The splat is for the sk storage. For sk (and inode) storage,
it has not been moved to bpf mem allocator. Using raw_spin_lock or not,
kzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context.
However, the local storage helper requires a verifier accepted
sk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running
a bpf prog in a kzalloc unsafe context and also able to hold a verifier
accepted sk pointer) could happen.
This patch avoids kzalloc after raw_spin_lock to silent the splat.
There is an existing kzalloc before the raw_spin_lock. At that point,
a kzalloc is very likely required because a lookup has just been done
before. Thus, this patch always does the kzalloc before acq
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/bpf_local_storage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "300415caa373a07782fcbc2f8d9429bc2dc27a47",
"status": "affected",
"version": "b00fa38a9c1cba044a32a601b49a55a18ed719d1",
"versionType": "git"
},
{
"lessThan": "a96a44aba556c42b432929d37d60158aca21ad4c",
"status": "affected",
"version": "b00fa38a9c1cba044a32a601b49a55a18ed719d1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/bpf_local_storage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: bpf_sk_storage: Fix invalid wait context lockdep report\n\n\u0027./test_progs -t test_local_storage\u0027 reported a splat:\n\n[ 27.137569] =============================\n[ 27.138122] [ BUG: Invalid wait context ]\n[ 27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G O\n[ 27.139542] -----------------------------\n[ 27.140106] test_progs/1729 is trying to lock:\n[ 27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130\n[ 27.141834] other info that might help us debug this:\n[ 27.142437] context-{5:5}\n[ 27.142856] 2 locks held by test_progs/1729:\n[ 27.143352] #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40\n[ 27.144492] #1: ffff888107deb2c0 (\u0026storage-\u003elock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0\n[ 27.145855] stack backtrace:\n[ 27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G O 6.5.0-03980-gd11ae1b16b0a #247\n[ 27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 27.149127] Call Trace:\n[ 27.149490] \u003cTASK\u003e\n[ 27.149867] dump_stack_lvl+0x130/0x1d0\n[ 27.152609] dump_stack+0x14/0x20\n[ 27.153131] __lock_acquire+0x1657/0x2220\n[ 27.153677] lock_acquire+0x1b8/0x510\n[ 27.157908] local_lock_acquire+0x29/0x130\n[ 27.159048] obj_cgroup_charge+0xf4/0x3c0\n[ 27.160794] slab_pre_alloc_hook+0x28e/0x2b0\n[ 27.161931] __kmem_cache_alloc_node+0x51/0x210\n[ 27.163557] __kmalloc+0xaa/0x210\n[ 27.164593] bpf_map_kzalloc+0xbc/0x170\n[ 27.165147] bpf_selem_alloc+0x130/0x510\n[ 27.166295] bpf_local_storage_update+0x5aa/0x8e0\n[ 27.167042] bpf_fd_sk_storage_update_elem+0xdb/0x1a0\n[ 27.169199] bpf_map_update_value+0x415/0x4f0\n[ 27.169871] map_update_elem+0x413/0x550\n[ 27.170330] __sys_bpf+0x5e9/0x640\n[ 27.174065] __x64_sys_bpf+0x80/0x90\n[ 27.174568] do_syscall_64+0x48/0xa0\n[ 27.175201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[ 27.175932] RIP: 0033:0x7effb40e41ad\n[ 27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d8\n[ 27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141\n[ 27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad\n[ 27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002\n[ 27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788\n[ 27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000\n[ 27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000\n[ 27.184958] \u003c/TASK\u003e\n\nIt complains about acquiring a local_lock while holding a raw_spin_lock.\nIt means it should not allocate memory while holding a raw_spin_lock\nsince it is not safe for RT.\n\nraw_spin_lock is needed because bpf_local_storage supports tracing\ncontext. In particular for task local storage, it is easy to\nget a \"current\" task PTR_TO_BTF_ID in tracing bpf prog.\nHowever, task (and cgroup) local storage has already been moved to\nbpf mem allocator which can be used after raw_spin_lock.\n\nThe splat is for the sk storage. For sk (and inode) storage,\nit has not been moved to bpf mem allocator. Using raw_spin_lock or not,\nkzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context.\nHowever, the local storage helper requires a verifier accepted\nsk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running\na bpf prog in a kzalloc unsafe context and also able to hold a verifier\naccepted sk pointer) could happen.\n\nThis patch avoids kzalloc after raw_spin_lock to silent the splat.\nThere is an existing kzalloc before the raw_spin_lock. At that point,\na kzalloc is very likely required because a lookup has just been done\nbefore. Thus, this patch always does the kzalloc before acq\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:23.593Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/300415caa373a07782fcbc2f8d9429bc2dc27a47"
},
{
"url": "https://git.kernel.org/stable/c/a96a44aba556c42b432929d37d60158aca21ad4c"
}
],
"title": "bpf: bpf_sk_storage: Fix invalid wait context lockdep report",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53857",
"datePublished": "2025-12-09T01:30:23.593Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:23.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40357 (GCVE-0-2025-40357)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-16 13:30
VLAI?
EPSS
Title
net/smc: fix general protection fault in __smc_diag_dump
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix general protection fault in __smc_diag_dump
The syzbot report a crash:
Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]
CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89
Call Trace:
<TASK>
smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217
smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234
netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327
__netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442
netlink_dump_start include/linux/netlink.h:341 [inline]
smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251
__sock_diag_cmd net/core/sock_diag.c:249 [inline]
sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285
netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg net/socket.c:729 [inline]
____sys_sendmsg+0xa95/0xc70 net/socket.c:2614
___sys_sendmsg+0x134/0x1d0 net/socket.c:2668
__sys_sendmsg+0x16d/0x220 net/socket.c:2700
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
The process like this:
(CPU1) | (CPU2)
---------------------------------|-------------------------------
inet_create() |
// init clcsock to NULL |
sk = sk_alloc() |
|
// unexpectedly change clcsock |
inet_init_csk_locks() |
|
// add sk to hash table |
smc_inet_init_sock() |
smc_sk_init() |
smc_hash_sk() |
| // traverse the hash table
| smc_diag_dump_proto
| __smc_diag_dump()
| // visit wrong clcsock
| smc_diag_msg_common_fill()
// alloc clcsock |
smc_create_clcsk |
sock_create_kern |
With CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed
in inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc,
just remove it.
After removing the INET_PROTOSW_ICSK flag, this patch alse revert
commit 6fd27ea183c2 ("net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC")
to avoid casting smc_sock to inet_connection_sock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d25a92ccae6bed02327b63d138e12e7806830f78 , < 5b6fc95c4a161326567bdf12a333768565b638f2
(git)
Affected: d25a92ccae6bed02327b63d138e12e7806830f78 , < 99b5b3faf3220ba1cdab8e6e42be4f3f993937c3 (git) Affected: d25a92ccae6bed02327b63d138e12e7806830f78 , < f584239a9ed25057496bf397c370cc5163dde419 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_inet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b6fc95c4a161326567bdf12a333768565b638f2",
"status": "affected",
"version": "d25a92ccae6bed02327b63d138e12e7806830f78",
"versionType": "git"
},
{
"lessThan": "99b5b3faf3220ba1cdab8e6e42be4f3f993937c3",
"status": "affected",
"version": "d25a92ccae6bed02327b63d138e12e7806830f78",
"versionType": "git"
},
{
"lessThan": "f584239a9ed25057496bf397c370cc5163dde419",
"status": "affected",
"version": "d25a92ccae6bed02327b63d138e12e7806830f78",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_inet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix general protection fault in __smc_diag_dump\n\nThe syzbot report a crash:\n\n Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI\n KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]\n CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]\n RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89\n Call Trace:\n \u003cTASK\u003e\n smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217\n smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234\n netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327\n __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442\n netlink_dump_start include/linux/netlink.h:341 [inline]\n smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251\n __sock_diag_cmd net/core/sock_diag.c:249 [inline]\n sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285\n netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg net/socket.c:729 [inline]\n ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668\n __sys_sendmsg+0x16d/0x220 net/socket.c:2700\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nThe process like this:\n\n (CPU1) | (CPU2)\n ---------------------------------|-------------------------------\n inet_create() |\n // init clcsock to NULL |\n sk = sk_alloc() |\n |\n // unexpectedly change clcsock |\n inet_init_csk_locks() |\n |\n // add sk to hash table |\n smc_inet_init_sock() |\n smc_sk_init() |\n smc_hash_sk() |\n | // traverse the hash table\n | smc_diag_dump_proto\n | __smc_diag_dump()\n | // visit wrong clcsock\n | smc_diag_msg_common_fill()\n // alloc clcsock |\n smc_create_clcsk |\n sock_create_kern |\n\nWith CONFIG_DEBUG_LOCK_ALLOC=y, the smc-\u003eclcsock is unexpectedly changed\nin inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc,\njust remove it.\n\nAfter removing the INET_PROTOSW_ICSK flag, this patch alse revert\ncommit 6fd27ea183c2 (\"net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC\")\nto avoid casting smc_sock to inet_connection_sock."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:30:29.758Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2"
},
{
"url": "https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3"
},
{
"url": "https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419"
}
],
"title": "net/smc: fix general protection fault in __smc_diag_dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40357",
"datePublished": "2025-12-16T13:30:29.758Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:30:29.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40320 (GCVE-0-2025-40320)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
smb: client: fix potential cfid UAF in smb2_query_info_compound
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential cfid UAF in smb2_query_info_compound
When smb2_query_info_compound() retries, a previously allocated cfid may
have been freed in the first attempt.
Because cfid wasn't reset on replay, later cleanup could act on a stale
pointer, leading to a potential use-after-free.
Reinitialize cfid to NULL under the replay label.
Example trace (trimmed):
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110
[...]
RIP: 0010:refcount_warn_saturate+0x9c/0x110
[...]
Call Trace:
<TASK>
smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
? step_into+0x10d/0x690
? __legitimize_path+0x28/0x60
smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
? kmem_cache_alloc+0x18a/0x340
? getname_flags+0x46/0x1e0
cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]
statfs_by_dentry+0x67/0x90
vfs_statfs+0x16/0xd0
user_statfs+0x54/0xa0
__do_sys_statfs+0x20/0x50
do_syscall_64+0x58/0x80
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
433042a91f9373241307725b52de573933ffedbf , < 939c4e33005e2a56ea8fcedddf0da92df864bd3b
(git)
Affected: 4f1fffa2376922f3d1d506e49c0fd445b023a28e , < 327f89c21601ebb7889f8c97754b76f08ce95a0c (git) Affected: 4f1fffa2376922f3d1d506e49c0fd445b023a28e , < b556c278d43f4707a9073ca74d55581b4f279806 (git) Affected: 4f1fffa2376922f3d1d506e49c0fd445b023a28e , < 5c76f9961c170552c1d07c830b5e145475151600 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "939c4e33005e2a56ea8fcedddf0da92df864bd3b",
"status": "affected",
"version": "433042a91f9373241307725b52de573933ffedbf",
"versionType": "git"
},
{
"lessThan": "327f89c21601ebb7889f8c97754b76f08ce95a0c",
"status": "affected",
"version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
"versionType": "git"
},
{
"lessThan": "b556c278d43f4707a9073ca74d55581b4f279806",
"status": "affected",
"version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
"versionType": "git"
},
{
"lessThan": "5c76f9961c170552c1d07c830b5e145475151600",
"status": "affected",
"version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential cfid UAF in smb2_query_info_compound\n\nWhen smb2_query_info_compound() retries, a previously allocated cfid may\nhave been freed in the first attempt.\nBecause cfid wasn\u0027t reset on replay, later cleanup could act on a stale\npointer, leading to a potential use-after-free.\n\nReinitialize cfid to NULL under the replay label.\n\nExample trace (trimmed):\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110\n[...]\nRIP: 0010:refcount_warn_saturate+0x9c/0x110\n[...]\nCall Trace:\n \u003cTASK\u003e\n smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n ? step_into+0x10d/0x690\n ? __legitimize_path+0x28/0x60\n smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n ? kmem_cache_alloc+0x18a/0x340\n ? getname_flags+0x46/0x1e0\n cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n statfs_by_dentry+0x67/0x90\n vfs_statfs+0x16/0xd0\n user_statfs+0x54/0xa0\n __do_sys_statfs+0x20/0x50\n do_syscall_64+0x58/0x80"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:47.670Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/939c4e33005e2a56ea8fcedddf0da92df864bd3b"
},
{
"url": "https://git.kernel.org/stable/c/327f89c21601ebb7889f8c97754b76f08ce95a0c"
},
{
"url": "https://git.kernel.org/stable/c/b556c278d43f4707a9073ca74d55581b4f279806"
},
{
"url": "https://git.kernel.org/stable/c/5c76f9961c170552c1d07c830b5e145475151600"
}
],
"title": "smb: client: fix potential cfid UAF in smb2_query_info_compound",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40320",
"datePublished": "2025-12-08T00:46:47.670Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:47.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54101 (GCVE-0-2023-54101)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
driver: soc: xilinx: use _safe loop iterator to avoid a use after free
Summary
In the Linux kernel, the following vulnerability has been resolved:
driver: soc: xilinx: use _safe loop iterator to avoid a use after free
The hash_for_each_possible() loop dereferences "eve_data" to get the
next item on the list. However the loop frees eve_data so it leads to
a use after free. Use hash_for_each_possible_safe() instead.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c7fdb2404f66131bc9c22e06f712717288826487 , < 49fca83f6f3f0cafe5bf5b43e8ee81cf73c2d5e0
(git)
Affected: c7fdb2404f66131bc9c22e06f712717288826487 , < f16599e638073ef0b2828bb64f5e99138e9381b5 (git) Affected: c7fdb2404f66131bc9c22e06f712717288826487 , < 256aace3a5d8c987183ba4832dffb36f48ea7d3b (git) Affected: c7fdb2404f66131bc9c22e06f712717288826487 , < c58da0ba3e5c86e51e2c1557afaf6f71e00c4533 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/xilinx/xlnx_event_manager.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49fca83f6f3f0cafe5bf5b43e8ee81cf73c2d5e0",
"status": "affected",
"version": "c7fdb2404f66131bc9c22e06f712717288826487",
"versionType": "git"
},
{
"lessThan": "f16599e638073ef0b2828bb64f5e99138e9381b5",
"status": "affected",
"version": "c7fdb2404f66131bc9c22e06f712717288826487",
"versionType": "git"
},
{
"lessThan": "256aace3a5d8c987183ba4832dffb36f48ea7d3b",
"status": "affected",
"version": "c7fdb2404f66131bc9c22e06f712717288826487",
"versionType": "git"
},
{
"lessThan": "c58da0ba3e5c86e51e2c1557afaf6f71e00c4533",
"status": "affected",
"version": "c7fdb2404f66131bc9c22e06f712717288826487",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/xilinx/xlnx_event_manager.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver: soc: xilinx: use _safe loop iterator to avoid a use after free\n\nThe hash_for_each_possible() loop dereferences \"eve_data\" to get the\nnext item on the list. However the loop frees eve_data so it leads to\na use after free. Use hash_for_each_possible_safe() instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:27.234Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49fca83f6f3f0cafe5bf5b43e8ee81cf73c2d5e0"
},
{
"url": "https://git.kernel.org/stable/c/f16599e638073ef0b2828bb64f5e99138e9381b5"
},
{
"url": "https://git.kernel.org/stable/c/256aace3a5d8c987183ba4832dffb36f48ea7d3b"
},
{
"url": "https://git.kernel.org/stable/c/c58da0ba3e5c86e51e2c1557afaf6f71e00c4533"
}
],
"title": "driver: soc: xilinx: use _safe loop iterator to avoid a use after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54101",
"datePublished": "2025-12-24T13:06:27.234Z",
"dateReserved": "2025-12-24T13:02:52.517Z",
"dateUpdated": "2025-12-24T13:06:27.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54089 (GCVE-0-2023-54089)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
virtio_pmem: add the missing REQ_OP_WRITE for flush bio
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio_pmem: add the missing REQ_OP_WRITE for flush bio
When doing mkfs.xfs on a pmem device, the following warning was
------------[ cut here ]------------
WARNING: CPU: 2 PID: 384 at block/blk-core.c:751 submit_bio_noacct
Modules linked in:
CPU: 2 PID: 384 Comm: mkfs.xfs Not tainted 6.4.0-rc7+ #154
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:submit_bio_noacct+0x340/0x520
......
Call Trace:
<TASK>
? submit_bio_noacct+0xd5/0x520
submit_bio+0x37/0x60
async_pmem_flush+0x79/0xa0
nvdimm_flush+0x17/0x40
pmem_submit_bio+0x370/0x390
__submit_bio+0xbc/0x190
submit_bio_noacct_nocheck+0x14d/0x370
submit_bio_noacct+0x1ef/0x520
submit_bio+0x55/0x60
submit_bio_wait+0x5a/0xc0
blkdev_issue_flush+0x44/0x60
The root cause is that submit_bio_noacct() needs bio_op() is either
WRITE or ZONE_APPEND for flush bio and async_pmem_flush() doesn't assign
REQ_OP_WRITE when allocating flush bio, so submit_bio_noacct just fail
the flush bio.
Simply fix it by adding the missing REQ_OP_WRITE for flush bio. And we
could fix the flush order issue and do flush optimization later.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b4a6bb3a67aa0c37b2b6cd47efc326eb455de674 , < e39e870e1e683a71d3d2e63e661a5695f60931a7
(git)
Affected: b4a6bb3a67aa0c37b2b6cd47efc326eb455de674 , < c7ab7e45ccef209809f8c2b00f497deec06b29c0 (git) Affected: b4a6bb3a67aa0c37b2b6cd47efc326eb455de674 , < c1dbd8a849183b9c12d257ad3043ecec50db50b3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvdimm/nd_virtio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e39e870e1e683a71d3d2e63e661a5695f60931a7",
"status": "affected",
"version": "b4a6bb3a67aa0c37b2b6cd47efc326eb455de674",
"versionType": "git"
},
{
"lessThan": "c7ab7e45ccef209809f8c2b00f497deec06b29c0",
"status": "affected",
"version": "b4a6bb3a67aa0c37b2b6cd47efc326eb455de674",
"versionType": "git"
},
{
"lessThan": "c1dbd8a849183b9c12d257ad3043ecec50db50b3",
"status": "affected",
"version": "b4a6bb3a67aa0c37b2b6cd47efc326eb455de674",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvdimm/nd_virtio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_pmem: add the missing REQ_OP_WRITE for flush bio\n\nWhen doing mkfs.xfs on a pmem device, the following warning was\n\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 384 at block/blk-core.c:751 submit_bio_noacct\n Modules linked in:\n CPU: 2 PID: 384 Comm: mkfs.xfs Not tainted 6.4.0-rc7+ #154\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n RIP: 0010:submit_bio_noacct+0x340/0x520\n ......\n Call Trace:\n \u003cTASK\u003e\n ? submit_bio_noacct+0xd5/0x520\n submit_bio+0x37/0x60\n async_pmem_flush+0x79/0xa0\n nvdimm_flush+0x17/0x40\n pmem_submit_bio+0x370/0x390\n __submit_bio+0xbc/0x190\n submit_bio_noacct_nocheck+0x14d/0x370\n submit_bio_noacct+0x1ef/0x520\n submit_bio+0x55/0x60\n submit_bio_wait+0x5a/0xc0\n blkdev_issue_flush+0x44/0x60\n\nThe root cause is that submit_bio_noacct() needs bio_op() is either\nWRITE or ZONE_APPEND for flush bio and async_pmem_flush() doesn\u0027t assign\nREQ_OP_WRITE when allocating flush bio, so submit_bio_noacct just fail\nthe flush bio.\n\nSimply fix it by adding the missing REQ_OP_WRITE for flush bio. And we\ncould fix the flush order issue and do flush optimization later."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:18.904Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e39e870e1e683a71d3d2e63e661a5695f60931a7"
},
{
"url": "https://git.kernel.org/stable/c/c7ab7e45ccef209809f8c2b00f497deec06b29c0"
},
{
"url": "https://git.kernel.org/stable/c/c1dbd8a849183b9c12d257ad3043ecec50db50b3"
}
],
"title": "virtio_pmem: add the missing REQ_OP_WRITE for flush bio",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54089",
"datePublished": "2025-12-24T13:06:18.904Z",
"dateReserved": "2025-12-24T13:02:52.516Z",
"dateUpdated": "2025-12-24T13:06:18.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54183 (GCVE-0-2023-54183)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()
If fwnode_graph_get_remote_endpoint() fails, 'fwnode' is known to be NULL,
so fwnode_handle_put() is a no-op.
Release the reference taken from a previous fwnode_graph_get_port_parent()
call instead.
Also handle fwnode_graph_get_port_parent() failures.
In order to fix these issues, add an error handling path to the function
and the needed gotos.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ca50c197bd9610ea984cfc0dc6855f183cbb46f8 , < 2342942331e1f034ff58f293e10d0d9b7581601f
(git)
Affected: ca50c197bd9610ea984cfc0dc6855f183cbb46f8 , < 4bc5ffaf8ac4f3e7a1fcd10a0a0e7b022b694877 (git) Affected: ca50c197bd9610ea984cfc0dc6855f183cbb46f8 , < d8a8f75fce049bdb3144b607deefe51e996b9660 (git) Affected: ca50c197bd9610ea984cfc0dc6855f183cbb46f8 , < caf058833b6f3fe7beabf738110f79bb987c8fff (git) Affected: ca50c197bd9610ea984cfc0dc6855f183cbb46f8 , < 25afb3e03bf8ab02567af4b6ffbfd6250a91a9f8 (git) Affected: ca50c197bd9610ea984cfc0dc6855f183cbb46f8 , < ed1696f7f92e8404940d51dec80a123aa18163a8 (git) Affected: ca50c197bd9610ea984cfc0dc6855f183cbb46f8 , < e8a1cd87bb9fa3149ee112ecb8058908dc9b520e (git) Affected: ca50c197bd9610ea984cfc0dc6855f183cbb46f8 , < d7b13edd4cb4bfa335b6008ab867ac28582d3e5c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/v4l2-core/v4l2-fwnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2342942331e1f034ff58f293e10d0d9b7581601f",
"status": "affected",
"version": "ca50c197bd9610ea984cfc0dc6855f183cbb46f8",
"versionType": "git"
},
{
"lessThan": "4bc5ffaf8ac4f3e7a1fcd10a0a0e7b022b694877",
"status": "affected",
"version": "ca50c197bd9610ea984cfc0dc6855f183cbb46f8",
"versionType": "git"
},
{
"lessThan": "d8a8f75fce049bdb3144b607deefe51e996b9660",
"status": "affected",
"version": "ca50c197bd9610ea984cfc0dc6855f183cbb46f8",
"versionType": "git"
},
{
"lessThan": "caf058833b6f3fe7beabf738110f79bb987c8fff",
"status": "affected",
"version": "ca50c197bd9610ea984cfc0dc6855f183cbb46f8",
"versionType": "git"
},
{
"lessThan": "25afb3e03bf8ab02567af4b6ffbfd6250a91a9f8",
"status": "affected",
"version": "ca50c197bd9610ea984cfc0dc6855f183cbb46f8",
"versionType": "git"
},
{
"lessThan": "ed1696f7f92e8404940d51dec80a123aa18163a8",
"status": "affected",
"version": "ca50c197bd9610ea984cfc0dc6855f183cbb46f8",
"versionType": "git"
},
{
"lessThan": "e8a1cd87bb9fa3149ee112ecb8058908dc9b520e",
"status": "affected",
"version": "ca50c197bd9610ea984cfc0dc6855f183cbb46f8",
"versionType": "git"
},
{
"lessThan": "d7b13edd4cb4bfa335b6008ab867ac28582d3e5c",
"status": "affected",
"version": "ca50c197bd9610ea984cfc0dc6855f183cbb46f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/v4l2-core/v4l2-fwnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()\n\nIf fwnode_graph_get_remote_endpoint() fails, \u0027fwnode\u0027 is known to be NULL,\nso fwnode_handle_put() is a no-op.\n\nRelease the reference taken from a previous fwnode_graph_get_port_parent()\ncall instead.\n\nAlso handle fwnode_graph_get_port_parent() failures.\n\nIn order to fix these issues, add an error handling path to the function\nand the needed gotos."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:53.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2342942331e1f034ff58f293e10d0d9b7581601f"
},
{
"url": "https://git.kernel.org/stable/c/4bc5ffaf8ac4f3e7a1fcd10a0a0e7b022b694877"
},
{
"url": "https://git.kernel.org/stable/c/d8a8f75fce049bdb3144b607deefe51e996b9660"
},
{
"url": "https://git.kernel.org/stable/c/caf058833b6f3fe7beabf738110f79bb987c8fff"
},
{
"url": "https://git.kernel.org/stable/c/25afb3e03bf8ab02567af4b6ffbfd6250a91a9f8"
},
{
"url": "https://git.kernel.org/stable/c/ed1696f7f92e8404940d51dec80a123aa18163a8"
},
{
"url": "https://git.kernel.org/stable/c/e8a1cd87bb9fa3149ee112ecb8058908dc9b520e"
},
{
"url": "https://git.kernel.org/stable/c/d7b13edd4cb4bfa335b6008ab867ac28582d3e5c"
}
],
"title": "media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54183",
"datePublished": "2025-12-30T12:08:53.888Z",
"dateReserved": "2025-12-30T12:06:44.497Z",
"dateUpdated": "2025-12-30T12:08:53.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54261 (GCVE-0-2023-54261)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
drm/amdkfd: Add missing gfx11 MQD manager callbacks
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Add missing gfx11 MQD manager callbacks
mqd_stride function was introduced in commit 2f77b9a242a2
("drm/amdkfd: Update MQD management on multi XCC setup")
but not assigned for gfx11. Fixes a NULL dereference in debugfs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "399b73d6b7720a9eae68a333193b53ed4f432fe5",
"status": "affected",
"version": "2f77b9a242a2e01822efc80c8b63eaa31df0f8b4",
"versionType": "git"
},
{
"lessThan": "e9dca969b2426702a73719ab9207e43c6d80b581",
"status": "affected",
"version": "2f77b9a242a2e01822efc80c8b63eaa31df0f8b4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Add missing gfx11 MQD manager callbacks\n\nmqd_stride function was introduced in commit 2f77b9a242a2\n(\"drm/amdkfd: Update MQD management on multi XCC setup\")\nbut not assigned for gfx11. Fixes a NULL dereference in debugfs."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:08.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/399b73d6b7720a9eae68a333193b53ed4f432fe5"
},
{
"url": "https://git.kernel.org/stable/c/e9dca969b2426702a73719ab9207e43c6d80b581"
}
],
"title": "drm/amdkfd: Add missing gfx11 MQD manager callbacks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54261",
"datePublished": "2025-12-30T12:15:54.870Z",
"dateReserved": "2025-12-30T12:06:44.516Z",
"dateUpdated": "2026-01-05T11:37:08.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54247 (GCVE-0-2023-54247)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
bpf: Silence a warning in btf_type_id_size()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Silence a warning in btf_type_id_size()
syzbot reported a warning in [1] with the following stacktrace:
WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
...
RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
...
Call Trace:
<TASK>
map_check_btf kernel/bpf/syscall.c:1024 [inline]
map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198
__sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040
__do_sys_bpf kernel/bpf/syscall.c:5162 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5160 [inline]
__x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
With the following btf
[1] DECL_TAG 'a' type_id=4 component_idx=-1
[2] PTR '(anon)' type_id=0
[3] TYPE_TAG 'a' type_id=2
[4] VAR 'a' type_id=3, linkage=static
and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG),
the following WARN_ON_ONCE in btf_type_id_size() is triggered:
if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) &&
!btf_type_is_var(size_type)))
return NULL;
Note that 'return NULL' is the correct behavior as we don't want
a DECL_TAG type to be used as a btf_{key,value}_type_id even
for the case like 'DECL_TAG -> STRUCT'. So there
is no correctness issue here, we just want to silence warning.
To silence the warning, I added DECL_TAG as one of kinds in
btf_type_nosize() which will cause btf_type_id_size() returning
NULL earlier without the warning.
[1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef , < 61f4bd46a03a81865aca3bcbad2f7b7032fb3160
(git)
Affected: b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef , < 7c4f5ab63e7962812505cbd38cc765168a223acb (git) Affected: b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef , < e6c2f594ed961273479505b42040782820190305 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61f4bd46a03a81865aca3bcbad2f7b7032fb3160",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
},
{
"lessThan": "7c4f5ab63e7962812505cbd38cc765168a223acb",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
},
{
"lessThan": "e6c2f594ed961273479505b42040782820190305",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.110",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Silence a warning in btf_type_id_size()\n\nsyzbot reported a warning in [1] with the following stacktrace:\n WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988\n ...\n RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988\n ...\n Call Trace:\n \u003cTASK\u003e\n map_check_btf kernel/bpf/syscall.c:1024 [inline]\n map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198\n __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040\n __do_sys_bpf kernel/bpf/syscall.c:5162 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5160 [inline]\n __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nWith the following btf\n [1] DECL_TAG \u0027a\u0027 type_id=4 component_idx=-1\n [2] PTR \u0027(anon)\u0027 type_id=0\n [3] TYPE_TAG \u0027a\u0027 type_id=2\n [4] VAR \u0027a\u0027 type_id=3, linkage=static\nand when the bpf_attr.btf_key_type_id = 1 (DECL_TAG),\nthe following WARN_ON_ONCE in btf_type_id_size() is triggered:\n if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) \u0026\u0026\n !btf_type_is_var(size_type)))\n return NULL;\n\nNote that \u0027return NULL\u0027 is the correct behavior as we don\u0027t want\na DECL_TAG type to be used as a btf_{key,value}_type_id even\nfor the case like \u0027DECL_TAG -\u003e STRUCT\u0027. So there\nis no correctness issue here, we just want to silence warning.\n\nTo silence the warning, I added DECL_TAG as one of kinds in\nbtf_type_nosize() which will cause btf_type_id_size() returning\nNULL earlier without the warning.\n\n [1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:03.497Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61f4bd46a03a81865aca3bcbad2f7b7032fb3160"
},
{
"url": "https://git.kernel.org/stable/c/7c4f5ab63e7962812505cbd38cc765168a223acb"
},
{
"url": "https://git.kernel.org/stable/c/e6c2f594ed961273479505b42040782820190305"
}
],
"title": "bpf: Silence a warning in btf_type_id_size()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54247",
"datePublished": "2025-12-30T12:15:45.395Z",
"dateReserved": "2025-12-30T12:06:44.513Z",
"dateUpdated": "2026-01-05T11:37:03.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53718 (GCVE-0-2023-53718)
Vulnerability from cvelistv5 – Published: 2025-10-22 13:23 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
ring-buffer: Do not swap cpu_buffer during resize process
Summary
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Do not swap cpu_buffer during resize process
When ring_buffer_swap_cpu was called during resize process,
the cpu buffer was swapped in the middle, resulting in incorrect state.
Continuing to run in the wrong state will result in oops.
This issue can be easily reproduced using the following two scripts:
/tmp # cat test1.sh
//#! /bin/sh
for i in `seq 0 100000`
do
echo 2000 > /sys/kernel/debug/tracing/buffer_size_kb
sleep 0.5
echo 5000 > /sys/kernel/debug/tracing/buffer_size_kb
sleep 0.5
done
/tmp # cat test2.sh
//#! /bin/sh
for i in `seq 0 100000`
do
echo irqsoff > /sys/kernel/debug/tracing/current_tracer
sleep 1
echo nop > /sys/kernel/debug/tracing/current_tracer
sleep 1
done
/tmp # ./test1.sh &
/tmp # ./test2.sh &
A typical oops log is as follows, sometimes with other different oops logs.
[ 231.711293] WARNING: CPU: 0 PID: 9 at kernel/trace/ring_buffer.c:2026 rb_update_pages+0x378/0x3f8
[ 231.713375] Modules linked in:
[ 231.714735] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15
[ 231.716750] Hardware name: linux,dummy-virt (DT)
[ 231.718152] Workqueue: events update_pages_handler
[ 231.719714] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 231.721171] pc : rb_update_pages+0x378/0x3f8
[ 231.722212] lr : rb_update_pages+0x25c/0x3f8
[ 231.723248] sp : ffff800082b9bd50
[ 231.724169] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 0000000000000000
[ 231.726102] x26: 0000000000000001 x25: fffffffffffff010 x24: 0000000000000ff0
[ 231.728122] x23: ffff0000c3a0b600 x22: ffff0000c3a0b5c0 x21: fffffffffffffe0a
[ 231.730203] x20: ffff0000c3a0b600 x19: ffff0000c0102400 x18: 0000000000000000
[ 231.732329] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe7aa8510
[ 231.734212] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000002
[ 231.736291] x11: ffff8000826998a8 x10: ffff800082b9baf0 x9 : ffff800081137558
[ 231.738195] x8 : fffffc00030e82c8 x7 : 0000000000000000 x6 : 0000000000000001
[ 231.740192] x5 : ffff0000ffbafe00 x4 : 0000000000000000 x3 : 0000000000000000
[ 231.742118] x2 : 00000000000006aa x1 : 0000000000000001 x0 : ffff0000c0007208
[ 231.744196] Call trace:
[ 231.744892] rb_update_pages+0x378/0x3f8
[ 231.745893] update_pages_handler+0x1c/0x38
[ 231.746893] process_one_work+0x1f0/0x468
[ 231.747852] worker_thread+0x54/0x410
[ 231.748737] kthread+0x124/0x138
[ 231.749549] ret_from_fork+0x10/0x20
[ 231.750434] ---[ end trace 0000000000000000 ]---
[ 233.720486] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 233.721696] Mem abort info:
[ 233.721935] ESR = 0x0000000096000004
[ 233.722283] EC = 0x25: DABT (current EL), IL = 32 bits
[ 233.722596] SET = 0, FnV = 0
[ 233.722805] EA = 0, S1PTW = 0
[ 233.723026] FSC = 0x04: level 0 translation fault
[ 233.723458] Data abort info:
[ 233.723734] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 233.724176] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 233.724589] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 233.725075] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000104943000
[ 233.725592] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ 233.726231] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 233.726720] Modules linked in:
[ 233.727007] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15
[ 233.727777] Hardware name: linux,dummy-virt (DT)
[ 233.728225] Workqueue: events update_pages_handler
[ 233.728655] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 233.729054] pc : rb_update_pages+0x1a8/0x3f8
[ 233.729334] lr : rb_update_pages+0x154/0x3f8
[ 233.729592] sp : ffff800082b9bd50
[ 233.729792] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 00000000
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
83f40318dab00e3298a1f6d0b12ac025e84e478d , < 66a3b2a121386702663065d5c9e5a33c03d3f4a2
(git)
Affected: 83f40318dab00e3298a1f6d0b12ac025e84e478d , < 49b830d75f03d5dd41146d10e4d3e2a8211c4b94 (git) Affected: 83f40318dab00e3298a1f6d0b12ac025e84e478d , < 128c06a34cfe55212632533a706b050d54552741 (git) Affected: 83f40318dab00e3298a1f6d0b12ac025e84e478d , < 02e52d7daaa3f0f48819f198092cf4871065bbf7 (git) Affected: 83f40318dab00e3298a1f6d0b12ac025e84e478d , < 8a96c0288d0737ad77882024974c075345c72011 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c",
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66a3b2a121386702663065d5c9e5a33c03d3f4a2",
"status": "affected",
"version": "83f40318dab00e3298a1f6d0b12ac025e84e478d",
"versionType": "git"
},
{
"lessThan": "49b830d75f03d5dd41146d10e4d3e2a8211c4b94",
"status": "affected",
"version": "83f40318dab00e3298a1f6d0b12ac025e84e478d",
"versionType": "git"
},
{
"lessThan": "128c06a34cfe55212632533a706b050d54552741",
"status": "affected",
"version": "83f40318dab00e3298a1f6d0b12ac025e84e478d",
"versionType": "git"
},
{
"lessThan": "02e52d7daaa3f0f48819f198092cf4871065bbf7",
"status": "affected",
"version": "83f40318dab00e3298a1f6d0b12ac025e84e478d",
"versionType": "git"
},
{
"lessThan": "8a96c0288d0737ad77882024974c075345c72011",
"status": "affected",
"version": "83f40318dab00e3298a1f6d0b12ac025e84e478d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/ring_buffer.c",
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not swap cpu_buffer during resize process\n\nWhen ring_buffer_swap_cpu was called during resize process,\nthe cpu buffer was swapped in the middle, resulting in incorrect state.\nContinuing to run in the wrong state will result in oops.\n\nThis issue can be easily reproduced using the following two scripts:\n/tmp # cat test1.sh\n//#! /bin/sh\nfor i in `seq 0 100000`\ndo\n echo 2000 \u003e /sys/kernel/debug/tracing/buffer_size_kb\n sleep 0.5\n echo 5000 \u003e /sys/kernel/debug/tracing/buffer_size_kb\n sleep 0.5\ndone\n/tmp # cat test2.sh\n//#! /bin/sh\nfor i in `seq 0 100000`\ndo\n echo irqsoff \u003e /sys/kernel/debug/tracing/current_tracer\n sleep 1\n echo nop \u003e /sys/kernel/debug/tracing/current_tracer\n sleep 1\ndone\n/tmp # ./test1.sh \u0026\n/tmp # ./test2.sh \u0026\n\nA typical oops log is as follows, sometimes with other different oops logs.\n\n[ 231.711293] WARNING: CPU: 0 PID: 9 at kernel/trace/ring_buffer.c:2026 rb_update_pages+0x378/0x3f8\n[ 231.713375] Modules linked in:\n[ 231.714735] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15\n[ 231.716750] Hardware name: linux,dummy-virt (DT)\n[ 231.718152] Workqueue: events update_pages_handler\n[ 231.719714] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 231.721171] pc : rb_update_pages+0x378/0x3f8\n[ 231.722212] lr : rb_update_pages+0x25c/0x3f8\n[ 231.723248] sp : ffff800082b9bd50\n[ 231.724169] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 0000000000000000\n[ 231.726102] x26: 0000000000000001 x25: fffffffffffff010 x24: 0000000000000ff0\n[ 231.728122] x23: ffff0000c3a0b600 x22: ffff0000c3a0b5c0 x21: fffffffffffffe0a\n[ 231.730203] x20: ffff0000c3a0b600 x19: ffff0000c0102400 x18: 0000000000000000\n[ 231.732329] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe7aa8510\n[ 231.734212] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000002\n[ 231.736291] x11: ffff8000826998a8 x10: ffff800082b9baf0 x9 : ffff800081137558\n[ 231.738195] x8 : fffffc00030e82c8 x7 : 0000000000000000 x6 : 0000000000000001\n[ 231.740192] x5 : ffff0000ffbafe00 x4 : 0000000000000000 x3 : 0000000000000000\n[ 231.742118] x2 : 00000000000006aa x1 : 0000000000000001 x0 : ffff0000c0007208\n[ 231.744196] Call trace:\n[ 231.744892] rb_update_pages+0x378/0x3f8\n[ 231.745893] update_pages_handler+0x1c/0x38\n[ 231.746893] process_one_work+0x1f0/0x468\n[ 231.747852] worker_thread+0x54/0x410\n[ 231.748737] kthread+0x124/0x138\n[ 231.749549] ret_from_fork+0x10/0x20\n[ 231.750434] ---[ end trace 0000000000000000 ]---\n[ 233.720486] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n[ 233.721696] Mem abort info:\n[ 233.721935] ESR = 0x0000000096000004\n[ 233.722283] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 233.722596] SET = 0, FnV = 0\n[ 233.722805] EA = 0, S1PTW = 0\n[ 233.723026] FSC = 0x04: level 0 translation fault\n[ 233.723458] Data abort info:\n[ 233.723734] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 233.724176] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 233.724589] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 233.725075] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000104943000\n[ 233.725592] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[ 233.726231] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[ 233.726720] Modules linked in:\n[ 233.727007] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15\n[ 233.727777] Hardware name: linux,dummy-virt (DT)\n[ 233.728225] Workqueue: events update_pages_handler\n[ 233.728655] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 233.729054] pc : rb_update_pages+0x1a8/0x3f8\n[ 233.729334] lr : rb_update_pages+0x154/0x3f8\n[ 233.729592] sp : ffff800082b9bd50\n[ 233.729792] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 00000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:32.910Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66a3b2a121386702663065d5c9e5a33c03d3f4a2"
},
{
"url": "https://git.kernel.org/stable/c/49b830d75f03d5dd41146d10e4d3e2a8211c4b94"
},
{
"url": "https://git.kernel.org/stable/c/128c06a34cfe55212632533a706b050d54552741"
},
{
"url": "https://git.kernel.org/stable/c/02e52d7daaa3f0f48819f198092cf4871065bbf7"
},
{
"url": "https://git.kernel.org/stable/c/8a96c0288d0737ad77882024974c075345c72011"
}
],
"title": "ring-buffer: Do not swap cpu_buffer during resize process",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53718",
"datePublished": "2025-10-22T13:23:50.809Z",
"dateReserved": "2025-10-22T13:21:37.347Z",
"dateUpdated": "2026-01-05T10:32:32.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54309 (GCVE-0-2023-54309)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation
/dev/vtpmx is made visible before 'workqueue' is initialized, which can
lead to a memory corruption in the worst case scenario.
Address this by initializing 'workqueue' as the very first step of the
driver initialization.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6f99612e250041a2402d3b1694bccb149cd424a4 , < 509d21f1c4bb9d35d397fca3226165b156a7639f
(git)
Affected: 6f99612e250041a2402d3b1694bccb149cd424a4 , < 04e8697d26613ccea760cf57eb20a5a27f788c0f (git) Affected: 6f99612e250041a2402d3b1694bccb149cd424a4 , < 86b9820395f226b8f33cbae9599deebf8af1ce72 (git) Affected: 6f99612e250041a2402d3b1694bccb149cd424a4 , < 9ff7fcb3a2ed0e9b895bb5b4c13872d584a8815b (git) Affected: 6f99612e250041a2402d3b1694bccb149cd424a4 , < e08295290c53a3cf174c236721747a01b9550ae2 (git) Affected: 6f99612e250041a2402d3b1694bccb149cd424a4 , < 99b998fb9d7d2d2d9dbb3e19db2d0ade02f5a604 (git) Affected: 6f99612e250041a2402d3b1694bccb149cd424a4 , < 092db954e2c3c5ba6c0ce990c7da72cf8f3b9c51 (git) Affected: 6f99612e250041a2402d3b1694bccb149cd424a4 , < f4032d615f90970d6c3ac1d9c0bce3351eb4445c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm_vtpm_proxy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "509d21f1c4bb9d35d397fca3226165b156a7639f",
"status": "affected",
"version": "6f99612e250041a2402d3b1694bccb149cd424a4",
"versionType": "git"
},
{
"lessThan": "04e8697d26613ccea760cf57eb20a5a27f788c0f",
"status": "affected",
"version": "6f99612e250041a2402d3b1694bccb149cd424a4",
"versionType": "git"
},
{
"lessThan": "86b9820395f226b8f33cbae9599deebf8af1ce72",
"status": "affected",
"version": "6f99612e250041a2402d3b1694bccb149cd424a4",
"versionType": "git"
},
{
"lessThan": "9ff7fcb3a2ed0e9b895bb5b4c13872d584a8815b",
"status": "affected",
"version": "6f99612e250041a2402d3b1694bccb149cd424a4",
"versionType": "git"
},
{
"lessThan": "e08295290c53a3cf174c236721747a01b9550ae2",
"status": "affected",
"version": "6f99612e250041a2402d3b1694bccb149cd424a4",
"versionType": "git"
},
{
"lessThan": "99b998fb9d7d2d2d9dbb3e19db2d0ade02f5a604",
"status": "affected",
"version": "6f99612e250041a2402d3b1694bccb149cd424a4",
"versionType": "git"
},
{
"lessThan": "092db954e2c3c5ba6c0ce990c7da72cf8f3b9c51",
"status": "affected",
"version": "6f99612e250041a2402d3b1694bccb149cd424a4",
"versionType": "git"
},
{
"lessThan": "f4032d615f90970d6c3ac1d9c0bce3351eb4445c",
"status": "affected",
"version": "6f99612e250041a2402d3b1694bccb149cd424a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm_vtpm_proxy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation\n\n/dev/vtpmx is made visible before \u0027workqueue\u0027 is initialized, which can\nlead to a memory corruption in the worst case scenario.\n\nAddress this by initializing \u0027workqueue\u0027 as the very first step of the\ndriver initialization."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:41.834Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/509d21f1c4bb9d35d397fca3226165b156a7639f"
},
{
"url": "https://git.kernel.org/stable/c/04e8697d26613ccea760cf57eb20a5a27f788c0f"
},
{
"url": "https://git.kernel.org/stable/c/86b9820395f226b8f33cbae9599deebf8af1ce72"
},
{
"url": "https://git.kernel.org/stable/c/9ff7fcb3a2ed0e9b895bb5b4c13872d584a8815b"
},
{
"url": "https://git.kernel.org/stable/c/e08295290c53a3cf174c236721747a01b9550ae2"
},
{
"url": "https://git.kernel.org/stable/c/99b998fb9d7d2d2d9dbb3e19db2d0ade02f5a604"
},
{
"url": "https://git.kernel.org/stable/c/092db954e2c3c5ba6c0ce990c7da72cf8f3b9c51"
},
{
"url": "https://git.kernel.org/stable/c/f4032d615f90970d6c3ac1d9c0bce3351eb4445c"
}
],
"title": "tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54309",
"datePublished": "2025-12-30T12:23:41.834Z",
"dateReserved": "2025-12-30T12:06:44.530Z",
"dateUpdated": "2025-12-30T12:23:41.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53852 (GCVE-0-2023-53852)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
nvme-core: fix memory leak in dhchap_secret_store
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-core: fix memory leak in dhchap_secret_store
Free dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return
fix following kmemleack:-
unreferenced object 0xffff8886376ea800 (size 64):
comm "check", pid 22048, jiffies 4344316705 (age 92.199s)
hex dump (first 32 bytes):
44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg
75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL
backtrace:
[<0000000030ce5d4b>] __kmalloc+0x4b/0x130
[<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]
[<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0
[<00000000437e7ced>] vfs_write+0x2ba/0x3c0
[<00000000f9491baf>] ksys_write+0x5f/0xe0
[<000000001c46513d>] do_syscall_64+0x3b/0x90
[<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
unreferenced object 0xffff8886376eaf00 (size 64):
comm "check", pid 22048, jiffies 4344316736 (age 92.168s)
hex dump (first 32 bytes):
44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg
75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL
backtrace:
[<0000000030ce5d4b>] __kmalloc+0x4b/0x130
[<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]
[<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0
[<00000000437e7ced>] vfs_write+0x2ba/0x3c0
[<00000000f9491baf>] ksys_write+0x5f/0xe0
[<000000001c46513d>] do_syscall_64+0x3b/0x90
[<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 2e9b141307554521d60fecf6bf1d2edc8dd0181d
(git)
Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < c41ac086d2abaf7527a5685f9c0a1c209ab7e0aa (git) Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 6a5eda5017959541ab82c5d56bcf784b8294e298 (git) Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < a836ca33c5b07d34dd5347af9f64d25651d12674 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e9b141307554521d60fecf6bf1d2edc8dd0181d",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "c41ac086d2abaf7527a5685f9c0a1c209ab7e0aa",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "6a5eda5017959541ab82c5d56bcf784b8294e298",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "a836ca33c5b07d34dd5347af9f64d25651d12674",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-core: fix memory leak in dhchap_secret_store\n\nFree dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return\nfix following kmemleack:-\n\nunreferenced object 0xffff8886376ea800 (size 64):\n comm \"check\", pid 22048, jiffies 4344316705 (age 92.199s)\n hex dump (first 32 bytes):\n 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg\n 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL\n backtrace:\n [\u003c0000000030ce5d4b\u003e] __kmalloc+0x4b/0x130\n [\u003c000000009be1cdc1\u003e] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]\n [\u003c00000000ac06c96a\u003e] kernfs_fop_write_iter+0x12b/0x1c0\n [\u003c00000000437e7ced\u003e] vfs_write+0x2ba/0x3c0\n [\u003c00000000f9491baf\u003e] ksys_write+0x5f/0xe0\n [\u003c000000001c46513d\u003e] do_syscall_64+0x3b/0x90\n [\u003c00000000ecf348fe\u003e] entry_SYSCALL_64_after_hwframe+0x72/0xdc\nunreferenced object 0xffff8886376eaf00 (size 64):\n comm \"check\", pid 22048, jiffies 4344316736 (age 92.168s)\n hex dump (first 32 bytes):\n 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg\n 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL\n backtrace:\n [\u003c0000000030ce5d4b\u003e] __kmalloc+0x4b/0x130\n [\u003c000000009be1cdc1\u003e] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core]\n [\u003c00000000ac06c96a\u003e] kernfs_fop_write_iter+0x12b/0x1c0\n [\u003c00000000437e7ced\u003e] vfs_write+0x2ba/0x3c0\n [\u003c00000000f9491baf\u003e] ksys_write+0x5f/0xe0\n [\u003c000000001c46513d\u003e] do_syscall_64+0x3b/0x90\n [\u003c00000000ecf348fe\u003e] entry_SYSCALL_64_after_hwframe+0x72/0xdc"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:17.449Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e9b141307554521d60fecf6bf1d2edc8dd0181d"
},
{
"url": "https://git.kernel.org/stable/c/c41ac086d2abaf7527a5685f9c0a1c209ab7e0aa"
},
{
"url": "https://git.kernel.org/stable/c/6a5eda5017959541ab82c5d56bcf784b8294e298"
},
{
"url": "https://git.kernel.org/stable/c/a836ca33c5b07d34dd5347af9f64d25651d12674"
}
],
"title": "nvme-core: fix memory leak in dhchap_secret_store",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53852",
"datePublished": "2025-12-09T01:30:17.449Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:17.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50757 (GCVE-0-2022-50757)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
media: camss: Clean up received buffers on failed start of streaming
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: camss: Clean up received buffers on failed start of streaming
It is required to return the received buffers, if streaming can not be
started. For instance media_pipeline_start() may fail with EPIPE, if
a link validation between entities is not passed, and in such a case
a user gets a kernel warning:
WARNING: CPU: 1 PID: 520 at drivers/media/common/videobuf2/videobuf2-core.c:1592 vb2_start_streaming+0xec/0x160
<snip>
Call trace:
vb2_start_streaming+0xec/0x160
vb2_core_streamon+0x9c/0x1a0
vb2_ioctl_streamon+0x68/0xbc
v4l_streamon+0x30/0x3c
__video_do_ioctl+0x184/0x3e0
video_usercopy+0x37c/0x7b0
video_ioctl2+0x24/0x40
v4l2_ioctl+0x4c/0x70
The fix is to correct the error path in video_start_streaming() of camss.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0ac2586c410fe00d58dd09bf270a22f25d5287b8 , < 75954cde8a5ca84003b24b6bf83197240935bd74
(git)
Affected: 0ac2586c410fe00d58dd09bf270a22f25d5287b8 , < 04c734c716a97f1493b1edac41316aaed1d2a9d9 (git) Affected: 0ac2586c410fe00d58dd09bf270a22f25d5287b8 , < fe443b3fe36cd23d4f5dc6d825d34322e7c89f0c (git) Affected: 0ac2586c410fe00d58dd09bf270a22f25d5287b8 , < 3d5cab726e3b370fea1b6e67183f0e13c409ce5c (git) Affected: 0ac2586c410fe00d58dd09bf270a22f25d5287b8 , < d1c44928bb3ca0ec88e7ad5937a2a26a259aede6 (git) Affected: 0ac2586c410fe00d58dd09bf270a22f25d5287b8 , < f05326a440dc31b91b688b2f3f15b7347894a50b (git) Affected: 0ac2586c410fe00d58dd09bf270a22f25d5287b8 , < 24df4fa3e795fb4b15fd4d3c036596e0978d265a (git) Affected: 0ac2586c410fe00d58dd09bf270a22f25d5287b8 , < c8f3582345e6a69da65ab588f7c4c2d1685b0e80 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/camss/camss-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75954cde8a5ca84003b24b6bf83197240935bd74",
"status": "affected",
"version": "0ac2586c410fe00d58dd09bf270a22f25d5287b8",
"versionType": "git"
},
{
"lessThan": "04c734c716a97f1493b1edac41316aaed1d2a9d9",
"status": "affected",
"version": "0ac2586c410fe00d58dd09bf270a22f25d5287b8",
"versionType": "git"
},
{
"lessThan": "fe443b3fe36cd23d4f5dc6d825d34322e7c89f0c",
"status": "affected",
"version": "0ac2586c410fe00d58dd09bf270a22f25d5287b8",
"versionType": "git"
},
{
"lessThan": "3d5cab726e3b370fea1b6e67183f0e13c409ce5c",
"status": "affected",
"version": "0ac2586c410fe00d58dd09bf270a22f25d5287b8",
"versionType": "git"
},
{
"lessThan": "d1c44928bb3ca0ec88e7ad5937a2a26a259aede6",
"status": "affected",
"version": "0ac2586c410fe00d58dd09bf270a22f25d5287b8",
"versionType": "git"
},
{
"lessThan": "f05326a440dc31b91b688b2f3f15b7347894a50b",
"status": "affected",
"version": "0ac2586c410fe00d58dd09bf270a22f25d5287b8",
"versionType": "git"
},
{
"lessThan": "24df4fa3e795fb4b15fd4d3c036596e0978d265a",
"status": "affected",
"version": "0ac2586c410fe00d58dd09bf270a22f25d5287b8",
"versionType": "git"
},
{
"lessThan": "c8f3582345e6a69da65ab588f7c4c2d1685b0e80",
"status": "affected",
"version": "0ac2586c410fe00d58dd09bf270a22f25d5287b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/qcom/camss/camss-video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: camss: Clean up received buffers on failed start of streaming\n\nIt is required to return the received buffers, if streaming can not be\nstarted. For instance media_pipeline_start() may fail with EPIPE, if\na link validation between entities is not passed, and in such a case\na user gets a kernel warning:\n\n WARNING: CPU: 1 PID: 520 at drivers/media/common/videobuf2/videobuf2-core.c:1592 vb2_start_streaming+0xec/0x160\n \u003csnip\u003e\n Call trace:\n vb2_start_streaming+0xec/0x160\n vb2_core_streamon+0x9c/0x1a0\n vb2_ioctl_streamon+0x68/0xbc\n v4l_streamon+0x30/0x3c\n __video_do_ioctl+0x184/0x3e0\n video_usercopy+0x37c/0x7b0\n video_ioctl2+0x24/0x40\n v4l2_ioctl+0x4c/0x70\n\nThe fix is to correct the error path in video_start_streaming() of camss."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:50.399Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75954cde8a5ca84003b24b6bf83197240935bd74"
},
{
"url": "https://git.kernel.org/stable/c/04c734c716a97f1493b1edac41316aaed1d2a9d9"
},
{
"url": "https://git.kernel.org/stable/c/fe443b3fe36cd23d4f5dc6d825d34322e7c89f0c"
},
{
"url": "https://git.kernel.org/stable/c/3d5cab726e3b370fea1b6e67183f0e13c409ce5c"
},
{
"url": "https://git.kernel.org/stable/c/d1c44928bb3ca0ec88e7ad5937a2a26a259aede6"
},
{
"url": "https://git.kernel.org/stable/c/f05326a440dc31b91b688b2f3f15b7347894a50b"
},
{
"url": "https://git.kernel.org/stable/c/24df4fa3e795fb4b15fd4d3c036596e0978d265a"
},
{
"url": "https://git.kernel.org/stable/c/c8f3582345e6a69da65ab588f7c4c2d1685b0e80"
}
],
"title": "media: camss: Clean up received buffers on failed start of streaming",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50757",
"datePublished": "2025-12-24T13:05:50.399Z",
"dateReserved": "2025-12-24T13:02:21.545Z",
"dateUpdated": "2025-12-24T13:05:50.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54263 (GCVE-0-2023-54263)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP
Fixes OOPS on boards with ANX9805 DP encoders.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/dispnv50/disp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92d48ce21645267c574268678131cd2b648dad0f",
"status": "affected",
"version": "a0922278f83eae085fdf73d06f71bbdfb9d6789e",
"versionType": "git"
},
{
"lessThan": "ea293f823a8805735d9e00124df81a8f448ed1ae",
"status": "affected",
"version": "a0922278f83eae085fdf73d06f71bbdfb9d6789e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/dispnv50/disp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP\n\nFixes OOPS on boards with ANX9805 DP encoders."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:09.248Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92d48ce21645267c574268678131cd2b648dad0f"
},
{
"url": "https://git.kernel.org/stable/c/ea293f823a8805735d9e00124df81a8f448ed1ae"
}
],
"title": "drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54263",
"datePublished": "2025-12-30T12:15:56.231Z",
"dateReserved": "2025-12-30T12:06:44.517Z",
"dateUpdated": "2026-01-05T11:37:09.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50658 (GCVE-0-2022-50658)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
cpufreq: qcom: fix memory leak in error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: qcom: fix memory leak in error path
If for some reason the speedbin length is incorrect, then there is a
memory leak in the error path because we never free the speedbin buffer.
This commit fixes the error path to always free the speedbin buffer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a8811ec764f95a04ba82f6f457e28c5e9e36e36b , < e55feb31df3fc78b880d6e9d4b5853f05c974833
(git)
Affected: a8811ec764f95a04ba82f6f457e28c5e9e36e36b , < b5606e3ab1f7cc00d89903f4a11fe57747bb3a68 (git) Affected: a8811ec764f95a04ba82f6f457e28c5e9e36e36b , < b6ea267e0c6bdf5463358e2a2e5280cfa6cacc48 (git) Affected: a8811ec764f95a04ba82f6f457e28c5e9e36e36b , < 9f42cf54403a42cb092636804d2628d8ecf71e75 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/qcom-cpufreq-nvmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e55feb31df3fc78b880d6e9d4b5853f05c974833",
"status": "affected",
"version": "a8811ec764f95a04ba82f6f457e28c5e9e36e36b",
"versionType": "git"
},
{
"lessThan": "b5606e3ab1f7cc00d89903f4a11fe57747bb3a68",
"status": "affected",
"version": "a8811ec764f95a04ba82f6f457e28c5e9e36e36b",
"versionType": "git"
},
{
"lessThan": "b6ea267e0c6bdf5463358e2a2e5280cfa6cacc48",
"status": "affected",
"version": "a8811ec764f95a04ba82f6f457e28c5e9e36e36b",
"versionType": "git"
},
{
"lessThan": "9f42cf54403a42cb092636804d2628d8ecf71e75",
"status": "affected",
"version": "a8811ec764f95a04ba82f6f457e28c5e9e36e36b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/qcom-cpufreq-nvmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: qcom: fix memory leak in error path\n\nIf for some reason the speedbin length is incorrect, then there is a\nmemory leak in the error path because we never free the speedbin buffer.\nThis commit fixes the error path to always free the speedbin buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:06.106Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e55feb31df3fc78b880d6e9d4b5853f05c974833"
},
{
"url": "https://git.kernel.org/stable/c/b5606e3ab1f7cc00d89903f4a11fe57747bb3a68"
},
{
"url": "https://git.kernel.org/stable/c/b6ea267e0c6bdf5463358e2a2e5280cfa6cacc48"
},
{
"url": "https://git.kernel.org/stable/c/9f42cf54403a42cb092636804d2628d8ecf71e75"
}
],
"title": "cpufreq: qcom: fix memory leak in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50658",
"datePublished": "2025-12-09T01:29:06.106Z",
"dateReserved": "2025-12-09T01:26:45.989Z",
"dateUpdated": "2025-12-09T01:29:06.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50666 (GCVE-0-2022-50666)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
RDMA/siw: Fix QP destroy to wait for all references dropped.
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/siw: Fix QP destroy to wait for all references dropped.
Delay QP destroy completion until all siw references to QP are
dropped. The calling RDMA core will free QP structure after
successful return from siw_qp_destroy() call, so siw must not
hold any remaining reference to the QP upon return.
A use-after-free was encountered in xfstest generic/460, while
testing NFSoRDMA. Here, after a TCP connection drop by peer,
the triggered siw_cm_work_handler got delayed until after
QP destroy call, referencing a QP which has already freed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 5c75d608fad58301b63e7d69200c13c3a1d411da
(git)
Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 74ad141e995a730760b1bcfa14854b7f1057d6bc (git) Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 0ed8bf9d0bb19f3f5eedd73f04aaf5bba9ac0737 (git) Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < a3c278807a459e6f50afee6971cabe74cccfb490 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/siw/siw.h",
"drivers/infiniband/sw/siw/siw_qp.c",
"drivers/infiniband/sw/siw/siw_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c75d608fad58301b63e7d69200c13c3a1d411da",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
},
{
"lessThan": "74ad141e995a730760b1bcfa14854b7f1057d6bc",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
},
{
"lessThan": "0ed8bf9d0bb19f3f5eedd73f04aaf5bba9ac0737",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
},
{
"lessThan": "a3c278807a459e6f50afee6971cabe74cccfb490",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/siw/siw.h",
"drivers/infiniband/sw/siw/siw_qp.c",
"drivers/infiniband/sw/siw/siw_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix QP destroy to wait for all references dropped.\n\nDelay QP destroy completion until all siw references to QP are\ndropped. The calling RDMA core will free QP structure after\nsuccessful return from siw_qp_destroy() call, so siw must not\nhold any remaining reference to the QP upon return.\nA use-after-free was encountered in xfstest generic/460, while\ntesting NFSoRDMA. Here, after a TCP connection drop by peer,\nthe triggered siw_cm_work_handler got delayed until after\nQP destroy call, referencing a QP which has already freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:16.813Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c75d608fad58301b63e7d69200c13c3a1d411da"
},
{
"url": "https://git.kernel.org/stable/c/74ad141e995a730760b1bcfa14854b7f1057d6bc"
},
{
"url": "https://git.kernel.org/stable/c/0ed8bf9d0bb19f3f5eedd73f04aaf5bba9ac0737"
},
{
"url": "https://git.kernel.org/stable/c/a3c278807a459e6f50afee6971cabe74cccfb490"
}
],
"title": "RDMA/siw: Fix QP destroy to wait for all references dropped.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50666",
"datePublished": "2025-12-09T01:29:16.813Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:16.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53801 (GCVE-0-2023-53801)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
iommu/sprd: Release dma buffer to avoid memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/sprd: Release dma buffer to avoid memory leak
When attaching to a domain, the driver would alloc a DMA buffer which
is used to store address mapping table, and it need to be released
when the IOMMU domain is freed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b23e4fc4e3faed0b8b604079c44a244da3ec941a , < 92c089a931fd3939cd32318cf4f54e69e8f51a19
(git)
Affected: b23e4fc4e3faed0b8b604079c44a244da3ec941a , < 8745f3592ee4a7b49ede16ddd3f12a41ecaa23c9 (git) Affected: b23e4fc4e3faed0b8b604079c44a244da3ec941a , < d0a917fd5e3b3ed9d9306b4260ba684b982da9f3 (git) Affected: b23e4fc4e3faed0b8b604079c44a244da3ec941a , < 9afea57384d4ae7b2034593eac7fa76c7122762a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/sprd-iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92c089a931fd3939cd32318cf4f54e69e8f51a19",
"status": "affected",
"version": "b23e4fc4e3faed0b8b604079c44a244da3ec941a",
"versionType": "git"
},
{
"lessThan": "8745f3592ee4a7b49ede16ddd3f12a41ecaa23c9",
"status": "affected",
"version": "b23e4fc4e3faed0b8b604079c44a244da3ec941a",
"versionType": "git"
},
{
"lessThan": "d0a917fd5e3b3ed9d9306b4260ba684b982da9f3",
"status": "affected",
"version": "b23e4fc4e3faed0b8b604079c44a244da3ec941a",
"versionType": "git"
},
{
"lessThan": "9afea57384d4ae7b2034593eac7fa76c7122762a",
"status": "affected",
"version": "b23e4fc4e3faed0b8b604079c44a244da3ec941a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/sprd-iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.81",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/sprd: Release dma buffer to avoid memory leak\n\nWhen attaching to a domain, the driver would alloc a DMA buffer which\nis used to store address mapping table, and it need to be released\nwhen the IOMMU domain is freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:22.858Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92c089a931fd3939cd32318cf4f54e69e8f51a19"
},
{
"url": "https://git.kernel.org/stable/c/8745f3592ee4a7b49ede16ddd3f12a41ecaa23c9"
},
{
"url": "https://git.kernel.org/stable/c/d0a917fd5e3b3ed9d9306b4260ba684b982da9f3"
},
{
"url": "https://git.kernel.org/stable/c/9afea57384d4ae7b2034593eac7fa76c7122762a"
}
],
"title": "iommu/sprd: Release dma buffer to avoid memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53801",
"datePublished": "2025-12-09T00:00:57.388Z",
"dateReserved": "2025-12-08T23:58:35.275Z",
"dateUpdated": "2025-12-20T08:51:22.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54018 (GCVE-0-2023-54018)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
Add check for the return value of alloc_ordered_workqueue as it may return
NULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and
`hdmi_hpd.c`.
Patchwork: https://patchwork.freedesktop.org/patch/517211/
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < b479485b24da1d572a0ce875537af31b02d2f915
(git)
Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < 392f7eb3946ab3780b931af723033e19f82c9134 (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < fc34608fa275fe6b3b17e171b63b8ca3aa1cbf09 (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < 1bab31a0969ca4ac90907a5d3b44af104229eafd (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < 9a01ecc312e764ec4527ad49105a3ca799f1860c (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < e55f93d674314f2fb69eba0dc24acfdf72805611 (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < ae5ca116a0c0ba9fc4123b1f1ec3c4f4d0d01b3f (git) Affected: c6a57a50ad562a2e6fc6ac3218b710caea73a58b , < afe4cb96153a0d8003e4e4ebd91b5c543e10df84 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/hdmi/hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b479485b24da1d572a0ce875537af31b02d2f915",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "392f7eb3946ab3780b931af723033e19f82c9134",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "fc34608fa275fe6b3b17e171b63b8ca3aa1cbf09",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "1bab31a0969ca4ac90907a5d3b44af104229eafd",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "9a01ecc312e764ec4527ad49105a3ca799f1860c",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "e55f93d674314f2fb69eba0dc24acfdf72805611",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "ae5ca116a0c0ba9fc4123b1f1ec3c4f4d0d01b3f",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
},
{
"lessThan": "afe4cb96153a0d8003e4e4ebd91b5c543e10df84",
"status": "affected",
"version": "c6a57a50ad562a2e6fc6ac3218b710caea73a58b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/hdmi/hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/hdmi: Add missing check for alloc_ordered_workqueue\n\nAdd check for the return value of alloc_ordered_workqueue as it may return\nNULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and\n`hdmi_hpd.c`.\n\nPatchwork: https://patchwork.freedesktop.org/patch/517211/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:49.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b479485b24da1d572a0ce875537af31b02d2f915"
},
{
"url": "https://git.kernel.org/stable/c/392f7eb3946ab3780b931af723033e19f82c9134"
},
{
"url": "https://git.kernel.org/stable/c/fc34608fa275fe6b3b17e171b63b8ca3aa1cbf09"
},
{
"url": "https://git.kernel.org/stable/c/1bab31a0969ca4ac90907a5d3b44af104229eafd"
},
{
"url": "https://git.kernel.org/stable/c/9a01ecc312e764ec4527ad49105a3ca799f1860c"
},
{
"url": "https://git.kernel.org/stable/c/e55f93d674314f2fb69eba0dc24acfdf72805611"
},
{
"url": "https://git.kernel.org/stable/c/ae5ca116a0c0ba9fc4123b1f1ec3c4f4d0d01b3f"
},
{
"url": "https://git.kernel.org/stable/c/afe4cb96153a0d8003e4e4ebd91b5c543e10df84"
}
],
"title": "drm/msm/hdmi: Add missing check for alloc_ordered_workqueue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54018",
"datePublished": "2025-12-24T10:55:49.081Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:49.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54282 (GCVE-0-2023-54282)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
media: tuners: qt1010: replace BUG_ON with a regular error
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: tuners: qt1010: replace BUG_ON with a regular error
BUG_ON is unnecessary here, and in addition it confuses smatch.
Replacing this with an error return help resolve this smatch
warning:
drivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4682b58e5af01ee856a706083eac71238fb69cd0 , < 6cae780862d221106626b2b5fb21a197f398c6ec
(git)
Affected: 4682b58e5af01ee856a706083eac71238fb69cd0 , < f844bc3a47d8d1c55a4a9cfca38c538e9df7e678 (git) Affected: 4682b58e5af01ee856a706083eac71238fb69cd0 , < 641e60223971e95472a2a9646b1e7f94d441de45 (git) Affected: 4682b58e5af01ee856a706083eac71238fb69cd0 , < 2ae53dd15eef90d34fc084b5b2305a67bb675a26 (git) Affected: 4682b58e5af01ee856a706083eac71238fb69cd0 , < 48bb6a9fa5cb150ac2a22b3c779c96bc0ed21071 (git) Affected: 4682b58e5af01ee856a706083eac71238fb69cd0 , < 257092cb544c7843376b3e161f789e666ef06c98 (git) Affected: 4682b58e5af01ee856a706083eac71238fb69cd0 , < 1a6bf53fffe0b7ebe2a0f402b44f14f90cffd164 (git) Affected: 4682b58e5af01ee856a706083eac71238fb69cd0 , < ee630b29ea44d1851bb6c903f400956604834463 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/tuners/qt1010.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cae780862d221106626b2b5fb21a197f398c6ec",
"status": "affected",
"version": "4682b58e5af01ee856a706083eac71238fb69cd0",
"versionType": "git"
},
{
"lessThan": "f844bc3a47d8d1c55a4a9cfca38c538e9df7e678",
"status": "affected",
"version": "4682b58e5af01ee856a706083eac71238fb69cd0",
"versionType": "git"
},
{
"lessThan": "641e60223971e95472a2a9646b1e7f94d441de45",
"status": "affected",
"version": "4682b58e5af01ee856a706083eac71238fb69cd0",
"versionType": "git"
},
{
"lessThan": "2ae53dd15eef90d34fc084b5b2305a67bb675a26",
"status": "affected",
"version": "4682b58e5af01ee856a706083eac71238fb69cd0",
"versionType": "git"
},
{
"lessThan": "48bb6a9fa5cb150ac2a22b3c779c96bc0ed21071",
"status": "affected",
"version": "4682b58e5af01ee856a706083eac71238fb69cd0",
"versionType": "git"
},
{
"lessThan": "257092cb544c7843376b3e161f789e666ef06c98",
"status": "affected",
"version": "4682b58e5af01ee856a706083eac71238fb69cd0",
"versionType": "git"
},
{
"lessThan": "1a6bf53fffe0b7ebe2a0f402b44f14f90cffd164",
"status": "affected",
"version": "4682b58e5af01ee856a706083eac71238fb69cd0",
"versionType": "git"
},
{
"lessThan": "ee630b29ea44d1851bb6c903f400956604834463",
"status": "affected",
"version": "4682b58e5af01ee856a706083eac71238fb69cd0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/tuners/qt1010.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tuners: qt1010: replace BUG_ON with a regular error\n\nBUG_ON is unnecessary here, and in addition it confuses smatch.\nReplacing this with an error return help resolve this smatch\nwarning:\n\ndrivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow \u0027i2c_data\u0027 34 \u003c= 34"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:15.163Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cae780862d221106626b2b5fb21a197f398c6ec"
},
{
"url": "https://git.kernel.org/stable/c/f844bc3a47d8d1c55a4a9cfca38c538e9df7e678"
},
{
"url": "https://git.kernel.org/stable/c/641e60223971e95472a2a9646b1e7f94d441de45"
},
{
"url": "https://git.kernel.org/stable/c/2ae53dd15eef90d34fc084b5b2305a67bb675a26"
},
{
"url": "https://git.kernel.org/stable/c/48bb6a9fa5cb150ac2a22b3c779c96bc0ed21071"
},
{
"url": "https://git.kernel.org/stable/c/257092cb544c7843376b3e161f789e666ef06c98"
},
{
"url": "https://git.kernel.org/stable/c/1a6bf53fffe0b7ebe2a0f402b44f14f90cffd164"
},
{
"url": "https://git.kernel.org/stable/c/ee630b29ea44d1851bb6c903f400956604834463"
}
],
"title": "media: tuners: qt1010: replace BUG_ON with a regular error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54282",
"datePublished": "2025-12-30T12:23:23.792Z",
"dateReserved": "2025-12-30T12:06:44.525Z",
"dateUpdated": "2026-01-05T11:37:15.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54260 (GCVE-0-2023-54260)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
cifs: Fix lost destroy smbd connection when MR allocate failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix lost destroy smbd connection when MR allocate failed
If the MR allocate failed, the smb direct connection info is NULL,
then smbd_destroy() will directly return, then the connection info
will be leaked.
Let's set the smb direct connection info to the server before call
smbd_destroy().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c7398583340a6d82b8bb7f7f21edcde27dc6a898 , < d303e25887127364a6765eaf7ac68aa2bac518a9
(git)
Affected: c7398583340a6d82b8bb7f7f21edcde27dc6a898 , < 324c0c34fff1affd436e509325cb46739209704e (git) Affected: c7398583340a6d82b8bb7f7f21edcde27dc6a898 , < caac205e0d5b44c4c23a10c6c0976d50ebe16ac2 (git) Affected: c7398583340a6d82b8bb7f7f21edcde27dc6a898 , < 46cd6c639cddba2bd2d810ceb16bb20374ad75b0 (git) Affected: c7398583340a6d82b8bb7f7f21edcde27dc6a898 , < c51ae01104b318bf15f3c5097faba5c72addba7a (git) Affected: c7398583340a6d82b8bb7f7f21edcde27dc6a898 , < 04b7e13b8a13264282f874db5378fc3d3253cfac (git) Affected: c7398583340a6d82b8bb7f7f21edcde27dc6a898 , < e9d3401d95d62a9531082cd2453ed42f2740e3fd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/smbdirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d303e25887127364a6765eaf7ac68aa2bac518a9",
"status": "affected",
"version": "c7398583340a6d82b8bb7f7f21edcde27dc6a898",
"versionType": "git"
},
{
"lessThan": "324c0c34fff1affd436e509325cb46739209704e",
"status": "affected",
"version": "c7398583340a6d82b8bb7f7f21edcde27dc6a898",
"versionType": "git"
},
{
"lessThan": "caac205e0d5b44c4c23a10c6c0976d50ebe16ac2",
"status": "affected",
"version": "c7398583340a6d82b8bb7f7f21edcde27dc6a898",
"versionType": "git"
},
{
"lessThan": "46cd6c639cddba2bd2d810ceb16bb20374ad75b0",
"status": "affected",
"version": "c7398583340a6d82b8bb7f7f21edcde27dc6a898",
"versionType": "git"
},
{
"lessThan": "c51ae01104b318bf15f3c5097faba5c72addba7a",
"status": "affected",
"version": "c7398583340a6d82b8bb7f7f21edcde27dc6a898",
"versionType": "git"
},
{
"lessThan": "04b7e13b8a13264282f874db5378fc3d3253cfac",
"status": "affected",
"version": "c7398583340a6d82b8bb7f7f21edcde27dc6a898",
"versionType": "git"
},
{
"lessThan": "e9d3401d95d62a9531082cd2453ed42f2740e3fd",
"status": "affected",
"version": "c7398583340a6d82b8bb7f7f21edcde27dc6a898",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/smbdirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix lost destroy smbd connection when MR allocate failed\n\nIf the MR allocate failed, the smb direct connection info is NULL,\nthen smbd_destroy() will directly return, then the connection info\nwill be leaked.\n\nLet\u0027s set the smb direct connection info to the server before call\nsmbd_destroy()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:54.205Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d303e25887127364a6765eaf7ac68aa2bac518a9"
},
{
"url": "https://git.kernel.org/stable/c/324c0c34fff1affd436e509325cb46739209704e"
},
{
"url": "https://git.kernel.org/stable/c/caac205e0d5b44c4c23a10c6c0976d50ebe16ac2"
},
{
"url": "https://git.kernel.org/stable/c/46cd6c639cddba2bd2d810ceb16bb20374ad75b0"
},
{
"url": "https://git.kernel.org/stable/c/c51ae01104b318bf15f3c5097faba5c72addba7a"
},
{
"url": "https://git.kernel.org/stable/c/04b7e13b8a13264282f874db5378fc3d3253cfac"
},
{
"url": "https://git.kernel.org/stable/c/e9d3401d95d62a9531082cd2453ed42f2740e3fd"
}
],
"title": "cifs: Fix lost destroy smbd connection when MR allocate failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54260",
"datePublished": "2025-12-30T12:15:54.205Z",
"dateReserved": "2025-12-30T12:06:44.516Z",
"dateUpdated": "2025-12-30T12:15:54.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50858 (GCVE-0-2022-50858)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
mmc: alcor: fix return value check of mmc_add_host()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: alcor: fix return value check of mmc_add_host()
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and calling mmc_free_host() in the
error path.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c5413ad815a675b5c98a002353d8e96b44b164e9 , < 289c964fe182ce755044a6cd57698072e12ffa6f
(git)
Affected: c5413ad815a675b5c98a002353d8e96b44b164e9 , < 4a6e5d0222804a3eaf2ea4cf893f412e7cf98cb2 (git) Affected: c5413ad815a675b5c98a002353d8e96b44b164e9 , < 29c5b4da41f35108136d843c7432885c78cf8272 (git) Affected: c5413ad815a675b5c98a002353d8e96b44b164e9 , < 48dc06333d75f41c2ce9ba954bc3231324b45914 (git) Affected: c5413ad815a675b5c98a002353d8e96b44b164e9 , < 60fafcf2fb7ee9a4125dc9a86eeb9d490acf23e2 (git) Affected: c5413ad815a675b5c98a002353d8e96b44b164e9 , < e93d1468f429475a753d6baa79b853b7ee5ef8c0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/alcor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "289c964fe182ce755044a6cd57698072e12ffa6f",
"status": "affected",
"version": "c5413ad815a675b5c98a002353d8e96b44b164e9",
"versionType": "git"
},
{
"lessThan": "4a6e5d0222804a3eaf2ea4cf893f412e7cf98cb2",
"status": "affected",
"version": "c5413ad815a675b5c98a002353d8e96b44b164e9",
"versionType": "git"
},
{
"lessThan": "29c5b4da41f35108136d843c7432885c78cf8272",
"status": "affected",
"version": "c5413ad815a675b5c98a002353d8e96b44b164e9",
"versionType": "git"
},
{
"lessThan": "48dc06333d75f41c2ce9ba954bc3231324b45914",
"status": "affected",
"version": "c5413ad815a675b5c98a002353d8e96b44b164e9",
"versionType": "git"
},
{
"lessThan": "60fafcf2fb7ee9a4125dc9a86eeb9d490acf23e2",
"status": "affected",
"version": "c5413ad815a675b5c98a002353d8e96b44b164e9",
"versionType": "git"
},
{
"lessThan": "e93d1468f429475a753d6baa79b853b7ee5ef8c0",
"status": "affected",
"version": "c5413ad815a675b5c98a002353d8e96b44b164e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/alcor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: alcor: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and calling mmc_free_host() in the\nerror path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:32.534Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/289c964fe182ce755044a6cd57698072e12ffa6f"
},
{
"url": "https://git.kernel.org/stable/c/4a6e5d0222804a3eaf2ea4cf893f412e7cf98cb2"
},
{
"url": "https://git.kernel.org/stable/c/29c5b4da41f35108136d843c7432885c78cf8272"
},
{
"url": "https://git.kernel.org/stable/c/48dc06333d75f41c2ce9ba954bc3231324b45914"
},
{
"url": "https://git.kernel.org/stable/c/60fafcf2fb7ee9a4125dc9a86eeb9d490acf23e2"
},
{
"url": "https://git.kernel.org/stable/c/e93d1468f429475a753d6baa79b853b7ee5ef8c0"
}
],
"title": "mmc: alcor: fix return value check of mmc_add_host()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50858",
"datePublished": "2025-12-30T12:15:32.534Z",
"dateReserved": "2025-12-30T12:06:07.135Z",
"dateUpdated": "2025-12-30T12:15:32.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54227 (GCVE-0-2023-54227)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2026-01-05 11:36
VLAI?
EPSS
Title
blk-mq: fix tags leak when shrink nr_hw_queues
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-mq: fix tags leak when shrink nr_hw_queues
Although we don't need to realloc set->tags[] when shrink nr_hw_queues,
we need to free them. Or these tags will be leaked.
How to reproduce:
1. mount -t configfs configfs /mnt
2. modprobe null_blk nr_devices=0 submit_queues=8
3. mkdir /mnt/nullb/nullb0
4. echo 1 > /mnt/nullb/nullb0/power
5. echo 4 > /mnt/nullb/nullb0/submit_queues
6. rmdir /mnt/nullb/nullb0
In step 4, will alloc 9 tags (8 submit queues and 1 poll queue), then
in step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue).
At last in step 6, only these 5 tags are freed, the other 4 tags leaked.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0ef7493e68b8896806a2f598fcffbaa97333405",
"status": "affected",
"version": "a846a8e6c9a5949582c5a6a8bbc83a7d27fd891e",
"versionType": "git"
},
{
"lessThan": "e1dd7bc93029024af5688253b0c05181d6e01f8e",
"status": "affected",
"version": "a846a8e6c9a5949582c5a6a8bbc83a7d27fd891e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-mq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix tags leak when shrink nr_hw_queues\n\nAlthough we don\u0027t need to realloc set-\u003etags[] when shrink nr_hw_queues,\nwe need to free them. Or these tags will be leaked.\n\nHow to reproduce:\n1. mount -t configfs configfs /mnt\n2. modprobe null_blk nr_devices=0 submit_queues=8\n3. mkdir /mnt/nullb/nullb0\n4. echo 1 \u003e /mnt/nullb/nullb0/power\n5. echo 4 \u003e /mnt/nullb/nullb0/submit_queues\n6. rmdir /mnt/nullb/nullb0\n\nIn step 4, will alloc 9 tags (8 submit queues and 1 poll queue), then\nin step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue).\nAt last in step 6, only these 5 tags are freed, the other 4 tags leaked."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:36:53.997Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0ef7493e68b8896806a2f598fcffbaa97333405"
},
{
"url": "https://git.kernel.org/stable/c/e1dd7bc93029024af5688253b0c05181d6e01f8e"
}
],
"title": "blk-mq: fix tags leak when shrink nr_hw_queues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54227",
"datePublished": "2025-12-30T12:11:20.207Z",
"dateReserved": "2025-12-30T12:06:44.502Z",
"dateUpdated": "2026-01-05T11:36:53.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50745 (GCVE-0-2022-50745)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
staging: media: tegra-video: fix device_node use after free
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: media: tegra-video: fix device_node use after free
At probe time this code path is followed:
* tegra_csi_init
* tegra_csi_channels_alloc
* for_each_child_of_node(node, channel) -- iterates over channels
* automatically gets 'channel'
* tegra_csi_channel_alloc()
* saves into chan->of_node a pointer to the channel OF node
* automatically gets and puts 'channel'
* now the node saved in chan->of_node has refcount 0, can disappear
* tegra_csi_channels_init
* iterates over channels
* tegra_csi_channel_init -- uses chan->of_node
After that, chan->of_node keeps storing the node until the device is
removed.
of_node_get() the node and of_node_put() it during teardown to avoid any
risk.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1ebaeb09830f36c1111b72a95420814225bd761c , < 5451efb2ca30f3c42b9efb8327ce35b62870dbd3
(git)
Affected: 1ebaeb09830f36c1111b72a95420814225bd761c , < ce50c612458091d926ccb05d7db11d9f93532db2 (git) Affected: 1ebaeb09830f36c1111b72a95420814225bd761c , < 6512c9498fcb97e7c760e3ef86b2272f2c0f765f (git) Affected: 1ebaeb09830f36c1111b72a95420814225bd761c , < 0fd003d3c708c80350a815eaf37b8e1114b976cf (git) Affected: 1ebaeb09830f36c1111b72a95420814225bd761c , < c4d344163c3a7f90712525f931a6c016bbb35e18 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/tegra-video/csi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5451efb2ca30f3c42b9efb8327ce35b62870dbd3",
"status": "affected",
"version": "1ebaeb09830f36c1111b72a95420814225bd761c",
"versionType": "git"
},
{
"lessThan": "ce50c612458091d926ccb05d7db11d9f93532db2",
"status": "affected",
"version": "1ebaeb09830f36c1111b72a95420814225bd761c",
"versionType": "git"
},
{
"lessThan": "6512c9498fcb97e7c760e3ef86b2272f2c0f765f",
"status": "affected",
"version": "1ebaeb09830f36c1111b72a95420814225bd761c",
"versionType": "git"
},
{
"lessThan": "0fd003d3c708c80350a815eaf37b8e1114b976cf",
"status": "affected",
"version": "1ebaeb09830f36c1111b72a95420814225bd761c",
"versionType": "git"
},
{
"lessThan": "c4d344163c3a7f90712525f931a6c016bbb35e18",
"status": "affected",
"version": "1ebaeb09830f36c1111b72a95420814225bd761c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/tegra-video/csi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: media: tegra-video: fix device_node use after free\n\nAt probe time this code path is followed:\n\n * tegra_csi_init\n * tegra_csi_channels_alloc\n * for_each_child_of_node(node, channel) -- iterates over channels\n * automatically gets \u0027channel\u0027\n * tegra_csi_channel_alloc()\n * saves into chan-\u003eof_node a pointer to the channel OF node\n * automatically gets and puts \u0027channel\u0027\n * now the node saved in chan-\u003eof_node has refcount 0, can disappear\n * tegra_csi_channels_init\n * iterates over channels\n * tegra_csi_channel_init -- uses chan-\u003eof_node\n\nAfter that, chan-\u003eof_node keeps storing the node until the device is\nremoved.\n\nof_node_get() the node and of_node_put() it during teardown to avoid any\nrisk."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:41.858Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5451efb2ca30f3c42b9efb8327ce35b62870dbd3"
},
{
"url": "https://git.kernel.org/stable/c/ce50c612458091d926ccb05d7db11d9f93532db2"
},
{
"url": "https://git.kernel.org/stable/c/6512c9498fcb97e7c760e3ef86b2272f2c0f765f"
},
{
"url": "https://git.kernel.org/stable/c/0fd003d3c708c80350a815eaf37b8e1114b976cf"
},
{
"url": "https://git.kernel.org/stable/c/c4d344163c3a7f90712525f931a6c016bbb35e18"
}
],
"title": "staging: media: tegra-video: fix device_node use after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50745",
"datePublished": "2025-12-24T13:05:41.858Z",
"dateReserved": "2025-12-24T13:02:21.543Z",
"dateUpdated": "2025-12-24T13:05:41.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53865 (GCVE-0-2023-53865)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
btrfs: fix warning when putting transaction with qgroups enabled after abort
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix warning when putting transaction with qgroups enabled after abort
If we have a transaction abort with qgroups enabled we get a warning
triggered when doing the final put on the transaction, like this:
[552.6789] ------------[ cut here ]------------
[552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6817] Modules linked in: btrfs blake2b_generic xor (...)
[552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
[552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6821] Code: bd a0 01 00 (...)
[552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286
[552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000
[552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010
[552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20
[552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70
[552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028
[552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000
[552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0
[552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[552.6822] Call Trace:
[552.6822] <TASK>
[552.6822] ? __warn+0x80/0x130
[552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6824] ? report_bug+0x1f4/0x200
[552.6824] ? handle_bug+0x42/0x70
[552.6824] ? exc_invalid_op+0x14/0x70
[552.6824] ? asm_exc_invalid_op+0x16/0x20
[552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs]
[552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs]
[552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40
[552.6828] ? try_to_wake_up+0x94/0x5e0
[552.6828] ? __pfx_process_timeout+0x10/0x10
[552.6828] transaction_kthread+0x103/0x1d0 [btrfs]
[552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs]
[552.6832] kthread+0xee/0x120
[552.6832] ? __pfx_kthread+0x10/0x10
[552.6832] ret_from_fork+0x29/0x50
[552.6832] </TASK>
[552.6832] ---[ end trace 0000000000000000 ]---
This corresponds to this line of code:
void btrfs_put_transaction(struct btrfs_transaction *transaction)
{
(...)
WARN_ON(!RB_EMPTY_ROOT(
&transaction->delayed_refs.dirty_extent_root));
(...)
}
The warning happens because btrfs_qgroup_destroy_extent_records(), called
in the transaction abort path, we free all entries from the rbtree
"dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we
don't actually empty the rbtree - it's still pointing to nodes that were
freed.
So set the rbtree's root node to NULL to avoid this warning (assign
RB_ROOT).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
40ea30638d20c92b44107247415842b72c460459 , < ae91ab710d8e309f6c9eba07ce0d9d0b5d9040f0
(git)
Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < d2c667cc18314c9bad3ec86ae071c0342132aa09 (git) Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < c9060caab4135dd660c4676d1ea33a6e0d3fc09d (git) Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < 89e994688e965813ec0a09fb30b87fb8cee06474 (git) Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < 62dd82bc7a90b5052c062a0ad5be6d8a479a3cfb (git) Affected: 81f7eb00ff5bb8326e82503a32809421d14abb8a , < aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 (git) Affected: 4e2e49d4211db43e0ec932579dab6a969e7e8df1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae91ab710d8e309f6c9eba07ce0d9d0b5d9040f0",
"status": "affected",
"version": "40ea30638d20c92b44107247415842b72c460459",
"versionType": "git"
},
{
"lessThan": "d2c667cc18314c9bad3ec86ae071c0342132aa09",
"status": "affected",
"version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
"versionType": "git"
},
{
"lessThan": "c9060caab4135dd660c4676d1ea33a6e0d3fc09d",
"status": "affected",
"version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
"versionType": "git"
},
{
"lessThan": "89e994688e965813ec0a09fb30b87fb8cee06474",
"status": "affected",
"version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
"versionType": "git"
},
{
"lessThan": "62dd82bc7a90b5052c062a0ad5be6d8a479a3cfb",
"status": "affected",
"version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
"versionType": "git"
},
{
"lessThan": "aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6",
"status": "affected",
"version": "81f7eb00ff5bb8326e82503a32809421d14abb8a",
"versionType": "git"
},
{
"status": "affected",
"version": "4e2e49d4211db43e0ec932579dab6a969e7e8df1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.4.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix warning when putting transaction with qgroups enabled after abort\n\nIf we have a transaction abort with qgroups enabled we get a warning\ntriggered when doing the final put on the transaction, like this:\n\n [552.6789] ------------[ cut here ]------------\n [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs]\n [552.6817] Modules linked in: btrfs blake2b_generic xor (...)\n [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1\n [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs]\n [552.6821] Code: bd a0 01 00 (...)\n [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286\n [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000\n [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010\n [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20\n [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70\n [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028\n [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000\n [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0\n [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [552.6822] Call Trace:\n [552.6822] \u003cTASK\u003e\n [552.6822] ? __warn+0x80/0x130\n [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs]\n [552.6824] ? report_bug+0x1f4/0x200\n [552.6824] ? handle_bug+0x42/0x70\n [552.6824] ? exc_invalid_op+0x14/0x70\n [552.6824] ? asm_exc_invalid_op+0x16/0x20\n [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs]\n [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs]\n [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40\n [552.6828] ? try_to_wake_up+0x94/0x5e0\n [552.6828] ? __pfx_process_timeout+0x10/0x10\n [552.6828] transaction_kthread+0x103/0x1d0 [btrfs]\n [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs]\n [552.6832] kthread+0xee/0x120\n [552.6832] ? __pfx_kthread+0x10/0x10\n [552.6832] ret_from_fork+0x29/0x50\n [552.6832] \u003c/TASK\u003e\n [552.6832] ---[ end trace 0000000000000000 ]---\n\nThis corresponds to this line of code:\n\n void btrfs_put_transaction(struct btrfs_transaction *transaction)\n {\n (...)\n WARN_ON(!RB_EMPTY_ROOT(\n \u0026transaction-\u003edelayed_refs.dirty_extent_root));\n (...)\n }\n\nThe warning happens because btrfs_qgroup_destroy_extent_records(), called\nin the transaction abort path, we free all entries from the rbtree\n\"dirty_extent_root\" with rbtree_postorder_for_each_entry_safe(), but we\ndon\u0027t actually empty the rbtree - it\u0027s still pointing to nodes that were\nfreed.\n\nSo set the rbtree\u0027s root node to NULL to avoid this warning (assign\nRB_ROOT)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:34.588Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae91ab710d8e309f6c9eba07ce0d9d0b5d9040f0"
},
{
"url": "https://git.kernel.org/stable/c/d2c667cc18314c9bad3ec86ae071c0342132aa09"
},
{
"url": "https://git.kernel.org/stable/c/c9060caab4135dd660c4676d1ea33a6e0d3fc09d"
},
{
"url": "https://git.kernel.org/stable/c/89e994688e965813ec0a09fb30b87fb8cee06474"
},
{
"url": "https://git.kernel.org/stable/c/62dd82bc7a90b5052c062a0ad5be6d8a479a3cfb"
},
{
"url": "https://git.kernel.org/stable/c/aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6"
}
],
"title": "btrfs: fix warning when putting transaction with qgroups enabled after abort",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53865",
"datePublished": "2025-12-09T01:30:34.588Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2025-12-09T01:30:34.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54127 (GCVE-0-2023-54127)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
Syzkaller reported the following issue:
==================================================================
BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]
BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800
Free of addr ffff888086408000 by task syz-executor.4/12750
[...]
Call Trace:
<TASK>
[...]
kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482
____kasan_slab_free+0xfb/0x120
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0x71/0x110 mm/slub.c:3800
dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87
jfs_put_super+0x86/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x310 fs/super.c:492
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
</TASK>
Allocated by task 13352:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:371 [inline]
__kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
kmalloc include/linux/slab.h:580 [inline]
dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164
jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121
jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556
mount_bdev+0x26c/0x3a0 fs/super.c:1359
legacy_get_tree+0xea/0x180 fs/fs_context.c:610
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 13352:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0x71/0x110 mm/slub.c:3800
dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247
jfs_remount+0x3db/0x710 fs/jfs/super.c:454
reconfigure_super+0x3bc/0x7b0 fs/super.c:935
vfs_fsconfig_locked fs/fsopen.c:254 [inline]
__do_sys_fsconfig fs/fsopen.c:439 [inline]
__se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in
dbUnmount().
Syzkaller uses faultinject to reproduce this KASAN double-free
warning. The issue is triggered if either diMount() or dbMount() fail
in jfs_remount(), since diUnmount() or dbUnmount() already happened in
such a case - they will do double-free on next execution: jfs_umount
or jfs_remount.
Tested on both upstream and jfs-next by syzkaller.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 798c5f6f98bc9045593d4b3a65c32f05d97bd0e6
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aef6507e85475e30831c30405d785c7ed976ea4a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b12ccbfdf6539ef0157868f69fcae0b7f7a072b3 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6f8b34458948ffca2fe90cd8c614e3fa2ebe0b27 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aa5b019a3e0f7f54f4e5370c1af827f6b00fd26b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2f7a36448f51d08d3a83f1514abcca4b680bcd3c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f71c4bb3ec08dfcbd201350a6a0a914c4e6a9e3f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cade5397e5461295f3cb87880534b6a07cafa427 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "798c5f6f98bc9045593d4b3a65c32f05d97bd0e6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aef6507e85475e30831c30405d785c7ed976ea4a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b12ccbfdf6539ef0157868f69fcae0b7f7a072b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6f8b34458948ffca2fe90cd8c614e3fa2ebe0b27",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aa5b019a3e0f7f54f4e5370c1af827f6b00fd26b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2f7a36448f51d08d3a83f1514abcca4b680bcd3c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f71c4bb3ec08dfcbd201350a6a0a914c4e6a9e3f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cade5397e5461295f3cb87880534b6a07cafa427",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_dmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()\n\nSyzkaller reported the following issue:\n==================================================================\nBUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]\nBUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800\nFree of addr ffff888086408000 by task syz-executor.4/12750\n[...]\nCall Trace:\n \u003cTASK\u003e\n[...]\n kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482\n ____kasan_slab_free+0xfb/0x120\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1781 [inline]\n slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807\n slab_free mm/slub.c:3787 [inline]\n __kmem_cache_free+0x71/0x110 mm/slub.c:3800\n dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264\n jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87\n jfs_put_super+0x86/0x190 fs/jfs/super.c:194\n generic_shutdown_super+0x130/0x310 fs/super.c:492\n kill_block_super+0x79/0xd0 fs/super.c:1386\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n cleanup_mnt+0x494/0x520 fs/namespace.c:1291\n task_work_run+0x243/0x300 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171\n exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296\n do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n \u003c/TASK\u003e\n\nAllocated by task 13352:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n ____kasan_kmalloc mm/kasan/common.c:371 [inline]\n __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380\n kmalloc include/linux/slab.h:580 [inline]\n dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164\n jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121\n jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556\n mount_bdev+0x26c/0x3a0 fs/super.c:1359\n legacy_get_tree+0xea/0x180 fs/fs_context.c:610\n vfs_get_tree+0x88/0x270 fs/super.c:1489\n do_new_mount+0x289/0xad0 fs/namespace.c:3145\n do_mount fs/namespace.c:3488 [inline]\n __do_sys_mount fs/namespace.c:3697 [inline]\n __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFreed by task 13352:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518\n ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1781 [inline]\n slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807\n slab_free mm/slub.c:3787 [inline]\n __kmem_cache_free+0x71/0x110 mm/slub.c:3800\n dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264\n jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247\n jfs_remount+0x3db/0x710 fs/jfs/super.c:454\n reconfigure_super+0x3bc/0x7b0 fs/super.c:935\n vfs_fsconfig_locked fs/fsopen.c:254 [inline]\n __do_sys_fsconfig fs/fsopen.c:439 [inline]\n __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n\nJFS_SBI(ipbmap-\u003ei_sb)-\u003ebmap wasn\u0027t set to NULL after kfree() in\ndbUnmount().\n\nSyzkaller uses faultinject to reproduce this KASAN double-free\nwarning. The issue is triggered if either diMount() or dbMount() fail\nin jfs_remount(), since diUnmount() or dbUnmount() already happened in\nsuch a case - they will do double-free on next execution: jfs_umount\nor jfs_remount.\n\nTested on both upstream and jfs-next by syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:57.714Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/798c5f6f98bc9045593d4b3a65c32f05d97bd0e6"
},
{
"url": "https://git.kernel.org/stable/c/aef6507e85475e30831c30405d785c7ed976ea4a"
},
{
"url": "https://git.kernel.org/stable/c/b12ccbfdf6539ef0157868f69fcae0b7f7a072b3"
},
{
"url": "https://git.kernel.org/stable/c/6f8b34458948ffca2fe90cd8c614e3fa2ebe0b27"
},
{
"url": "https://git.kernel.org/stable/c/aa5b019a3e0f7f54f4e5370c1af827f6b00fd26b"
},
{
"url": "https://git.kernel.org/stable/c/2f7a36448f51d08d3a83f1514abcca4b680bcd3c"
},
{
"url": "https://git.kernel.org/stable/c/f71c4bb3ec08dfcbd201350a6a0a914c4e6a9e3f"
},
{
"url": "https://git.kernel.org/stable/c/cade5397e5461295f3cb87880534b6a07cafa427"
}
],
"title": "fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54127",
"datePublished": "2025-12-24T13:06:45.380Z",
"dateReserved": "2025-12-24T13:02:52.521Z",
"dateUpdated": "2026-01-05T10:33:57.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54240 (GCVE-0-2023-54240)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
rule_locs is allocated in ethtool_get_rxnfc and the size is determined by
rule_cnt from user space. So rule_cnt needs to be check before using
rule_locs to avoid NULL pointer dereference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd , < 7776591e5ae2befff86579f68916a171971c6aab
(git)
Affected: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd , < 751b2e22a188b0c306029d094da29b6b8de31430 (git) Affected: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd , < 653fbddbdfc6673bba01b13dae5a4384ad8f92ec (git) Affected: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd , < 75f2de75c1182e80708c932418e4895dbc88b68f (git) Affected: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd , < 072324cfab9b96071c0782f51f53cc5aea1e9d5b (git) Affected: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd , < ff5faed5f5487b0fd2b640ba1304f82a5ebaab42 (git) Affected: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd , < fe0195fe48f85182bc7e7eabcad925bd3cbc10f5 (git) Affected: 7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd , < e4c79810755f66c9a933ca810da2724133b1165a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mediatek/mtk_eth_soc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7776591e5ae2befff86579f68916a171971c6aab",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "751b2e22a188b0c306029d094da29b6b8de31430",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "653fbddbdfc6673bba01b13dae5a4384ad8f92ec",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "75f2de75c1182e80708c932418e4895dbc88b68f",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "072324cfab9b96071c0782f51f53cc5aea1e9d5b",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "ff5faed5f5487b0fd2b640ba1304f82a5ebaab42",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "fe0195fe48f85182bc7e7eabcad925bd3cbc10f5",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
},
{
"lessThan": "e4c79810755f66c9a933ca810da2724133b1165a",
"status": "affected",
"version": "7aab747e5563ecbc9f3cb64ddea13fe7b9fee2bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mediatek/mtk_eth_soc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()\n\nrule_locs is allocated in ethtool_get_rxnfc and the size is determined by\nrule_cnt from user space. So rule_cnt needs to be check before using\nrule_locs to avoid NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:29.039Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7776591e5ae2befff86579f68916a171971c6aab"
},
{
"url": "https://git.kernel.org/stable/c/751b2e22a188b0c306029d094da29b6b8de31430"
},
{
"url": "https://git.kernel.org/stable/c/653fbddbdfc6673bba01b13dae5a4384ad8f92ec"
},
{
"url": "https://git.kernel.org/stable/c/75f2de75c1182e80708c932418e4895dbc88b68f"
},
{
"url": "https://git.kernel.org/stable/c/072324cfab9b96071c0782f51f53cc5aea1e9d5b"
},
{
"url": "https://git.kernel.org/stable/c/ff5faed5f5487b0fd2b640ba1304f82a5ebaab42"
},
{
"url": "https://git.kernel.org/stable/c/fe0195fe48f85182bc7e7eabcad925bd3cbc10f5"
},
{
"url": "https://git.kernel.org/stable/c/e4c79810755f66c9a933ca810da2724133b1165a"
}
],
"title": "net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54240",
"datePublished": "2025-12-30T12:11:29.039Z",
"dateReserved": "2025-12-30T12:06:44.509Z",
"dateUpdated": "2025-12-30T12:11:29.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53752 (GCVE-0-2023-53752)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
net: deal with integer overflows in kmalloc_reserve()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: deal with integer overflows in kmalloc_reserve()
Blamed commit changed:
ptr = kmalloc(size);
if (ptr)
size = ksize(ptr);
size = kmalloc_size_roundup(size);
ptr = kmalloc(size);
This allowed various crash as reported by syzbot [1]
and Kyle Zeng.
Problem is that if @size is bigger than 0x80000001,
kmalloc_size_roundup(size) returns 2^32.
kmalloc_reserve() uses a 32bit variable (obj_size),
so 2^32 is truncated to 0.
kmalloc(0) returns ZERO_SIZE_PTR which is not handled by
skb allocations.
Following trace can be triggered if a netdev->mtu is set
close to 0x7fffffff
We might in the future limit netdev->mtu to more sensible
limit (like KMALLOC_MAX_SIZE).
This patch is based on a syzbot report, and also a report
and tentative fix from Kyle Zeng.
[1]
BUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline]
BUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527
Write of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554
CPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106
print_report+0xe4/0x4b4 mm/kasan/report.c:398
kasan_report+0x150/0x1ac mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memset+0x40/0x70 mm/kasan/shadow.c:44
__build_skb_around net/core/skbuff.c:294 [inline]
__alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527
alloc_skb include/linux/skbuff.h:1316 [inline]
igmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359
add_grec+0x81c/0x1124 net/ipv4/igmp.c:534
igmpv3_send_cr net/ipv4/igmp.c:667 [inline]
igmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810
call_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers+0x54c/0x710 kernel/time/timer.c:1790
run_timer_softirq+0x28/0x4c kernel/time/timer.c:1803
_stext+0x380/0xfbc
____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891
do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84
invoke_softirq kernel/softirq.c:437 [inline]
__irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683
irq_exit_rcu+0x14/0x78 kernel/softirq.c:695
el0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717
__el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724
el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729
el0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0dbc898f5917c5a3bec6be19d9f5469cbc351a7d , < 31cf7853a940181593e4472fc56f46574123f9f6
(git)
Affected: 12d6c1d3a2ad0c199ec57c201cdc71e8e157a232 , < e4ffc47a1c3e5d11a853aa178c9a5136e79412e9 (git) Affected: 12d6c1d3a2ad0c199ec57c201cdc71e8e157a232 , < bf7da02d2b8faf324206e1cbe64a4813ff903cc1 (git) Affected: 12d6c1d3a2ad0c199ec57c201cdc71e8e157a232 , < 915d975b2ffa58a14bfcf16fafe00c41315949ff (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31cf7853a940181593e4472fc56f46574123f9f6",
"status": "affected",
"version": "0dbc898f5917c5a3bec6be19d9f5469cbc351a7d",
"versionType": "git"
},
{
"lessThan": "e4ffc47a1c3e5d11a853aa178c9a5136e79412e9",
"status": "affected",
"version": "12d6c1d3a2ad0c199ec57c201cdc71e8e157a232",
"versionType": "git"
},
{
"lessThan": "bf7da02d2b8faf324206e1cbe64a4813ff903cc1",
"status": "affected",
"version": "12d6c1d3a2ad0c199ec57c201cdc71e8e157a232",
"versionType": "git"
},
{
"lessThan": "915d975b2ffa58a14bfcf16fafe00c41315949ff",
"status": "affected",
"version": "12d6c1d3a2ad0c199ec57c201cdc71e8e157a232",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "6.1.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: deal with integer overflows in kmalloc_reserve()\n\nBlamed commit changed:\n ptr = kmalloc(size);\n if (ptr)\n size = ksize(ptr);\n\n size = kmalloc_size_roundup(size);\n ptr = kmalloc(size);\n\nThis allowed various crash as reported by syzbot [1]\nand Kyle Zeng.\n\nProblem is that if @size is bigger than 0x80000001,\nkmalloc_size_roundup(size) returns 2^32.\n\nkmalloc_reserve() uses a 32bit variable (obj_size),\nso 2^32 is truncated to 0.\n\nkmalloc(0) returns ZERO_SIZE_PTR which is not handled by\nskb allocations.\n\nFollowing trace can be triggered if a netdev-\u003emtu is set\nclose to 0x7fffffff\n\nWe might in the future limit netdev-\u003emtu to more sensible\nlimit (like KMALLOC_MAX_SIZE).\n\nThis patch is based on a syzbot report, and also a report\nand tentative fix from Kyle Zeng.\n\n[1]\nBUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline]\nBUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527\nWrite of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554\n\nCPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023\nCall trace:\ndump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279\nshow_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106\nprint_report+0xe4/0x4b4 mm/kasan/report.c:398\nkasan_report+0x150/0x1ac mm/kasan/report.c:495\nkasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\nmemset+0x40/0x70 mm/kasan/shadow.c:44\n__build_skb_around net/core/skbuff.c:294 [inline]\n__alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527\nalloc_skb include/linux/skbuff.h:1316 [inline]\nigmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359\nadd_grec+0x81c/0x1124 net/ipv4/igmp.c:534\nigmpv3_send_cr net/ipv4/igmp.c:667 [inline]\nigmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810\ncall_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474\nexpire_timers kernel/time/timer.c:1519 [inline]\n__run_timers+0x54c/0x710 kernel/time/timer.c:1790\nrun_timer_softirq+0x28/0x4c kernel/time/timer.c:1803\n_stext+0x380/0xfbc\n____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79\ncall_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891\ndo_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84\ninvoke_softirq kernel/softirq.c:437 [inline]\n__irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683\nirq_exit_rcu+0x14/0x78 kernel/softirq.c:695\nel0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717\n__el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724\nel0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729\nel0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:12.407Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31cf7853a940181593e4472fc56f46574123f9f6"
},
{
"url": "https://git.kernel.org/stable/c/e4ffc47a1c3e5d11a853aa178c9a5136e79412e9"
},
{
"url": "https://git.kernel.org/stable/c/bf7da02d2b8faf324206e1cbe64a4813ff903cc1"
},
{
"url": "https://git.kernel.org/stable/c/915d975b2ffa58a14bfcf16fafe00c41315949ff"
}
],
"title": "net: deal with integer overflows in kmalloc_reserve()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53752",
"datePublished": "2025-12-08T01:19:12.407Z",
"dateReserved": "2025-12-08T01:18:04.279Z",
"dateUpdated": "2025-12-08T01:19:12.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50723 (GCVE-0-2022-50723)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
bnxt_en: fix memory leak in bnxt_nvm_test()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: fix memory leak in bnxt_nvm_test()
Free the kzalloc'ed buffer before returning in the success path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "be083d97031712a2e16fd915ddb8fe1a6cb1fbc5",
"status": "affected",
"version": "5b6ff128fdf60b08c67b9b50addadc8fb8da4410",
"versionType": "git"
},
{
"lessThan": "ba077d683d45190afc993c1ce45bcdbfda741a40",
"status": "affected",
"version": "5b6ff128fdf60b08c67b9b50addadc8fb8da4410",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: fix memory leak in bnxt_nvm_test()\n\nFree the kzalloc\u0027ed buffer before returning in the success path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:45.480Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/be083d97031712a2e16fd915ddb8fe1a6cb1fbc5"
},
{
"url": "https://git.kernel.org/stable/c/ba077d683d45190afc993c1ce45bcdbfda741a40"
}
],
"title": "bnxt_en: fix memory leak in bnxt_nvm_test()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50723",
"datePublished": "2025-12-24T12:22:45.480Z",
"dateReserved": "2025-12-24T12:20:40.330Z",
"dateUpdated": "2025-12-24T12:22:45.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54108 (GCVE-0-2023-54108)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests
The following message and call trace was seen with debug kernels:
DMA-API: qla2xxx 0000:41:00.0: device driver failed to check map
error [device address=0x00000002a3ff38d8] [size=1024 bytes] [mapped as
single]
WARNING: CPU: 0 PID: 2930 at kernel/dma/debug.c:1017
check_unmap+0xf42/0x1990
Call Trace:
debug_dma_unmap_page+0xc9/0x100
qla_nvme_ls_unmap+0x141/0x210 [qla2xxx]
Remove DMA mapping from the driver altogether, as it is already done by FC
layer. This prevents the warning.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2d087c7e55db420107c3ea97b228e067a7b488a1 , < 3a564de3a299856f2cbd289649cea2e20d671a43
(git)
Affected: 0910a791a6d7fd331f231f48200e18babb519769 , < e596253113b69b4018818260bd5da40c201bee73 (git) Affected: c9d6081a5f18286ad62afc1e9e06a90cfd626902 , < 77302fb0e357da666d5249a6e91078feeef3dade (git) Affected: c85ab7d9e27a80e48d5b7d7fb2fe2b0fdb2de523 , < 3ee4f1991c54c6707aa9df47e51c02ea25bb63e3 (git) Affected: c85ab7d9e27a80e48d5b7d7fb2fe2b0fdb2de523 , < ad6af23593594402c826eefdf43ae174e5f0f202 (git) Affected: c85ab7d9e27a80e48d5b7d7fb2fe2b0fdb2de523 , < c75e6aef5039830cce5d4cf764dd204522f89e6b (git) Affected: 9765319079131d6a6019caec661825808c6405f1 (git) Affected: c05f4f6485726faae08073f947368ee10439d3f0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3a564de3a299856f2cbd289649cea2e20d671a43",
"status": "affected",
"version": "2d087c7e55db420107c3ea97b228e067a7b488a1",
"versionType": "git"
},
{
"lessThan": "e596253113b69b4018818260bd5da40c201bee73",
"status": "affected",
"version": "0910a791a6d7fd331f231f48200e18babb519769",
"versionType": "git"
},
{
"lessThan": "77302fb0e357da666d5249a6e91078feeef3dade",
"status": "affected",
"version": "c9d6081a5f18286ad62afc1e9e06a90cfd626902",
"versionType": "git"
},
{
"lessThan": "3ee4f1991c54c6707aa9df47e51c02ea25bb63e3",
"status": "affected",
"version": "c85ab7d9e27a80e48d5b7d7fb2fe2b0fdb2de523",
"versionType": "git"
},
{
"lessThan": "ad6af23593594402c826eefdf43ae174e5f0f202",
"status": "affected",
"version": "c85ab7d9e27a80e48d5b7d7fb2fe2b0fdb2de523",
"versionType": "git"
},
{
"lessThan": "c75e6aef5039830cce5d4cf764dd204522f89e6b",
"status": "affected",
"version": "c85ab7d9e27a80e48d5b7d7fb2fe2b0fdb2de523",
"versionType": "git"
},
{
"status": "affected",
"version": "9765319079131d6a6019caec661825808c6405f1",
"versionType": "git"
},
{
"status": "affected",
"version": "c05f4f6485726faae08073f947368ee10439d3f0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_nvme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "5.4.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests\n\nThe following message and call trace was seen with debug kernels:\n\nDMA-API: qla2xxx 0000:41:00.0: device driver failed to check map\nerror [device address=0x00000002a3ff38d8] [size=1024 bytes] [mapped as\nsingle]\nWARNING: CPU: 0 PID: 2930 at kernel/dma/debug.c:1017\n\t check_unmap+0xf42/0x1990\n\nCall Trace:\n\tdebug_dma_unmap_page+0xc9/0x100\n\tqla_nvme_ls_unmap+0x141/0x210 [qla2xxx]\n\nRemove DMA mapping from the driver altogether, as it is already done by FC\nlayer. This prevents the warning."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:32.184Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3a564de3a299856f2cbd289649cea2e20d671a43"
},
{
"url": "https://git.kernel.org/stable/c/e596253113b69b4018818260bd5da40c201bee73"
},
{
"url": "https://git.kernel.org/stable/c/77302fb0e357da666d5249a6e91078feeef3dade"
},
{
"url": "https://git.kernel.org/stable/c/3ee4f1991c54c6707aa9df47e51c02ea25bb63e3"
},
{
"url": "https://git.kernel.org/stable/c/ad6af23593594402c826eefdf43ae174e5f0f202"
},
{
"url": "https://git.kernel.org/stable/c/c75e6aef5039830cce5d4cf764dd204522f89e6b"
}
],
"title": "scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54108",
"datePublished": "2025-12-24T13:06:32.184Z",
"dateReserved": "2025-12-24T13:02:52.518Z",
"dateUpdated": "2025-12-24T13:06:32.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54292 (GCVE-0-2023-54292)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
RDMA/irdma: Fix data race on CQP request done
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Fix data race on CQP request done
KCSAN detects a data race on cqp_request->request_done memory location
which is accessed locklessly in irdma_handle_cqp_op while being
updated in irdma_cqp_ce_handler.
Annotate lockless intent with READ_ONCE/WRITE_ONCE to avoid any
compiler optimizations like load fusing and/or KCSAN warning.
[222808.417128] BUG: KCSAN: data-race in irdma_cqp_ce_handler [irdma] / irdma_wait_event [irdma]
[222808.417532] write to 0xffff8e44107019dc of 1 bytes by task 29658 on cpu 5:
[222808.417610] irdma_cqp_ce_handler+0x21e/0x270 [irdma]
[222808.417725] cqp_compl_worker+0x1b/0x20 [irdma]
[222808.417827] process_one_work+0x4d1/0xa40
[222808.417835] worker_thread+0x319/0x700
[222808.417842] kthread+0x180/0x1b0
[222808.417852] ret_from_fork+0x22/0x30
[222808.417918] read to 0xffff8e44107019dc of 1 bytes by task 29688 on cpu 1:
[222808.417995] irdma_wait_event+0x1e2/0x2c0 [irdma]
[222808.418099] irdma_handle_cqp_op+0xae/0x170 [irdma]
[222808.418202] irdma_cqp_cq_destroy_cmd+0x70/0x90 [irdma]
[222808.418308] irdma_puda_dele_rsrc+0x46d/0x4d0 [irdma]
[222808.418411] irdma_rt_deinit_hw+0x179/0x1d0 [irdma]
[222808.418514] irdma_ib_dealloc_device+0x11/0x40 [irdma]
[222808.418618] ib_dealloc_device+0x2a/0x120 [ib_core]
[222808.418823] __ib_unregister_device+0xde/0x100 [ib_core]
[222808.418981] ib_unregister_device+0x22/0x40 [ib_core]
[222808.419142] irdma_ib_unregister_device+0x70/0x90 [irdma]
[222808.419248] i40iw_close+0x6f/0xc0 [irdma]
[222808.419352] i40e_client_device_unregister+0x14a/0x180 [i40e]
[222808.419450] i40iw_remove+0x21/0x30 [irdma]
[222808.419554] auxiliary_bus_remove+0x31/0x50
[222808.419563] device_remove+0x69/0xb0
[222808.419572] device_release_driver_internal+0x293/0x360
[222808.419582] driver_detach+0x7c/0xf0
[222808.419592] bus_remove_driver+0x8c/0x150
[222808.419600] driver_unregister+0x45/0x70
[222808.419610] auxiliary_driver_unregister+0x16/0x30
[222808.419618] irdma_exit_module+0x18/0x1e [irdma]
[222808.419733] __do_sys_delete_module.constprop.0+0x1e2/0x310
[222808.419745] __x64_sys_delete_module+0x1b/0x30
[222808.419755] do_syscall_64+0x39/0x90
[222808.419763] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[222808.419829] value changed: 0x01 -> 0x03
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < c5b5dbcbf91f769b8eb25f88e32a1522f920f37a
(git)
Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < 5986e96be7d0b82e50a9c6b019ea3f1926fd8764 (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < b8b90ba636e3861665aef9a3eab5fcf92839a2c5 (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < f0842bb3d38863777e3454da5653d80b5fde6321 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/hw.c",
"drivers/infiniband/hw/irdma/main.h",
"drivers/infiniband/hw/irdma/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c5b5dbcbf91f769b8eb25f88e32a1522f920f37a",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "5986e96be7d0b82e50a9c6b019ea3f1926fd8764",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "b8b90ba636e3861665aef9a3eab5fcf92839a2c5",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "f0842bb3d38863777e3454da5653d80b5fde6321",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/hw.c",
"drivers/infiniband/hw/irdma/main.h",
"drivers/infiniband/hw/irdma/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix data race on CQP request done\n\nKCSAN detects a data race on cqp_request-\u003erequest_done memory location\nwhich is accessed locklessly in irdma_handle_cqp_op while being\nupdated in irdma_cqp_ce_handler.\n\nAnnotate lockless intent with READ_ONCE/WRITE_ONCE to avoid any\ncompiler optimizations like load fusing and/or KCSAN warning.\n\n[222808.417128] BUG: KCSAN: data-race in irdma_cqp_ce_handler [irdma] / irdma_wait_event [irdma]\n\n[222808.417532] write to 0xffff8e44107019dc of 1 bytes by task 29658 on cpu 5:\n[222808.417610] irdma_cqp_ce_handler+0x21e/0x270 [irdma]\n[222808.417725] cqp_compl_worker+0x1b/0x20 [irdma]\n[222808.417827] process_one_work+0x4d1/0xa40\n[222808.417835] worker_thread+0x319/0x700\n[222808.417842] kthread+0x180/0x1b0\n[222808.417852] ret_from_fork+0x22/0x30\n\n[222808.417918] read to 0xffff8e44107019dc of 1 bytes by task 29688 on cpu 1:\n[222808.417995] irdma_wait_event+0x1e2/0x2c0 [irdma]\n[222808.418099] irdma_handle_cqp_op+0xae/0x170 [irdma]\n[222808.418202] irdma_cqp_cq_destroy_cmd+0x70/0x90 [irdma]\n[222808.418308] irdma_puda_dele_rsrc+0x46d/0x4d0 [irdma]\n[222808.418411] irdma_rt_deinit_hw+0x179/0x1d0 [irdma]\n[222808.418514] irdma_ib_dealloc_device+0x11/0x40 [irdma]\n[222808.418618] ib_dealloc_device+0x2a/0x120 [ib_core]\n[222808.418823] __ib_unregister_device+0xde/0x100 [ib_core]\n[222808.418981] ib_unregister_device+0x22/0x40 [ib_core]\n[222808.419142] irdma_ib_unregister_device+0x70/0x90 [irdma]\n[222808.419248] i40iw_close+0x6f/0xc0 [irdma]\n[222808.419352] i40e_client_device_unregister+0x14a/0x180 [i40e]\n[222808.419450] i40iw_remove+0x21/0x30 [irdma]\n[222808.419554] auxiliary_bus_remove+0x31/0x50\n[222808.419563] device_remove+0x69/0xb0\n[222808.419572] device_release_driver_internal+0x293/0x360\n[222808.419582] driver_detach+0x7c/0xf0\n[222808.419592] bus_remove_driver+0x8c/0x150\n[222808.419600] driver_unregister+0x45/0x70\n[222808.419610] auxiliary_driver_unregister+0x16/0x30\n[222808.419618] irdma_exit_module+0x18/0x1e [irdma]\n[222808.419733] __do_sys_delete_module.constprop.0+0x1e2/0x310\n[222808.419745] __x64_sys_delete_module+0x1b/0x30\n[222808.419755] do_syscall_64+0x39/0x90\n[222808.419763] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n[222808.419829] value changed: 0x01 -\u003e 0x03"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:30.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c5b5dbcbf91f769b8eb25f88e32a1522f920f37a"
},
{
"url": "https://git.kernel.org/stable/c/5986e96be7d0b82e50a9c6b019ea3f1926fd8764"
},
{
"url": "https://git.kernel.org/stable/c/b8b90ba636e3861665aef9a3eab5fcf92839a2c5"
},
{
"url": "https://git.kernel.org/stable/c/f0842bb3d38863777e3454da5653d80b5fde6321"
}
],
"title": "RDMA/irdma: Fix data race on CQP request done",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54292",
"datePublished": "2025-12-30T12:23:30.419Z",
"dateReserved": "2025-12-30T12:06:44.527Z",
"dateUpdated": "2025-12-30T12:23:30.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40284 (GCVE-0-2025-40284)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
Bluetooth: MGMT: cancel mesh send timer when hdev removed
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: cancel mesh send timer when hdev removed
mesh_send_done timer is not canceled when hdev is removed, which causes
crash if the timer triggers after hdev is gone.
Cancel the timer when MGMT removes the hdev, like other MGMT timers.
Should fix the BUG: sporadically seen by BlueZ test bot
(in "Mesh - Send cancel - 1" test).
Log:
------
BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0
...
Freed by task 36:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x43/0x70
kfree+0x103/0x500
device_release+0x9a/0x210
kobject_put+0x100/0x1e0
vhci_release+0x18b/0x240
------
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 990e6143b0ca0c66f099d67d00c112bf59b30d76
(git)
Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 2927ff643607eddf4f03d10ef80fe10d977154aa (git) Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b (git) Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < fd62ca5ad136dcf6f5aa308423b299a6be6f54ea (git) Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 55fb52ffdd62850d667ebed842815e072d3c9961 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "990e6143b0ca0c66f099d67d00c112bf59b30d76",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "2927ff643607eddf4f03d10ef80fe10d977154aa",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "fd62ca5ad136dcf6f5aa308423b299a6be6f54ea",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "55fb52ffdd62850d667ebed842815e072d3c9961",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: cancel mesh send timer when hdev removed\n\nmesh_send_done timer is not canceled when hdev is removed, which causes\ncrash if the timer triggers after hdev is gone.\n\nCancel the timer when MGMT removes the hdev, like other MGMT timers.\n\nShould fix the BUG: sporadically seen by BlueZ test bot\n(in \"Mesh - Send cancel - 1\" test).\n\nLog:\n------\nBUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0\n...\nFreed by task 36:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x43/0x70\n kfree+0x103/0x500\n device_release+0x9a/0x210\n kobject_put+0x100/0x1e0\n vhci_release+0x18b/0x240\n------"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:08.488Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/990e6143b0ca0c66f099d67d00c112bf59b30d76"
},
{
"url": "https://git.kernel.org/stable/c/2927ff643607eddf4f03d10ef80fe10d977154aa"
},
{
"url": "https://git.kernel.org/stable/c/7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b"
},
{
"url": "https://git.kernel.org/stable/c/fd62ca5ad136dcf6f5aa308423b299a6be6f54ea"
},
{
"url": "https://git.kernel.org/stable/c/55fb52ffdd62850d667ebed842815e072d3c9961"
}
],
"title": "Bluetooth: MGMT: cancel mesh send timer when hdev removed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40284",
"datePublished": "2025-12-06T21:51:08.488Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:08.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68223 (GCVE-0-2025-68223)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
drm/radeon: delete radeon_fence_process in is_signaled, no deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: delete radeon_fence_process in is_signaled, no deadlock
Delete the attempt to progress the queue when checking if fence is
signaled. This avoids deadlock.
dma-fence_ops::signaled can be called with the fence lock in unknown
state. For radeon, the fence lock is also the wait queue lock. This can
cause a self deadlock when signaled() tries to make forward progress on
the wait queue. But advancing the queue is unneeded because incorrectly
returning false from signaled() is perfectly acceptable.
(cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
954605ca3f897ad617123279eb3404a404cce5ab , < 73bc12d6a547f9571ce4393acfd73c004e2df9e5
(git)
Affected: 954605ca3f897ad617123279eb3404a404cce5ab , < 7e3e9b3a44c23c8eac86a41308c05077d6d30f41 (git) Affected: 954605ca3f897ad617123279eb3404a404cce5ab , < 9eb00b5f5697bd56baa3222c7a1426fa15bacfb5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73bc12d6a547f9571ce4393acfd73c004e2df9e5",
"status": "affected",
"version": "954605ca3f897ad617123279eb3404a404cce5ab",
"versionType": "git"
},
{
"lessThan": "7e3e9b3a44c23c8eac86a41308c05077d6d30f41",
"status": "affected",
"version": "954605ca3f897ad617123279eb3404a404cce5ab",
"versionType": "git"
},
{
"lessThan": "9eb00b5f5697bd56baa3222c7a1426fa15bacfb5",
"status": "affected",
"version": "954605ca3f897ad617123279eb3404a404cce5ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: delete radeon_fence_process in is_signaled, no deadlock\n\nDelete the attempt to progress the queue when checking if fence is\nsignaled. This avoids deadlock.\n\ndma-fence_ops::signaled can be called with the fence lock in unknown\nstate. For radeon, the fence lock is also the wait queue lock. This can\ncause a self deadlock when signaled() tries to make forward progress on\nthe wait queue. But advancing the queue is unneeded because incorrectly\nreturning false from signaled() is perfectly acceptable.\n\n(cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:27.517Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73bc12d6a547f9571ce4393acfd73c004e2df9e5"
},
{
"url": "https://git.kernel.org/stable/c/7e3e9b3a44c23c8eac86a41308c05077d6d30f41"
},
{
"url": "https://git.kernel.org/stable/c/9eb00b5f5697bd56baa3222c7a1426fa15bacfb5"
}
],
"title": "drm/radeon: delete radeon_fence_process in is_signaled, no deadlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68223",
"datePublished": "2025-12-16T13:57:16.764Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2026-01-02T15:34:27.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68354 (GCVE-0-2025-68354)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
regulator_supply_alias_list was accessed without any locking in
regulator_supply_alias(), regulator_register_supply_alias(), and
regulator_unregister_supply_alias(). Concurrent registration,
unregistration and lookups can race, leading to:
1 use-after-free if an alias entry is removed while being read,
2 duplicate entries when two threads register the same alias,
3 inconsistent alias mappings observed by consumers.
Protect all traversals, insertions and deletions on
regulator_supply_alias_list with the existing regulator_list_mutex.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a06ccd9c3785fa5550917ae036944f4e080b5749 , < e1587064137028e7edcca14fb766b68d27bec94b
(git)
Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 9d041a7ba13f21adfac052eb3fda1df62f2166c1 (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61 (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 09811a83b214cc15521e0d818e43ae9043e9a28d (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < a9864d42ebcdd394ebb864643b961b36e7b515be (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 431a1d44ad4866362cc28fc1cc4ca93d84989239 (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf (git) Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1587064137028e7edcca14fb766b68d27bec94b",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "9d041a7ba13f21adfac052eb3fda1df62f2166c1",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "09811a83b214cc15521e0d818e43ae9043e9a28d",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "a9864d42ebcdd394ebb864643b961b36e7b515be",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "431a1d44ad4866362cc28fc1cc4ca93d84989239",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
},
{
"lessThan": "0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d",
"status": "affected",
"version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: Protect regulator_supply_alias_list with regulator_list_mutex\n\nregulator_supply_alias_list was accessed without any locking in\nregulator_supply_alias(), regulator_register_supply_alias(), and\nregulator_unregister_supply_alias(). Concurrent registration,\nunregistration and lookups can race, leading to:\n\n1 use-after-free if an alias entry is removed while being read,\n2 duplicate entries when two threads register the same alias,\n3 inconsistent alias mappings observed by consumers.\n\nProtect all traversals, insertions and deletions on\nregulator_supply_alias_list with the existing regulator_list_mutex."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:27.299Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1587064137028e7edcca14fb766b68d27bec94b"
},
{
"url": "https://git.kernel.org/stable/c/9d041a7ba13f21adfac052eb3fda1df62f2166c1"
},
{
"url": "https://git.kernel.org/stable/c/a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61"
},
{
"url": "https://git.kernel.org/stable/c/09811a83b214cc15521e0d818e43ae9043e9a28d"
},
{
"url": "https://git.kernel.org/stable/c/a9864d42ebcdd394ebb864643b961b36e7b515be"
},
{
"url": "https://git.kernel.org/stable/c/431a1d44ad4866362cc28fc1cc4ca93d84989239"
},
{
"url": "https://git.kernel.org/stable/c/64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf"
},
{
"url": "https://git.kernel.org/stable/c/0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d"
}
],
"title": "regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68354",
"datePublished": "2025-12-24T10:32:44.840Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-01-19T12:18:27.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50770 (GCVE-0-2022-50770)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
ocfs2: fix memory leak in ocfs2_mount_volume()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix memory leak in ocfs2_mount_volume()
There is a memory leak reported by kmemleak:
unreferenced object 0xffff88810cc65e60 (size 32):
comm "mount.ocfs2", pid 23753, jiffies 4302528942 (age 34735.105s)
hex dump (first 32 bytes):
10 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8170f73d>] __kmalloc+0x4d/0x150
[<ffffffffa0ac3f51>] ocfs2_compute_replay_slots+0x121/0x330 [ocfs2]
[<ffffffffa0b65165>] ocfs2_check_volume+0x485/0x900 [ocfs2]
[<ffffffffa0b68129>] ocfs2_mount_volume.isra.0+0x1e9/0x650 [ocfs2]
[<ffffffffa0b7160b>] ocfs2_fill_super+0xe0b/0x1740 [ocfs2]
[<ffffffff818e1fe2>] mount_bdev+0x312/0x400
[<ffffffff819a086d>] legacy_get_tree+0xed/0x1d0
[<ffffffff818de82d>] vfs_get_tree+0x7d/0x230
[<ffffffff81957f92>] path_mount+0xd62/0x1760
[<ffffffff81958a5a>] do_mount+0xca/0xe0
[<ffffffff81958d3c>] __x64_sys_mount+0x12c/0x1a0
[<ffffffff82f26f15>] do_syscall_64+0x35/0x80
[<ffffffff8300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
This call stack is related to two problems. Firstly, the ocfs2 super uses
"replay_map" to trace online/offline slots, in order to recover offline
slots during recovery and mount. But when ocfs2_truncate_log_init()
returns an error in ocfs2_mount_volume(), the memory of "replay_map" will
not be freed in error handling path. Secondly, the memory of "replay_map"
will not be freed if d_make_root() returns an error in ocfs2_fill_super().
But the memory of "replay_map" will be freed normally when completing
recovery and mount in ocfs2_complete_mount_recovery().
Fix the first problem by adding error handling path to free "replay_map"
when ocfs2_truncate_log_init() fails. And fix the second problem by
calling ocfs2_free_replay_slots(osb) in the error handling path
"out_dismount". In addition, since ocfs2_free_replay_slots() is static,
it is necessary to remove its static attribute and declare it in header
file.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 , < 7ef516888c4d30ae41bfcd79e7077d86d92794c5
(git)
Affected: 9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 , < 2b7e59ed2e77136e9360274f8f0fc208a003e95c (git) Affected: 9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 , < 8059e200259e9c483d715fc2df6340c227c3e196 (git) Affected: 9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 , < 4efe1d2db731bad19891e2fb9b338724b1f598cc (git) Affected: 9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 , < 50ab0ca3aff4da26037113d69f5a756d8c1a92cd (git) Affected: 9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 , < ce2fcf1516d674a174d9b34d1e1024d64de9fba3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/journal.c",
"fs/ocfs2/journal.h",
"fs/ocfs2/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ef516888c4d30ae41bfcd79e7077d86d92794c5",
"status": "affected",
"version": "9140db04ef185f934acf2b1b15b3dd5e6a6bfc22",
"versionType": "git"
},
{
"lessThan": "2b7e59ed2e77136e9360274f8f0fc208a003e95c",
"status": "affected",
"version": "9140db04ef185f934acf2b1b15b3dd5e6a6bfc22",
"versionType": "git"
},
{
"lessThan": "8059e200259e9c483d715fc2df6340c227c3e196",
"status": "affected",
"version": "9140db04ef185f934acf2b1b15b3dd5e6a6bfc22",
"versionType": "git"
},
{
"lessThan": "4efe1d2db731bad19891e2fb9b338724b1f598cc",
"status": "affected",
"version": "9140db04ef185f934acf2b1b15b3dd5e6a6bfc22",
"versionType": "git"
},
{
"lessThan": "50ab0ca3aff4da26037113d69f5a756d8c1a92cd",
"status": "affected",
"version": "9140db04ef185f934acf2b1b15b3dd5e6a6bfc22",
"versionType": "git"
},
{
"lessThan": "ce2fcf1516d674a174d9b34d1e1024d64de9fba3",
"status": "affected",
"version": "9140db04ef185f934acf2b1b15b3dd5e6a6bfc22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/journal.c",
"fs/ocfs2/journal.h",
"fs/ocfs2/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix memory leak in ocfs2_mount_volume()\n\nThere is a memory leak reported by kmemleak:\n\n unreferenced object 0xffff88810cc65e60 (size 32):\n comm \"mount.ocfs2\", pid 23753, jiffies 4302528942 (age 34735.105s)\n hex dump (first 32 bytes):\n 10 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01 ................\n 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff8170f73d\u003e] __kmalloc+0x4d/0x150\n [\u003cffffffffa0ac3f51\u003e] ocfs2_compute_replay_slots+0x121/0x330 [ocfs2]\n [\u003cffffffffa0b65165\u003e] ocfs2_check_volume+0x485/0x900 [ocfs2]\n [\u003cffffffffa0b68129\u003e] ocfs2_mount_volume.isra.0+0x1e9/0x650 [ocfs2]\n [\u003cffffffffa0b7160b\u003e] ocfs2_fill_super+0xe0b/0x1740 [ocfs2]\n [\u003cffffffff818e1fe2\u003e] mount_bdev+0x312/0x400\n [\u003cffffffff819a086d\u003e] legacy_get_tree+0xed/0x1d0\n [\u003cffffffff818de82d\u003e] vfs_get_tree+0x7d/0x230\n [\u003cffffffff81957f92\u003e] path_mount+0xd62/0x1760\n [\u003cffffffff81958a5a\u003e] do_mount+0xca/0xe0\n [\u003cffffffff81958d3c\u003e] __x64_sys_mount+0x12c/0x1a0\n [\u003cffffffff82f26f15\u003e] do_syscall_64+0x35/0x80\n [\u003cffffffff8300006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis call stack is related to two problems. Firstly, the ocfs2 super uses\n\"replay_map\" to trace online/offline slots, in order to recover offline\nslots during recovery and mount. But when ocfs2_truncate_log_init()\nreturns an error in ocfs2_mount_volume(), the memory of \"replay_map\" will\nnot be freed in error handling path. Secondly, the memory of \"replay_map\"\nwill not be freed if d_make_root() returns an error in ocfs2_fill_super().\nBut the memory of \"replay_map\" will be freed normally when completing\nrecovery and mount in ocfs2_complete_mount_recovery().\n\nFix the first problem by adding error handling path to free \"replay_map\"\nwhen ocfs2_truncate_log_init() fails. And fix the second problem by\ncalling ocfs2_free_replay_slots(osb) in the error handling path\n\"out_dismount\". In addition, since ocfs2_free_replay_slots() is static,\nit is necessary to remove its static attribute and declare it in header\nfile."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:59.700Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ef516888c4d30ae41bfcd79e7077d86d92794c5"
},
{
"url": "https://git.kernel.org/stable/c/2b7e59ed2e77136e9360274f8f0fc208a003e95c"
},
{
"url": "https://git.kernel.org/stable/c/8059e200259e9c483d715fc2df6340c227c3e196"
},
{
"url": "https://git.kernel.org/stable/c/4efe1d2db731bad19891e2fb9b338724b1f598cc"
},
{
"url": "https://git.kernel.org/stable/c/50ab0ca3aff4da26037113d69f5a756d8c1a92cd"
},
{
"url": "https://git.kernel.org/stable/c/ce2fcf1516d674a174d9b34d1e1024d64de9fba3"
}
],
"title": "ocfs2: fix memory leak in ocfs2_mount_volume()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50770",
"datePublished": "2025-12-24T13:05:59.700Z",
"dateReserved": "2025-12-24T13:02:21.546Z",
"dateUpdated": "2025-12-24T13:05:59.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54277 (GCVE-0-2023-54277)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:16 – Updated: 2025-12-30 12:16
VLAI?
EPSS
Title
fbdev: udlfb: Fix endpoint check
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: udlfb: Fix endpoint check
The syzbot fuzzer detected a problem in the udlfb driver, caused by an
endpoint not having the expected type:
usb 1-1: Read EDID byte 0 failed: -71
usb 1-1: Unable to get valid EDID from device/display
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880
drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted
6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
04/28/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
...
Call Trace:
<TASK>
dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980
dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315
dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111
dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743
The current approach for this issue failed to catch the problem
because it only checks for the existence of a bulk-OUT endpoint; it
doesn't check whether this endpoint is the one that the driver will
actually use.
We can fix the problem by instead checking that the endpoint used by
the driver does exist and is bulk-OUT.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f6db63819db632158647d5bbf4d7d2d90dc1a268 , < 1522dc58bff87af79461b96d90ec122e9e726004
(git)
Affected: c4fb41bdf4d6ccca850c4af5d707d14a0fb717a7 , < 58ecc165abdaed85447455e6dc396758e8c6f219 (git) Affected: 4df1584738f1dc6f0dd854d258bba48591f1ed0e , < 9e12c58a5ece41be72157cef348576b135c9fc72 (git) Affected: aaf7dbe07385e0b8deb7237eca2a79926bbc7091 , < c8fdf7feca77cd99e25ef0a1e9e72dfc83add8ef (git) Affected: aaf7dbe07385e0b8deb7237eca2a79926bbc7091 , < e19383e5dee5adbf3d19f3f210f440a88d1b7dde (git) Affected: aaf7dbe07385e0b8deb7237eca2a79926bbc7091 , < ed9de4ed39875706607fb08118a58344ae6c5f42 (git) Affected: 895ea8a290ba87850bcaf2ecfcddef75a014fa54 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/udlfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1522dc58bff87af79461b96d90ec122e9e726004",
"status": "affected",
"version": "f6db63819db632158647d5bbf4d7d2d90dc1a268",
"versionType": "git"
},
{
"lessThan": "58ecc165abdaed85447455e6dc396758e8c6f219",
"status": "affected",
"version": "c4fb41bdf4d6ccca850c4af5d707d14a0fb717a7",
"versionType": "git"
},
{
"lessThan": "9e12c58a5ece41be72157cef348576b135c9fc72",
"status": "affected",
"version": "4df1584738f1dc6f0dd854d258bba48591f1ed0e",
"versionType": "git"
},
{
"lessThan": "c8fdf7feca77cd99e25ef0a1e9e72dfc83add8ef",
"status": "affected",
"version": "aaf7dbe07385e0b8deb7237eca2a79926bbc7091",
"versionType": "git"
},
{
"lessThan": "e19383e5dee5adbf3d19f3f210f440a88d1b7dde",
"status": "affected",
"version": "aaf7dbe07385e0b8deb7237eca2a79926bbc7091",
"versionType": "git"
},
{
"lessThan": "ed9de4ed39875706607fb08118a58344ae6c5f42",
"status": "affected",
"version": "aaf7dbe07385e0b8deb7237eca2a79926bbc7091",
"versionType": "git"
},
{
"status": "affected",
"version": "895ea8a290ba87850bcaf2ecfcddef75a014fa54",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/udlfb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "5.4.192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "5.10.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "5.15.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: Fix endpoint check\n\nThe syzbot fuzzer detected a problem in the udlfb driver, caused by an\nendpoint not having the expected type:\n\nusb 1-1: Read EDID byte 0 failed: -71\nusb 1-1: Unable to get valid EDID from device/display\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880\ndrivers/usb/core/urb.c:504\nModules linked in:\nCPU: 0 PID: 9 Comm: kworker/0:1 Not tainted\n6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google\n04/28/2023\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\n...\nCall Trace:\n \u003cTASK\u003e\n dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980\n dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315\n dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111\n dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743\n\nThe current approach for this issue failed to catch the problem\nbecause it only checks for the existence of a bulk-OUT endpoint; it\ndoesn\u0027t check whether this endpoint is the one that the driver will\nactually use.\n\nWe can fix the problem by instead checking that the endpoint used by\nthe driver does exist and is bulk-OUT."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:16:05.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1522dc58bff87af79461b96d90ec122e9e726004"
},
{
"url": "https://git.kernel.org/stable/c/58ecc165abdaed85447455e6dc396758e8c6f219"
},
{
"url": "https://git.kernel.org/stable/c/9e12c58a5ece41be72157cef348576b135c9fc72"
},
{
"url": "https://git.kernel.org/stable/c/c8fdf7feca77cd99e25ef0a1e9e72dfc83add8ef"
},
{
"url": "https://git.kernel.org/stable/c/e19383e5dee5adbf3d19f3f210f440a88d1b7dde"
},
{
"url": "https://git.kernel.org/stable/c/ed9de4ed39875706607fb08118a58344ae6c5f42"
}
],
"title": "fbdev: udlfb: Fix endpoint check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54277",
"datePublished": "2025-12-30T12:16:05.690Z",
"dateReserved": "2025-12-30T12:06:44.524Z",
"dateUpdated": "2025-12-30T12:16:05.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50828 (GCVE-0-2022-50828)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
clk: zynqmp: Fix stack-out-of-bounds in strncpy`
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: zynqmp: Fix stack-out-of-bounds in strncpy`
"BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68"
Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is
longer than 15 bytes, string terminated NULL character will not be received
by Linux. Add explicit NULL character at last byte to fix issues when clock
name is longer.
This fixes below bug reported by KASAN:
==================================================================
BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68
Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3
Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT)
Call trace:
dump_backtrace+0x0/0x1e8
show_stack+0x14/0x20
dump_stack+0xd4/0x108
print_address_description.isra.0+0xbc/0x37c
__kasan_report+0x144/0x198
kasan_report+0xc/0x18
__asan_load1+0x5c/0x68
strncpy+0x30/0x68
zynqmp_clock_probe+0x238/0x7b8
platform_drv_probe+0x6c/0xc8
really_probe+0x14c/0x418
driver_probe_device+0x74/0x130
__device_attach_driver+0xc4/0xe8
bus_for_each_drv+0xec/0x150
__device_attach+0x160/0x1d8
device_initial_probe+0x10/0x18
bus_probe_device+0xe0/0xf0
device_add+0x528/0x950
of_device_add+0x5c/0x80
of_platform_device_create_pdata+0x120/0x168
of_platform_bus_create+0x244/0x4e0
of_platform_populate+0x50/0xe8
zynqmp_firmware_probe+0x370/0x3a8
platform_drv_probe+0x6c/0xc8
really_probe+0x14c/0x418
driver_probe_device+0x74/0x130
device_driver_attach+0x94/0xa0
__driver_attach+0x70/0x108
bus_for_each_dev+0xe4/0x158
driver_attach+0x30/0x40
bus_add_driver+0x21c/0x2b8
driver_register+0xbc/0x1d0
__platform_driver_register+0x7c/0x88
zynqmp_firmware_driver_init+0x1c/0x24
do_one_initcall+0xa4/0x234
kernel_init_freeable+0x1b0/0x24c
kernel_init+0x10/0x110
ret_from_fork+0x10/0x18
The buggy address belongs to the page:
page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff
page dumped because: kasan: bad access detected
addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame:
zynqmp_clock_probe+0x0/0x7b8
this frame has 3 objects:
[32, 44) 'response'
[64, 80) 'ret_payload'
[96, 112) 'name'
Memory state around the buggy address:
ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2
>ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5852b1365df4414523210e444ac7df1dec09acb4 , < 5dbfcf7b080306b65d9f756fadf46c9495793750
(git)
Affected: 5852b1365df4414523210e444ac7df1dec09acb4 , < d9e2585c3bcecb1c83febad31b9f450e93d2509e (git) Affected: 5852b1365df4414523210e444ac7df1dec09acb4 , < 0a07b13af04d0db7325018aaa83b5ffe864790c9 (git) Affected: 5852b1365df4414523210e444ac7df1dec09acb4 , < d66fea97671fcb516bd6d34bcc033f650ac7ee91 (git) Affected: 5852b1365df4414523210e444ac7df1dec09acb4 , < bce41e4ac6f5ca3b22a07e8cdadc12044bbf9d3b (git) Affected: 5852b1365df4414523210e444ac7df1dec09acb4 , < dd80fb2dbf1cd8751efbe4e53e54056f56a9b115 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/zynqmp/clkc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5dbfcf7b080306b65d9f756fadf46c9495793750",
"status": "affected",
"version": "5852b1365df4414523210e444ac7df1dec09acb4",
"versionType": "git"
},
{
"lessThan": "d9e2585c3bcecb1c83febad31b9f450e93d2509e",
"status": "affected",
"version": "5852b1365df4414523210e444ac7df1dec09acb4",
"versionType": "git"
},
{
"lessThan": "0a07b13af04d0db7325018aaa83b5ffe864790c9",
"status": "affected",
"version": "5852b1365df4414523210e444ac7df1dec09acb4",
"versionType": "git"
},
{
"lessThan": "d66fea97671fcb516bd6d34bcc033f650ac7ee91",
"status": "affected",
"version": "5852b1365df4414523210e444ac7df1dec09acb4",
"versionType": "git"
},
{
"lessThan": "bce41e4ac6f5ca3b22a07e8cdadc12044bbf9d3b",
"status": "affected",
"version": "5852b1365df4414523210e444ac7df1dec09acb4",
"versionType": "git"
},
{
"lessThan": "dd80fb2dbf1cd8751efbe4e53e54056f56a9b115",
"status": "affected",
"version": "5852b1365df4414523210e444ac7df1dec09acb4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/zynqmp/clkc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: zynqmp: Fix stack-out-of-bounds in strncpy`\n\n\"BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68\"\n\nLinux-ATF interface is using 16 bytes of SMC payload. In case clock name is\nlonger than 15 bytes, string terminated NULL character will not be received\nby Linux. Add explicit NULL character at last byte to fix issues when clock\nname is longer.\n\nThis fixes below bug reported by KASAN:\n\n ==================================================================\n BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68\n Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1\n\n CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3\n Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT)\n Call trace:\n dump_backtrace+0x0/0x1e8\n show_stack+0x14/0x20\n dump_stack+0xd4/0x108\n print_address_description.isra.0+0xbc/0x37c\n __kasan_report+0x144/0x198\n kasan_report+0xc/0x18\n __asan_load1+0x5c/0x68\n strncpy+0x30/0x68\n zynqmp_clock_probe+0x238/0x7b8\n platform_drv_probe+0x6c/0xc8\n really_probe+0x14c/0x418\n driver_probe_device+0x74/0x130\n __device_attach_driver+0xc4/0xe8\n bus_for_each_drv+0xec/0x150\n __device_attach+0x160/0x1d8\n device_initial_probe+0x10/0x18\n bus_probe_device+0xe0/0xf0\n device_add+0x528/0x950\n of_device_add+0x5c/0x80\n of_platform_device_create_pdata+0x120/0x168\n of_platform_bus_create+0x244/0x4e0\n of_platform_populate+0x50/0xe8\n zynqmp_firmware_probe+0x370/0x3a8\n platform_drv_probe+0x6c/0xc8\n really_probe+0x14c/0x418\n driver_probe_device+0x74/0x130\n device_driver_attach+0x94/0xa0\n __driver_attach+0x70/0x108\n bus_for_each_dev+0xe4/0x158\n driver_attach+0x30/0x40\n bus_add_driver+0x21c/0x2b8\n driver_register+0xbc/0x1d0\n __platform_driver_register+0x7c/0x88\n zynqmp_firmware_driver_init+0x1c/0x24\n do_one_initcall+0xa4/0x234\n kernel_init_freeable+0x1b0/0x24c\n kernel_init+0x10/0x110\n ret_from_fork+0x10/0x18\n\n The buggy address belongs to the page:\n page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0\n raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff\n page dumped because: kasan: bad access detected\n\n addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame:\n zynqmp_clock_probe+0x0/0x7b8\n\n this frame has 3 objects:\n [32, 44) \u0027response\u0027\n [64, 80) \u0027ret_payload\u0027\n [96, 112) \u0027name\u0027\n\n Memory state around the buggy address:\n ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2\n \u003effff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n ^\n ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n =================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:51.535Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5dbfcf7b080306b65d9f756fadf46c9495793750"
},
{
"url": "https://git.kernel.org/stable/c/d9e2585c3bcecb1c83febad31b9f450e93d2509e"
},
{
"url": "https://git.kernel.org/stable/c/0a07b13af04d0db7325018aaa83b5ffe864790c9"
},
{
"url": "https://git.kernel.org/stable/c/d66fea97671fcb516bd6d34bcc033f650ac7ee91"
},
{
"url": "https://git.kernel.org/stable/c/bce41e4ac6f5ca3b22a07e8cdadc12044bbf9d3b"
},
{
"url": "https://git.kernel.org/stable/c/dd80fb2dbf1cd8751efbe4e53e54056f56a9b115"
}
],
"title": "clk: zynqmp: Fix stack-out-of-bounds in strncpy`",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50828",
"datePublished": "2025-12-30T12:10:50.757Z",
"dateReserved": "2025-12-30T12:06:07.132Z",
"dateUpdated": "2026-01-02T15:04:51.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54221 (GCVE-0-2023-54221)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe
In function probe(), it returns directly without unregistered hws
when error occurs.
Fix this by adding 'goto unregister_hws;' on line 295 and
line 310.
Use devm_kzalloc() instead of kzalloc() to automatically
free the memory using devm_kfree() when error occurs.
Replace of_iomap() with devm_of_iomap() to automatically
handle the unused ioremap region and delete 'iounmap(anatop_base);'
in unregister_hws.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
24defbe194b650218680fcd9dec8cd103537b531 , < 280a5ff665e12d1e0c54c20cedc9c5008aa686a5
(git)
Affected: 24defbe194b650218680fcd9dec8cd103537b531 , < fac9c624138c4bc021d7a8ee3b974c9e10926d92 (git) Affected: 24defbe194b650218680fcd9dec8cd103537b531 , < d17c16a2b2a6589c45b0bfb1b9914da80b72d89e (git) Affected: 24defbe194b650218680fcd9dec8cd103537b531 , < e02ba11b457647050cb16e7cad16cec3c252fade (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-imx93.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "280a5ff665e12d1e0c54c20cedc9c5008aa686a5",
"status": "affected",
"version": "24defbe194b650218680fcd9dec8cd103537b531",
"versionType": "git"
},
{
"lessThan": "fac9c624138c4bc021d7a8ee3b974c9e10926d92",
"status": "affected",
"version": "24defbe194b650218680fcd9dec8cd103537b531",
"versionType": "git"
},
{
"lessThan": "d17c16a2b2a6589c45b0bfb1b9914da80b72d89e",
"status": "affected",
"version": "24defbe194b650218680fcd9dec8cd103537b531",
"versionType": "git"
},
{
"lessThan": "e02ba11b457647050cb16e7cad16cec3c252fade",
"status": "affected",
"version": "24defbe194b650218680fcd9dec8cd103537b531",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/imx/clk-imx93.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe\n\nIn function probe(), it returns directly without unregistered hws\nwhen error occurs.\n\nFix this by adding \u0027goto unregister_hws;\u0027 on line 295 and\nline 310.\n\nUse devm_kzalloc() instead of kzalloc() to automatically\nfree the memory using devm_kfree() when error occurs.\n\nReplace of_iomap() with devm_of_iomap() to automatically\nhandle the unused ioremap region and delete \u0027iounmap(anatop_base);\u0027\nin unregister_hws."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:16.053Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/280a5ff665e12d1e0c54c20cedc9c5008aa686a5"
},
{
"url": "https://git.kernel.org/stable/c/fac9c624138c4bc021d7a8ee3b974c9e10926d92"
},
{
"url": "https://git.kernel.org/stable/c/d17c16a2b2a6589c45b0bfb1b9914da80b72d89e"
},
{
"url": "https://git.kernel.org/stable/c/e02ba11b457647050cb16e7cad16cec3c252fade"
}
],
"title": "clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54221",
"datePublished": "2025-12-30T12:11:16.053Z",
"dateReserved": "2025-12-30T12:06:44.501Z",
"dateUpdated": "2025-12-30T12:11:16.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68759 (GCVE-0-2025-68759)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA
allocations in a loop. When an allocation fails, the previously
successful allocations are not freed on exit.
Fix that by jumping to err_free_rings label on error, which calls
rtl8180_free_rx_ring() to free the allocations. Remove the free of
rx_ring in rtl8180_init_rx_ring() error path, and set the freed
priv->rx_buf entry to null, to avoid double free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f653211197f3841f383fa9757ef8ce182c6cf627 , < 3677c01891fb0239361e444afee8398868e34bdf
(git)
Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < 89caaeee8dd95fae8bb4f4964e6fe3ca688500c4 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < a4fb7cca9837378878e6c94d9e7af019c8fdfcdb (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < bf8513dfa31ea015c9cf415796dca2113d293840 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < ee7db11742b30641f21306105ad27a275e3c61d7 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < a813a74570212cb5f3a7d3b05c0cb0cd00bace1d (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < c9d1c4152e6d32fa74034464854bee262a60bc43 (git) Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < 9b5b9c042b30befc5b37e4539ace95af70843473 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3677c01891fb0239361e444afee8398868e34bdf",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "89caaeee8dd95fae8bb4f4964e6fe3ca688500c4",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "a4fb7cca9837378878e6c94d9e7af019c8fdfcdb",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "bf8513dfa31ea015c9cf415796dca2113d293840",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "ee7db11742b30641f21306105ad27a275e3c61d7",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "a813a74570212cb5f3a7d3b05c0cb0cd00bace1d",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "c9d1c4152e6d32fa74034464854bee262a60bc43",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
},
{
"lessThan": "9b5b9c042b30befc5b37e4539ace95af70843473",
"status": "affected",
"version": "f653211197f3841f383fa9757ef8ce182c6cf627",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()\n\nIn rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA\nallocations in a loop. When an allocation fails, the previously\nsuccessful allocations are not freed on exit.\n\nFix that by jumping to err_free_rings label on error, which calls\nrtl8180_free_rx_ring() to free the allocations. Remove the free of\nrx_ring in rtl8180_init_rx_ring() error path, and set the freed\npriv-\u003erx_buf entry to null, to avoid double free."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:46.506Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3677c01891fb0239361e444afee8398868e34bdf"
},
{
"url": "https://git.kernel.org/stable/c/89caaeee8dd95fae8bb4f4964e6fe3ca688500c4"
},
{
"url": "https://git.kernel.org/stable/c/a4fb7cca9837378878e6c94d9e7af019c8fdfcdb"
},
{
"url": "https://git.kernel.org/stable/c/bf8513dfa31ea015c9cf415796dca2113d293840"
},
{
"url": "https://git.kernel.org/stable/c/ee7db11742b30641f21306105ad27a275e3c61d7"
},
{
"url": "https://git.kernel.org/stable/c/a813a74570212cb5f3a7d3b05c0cb0cd00bace1d"
},
{
"url": "https://git.kernel.org/stable/c/c9d1c4152e6d32fa74034464854bee262a60bc43"
},
{
"url": "https://git.kernel.org/stable/c/9b5b9c042b30befc5b37e4539ace95af70843473"
}
],
"title": "wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68759",
"datePublished": "2026-01-05T09:32:32.174Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-19T12:18:46.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54211 (GCVE-0-2023-54211)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
tracing: Fix warning in trace_buffered_event_disable()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix warning in trace_buffered_event_disable()
Warning happened in trace_buffered_event_disable() at
WARN_ON_ONCE(!trace_buffered_event_ref)
Call Trace:
? __warn+0xa5/0x1b0
? trace_buffered_event_disable+0x189/0x1b0
__ftrace_event_enable_disable+0x19e/0x3e0
free_probe_data+0x3b/0xa0
unregister_ftrace_function_probe_func+0x6b8/0x800
event_enable_func+0x2f0/0x3d0
ftrace_process_regex.isra.0+0x12d/0x1b0
ftrace_filter_write+0xe6/0x140
vfs_write+0x1c9/0x6f0
[...]
The cause of the warning is in __ftrace_event_enable_disable(),
trace_buffered_event_enable() was called once while
trace_buffered_event_disable() was called twice.
Reproduction script show as below, for analysis, see the comments:
```
#!/bin/bash
cd /sys/kernel/tracing/
# 1. Register a 'disable_event' command, then:
# 1) SOFT_DISABLED_BIT was set;
# 2) trace_buffered_event_enable() was called first time;
echo 'cmdline_proc_show:disable_event:initcall:initcall_finish' > \
set_ftrace_filter
# 2. Enable the event registered, then:
# 1) SOFT_DISABLED_BIT was cleared;
# 2) trace_buffered_event_disable() was called first time;
echo 1 > events/initcall/initcall_finish/enable
# 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was
# set again!!!
cat /proc/cmdline
# 4. Unregister the 'disable_event' command, then:
# 1) SOFT_DISABLED_BIT was cleared again;
# 2) trace_buffered_event_disable() was called second time!!!
echo '!cmdline_proc_show:disable_event:initcall:initcall_finish' > \
set_ftrace_filter
```
To fix it, IIUC, we can change to call trace_buffered_event_enable() at
fist time soft-mode enabled, and call trace_buffered_event_disable() at
last time soft-mode disabled.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 , < 1488d782c9e43087a3f341b8186cd25f3cf75583
(git)
Affected: 0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 , < b4f4ab423107dc1ba8e9cc6488c645be6403d3f5 (git) Affected: 0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 , < cdcc35e6454133feb61561b4e0d0c80e52cbc2ba (git) Affected: 0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 , < a6d2fd1703cdc8ecfc3e73987e0fb7474ae2b074 (git) Affected: 0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 , < 813cede7b2f5a4b1b75d2d4bb4e705cc8e063b20 (git) Affected: 0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 , < a3a3c7bddab9b6c5690b20796ef5e332b8c48afb (git) Affected: 0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 , < 528c9d73153754defb748f0b96ad33308668d817 (git) Affected: 0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9 , < dea499781a1150d285c62b26659f62fb00824fce (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1488d782c9e43087a3f341b8186cd25f3cf75583",
"status": "affected",
"version": "0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9",
"versionType": "git"
},
{
"lessThan": "b4f4ab423107dc1ba8e9cc6488c645be6403d3f5",
"status": "affected",
"version": "0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9",
"versionType": "git"
},
{
"lessThan": "cdcc35e6454133feb61561b4e0d0c80e52cbc2ba",
"status": "affected",
"version": "0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9",
"versionType": "git"
},
{
"lessThan": "a6d2fd1703cdc8ecfc3e73987e0fb7474ae2b074",
"status": "affected",
"version": "0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9",
"versionType": "git"
},
{
"lessThan": "813cede7b2f5a4b1b75d2d4bb4e705cc8e063b20",
"status": "affected",
"version": "0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9",
"versionType": "git"
},
{
"lessThan": "a3a3c7bddab9b6c5690b20796ef5e332b8c48afb",
"status": "affected",
"version": "0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9",
"versionType": "git"
},
{
"lessThan": "528c9d73153754defb748f0b96ad33308668d817",
"status": "affected",
"version": "0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9",
"versionType": "git"
},
{
"lessThan": "dea499781a1150d285c62b26659f62fb00824fce",
"status": "affected",
"version": "0fc1b09ff1ff404ddf753f5ffa5cd0adc8fdcdc9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix warning in trace_buffered_event_disable()\n\nWarning happened in trace_buffered_event_disable() at\n WARN_ON_ONCE(!trace_buffered_event_ref)\n\n Call Trace:\n ? __warn+0xa5/0x1b0\n ? trace_buffered_event_disable+0x189/0x1b0\n __ftrace_event_enable_disable+0x19e/0x3e0\n free_probe_data+0x3b/0xa0\n unregister_ftrace_function_probe_func+0x6b8/0x800\n event_enable_func+0x2f0/0x3d0\n ftrace_process_regex.isra.0+0x12d/0x1b0\n ftrace_filter_write+0xe6/0x140\n vfs_write+0x1c9/0x6f0\n [...]\n\nThe cause of the warning is in __ftrace_event_enable_disable(),\ntrace_buffered_event_enable() was called once while\ntrace_buffered_event_disable() was called twice.\nReproduction script show as below, for analysis, see the comments:\n ```\n #!/bin/bash\n\n cd /sys/kernel/tracing/\n\n # 1. Register a \u0027disable_event\u0027 command, then:\n # 1) SOFT_DISABLED_BIT was set;\n # 2) trace_buffered_event_enable() was called first time;\n echo \u0027cmdline_proc_show:disable_event:initcall:initcall_finish\u0027 \u003e \\\n set_ftrace_filter\n\n # 2. Enable the event registered, then:\n # 1) SOFT_DISABLED_BIT was cleared;\n # 2) trace_buffered_event_disable() was called first time;\n echo 1 \u003e events/initcall/initcall_finish/enable\n\n # 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was\n # set again!!!\n cat /proc/cmdline\n\n # 4. Unregister the \u0027disable_event\u0027 command, then:\n # 1) SOFT_DISABLED_BIT was cleared again;\n # 2) trace_buffered_event_disable() was called second time!!!\n echo \u0027!cmdline_proc_show:disable_event:initcall:initcall_finish\u0027 \u003e \\\n set_ftrace_filter\n ```\n\nTo fix it, IIUC, we can change to call trace_buffered_event_enable() at\nfist time soft-mode enabled, and call trace_buffered_event_disable() at\nlast time soft-mode disabled."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:09.356Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1488d782c9e43087a3f341b8186cd25f3cf75583"
},
{
"url": "https://git.kernel.org/stable/c/b4f4ab423107dc1ba8e9cc6488c645be6403d3f5"
},
{
"url": "https://git.kernel.org/stable/c/cdcc35e6454133feb61561b4e0d0c80e52cbc2ba"
},
{
"url": "https://git.kernel.org/stable/c/a6d2fd1703cdc8ecfc3e73987e0fb7474ae2b074"
},
{
"url": "https://git.kernel.org/stable/c/813cede7b2f5a4b1b75d2d4bb4e705cc8e063b20"
},
{
"url": "https://git.kernel.org/stable/c/a3a3c7bddab9b6c5690b20796ef5e332b8c48afb"
},
{
"url": "https://git.kernel.org/stable/c/528c9d73153754defb748f0b96ad33308668d817"
},
{
"url": "https://git.kernel.org/stable/c/dea499781a1150d285c62b26659f62fb00824fce"
}
],
"title": "tracing: Fix warning in trace_buffered_event_disable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54211",
"datePublished": "2025-12-30T12:11:09.356Z",
"dateReserved": "2025-12-30T12:06:44.500Z",
"dateUpdated": "2025-12-30T12:11:09.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54264 (GCVE-0-2023-54264)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
fs/sysv: Null check to prevent null-ptr-deref bug
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/sysv: Null check to prevent null-ptr-deref bug
sb_getblk(inode->i_sb, parent) return a null ptr and taking lock on
that leads to the null-ptr-deref bug.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e5657933863f43cc6bb76a54d659303dafaa9e58 , < e976988bc245ec3768cc0f76bed7d05488a7dd0f
(git)
Affected: e5657933863f43cc6bb76a54d659303dafaa9e58 , < baa60c66a310c50785289b0ede6fdce8ec3219c7 (git) Affected: e5657933863f43cc6bb76a54d659303dafaa9e58 , < 0a44ceba77c3267f8505dda102a59367dc24caee (git) Affected: e5657933863f43cc6bb76a54d659303dafaa9e58 , < 7f740bc696d4617f8ee44565e8ac0d36278a1e91 (git) Affected: e5657933863f43cc6bb76a54d659303dafaa9e58 , < afd9a31b5aa4b3747f382d44a7b03b7b5d0b7635 (git) Affected: e5657933863f43cc6bb76a54d659303dafaa9e58 , < 1416eebaad80bdc85ad9f97f27242011b031e2a9 (git) Affected: e5657933863f43cc6bb76a54d659303dafaa9e58 , < e28f376dd8dfcc4e880ac101184132bc08703f6e (git) Affected: e5657933863f43cc6bb76a54d659303dafaa9e58 , < ea2b62f305893992156a798f665847e0663c9f41 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/sysv/itree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e976988bc245ec3768cc0f76bed7d05488a7dd0f",
"status": "affected",
"version": "e5657933863f43cc6bb76a54d659303dafaa9e58",
"versionType": "git"
},
{
"lessThan": "baa60c66a310c50785289b0ede6fdce8ec3219c7",
"status": "affected",
"version": "e5657933863f43cc6bb76a54d659303dafaa9e58",
"versionType": "git"
},
{
"lessThan": "0a44ceba77c3267f8505dda102a59367dc24caee",
"status": "affected",
"version": "e5657933863f43cc6bb76a54d659303dafaa9e58",
"versionType": "git"
},
{
"lessThan": "7f740bc696d4617f8ee44565e8ac0d36278a1e91",
"status": "affected",
"version": "e5657933863f43cc6bb76a54d659303dafaa9e58",
"versionType": "git"
},
{
"lessThan": "afd9a31b5aa4b3747f382d44a7b03b7b5d0b7635",
"status": "affected",
"version": "e5657933863f43cc6bb76a54d659303dafaa9e58",
"versionType": "git"
},
{
"lessThan": "1416eebaad80bdc85ad9f97f27242011b031e2a9",
"status": "affected",
"version": "e5657933863f43cc6bb76a54d659303dafaa9e58",
"versionType": "git"
},
{
"lessThan": "e28f376dd8dfcc4e880ac101184132bc08703f6e",
"status": "affected",
"version": "e5657933863f43cc6bb76a54d659303dafaa9e58",
"versionType": "git"
},
{
"lessThan": "ea2b62f305893992156a798f665847e0663c9f41",
"status": "affected",
"version": "e5657933863f43cc6bb76a54d659303dafaa9e58",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/sysv/itree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/sysv: Null check to prevent null-ptr-deref bug\n\nsb_getblk(inode-\u003ei_sb, parent) return a null ptr and taking lock on\nthat leads to the null-ptr-deref bug."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:10.408Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e976988bc245ec3768cc0f76bed7d05488a7dd0f"
},
{
"url": "https://git.kernel.org/stable/c/baa60c66a310c50785289b0ede6fdce8ec3219c7"
},
{
"url": "https://git.kernel.org/stable/c/0a44ceba77c3267f8505dda102a59367dc24caee"
},
{
"url": "https://git.kernel.org/stable/c/7f740bc696d4617f8ee44565e8ac0d36278a1e91"
},
{
"url": "https://git.kernel.org/stable/c/afd9a31b5aa4b3747f382d44a7b03b7b5d0b7635"
},
{
"url": "https://git.kernel.org/stable/c/1416eebaad80bdc85ad9f97f27242011b031e2a9"
},
{
"url": "https://git.kernel.org/stable/c/e28f376dd8dfcc4e880ac101184132bc08703f6e"
},
{
"url": "https://git.kernel.org/stable/c/ea2b62f305893992156a798f665847e0663c9f41"
}
],
"title": "fs/sysv: Null check to prevent null-ptr-deref bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54264",
"datePublished": "2025-12-30T12:15:56.893Z",
"dateReserved": "2025-12-30T12:06:44.517Z",
"dateUpdated": "2026-01-05T11:37:10.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54088 (GCVE-0-2023-54088)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
blk-cgroup: hold queue_lock when removing blkg->q_node
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: hold queue_lock when removing blkg->q_node
When blkg is removed from q->blkg_list from blkg_free_workfn(), queue_lock
has to be held, otherwise, all kinds of bugs(list corruption, hard lockup,
..) can be triggered from blkg_destroy_all().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
81c1188905f88b77743d1fdeeedfc8cb7b67787d , < b5dae1cd0d8368b4338430ff93403df67f0b8bcc
(git)
Affected: bfe46d2efe46c5c952f982e2ca94fe2ec5e58e2a , < 083b58373463a6e5ee60ecb135269348f68ad7df (git) Affected: f1c006f1c6850c14040f8337753a63119bba39b9 , < cd4ffdf56791eec95af01f06bee1ec7665ca75c4 (git) Affected: f1c006f1c6850c14040f8337753a63119bba39b9 , < c164c7bc9775be7bcc68754bb3431fce5823822e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b5dae1cd0d8368b4338430ff93403df67f0b8bcc",
"status": "affected",
"version": "81c1188905f88b77743d1fdeeedfc8cb7b67787d",
"versionType": "git"
},
{
"lessThan": "083b58373463a6e5ee60ecb135269348f68ad7df",
"status": "affected",
"version": "bfe46d2efe46c5c952f982e2ca94fe2ec5e58e2a",
"versionType": "git"
},
{
"lessThan": "cd4ffdf56791eec95af01f06bee1ec7665ca75c4",
"status": "affected",
"version": "f1c006f1c6850c14040f8337753a63119bba39b9",
"versionType": "git"
},
{
"lessThan": "c164c7bc9775be7bcc68754bb3431fce5823822e",
"status": "affected",
"version": "f1c006f1c6850c14040f8337753a63119bba39b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.17",
"versionStartIncluding": "6.1.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.4",
"versionStartIncluding": "6.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: hold queue_lock when removing blkg-\u003eq_node\n\nWhen blkg is removed from q-\u003eblkg_list from blkg_free_workfn(), queue_lock\nhas to be held, otherwise, all kinds of bugs(list corruption, hard lockup,\n..) can be triggered from blkg_destroy_all()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:18.216Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b5dae1cd0d8368b4338430ff93403df67f0b8bcc"
},
{
"url": "https://git.kernel.org/stable/c/083b58373463a6e5ee60ecb135269348f68ad7df"
},
{
"url": "https://git.kernel.org/stable/c/cd4ffdf56791eec95af01f06bee1ec7665ca75c4"
},
{
"url": "https://git.kernel.org/stable/c/c164c7bc9775be7bcc68754bb3431fce5823822e"
}
],
"title": "blk-cgroup: hold queue_lock when removing blkg-\u003eq_node",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54088",
"datePublished": "2025-12-24T13:06:18.216Z",
"dateReserved": "2025-12-24T13:02:52.515Z",
"dateUpdated": "2025-12-24T13:06:18.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-53164 (GCVE-0-2024-53164)
Vulnerability from cvelistv5 – Published: 2024-12-27 13:38 – Updated: 2026-01-05 10:55
VLAI?
EPSS
Title
net: sched: fix ordering of qlen adjustment
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: fix ordering of qlen adjustment
Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen
_before_ a call to said function because otherwise it may fail to notify
parent qdiscs when the child is about to become empty.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
959466588aa7f84ccf79ae36a1d89542eaf9aaec , < 44782565e1e6174c94bddfa72ac7267cd09c1648
(git)
Affected: 959466588aa7f84ccf79ae36a1d89542eaf9aaec , < 5e473f462a16f1a34e49ea4289a667d2e4f35b52 (git) Affected: 959466588aa7f84ccf79ae36a1d89542eaf9aaec , < 33db36b3c53d0fda2699ea39ba72bee4de8336e8 (git) Affected: 959466588aa7f84ccf79ae36a1d89542eaf9aaec , < 489422e2befff88a1de52b2acebe7b333bded025 (git) Affected: 959466588aa7f84ccf79ae36a1d89542eaf9aaec , < 97e13434b5da8e91bdf965352fad2141d13d72d3 (git) Affected: 959466588aa7f84ccf79ae36a1d89542eaf9aaec , < e3e54ad9eff8bdaa70f897e5342e34b76109497f (git) Affected: 959466588aa7f84ccf79ae36a1d89542eaf9aaec , < 5eb7de8cd58e73851cd37ff8d0666517d9926948 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:46:55.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c",
"net/sched/sch_choke.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "44782565e1e6174c94bddfa72ac7267cd09c1648",
"status": "affected",
"version": "959466588aa7f84ccf79ae36a1d89542eaf9aaec",
"versionType": "git"
},
{
"lessThan": "5e473f462a16f1a34e49ea4289a667d2e4f35b52",
"status": "affected",
"version": "959466588aa7f84ccf79ae36a1d89542eaf9aaec",
"versionType": "git"
},
{
"lessThan": "33db36b3c53d0fda2699ea39ba72bee4de8336e8",
"status": "affected",
"version": "959466588aa7f84ccf79ae36a1d89542eaf9aaec",
"versionType": "git"
},
{
"lessThan": "489422e2befff88a1de52b2acebe7b333bded025",
"status": "affected",
"version": "959466588aa7f84ccf79ae36a1d89542eaf9aaec",
"versionType": "git"
},
{
"lessThan": "97e13434b5da8e91bdf965352fad2141d13d72d3",
"status": "affected",
"version": "959466588aa7f84ccf79ae36a1d89542eaf9aaec",
"versionType": "git"
},
{
"lessThan": "e3e54ad9eff8bdaa70f897e5342e34b76109497f",
"status": "affected",
"version": "959466588aa7f84ccf79ae36a1d89542eaf9aaec",
"versionType": "git"
},
{
"lessThan": "5eb7de8cd58e73851cd37ff8d0666517d9926948",
"status": "affected",
"version": "959466588aa7f84ccf79ae36a1d89542eaf9aaec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_cake.c",
"net/sched/sch_choke.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.289",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.233",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.289",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.233",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.176",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.122",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.68",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.7",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: fix ordering of qlen adjustment\n\nChanges to sch-\u003eq.qlen around qdisc_tree_reduce_backlog() need to happen\n_before_ a call to said function because otherwise it may fail to notify\nparent qdiscs when the child is about to become empty."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:55:38.161Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/44782565e1e6174c94bddfa72ac7267cd09c1648"
},
{
"url": "https://git.kernel.org/stable/c/5e473f462a16f1a34e49ea4289a667d2e4f35b52"
},
{
"url": "https://git.kernel.org/stable/c/33db36b3c53d0fda2699ea39ba72bee4de8336e8"
},
{
"url": "https://git.kernel.org/stable/c/489422e2befff88a1de52b2acebe7b333bded025"
},
{
"url": "https://git.kernel.org/stable/c/97e13434b5da8e91bdf965352fad2141d13d72d3"
},
{
"url": "https://git.kernel.org/stable/c/e3e54ad9eff8bdaa70f897e5342e34b76109497f"
},
{
"url": "https://git.kernel.org/stable/c/5eb7de8cd58e73851cd37ff8d0666517d9926948"
}
],
"title": "net: sched: fix ordering of qlen adjustment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53164",
"datePublished": "2024-12-27T13:38:43.407Z",
"dateReserved": "2024-11-19T17:17:25.004Z",
"dateUpdated": "2026-01-05T10:55:38.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54223 (GCVE-0-2023-54223)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
net/mlx5e: xsk: Fix invalid buffer access for legacy rq
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: xsk: Fix invalid buffer access for legacy rq
The below crash can be encountered when using xdpsock in rx mode for
legacy rq: the buffer gets released in the XDP_REDIRECT path, and then
once again in the driver. This fix sets the flag to avoid releasing on
the driver side.
XSK handling of buffers for legacy rq was relying on the caller to set
the skip release flag. But the referenced fix started using fragment
counts for pages instead of the skip flag.
Crash log:
general protection fault, probably for non-canonical address 0xffff8881217e3a: 0000 [#1] SMP
CPU: 0 PID: 14 Comm: ksoftirqd/0 Not tainted 6.5.0-rc1+ #31
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:bpf_prog_03b13f331978c78c+0xf/0x28
Code: ...
RSP: 0018:ffff88810082fc98 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888138404901 RCX: c0ffffc900027cbc
RDX: ffffffffa000b514 RSI: 00ffff8881217e32 RDI: ffff888138404901
RBP: ffff88810082fc98 R08: 0000000000091100 R09: 0000000000000006
R10: 0000000000000800 R11: 0000000000000800 R12: ffffc9000027a000
R13: ffff8881217e2dc0 R14: ffff8881217e2910 R15: ffff8881217e2f00
FS: 0000000000000000(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564cb2e2cde0 CR3: 000000010e603004 CR4: 0000000000370eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? die_addr+0x32/0x80
? exc_general_protection+0x192/0x390
? asm_exc_general_protection+0x22/0x30
? 0xffffffffa000b514
? bpf_prog_03b13f331978c78c+0xf/0x28
mlx5e_xdp_handle+0x48/0x670 [mlx5_core]
? dev_gro_receive+0x3b5/0x6e0
mlx5e_xsk_skb_from_cqe_linear+0x6e/0x90 [mlx5_core]
mlx5e_handle_rx_cqe+0x55/0x100 [mlx5_core]
mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core]
mlx5e_napi_poll+0x45e/0x6b0 [mlx5_core]
__napi_poll+0x25/0x1a0
net_rx_action+0x28a/0x300
__do_softirq+0xcd/0x279
? sort_range+0x20/0x20
run_ksoftirqd+0x1a/0x20
smpboot_thread_fn+0xa2/0x130
kthread+0xc9/0xf0
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in: mlx5_ib mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay zram zsmalloc fuse [last unloaded: mlx5_core]
---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/xsk/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58a113a35846d9a5bd759beb332e551e28451f09",
"status": "affected",
"version": "cbb5379362513cbff450df0457dc370da7244bec",
"versionType": "git"
},
{
"lessThan": "e0f52298fee449fec37e3e3c32df60008b509b16",
"status": "affected",
"version": "7abd955a58fb0fcd4e756fa2065c03ae488fcfa7",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/xsk/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.4.10",
"status": "affected",
"version": "6.4.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "6.4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: xsk: Fix invalid buffer access for legacy rq\n\nThe below crash can be encountered when using xdpsock in rx mode for\nlegacy rq: the buffer gets released in the XDP_REDIRECT path, and then\nonce again in the driver. This fix sets the flag to avoid releasing on\nthe driver side.\n\nXSK handling of buffers for legacy rq was relying on the caller to set\nthe skip release flag. But the referenced fix started using fragment\ncounts for pages instead of the skip flag.\n\nCrash log:\n general protection fault, probably for non-canonical address 0xffff8881217e3a: 0000 [#1] SMP\n CPU: 0 PID: 14 Comm: ksoftirqd/0 Not tainted 6.5.0-rc1+ #31\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:bpf_prog_03b13f331978c78c+0xf/0x28\n Code: ...\n RSP: 0018:ffff88810082fc98 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888138404901 RCX: c0ffffc900027cbc\n RDX: ffffffffa000b514 RSI: 00ffff8881217e32 RDI: ffff888138404901\n RBP: ffff88810082fc98 R08: 0000000000091100 R09: 0000000000000006\n R10: 0000000000000800 R11: 0000000000000800 R12: ffffc9000027a000\n R13: ffff8881217e2dc0 R14: ffff8881217e2910 R15: ffff8881217e2f00\n FS: 0000000000000000(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000564cb2e2cde0 CR3: 000000010e603004 CR4: 0000000000370eb0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n ? die_addr+0x32/0x80\n ? exc_general_protection+0x192/0x390\n ? asm_exc_general_protection+0x22/0x30\n ? 0xffffffffa000b514\n ? bpf_prog_03b13f331978c78c+0xf/0x28\n mlx5e_xdp_handle+0x48/0x670 [mlx5_core]\n ? dev_gro_receive+0x3b5/0x6e0\n mlx5e_xsk_skb_from_cqe_linear+0x6e/0x90 [mlx5_core]\n mlx5e_handle_rx_cqe+0x55/0x100 [mlx5_core]\n mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core]\n mlx5e_napi_poll+0x45e/0x6b0 [mlx5_core]\n __napi_poll+0x25/0x1a0\n net_rx_action+0x28a/0x300\n __do_softirq+0xcd/0x279\n ? sort_range+0x20/0x20\n run_ksoftirqd+0x1a/0x20\n smpboot_thread_fn+0xa2/0x130\n kthread+0xc9/0xf0\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30\n \u003c/TASK\u003e\n Modules linked in: mlx5_ib mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay zram zsmalloc fuse [last unloaded: mlx5_core]\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:17.389Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58a113a35846d9a5bd759beb332e551e28451f09"
},
{
"url": "https://git.kernel.org/stable/c/e0f52298fee449fec37e3e3c32df60008b509b16"
}
],
"title": "net/mlx5e: xsk: Fix invalid buffer access for legacy rq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54223",
"datePublished": "2025-12-30T12:11:17.389Z",
"dateReserved": "2025-12-30T12:06:44.501Z",
"dateUpdated": "2025-12-30T12:11:17.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50716 (GCVE-0-2022-50716)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
syzkaller reported use-after-free with the stack trace like below [1]:
[ 38.960489][ C3] ==================================================================
[ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240
[ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0
[ 38.966363][ C3]
[ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18
[ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
[ 38.969959][ C3] Call Trace:
[ 38.970841][ C3] <IRQ>
[ 38.971663][ C3] dump_stack_lvl+0xfc/0x174
[ 38.972620][ C3] print_report.cold+0x2c3/0x752
[ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
[ 38.974644][ C3] kasan_report+0xb1/0x1d0
[ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
[ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240
[ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0
[ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430
[ 38.981266][ C3] dummy_timer+0x140c/0x34e0
[ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0
[ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60
[ 38.986242][ C3] ? lock_release+0x51c/0x790
[ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70
[ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130
[ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0
[ 38.990777][ C3] ? lock_acquire+0x472/0x550
[ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60
[ 38.993138][ C3] ? lock_acquire+0x472/0x550
[ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230
[ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0
[ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0
[ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0
[ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0
[ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0
[ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0
[ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10
[ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40
[ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0
[ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0
[ 39.016196][ C3] __do_softirq+0x1d2/0x9be
[ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190
[ 39.019004][ C3] irq_exit_rcu+0x5/0x20
[ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0
[ 39.021965][ C3] </IRQ>
[ 39.023237][ C3] <TASK>
In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below
(there are other functions which finally call ar5523_cmd()):
ar5523_probe()
-> ar5523_host_available()
-> ar5523_cmd_read()
-> ar5523_cmd()
If ar5523_cmd() timed out, then ar5523_host_available() failed and
ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb()
might touch the freed structure.
This patch fixes this issue by canceling in-flight tx cmd if submitted
urb timed out.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b7d572e1871df06a96a1c9591c71c5494ff6b624 , < c9ba3fbf6a488da6cad1d304c5234bd8d729eba3
(git)
Affected: b7d572e1871df06a96a1c9591c71c5494ff6b624 , < 340524ae7b53a72cf5d9e7bd7790433422b3b12f (git) Affected: b7d572e1871df06a96a1c9591c71c5494ff6b624 , < 6447beefd21326a3f4719ec2ea511df797f6c820 (git) Affected: b7d572e1871df06a96a1c9591c71c5494ff6b624 , < 7360b323e0343ea099091d4ae09576dbe1f09516 (git) Affected: b7d572e1871df06a96a1c9591c71c5494ff6b624 , < 8af52492717e3538eba3f81d012b1476af8a89a6 (git) Affected: b7d572e1871df06a96a1c9591c71c5494ff6b624 , < 3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd (git) Affected: b7d572e1871df06a96a1c9591c71c5494ff6b624 , < 601ae89375033ac4870c086e24ba03f235d38e55 (git) Affected: b7d572e1871df06a96a1c9591c71c5494ff6b624 , < 9aef34e1ae35a87e5f6a22278c17823b7ce64c88 (git) Affected: b7d572e1871df06a96a1c9591c71c5494ff6b624 , < b6702a942a069c2a975478d719e98d83cdae1797 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ar5523/ar5523.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c9ba3fbf6a488da6cad1d304c5234bd8d729eba3",
"status": "affected",
"version": "b7d572e1871df06a96a1c9591c71c5494ff6b624",
"versionType": "git"
},
{
"lessThan": "340524ae7b53a72cf5d9e7bd7790433422b3b12f",
"status": "affected",
"version": "b7d572e1871df06a96a1c9591c71c5494ff6b624",
"versionType": "git"
},
{
"lessThan": "6447beefd21326a3f4719ec2ea511df797f6c820",
"status": "affected",
"version": "b7d572e1871df06a96a1c9591c71c5494ff6b624",
"versionType": "git"
},
{
"lessThan": "7360b323e0343ea099091d4ae09576dbe1f09516",
"status": "affected",
"version": "b7d572e1871df06a96a1c9591c71c5494ff6b624",
"versionType": "git"
},
{
"lessThan": "8af52492717e3538eba3f81d012b1476af8a89a6",
"status": "affected",
"version": "b7d572e1871df06a96a1c9591c71c5494ff6b624",
"versionType": "git"
},
{
"lessThan": "3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd",
"status": "affected",
"version": "b7d572e1871df06a96a1c9591c71c5494ff6b624",
"versionType": "git"
},
{
"lessThan": "601ae89375033ac4870c086e24ba03f235d38e55",
"status": "affected",
"version": "b7d572e1871df06a96a1c9591c71c5494ff6b624",
"versionType": "git"
},
{
"lessThan": "9aef34e1ae35a87e5f6a22278c17823b7ce64c88",
"status": "affected",
"version": "b7d572e1871df06a96a1c9591c71c5494ff6b624",
"versionType": "git"
},
{
"lessThan": "b6702a942a069c2a975478d719e98d83cdae1797",
"status": "affected",
"version": "b7d572e1871df06a96a1c9591c71c5494ff6b624",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ar5523/ar5523.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ar5523: Fix use-after-free on ar5523_cmd() timed out\n\nsyzkaller reported use-after-free with the stack trace like below [1]:\n\n[ 38.960489][ C3] ==================================================================\n[ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240\n[ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0\n[ 38.966363][ C3]\n[ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18\n[ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014\n[ 38.969959][ C3] Call Trace:\n[ 38.970841][ C3] \u003cIRQ\u003e\n[ 38.971663][ C3] dump_stack_lvl+0xfc/0x174\n[ 38.972620][ C3] print_report.cold+0x2c3/0x752\n[ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240\n[ 38.974644][ C3] kasan_report+0xb1/0x1d0\n[ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240\n[ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240\n[ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0\n[ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430\n[ 38.981266][ C3] dummy_timer+0x140c/0x34e0\n[ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0\n[ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60\n[ 38.986242][ C3] ? lock_release+0x51c/0x790\n[ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70\n[ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130\n[ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0\n[ 38.990777][ C3] ? lock_acquire+0x472/0x550\n[ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60\n[ 38.993138][ C3] ? lock_acquire+0x472/0x550\n[ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860\n[ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230\n[ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860\n[ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0\n[ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0\n[ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0\n[ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0\n[ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0\n[ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860\n[ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0\n[ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10\n[ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40\n[ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0\n[ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0\n[ 39.016196][ C3] __do_softirq+0x1d2/0x9be\n[ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190\n[ 39.019004][ C3] irq_exit_rcu+0x5/0x20\n[ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0\n[ 39.021965][ C3] \u003c/IRQ\u003e\n[ 39.023237][ C3] \u003cTASK\u003e\n\nIn ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below\n(there are other functions which finally call ar5523_cmd()):\n\nar5523_probe()\n-\u003e ar5523_host_available()\n -\u003e ar5523_cmd_read()\n -\u003e ar5523_cmd()\n\nIf ar5523_cmd() timed out, then ar5523_host_available() failed and\nar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb()\nmight touch the freed structure.\n\nThis patch fixes this issue by canceling in-flight tx cmd if submitted\nurb timed out."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:02.375Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c9ba3fbf6a488da6cad1d304c5234bd8d729eba3"
},
{
"url": "https://git.kernel.org/stable/c/340524ae7b53a72cf5d9e7bd7790433422b3b12f"
},
{
"url": "https://git.kernel.org/stable/c/6447beefd21326a3f4719ec2ea511df797f6c820"
},
{
"url": "https://git.kernel.org/stable/c/7360b323e0343ea099091d4ae09576dbe1f09516"
},
{
"url": "https://git.kernel.org/stable/c/8af52492717e3538eba3f81d012b1476af8a89a6"
},
{
"url": "https://git.kernel.org/stable/c/3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd"
},
{
"url": "https://git.kernel.org/stable/c/601ae89375033ac4870c086e24ba03f235d38e55"
},
{
"url": "https://git.kernel.org/stable/c/9aef34e1ae35a87e5f6a22278c17823b7ce64c88"
},
{
"url": "https://git.kernel.org/stable/c/b6702a942a069c2a975478d719e98d83cdae1797"
}
],
"title": "wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50716",
"datePublished": "2025-12-24T12:22:40.461Z",
"dateReserved": "2025-12-24T12:20:40.329Z",
"dateUpdated": "2026-01-02T15:04:02.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-36933 (GCVE-0-2024-36933)
Vulnerability from cvelistv5 – Published: 2024-05-30 15:29 – Updated: 2025-05-04 09:12
VLAI?
EPSS
Title
nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
Summary
In the Linux kernel, the following vulnerability has been resolved:
nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
syzbot triggered various splats (see [0] and links) by a crafted GSO
packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:
ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP
NSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner
protocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls
skb_mac_gso_segment() to invoke inner protocol GSO handlers.
nsh_gso_segment() does the following for the original skb before
calling skb_mac_gso_segment()
1. reset skb->network_header
2. save the original skb->{mac_heaeder,mac_len} in a local variable
3. pull the NSH header
4. resets skb->mac_header
5. set up skb->mac_len and skb->protocol for the inner protocol.
and does the following for the segmented skb
6. set ntohs(ETH_P_NSH) to skb->protocol
7. push the NSH header
8. restore skb->mac_header
9. set skb->mac_header + mac_len to skb->network_header
10. restore skb->mac_len
There are two problems in 6-7 and 8-9.
(a)
After 6 & 7, skb->data points to the NSH header, so the outer header
(ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.
Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),
skb_pull() in the first nsh_gso_segment() will make skb->data point
to the middle of the outer NSH or Ethernet header because the Ethernet
header is not pulled by the second nsh_gso_segment().
(b)
While restoring skb->{mac_header,network_header} in 8 & 9,
nsh_gso_segment() does not assume that the data in the linear
buffer is shifted.
However, udp6_ufo_fragment() could shift the data and change
skb->mac_header accordingly as demonstrated by syzbot.
If this happens, even the restored skb->mac_header points to
the middle of the outer header.
It seems nsh_gso_segment() has never worked with outer headers so far.
At the end of nsh_gso_segment(), the outer header must be restored for
the segmented skb, instead of the NSH header.
To do that, let's calculate the outer header position relatively from
the inner header and set skb->{data,mac_header,protocol} properly.
[0]:
BUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
BUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
BUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222
__netdev_start_xmit include/linux/netdevice.h:4989 [inline]
netdev_start_xmit include/linux/netdevice.h:5003 [inline]
xmit_one net/core/dev.c:3547 [inline]
dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563
__dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351
dev_queue_xmit include/linux/netdevice.h:3171 [inline]
packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x735/0xa10 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3819 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
__do_kmalloc_node mm/slub.c:3980 [inline]
__kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001
kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
__
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c411ed854584a71b0e86ac3019b60e4789d88086 , < a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9
(git)
Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < 46134031c20fd313d03b90169d64b2e05ca6b65c (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < bbccf0caef2fa917d6d0692385a06ce3c262a216 (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < 5a4603fbc285752d19e4b415466db18ef3617e4a (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < 37ed6f244ec5bda2e90b085084e322ea55d0aaa2 (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < 696d18bb59727a2e0526c0802a812620be1c9340 (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < 29a07f2ee4d273760c2acbfc756e29eccd82470a (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < 4b911a9690d72641879ea6d13cce1de31d346d79 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36933",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-04T15:40:25.095830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:47:53.616Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-12T16:02:59.824Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/46134031c20fd313d03b90169d64b2e05ca6b65c"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/bbccf0caef2fa917d6d0692385a06ce3c262a216"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5a4603fbc285752d19e4b415466db18ef3617e4a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/37ed6f244ec5bda2e90b085084e322ea55d0aaa2"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/696d18bb59727a2e0526c0802a812620be1c9340"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/29a07f2ee4d273760c2acbfc756e29eccd82470a"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/4b911a9690d72641879ea6d13cce1de31d346d79"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240912-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nsh/nsh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "46134031c20fd313d03b90169d64b2e05ca6b65c",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "bbccf0caef2fa917d6d0692385a06ce3c262a216",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "5a4603fbc285752d19e4b415466db18ef3617e4a",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "37ed6f244ec5bda2e90b085084e322ea55d0aaa2",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "696d18bb59727a2e0526c0802a812620be1c9340",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "29a07f2ee4d273760c2acbfc756e29eccd82470a",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "4b911a9690d72641879ea6d13cce1de31d346d79",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nsh/nsh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.314",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.217",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.314",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.276",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.217",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.159",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.91",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnsh: Restore skb-\u003e{protocol,data,mac_header} for outer header in nsh_gso_segment().\n\nsyzbot triggered various splats (see [0] and links) by a crafted GSO\npacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:\n\n ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP\n\nNSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS. As the inner\nprotocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls\nskb_mac_gso_segment() to invoke inner protocol GSO handlers.\n\nnsh_gso_segment() does the following for the original skb before\ncalling skb_mac_gso_segment()\n\n 1. reset skb-\u003enetwork_header\n 2. save the original skb-\u003e{mac_heaeder,mac_len} in a local variable\n 3. pull the NSH header\n 4. resets skb-\u003emac_header\n 5. set up skb-\u003emac_len and skb-\u003eprotocol for the inner protocol.\n\nand does the following for the segmented skb\n\n 6. set ntohs(ETH_P_NSH) to skb-\u003eprotocol\n 7. push the NSH header\n 8. restore skb-\u003emac_header\n 9. set skb-\u003emac_header + mac_len to skb-\u003enetwork_header\n 10. restore skb-\u003emac_len\n\nThere are two problems in 6-7 and 8-9.\n\n (a)\n After 6 \u0026 7, skb-\u003edata points to the NSH header, so the outer header\n (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.\n\n Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),\n skb_pull() in the first nsh_gso_segment() will make skb-\u003edata point\n to the middle of the outer NSH or Ethernet header because the Ethernet\n header is not pulled by the second nsh_gso_segment().\n\n (b)\n While restoring skb-\u003e{mac_header,network_header} in 8 \u0026 9,\n nsh_gso_segment() does not assume that the data in the linear\n buffer is shifted.\n\n However, udp6_ufo_fragment() could shift the data and change\n skb-\u003emac_header accordingly as demonstrated by syzbot.\n\n If this happens, even the restored skb-\u003emac_header points to\n the middle of the outer header.\n\nIt seems nsh_gso_segment() has never worked with outer headers so far.\n\nAt the end of nsh_gso_segment(), the outer header must be restored for\nthe segmented skb, instead of the NSH header.\n\nTo do that, let\u0027s calculate the outer header position relatively from\nthe inner header and set skb-\u003e{data,mac_header,protocol} properly.\n\n[0]:\nBUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\nBUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\nBUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668\n ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222\n __netdev_start_xmit include/linux/netdevice.h:4989 [inline]\n netdev_start_xmit include/linux/netdevice.h:5003 [inline]\n xmit_one net/core/dev.c:3547 [inline]\n dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563\n __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3819 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n __do_kmalloc_node mm/slub.c:3980 [inline]\n __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001\n kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582\n __\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T09:12:21.934Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7c2c3c1caabcb4a3d6c47284c397507aaf54fe9"
},
{
"url": "https://git.kernel.org/stable/c/46134031c20fd313d03b90169d64b2e05ca6b65c"
},
{
"url": "https://git.kernel.org/stable/c/bbccf0caef2fa917d6d0692385a06ce3c262a216"
},
{
"url": "https://git.kernel.org/stable/c/5a4603fbc285752d19e4b415466db18ef3617e4a"
},
{
"url": "https://git.kernel.org/stable/c/37ed6f244ec5bda2e90b085084e322ea55d0aaa2"
},
{
"url": "https://git.kernel.org/stable/c/696d18bb59727a2e0526c0802a812620be1c9340"
},
{
"url": "https://git.kernel.org/stable/c/29a07f2ee4d273760c2acbfc756e29eccd82470a"
},
{
"url": "https://git.kernel.org/stable/c/4b911a9690d72641879ea6d13cce1de31d346d79"
}
],
"title": "nsh: Restore skb-\u003e{protocol,data,mac_header} for outer header in nsh_gso_segment().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36933",
"datePublished": "2024-05-30T15:29:23.764Z",
"dateReserved": "2024-05-30T15:25:07.071Z",
"dateUpdated": "2025-05-04T09:12:21.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50868 (GCVE-0-2022-50868)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
hwrng: amd - Fix PCI device refcount leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwrng: amd - Fix PCI device refcount leak
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() for the normal and error path.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
96d63c0297ccfd6d9059c614b3f5555d9441a2b3 , < f1c97f72ffd504f49882774e2ab689d982dc7afc
(git)
Affected: 96d63c0297ccfd6d9059c614b3f5555d9441a2b3 , < 526c316948819d3ecd2bb20fe5e2580c51a1b760 (git) Affected: 96d63c0297ccfd6d9059c614b3f5555d9441a2b3 , < e246f5eff26055bdcb61a2cc99c50af72a19680f (git) Affected: 96d63c0297ccfd6d9059c614b3f5555d9441a2b3 , < 1199f8e02941b326c60ab71a63002b7c80e38212 (git) Affected: 96d63c0297ccfd6d9059c614b3f5555d9441a2b3 , < 5998e5c30e839f73e62cb29e0d9617b0d16ccba3 (git) Affected: 96d63c0297ccfd6d9059c614b3f5555d9441a2b3 , < 2b79a5e560779b35e1164d57ae35c48b43373082 (git) Affected: 96d63c0297ccfd6d9059c614b3f5555d9441a2b3 , < cb348c7908631dd9f60083a0a1542eab055d3edf (git) Affected: 96d63c0297ccfd6d9059c614b3f5555d9441a2b3 , < 2e10ecd012ae2b2a374b34f307e9bc1e6096c03d (git) Affected: 96d63c0297ccfd6d9059c614b3f5555d9441a2b3 , < ecadb5b0111ea19fc7c240bb25d424a94471eb7d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/amd-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f1c97f72ffd504f49882774e2ab689d982dc7afc",
"status": "affected",
"version": "96d63c0297ccfd6d9059c614b3f5555d9441a2b3",
"versionType": "git"
},
{
"lessThan": "526c316948819d3ecd2bb20fe5e2580c51a1b760",
"status": "affected",
"version": "96d63c0297ccfd6d9059c614b3f5555d9441a2b3",
"versionType": "git"
},
{
"lessThan": "e246f5eff26055bdcb61a2cc99c50af72a19680f",
"status": "affected",
"version": "96d63c0297ccfd6d9059c614b3f5555d9441a2b3",
"versionType": "git"
},
{
"lessThan": "1199f8e02941b326c60ab71a63002b7c80e38212",
"status": "affected",
"version": "96d63c0297ccfd6d9059c614b3f5555d9441a2b3",
"versionType": "git"
},
{
"lessThan": "5998e5c30e839f73e62cb29e0d9617b0d16ccba3",
"status": "affected",
"version": "96d63c0297ccfd6d9059c614b3f5555d9441a2b3",
"versionType": "git"
},
{
"lessThan": "2b79a5e560779b35e1164d57ae35c48b43373082",
"status": "affected",
"version": "96d63c0297ccfd6d9059c614b3f5555d9441a2b3",
"versionType": "git"
},
{
"lessThan": "cb348c7908631dd9f60083a0a1542eab055d3edf",
"status": "affected",
"version": "96d63c0297ccfd6d9059c614b3f5555d9441a2b3",
"versionType": "git"
},
{
"lessThan": "2e10ecd012ae2b2a374b34f307e9bc1e6096c03d",
"status": "affected",
"version": "96d63c0297ccfd6d9059c614b3f5555d9441a2b3",
"versionType": "git"
},
{
"lessThan": "ecadb5b0111ea19fc7c240bb25d424a94471eb7d",
"status": "affected",
"version": "96d63c0297ccfd6d9059c614b3f5555d9441a2b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/amd-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: amd - Fix PCI device refcount leak\n\nfor_each_pci_dev() is implemented by pci_get_device(). The comment of\npci_get_device() says that it will increase the reference count for the\nreturned pci_dev and also decrease the reference count for the input\npci_dev @from if it is not NULL.\n\nIf we break for_each_pci_dev() loop with pdev not NULL, we need to call\npci_dev_put() to decrease the reference count. Add the missing\npci_dev_put() for the normal and error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:39.211Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f1c97f72ffd504f49882774e2ab689d982dc7afc"
},
{
"url": "https://git.kernel.org/stable/c/526c316948819d3ecd2bb20fe5e2580c51a1b760"
},
{
"url": "https://git.kernel.org/stable/c/e246f5eff26055bdcb61a2cc99c50af72a19680f"
},
{
"url": "https://git.kernel.org/stable/c/1199f8e02941b326c60ab71a63002b7c80e38212"
},
{
"url": "https://git.kernel.org/stable/c/5998e5c30e839f73e62cb29e0d9617b0d16ccba3"
},
{
"url": "https://git.kernel.org/stable/c/2b79a5e560779b35e1164d57ae35c48b43373082"
},
{
"url": "https://git.kernel.org/stable/c/cb348c7908631dd9f60083a0a1542eab055d3edf"
},
{
"url": "https://git.kernel.org/stable/c/2e10ecd012ae2b2a374b34f307e9bc1e6096c03d"
},
{
"url": "https://git.kernel.org/stable/c/ecadb5b0111ea19fc7c240bb25d424a94471eb7d"
}
],
"title": "hwrng: amd - Fix PCI device refcount leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50868",
"datePublished": "2025-12-30T12:15:39.211Z",
"dateReserved": "2025-12-30T12:06:07.136Z",
"dateUpdated": "2025-12-30T12:15:39.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54236 (GCVE-0-2023-54236)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
net/net_failover: fix txq exceeding warning
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/net_failover: fix txq exceeding warning
The failover txq is inited as 16 queues.
when a packet is transmitted from the failover device firstly,
the failover device will select the queue which is returned from
the primary device if the primary device is UP and running.
If the primary device txq is bigger than the default 16,
it can lead to the following warning:
eth0 selects TX queue 18, but real number of TX queues is 16
The warning backtrace is:
[ 32.146376] CPU: 18 PID: 9134 Comm: chronyd Tainted: G E 6.2.8-1.el7.centos.x86_64 #1
[ 32.147175] Hardware name: Red Hat KVM, BIOS 1.10.2-3.el7_4.1 04/01/2014
[ 32.147730] Call Trace:
[ 32.147971] <TASK>
[ 32.148183] dump_stack_lvl+0x48/0x70
[ 32.148514] dump_stack+0x10/0x20
[ 32.148820] netdev_core_pick_tx+0xb1/0xe0
[ 32.149180] __dev_queue_xmit+0x529/0xcf0
[ 32.149533] ? __check_object_size.part.0+0x21c/0x2c0
[ 32.149967] ip_finish_output2+0x278/0x560
[ 32.150327] __ip_finish_output+0x1fe/0x2f0
[ 32.150690] ip_finish_output+0x2a/0xd0
[ 32.151032] ip_output+0x7a/0x110
[ 32.151337] ? __pfx_ip_finish_output+0x10/0x10
[ 32.151733] ip_local_out+0x5e/0x70
[ 32.152054] ip_send_skb+0x19/0x50
[ 32.152366] udp_send_skb.isra.0+0x163/0x3a0
[ 32.152736] udp_sendmsg+0xba8/0xec0
[ 32.153060] ? __folio_memcg_unlock+0x25/0x60
[ 32.153445] ? __pfx_ip_generic_getfrag+0x10/0x10
[ 32.153854] ? sock_has_perm+0x85/0xa0
[ 32.154190] inet_sendmsg+0x6d/0x80
[ 32.154508] ? inet_sendmsg+0x6d/0x80
[ 32.154838] sock_sendmsg+0x62/0x70
[ 32.155152] ____sys_sendmsg+0x134/0x290
[ 32.155499] ___sys_sendmsg+0x81/0xc0
[ 32.155828] ? _get_random_bytes.part.0+0x79/0x1a0
[ 32.156240] ? ip4_datagram_release_cb+0x5f/0x1e0
[ 32.156649] ? get_random_u16+0x69/0xf0
[ 32.156989] ? __fget_light+0xcf/0x110
[ 32.157326] __sys_sendmmsg+0xc4/0x210
[ 32.157657] ? __sys_connect+0xb7/0xe0
[ 32.157995] ? __audit_syscall_entry+0xce/0x140
[ 32.158388] ? syscall_trace_enter.isra.0+0x12c/0x1a0
[ 32.158820] __x64_sys_sendmmsg+0x24/0x30
[ 32.159171] do_syscall_64+0x38/0x90
[ 32.159493] entry_SYSCALL_64_after_hwframe+0x72/0xdc
Fix that by reducing txq number as the non-existent primary-dev does.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cfc80d9a11635404a40199a1c9471c96890f3f74 , < 105cc268328231d5c2bfcbd03f265cec444a3492
(git)
Affected: cfc80d9a11635404a40199a1c9471c96890f3f74 , < f032e125149d914e542548c17ebd613851031368 (git) Affected: cfc80d9a11635404a40199a1c9471c96890f3f74 , < 2d5cebf57296f0189a61482035ad420384eedead (git) Affected: cfc80d9a11635404a40199a1c9471c96890f3f74 , < c942f5cd63b7c2e73fe06744185a34b03267595b (git) Affected: cfc80d9a11635404a40199a1c9471c96890f3f74 , < 44d250c22209c680f61befbc2ac326da5452da01 (git) Affected: cfc80d9a11635404a40199a1c9471c96890f3f74 , < e3cbdcb0fbb61045ef3ce0e072927cc41737f787 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/net_failover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "105cc268328231d5c2bfcbd03f265cec444a3492",
"status": "affected",
"version": "cfc80d9a11635404a40199a1c9471c96890f3f74",
"versionType": "git"
},
{
"lessThan": "f032e125149d914e542548c17ebd613851031368",
"status": "affected",
"version": "cfc80d9a11635404a40199a1c9471c96890f3f74",
"versionType": "git"
},
{
"lessThan": "2d5cebf57296f0189a61482035ad420384eedead",
"status": "affected",
"version": "cfc80d9a11635404a40199a1c9471c96890f3f74",
"versionType": "git"
},
{
"lessThan": "c942f5cd63b7c2e73fe06744185a34b03267595b",
"status": "affected",
"version": "cfc80d9a11635404a40199a1c9471c96890f3f74",
"versionType": "git"
},
{
"lessThan": "44d250c22209c680f61befbc2ac326da5452da01",
"status": "affected",
"version": "cfc80d9a11635404a40199a1c9471c96890f3f74",
"versionType": "git"
},
{
"lessThan": "e3cbdcb0fbb61045ef3ce0e072927cc41737f787",
"status": "affected",
"version": "cfc80d9a11635404a40199a1c9471c96890f3f74",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/net_failover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.106",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.240",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.177",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.106",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.23",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.10",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/net_failover: fix txq exceeding warning\n\nThe failover txq is inited as 16 queues.\nwhen a packet is transmitted from the failover device firstly,\nthe failover device will select the queue which is returned from\nthe primary device if the primary device is UP and running.\nIf the primary device txq is bigger than the default 16,\nit can lead to the following warning:\neth0 selects TX queue 18, but real number of TX queues is 16\n\nThe warning backtrace is:\n[ 32.146376] CPU: 18 PID: 9134 Comm: chronyd Tainted: G E 6.2.8-1.el7.centos.x86_64 #1\n[ 32.147175] Hardware name: Red Hat KVM, BIOS 1.10.2-3.el7_4.1 04/01/2014\n[ 32.147730] Call Trace:\n[ 32.147971] \u003cTASK\u003e\n[ 32.148183] dump_stack_lvl+0x48/0x70\n[ 32.148514] dump_stack+0x10/0x20\n[ 32.148820] netdev_core_pick_tx+0xb1/0xe0\n[ 32.149180] __dev_queue_xmit+0x529/0xcf0\n[ 32.149533] ? __check_object_size.part.0+0x21c/0x2c0\n[ 32.149967] ip_finish_output2+0x278/0x560\n[ 32.150327] __ip_finish_output+0x1fe/0x2f0\n[ 32.150690] ip_finish_output+0x2a/0xd0\n[ 32.151032] ip_output+0x7a/0x110\n[ 32.151337] ? __pfx_ip_finish_output+0x10/0x10\n[ 32.151733] ip_local_out+0x5e/0x70\n[ 32.152054] ip_send_skb+0x19/0x50\n[ 32.152366] udp_send_skb.isra.0+0x163/0x3a0\n[ 32.152736] udp_sendmsg+0xba8/0xec0\n[ 32.153060] ? __folio_memcg_unlock+0x25/0x60\n[ 32.153445] ? __pfx_ip_generic_getfrag+0x10/0x10\n[ 32.153854] ? sock_has_perm+0x85/0xa0\n[ 32.154190] inet_sendmsg+0x6d/0x80\n[ 32.154508] ? inet_sendmsg+0x6d/0x80\n[ 32.154838] sock_sendmsg+0x62/0x70\n[ 32.155152] ____sys_sendmsg+0x134/0x290\n[ 32.155499] ___sys_sendmsg+0x81/0xc0\n[ 32.155828] ? _get_random_bytes.part.0+0x79/0x1a0\n[ 32.156240] ? ip4_datagram_release_cb+0x5f/0x1e0\n[ 32.156649] ? get_random_u16+0x69/0xf0\n[ 32.156989] ? __fget_light+0xcf/0x110\n[ 32.157326] __sys_sendmmsg+0xc4/0x210\n[ 32.157657] ? __sys_connect+0xb7/0xe0\n[ 32.157995] ? __audit_syscall_entry+0xce/0x140\n[ 32.158388] ? syscall_trace_enter.isra.0+0x12c/0x1a0\n[ 32.158820] __x64_sys_sendmmsg+0x24/0x30\n[ 32.159171] do_syscall_64+0x38/0x90\n[ 32.159493] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nFix that by reducing txq number as the non-existent primary-dev does."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:26.373Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/105cc268328231d5c2bfcbd03f265cec444a3492"
},
{
"url": "https://git.kernel.org/stable/c/f032e125149d914e542548c17ebd613851031368"
},
{
"url": "https://git.kernel.org/stable/c/2d5cebf57296f0189a61482035ad420384eedead"
},
{
"url": "https://git.kernel.org/stable/c/c942f5cd63b7c2e73fe06744185a34b03267595b"
},
{
"url": "https://git.kernel.org/stable/c/44d250c22209c680f61befbc2ac326da5452da01"
},
{
"url": "https://git.kernel.org/stable/c/e3cbdcb0fbb61045ef3ce0e072927cc41737f787"
}
],
"title": "net/net_failover: fix txq exceeding warning",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54236",
"datePublished": "2025-12-30T12:11:26.373Z",
"dateReserved": "2025-12-30T12:06:44.508Z",
"dateUpdated": "2025-12-30T12:11:26.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68287 (GCVE-0-2025-68287)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking `dwc3_remove_requests()`,
leading to premature freeing of USB requests and subsequent crashes.
Three distinct execution paths interact with `dwc3_remove_requests()`:
Path 1:
Triggered via `dwc3_gadget_reset_interrupt()` during USB reset
handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 2:
Also initiated from `dwc3_gadget_reset_interrupt()`, but through
`dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 3:
Occurs independently during `adb root` execution, which triggers
USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status
Path 3 operates asynchronously and lacks synchronization with Paths
1 and 2. When Path 3 completes, it disables endpoints and frees 'out'
requests. If Paths 1 or 2 are still processing these requests,
accessing freed memory leads to a crash due to use-after-free conditions.
To fix this added check for request completion and skip processing
if already completed and added the request status for ep0 while queue.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
72246da40f3719af3bfd104a2365b32537c27d83 , < 467add9db13219101f14b6cc5477998b4aaa5fe2
(git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 67192e8cb7f941b5bba91e4bb290683576ce1607 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 47de14d741cc4057046c9e2f33df1f7828254e6c (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < afc0e34f161ce61ad351303c46eb57bd44b8b090 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 7cfb62888eba292fa35cd9ddbd28ce595f60e139 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < fa5eaf701e576880070b60922200557ae4aa54e1 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < e4037689a366743c4233966f0e74bc455820d316 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/ep0.c",
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "467add9db13219101f14b6cc5477998b4aaa5fe2",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "67192e8cb7f941b5bba91e4bb290683576ce1607",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "47de14d741cc4057046c9e2f33df1f7828254e6c",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "afc0e34f161ce61ad351303c46eb57bd44b8b090",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "7cfb62888eba292fa35cd9ddbd28ce595f60e139",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "fa5eaf701e576880070b60922200557ae4aa54e1",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "e4037689a366743c4233966f0e74bc455820d316",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/ep0.c",
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths\n\nThis patch addresses a race condition caused by unsynchronized\nexecution of multiple call paths invoking `dwc3_remove_requests()`,\nleading to premature freeing of USB requests and subsequent crashes.\n\nThree distinct execution paths interact with `dwc3_remove_requests()`:\nPath 1:\nTriggered via `dwc3_gadget_reset_interrupt()` during USB reset\nhandling. The call stack includes:\n- `dwc3_ep0_reset_state()`\n- `dwc3_ep0_stall_and_restart()`\n- `dwc3_ep0_out_start()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 2:\nAlso initiated from `dwc3_gadget_reset_interrupt()`, but through\n`dwc3_stop_active_transfers()`. The call stack includes:\n- `dwc3_stop_active_transfers()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 3:\nOccurs independently during `adb root` execution, which triggers\nUSB function unbind and bind operations. The sequence includes:\n- `gserial_disconnect()`\n- `usb_ep_disable()`\n- `dwc3_gadget_ep_disable()`\n- `dwc3_remove_requests()` with `-ESHUTDOWN` status\n\nPath 3 operates asynchronously and lacks synchronization with Paths\n1 and 2. When Path 3 completes, it disables endpoints and frees \u0027out\u0027\nrequests. If Paths 1 or 2 are still processing these requests,\naccessing freed memory leads to a crash due to use-after-free conditions.\n\nTo fix this added check for request completion and skip processing\nif already completed and added the request status for ep0 while queue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:08.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/467add9db13219101f14b6cc5477998b4aaa5fe2"
},
{
"url": "https://git.kernel.org/stable/c/67192e8cb7f941b5bba91e4bb290683576ce1607"
},
{
"url": "https://git.kernel.org/stable/c/47de14d741cc4057046c9e2f33df1f7828254e6c"
},
{
"url": "https://git.kernel.org/stable/c/afc0e34f161ce61ad351303c46eb57bd44b8b090"
},
{
"url": "https://git.kernel.org/stable/c/7cfb62888eba292fa35cd9ddbd28ce595f60e139"
},
{
"url": "https://git.kernel.org/stable/c/fa5eaf701e576880070b60922200557ae4aa54e1"
},
{
"url": "https://git.kernel.org/stable/c/e4037689a366743c4233966f0e74bc455820d316"
}
],
"title": "usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68287",
"datePublished": "2025-12-16T15:06:08.711Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:08.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53819 (GCVE-0-2023-53819)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
VLAI?
EPSS
Title
amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
Summary
In the Linux kernel, the following vulnerability has been resolved:
amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
This is motivated by OOB access in amdgpu_vm_update_range when
offset_in_bo+map_size overflows.
v2: keep the validations in amdgpu_vm_bo_map
v3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map
rather than to amdgpu_gem_va_ioctl
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9f7eb5367d0001536c361bd1400e14521f854ff1 , < 82aace80cfaab778245bd2f9e31b67953725e4d0
(git)
Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < d83c337e654d58d3edd15a2ae76e87dc601c07d9 (git) Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < 968e27fd037ec4732068820a9b9836eccc0e0a12 (git) Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < 4300a47e4017c9febb60ffa7d39723eeaed00f2b (git) Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < b10db1d2137415e5e7f9706d96cfe77539c499d4 (git) Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < f015aadc0d973047f49526a127e900c488d4e425 (git) Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < bc6dbf34dc4fb639522f3e8e66ef05997c0441ee (git) Affected: 9f7eb5367d0001536c361bd1400e14521f854ff1 , < 9f0bcf49e9895cb005d78b33a5eebfa11711b425 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82aace80cfaab778245bd2f9e31b67953725e4d0",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "d83c337e654d58d3edd15a2ae76e87dc601c07d9",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "968e27fd037ec4732068820a9b9836eccc0e0a12",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "4300a47e4017c9febb60ffa7d39723eeaed00f2b",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "b10db1d2137415e5e7f9706d96cfe77539c499d4",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "f015aadc0d973047f49526a127e900c488d4e425",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "bc6dbf34dc4fb639522f3e8e66ef05997c0441ee",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
},
{
"lessThan": "9f0bcf49e9895cb005d78b33a5eebfa11711b425",
"status": "affected",
"version": "9f7eb5367d0001536c361bd1400e14521f854ff1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.275",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.313",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.275",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\namdgpu: validate offset_in_bo of drm_amdgpu_gem_va\n\nThis is motivated by OOB access in amdgpu_vm_update_range when\noffset_in_bo+map_size overflows.\n\nv2: keep the validations in amdgpu_vm_bo_map\nv3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map\n rather than to amdgpu_gem_va_ioctl"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:17.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82aace80cfaab778245bd2f9e31b67953725e4d0"
},
{
"url": "https://git.kernel.org/stable/c/d83c337e654d58d3edd15a2ae76e87dc601c07d9"
},
{
"url": "https://git.kernel.org/stable/c/968e27fd037ec4732068820a9b9836eccc0e0a12"
},
{
"url": "https://git.kernel.org/stable/c/4300a47e4017c9febb60ffa7d39723eeaed00f2b"
},
{
"url": "https://git.kernel.org/stable/c/b10db1d2137415e5e7f9706d96cfe77539c499d4"
},
{
"url": "https://git.kernel.org/stable/c/f015aadc0d973047f49526a127e900c488d4e425"
},
{
"url": "https://git.kernel.org/stable/c/bc6dbf34dc4fb639522f3e8e66ef05997c0441ee"
},
{
"url": "https://git.kernel.org/stable/c/9f0bcf49e9895cb005d78b33a5eebfa11711b425"
}
],
"title": "amdgpu: validate offset_in_bo of drm_amdgpu_gem_va",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53819",
"datePublished": "2025-12-09T00:01:17.936Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:17.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40359 (GCVE-0-2025-40359)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:39 – Updated: 2025-12-16 13:39
VLAI?
EPSS
Title
perf/x86/intel: Fix KASAN global-out-of-bounds warning
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel: Fix KASAN global-out-of-bounds warning
When running "perf mem record" command on CWF, the below KASAN
global-out-of-bounds warning is seen.
==================================================================
BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0
Read of size 4 at addr ffffffffb721d000 by task dtlb/9850
Call Trace:
kasan_report+0xb8/0xf0
cmt_latency_data+0x176/0x1b0
setup_arch_pebs_sample_data+0xf49/0x2560
intel_pmu_drain_arch_pebs+0x577/0xb00
handle_pmi_common+0x6c4/0xc80
The issue is caused by below code in __grt_latency_data(). The code
tries to access x86_hybrid_pmu structure which doesn't exist on
non-hybrid platform like CWF.
WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big)
So add is_hybrid() check before calling this WARN_ON_ONCE to fix the
global-out-of-bounds access issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
090262439f66df03d4e9d0e52e14104b729e2ef8 , < 1b61a1da3d8105ea1be548c94c2856697eb7ffd1
(git)
Affected: 090262439f66df03d4e9d0e52e14104b729e2ef8 , < 710a72e81a7028e1ad1a10eb14f941f8dd45ffd3 (git) Affected: 090262439f66df03d4e9d0e52e14104b729e2ef8 , < 0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/events/intel/ds.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b61a1da3d8105ea1be548c94c2856697eb7ffd1",
"status": "affected",
"version": "090262439f66df03d4e9d0e52e14104b729e2ef8",
"versionType": "git"
},
{
"lessThan": "710a72e81a7028e1ad1a10eb14f941f8dd45ffd3",
"status": "affected",
"version": "090262439f66df03d4e9d0e52e14104b729e2ef8",
"versionType": "git"
},
{
"lessThan": "0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251",
"status": "affected",
"version": "090262439f66df03d4e9d0e52e14104b729e2ef8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/events/intel/ds.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix KASAN global-out-of-bounds warning\n\nWhen running \"perf mem record\" command on CWF, the below KASAN\nglobal-out-of-bounds warning is seen.\n\n ==================================================================\n BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0\n Read of size 4 at addr ffffffffb721d000 by task dtlb/9850\n\n Call Trace:\n\n kasan_report+0xb8/0xf0\n cmt_latency_data+0x176/0x1b0\n setup_arch_pebs_sample_data+0xf49/0x2560\n intel_pmu_drain_arch_pebs+0x577/0xb00\n handle_pmi_common+0x6c4/0xc80\n\nThe issue is caused by below code in __grt_latency_data(). The code\ntries to access x86_hybrid_pmu structure which doesn\u0027t exist on\nnon-hybrid platform like CWF.\n\n WARN_ON_ONCE(hybrid_pmu(event-\u003epmu)-\u003epmu_type == hybrid_big)\n\nSo add is_hybrid() check before calling this WARN_ON_ONCE to fix the\nglobal-out-of-bounds access issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:39:58.778Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b61a1da3d8105ea1be548c94c2856697eb7ffd1"
},
{
"url": "https://git.kernel.org/stable/c/710a72e81a7028e1ad1a10eb14f941f8dd45ffd3"
},
{
"url": "https://git.kernel.org/stable/c/0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251"
}
],
"title": "perf/x86/intel: Fix KASAN global-out-of-bounds warning",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40359",
"datePublished": "2025-12-16T13:39:58.778Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:39:58.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50678 (GCVE-0-2022-50678)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-23 13:30
VLAI?
EPSS
Title
wifi: brcmfmac: fix invalid address access when enabling SCAN log level
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix invalid address access when enabling SCAN log level
The variable i is changed when setting random MAC address and causes
invalid address access when printing the value of pi->reqs[i]->reqid.
We replace reqs index with ri to fix the issue.
[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[ 136.737365] Mem abort info:
[ 136.740172] ESR = 0x96000004
[ 136.743359] Exception class = DABT (current EL), IL = 32 bits
[ 136.749294] SET = 0, FnV = 0
[ 136.752481] EA = 0, S1PTW = 0
[ 136.755635] Data abort info:
[ 136.758514] ISV = 0, ISS = 0x00000004
[ 136.762487] CM = 0, WnR = 0
[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577
[ 136.772265] [0000000000000000] pgd=0000000000000000
[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)
[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)
[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1
[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)
[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)
[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]
[ 136.828162] sp : ffff00000e9a3880
[ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400
[ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0
[ 136.842098] x25: ffff80002054345c x24: ffff800088d22400
[ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8
[ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400
[ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000
[ 136.863343] x17: 0000000000000000 x16: 0000000000000000
[ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050
[ 136.873966] x13: 0000000000003135 x12: 0000000000000000
[ 136.879277] x11: 0000000000000000 x10: ffff000009a61888
[ 136.884589] x9 : 000000000000000f x8 : 0000000000000008
[ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d
[ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942
[ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8
[ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000
[ 136.911146] Call trace:
[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]
[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]
[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211]
[ 136.937298] genl_rcv_msg+0x358/0x3f4
[ 136.940960] netlink_rcv_skb+0xb4/0x118
[ 136.944795] genl_rcv+0x34/0x48
[ 136.947935] netlink_unicast+0x264/0x300
[ 136.951856] netlink_sendmsg+0x2e4/0x33c
[ 136.955781] __sys_sendto+0x120/0x19c
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 7ccb0529446ae68a8581916bfc95c353306d76ba
(git)
Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 1c12d47a9017a7745585b57b9b0fdc0d8c50978e (git) Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 56a0ac48634155d2b866b99fba7e1dd8df4e2804 (git) Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 50e45034c5802cedbf5b707364ea76ace29ad984 (git) Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 75995ce1c926ee87bf93d58977c766b4e7744715 (git) Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4 (git) Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 826405a911473b6ee8bd2aa891cb2f03a13efa17 (git) Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < aa666b68e73fc06d83c070d96180b9010cf5a960 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ccb0529446ae68a8581916bfc95c353306d76ba",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "1c12d47a9017a7745585b57b9b0fdc0d8c50978e",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "56a0ac48634155d2b866b99fba7e1dd8df4e2804",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "50e45034c5802cedbf5b707364ea76ace29ad984",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "75995ce1c926ee87bf93d58977c766b4e7744715",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "826405a911473b6ee8bd2aa891cb2f03a13efa17",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
},
{
"lessThan": "aa666b68e73fc06d83c070d96180b9010cf5a960",
"status": "affected",
"version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix invalid address access when enabling SCAN log level\n\nThe variable i is changed when setting random MAC address and causes\ninvalid address access when printing the value of pi-\u003ereqs[i]-\u003ereqid.\n\nWe replace reqs index with ri to fix the issue.\n\n[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000\n[ 136.737365] Mem abort info:\n[ 136.740172] ESR = 0x96000004\n[ 136.743359] Exception class = DABT (current EL), IL = 32 bits\n[ 136.749294] SET = 0, FnV = 0\n[ 136.752481] EA = 0, S1PTW = 0\n[ 136.755635] Data abort info:\n[ 136.758514] ISV = 0, ISS = 0x00000004\n[ 136.762487] CM = 0, WnR = 0\n[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577\n[ 136.772265] [0000000000000000] pgd=0000000000000000\n[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)\n[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)\n[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1\n[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)\n[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)\n[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]\n[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]\n[ 136.828162] sp : ffff00000e9a3880\n[ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400\n[ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0\n[ 136.842098] x25: ffff80002054345c x24: ffff800088d22400\n[ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8\n[ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400\n[ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000\n[ 136.863343] x17: 0000000000000000 x16: 0000000000000000\n[ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050\n[ 136.873966] x13: 0000000000003135 x12: 0000000000000000\n[ 136.879277] x11: 0000000000000000 x10: ffff000009a61888\n[ 136.884589] x9 : 000000000000000f x8 : 0000000000000008\n[ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d\n[ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942\n[ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8\n[ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000\n[ 136.911146] Call trace:\n[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]\n[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]\n[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]\n[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211]\n[ 136.937298] genl_rcv_msg+0x358/0x3f4\n[ 136.940960] netlink_rcv_skb+0xb4/0x118\n[ 136.944795] genl_rcv+0x34/0x48\n[ 136.947935] netlink_unicast+0x264/0x300\n[ 136.951856] netlink_sendmsg+0x2e4/0x33c\n[ 136.955781] __sys_sendto+0x120/0x19c"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:31.837Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ccb0529446ae68a8581916bfc95c353306d76ba"
},
{
"url": "https://git.kernel.org/stable/c/1c12d47a9017a7745585b57b9b0fdc0d8c50978e"
},
{
"url": "https://git.kernel.org/stable/c/56a0ac48634155d2b866b99fba7e1dd8df4e2804"
},
{
"url": "https://git.kernel.org/stable/c/50e45034c5802cedbf5b707364ea76ace29ad984"
},
{
"url": "https://git.kernel.org/stable/c/75995ce1c926ee87bf93d58977c766b4e7744715"
},
{
"url": "https://git.kernel.org/stable/c/4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4"
},
{
"url": "https://git.kernel.org/stable/c/826405a911473b6ee8bd2aa891cb2f03a13efa17"
},
{
"url": "https://git.kernel.org/stable/c/aa666b68e73fc06d83c070d96180b9010cf5a960"
}
],
"title": "wifi: brcmfmac: fix invalid address access when enabling SCAN log level",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50678",
"datePublished": "2025-12-09T01:29:31.739Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-23T13:30:31.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54047 (GCVE-0-2023-54047)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
drm/rockchip: dw_hdmi: cleanup drm encoder during unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/rockchip: dw_hdmi: cleanup drm encoder during unbind
This fixes a use-after-free crash during rmmod.
The DRM encoder is embedded inside the larger rockchip_hdmi,
which is allocated with the component. The component memory
gets freed before the main drm device is destroyed. Fix it
by running encoder cleanup before tearing down its container.
[moved encoder cleanup above clk_disable, similar to bind-error-path]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8e3b16e2117409625b89807de3912ff773aea354 , < 110d4202522373d629d14597af9bac97eb58bd67
(git)
Affected: 8e3b16e2117409625b89807de3912ff773aea354 , < 218fe9b624545f4bcfb16cdb35ac3d60c8b0d8c7 (git) Affected: 8e3b16e2117409625b89807de3912ff773aea354 , < b5af48eedcb53491c02ded55d5991e03d6da6dbf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "110d4202522373d629d14597af9bac97eb58bd67",
"status": "affected",
"version": "8e3b16e2117409625b89807de3912ff773aea354",
"versionType": "git"
},
{
"lessThan": "218fe9b624545f4bcfb16cdb35ac3d60c8b0d8c7",
"status": "affected",
"version": "8e3b16e2117409625b89807de3912ff773aea354",
"versionType": "git"
},
{
"lessThan": "b5af48eedcb53491c02ded55d5991e03d6da6dbf",
"status": "affected",
"version": "8e3b16e2117409625b89807de3912ff773aea354",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/rockchip/dw_hdmi-rockchip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/rockchip: dw_hdmi: cleanup drm encoder during unbind\n\nThis fixes a use-after-free crash during rmmod.\n\nThe DRM encoder is embedded inside the larger rockchip_hdmi,\nwhich is allocated with the component. The component memory\ngets freed before the main drm device is destroyed. Fix it\nby running encoder cleanup before tearing down its container.\n\n[moved encoder cleanup above clk_disable, similar to bind-error-path]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:34.362Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/110d4202522373d629d14597af9bac97eb58bd67"
},
{
"url": "https://git.kernel.org/stable/c/218fe9b624545f4bcfb16cdb35ac3d60c8b0d8c7"
},
{
"url": "https://git.kernel.org/stable/c/b5af48eedcb53491c02ded55d5991e03d6da6dbf"
}
],
"title": "drm/rockchip: dw_hdmi: cleanup drm encoder during unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54047",
"datePublished": "2025-12-24T12:22:58.218Z",
"dateReserved": "2025-12-24T12:21:05.089Z",
"dateUpdated": "2026-01-05T10:33:34.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68252 (GCVE-0-2025-68252)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:32 – Updated: 2025-12-16 14:32
VLAI?
EPSS
Title
misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup
In fastrpc_map_lookup, dma_buf_get is called to obtain a reference to
the dma_buf for comparison purposes. However, this reference is never
released when the function returns, leading to a dma_buf memory leak.
Fix this by adding dma_buf_put before returning from the function,
ensuring that the temporarily acquired reference is properly released
regardless of whether a matching map is found.
Rule: add
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ec5cb80503bbfee67573699fe52fcf456fd57678 , < c2fef5ebb73f3dabae6fbc571d181914ed32c483
(git)
Affected: 6e0d6cc39f410a4d9ea774fbb254c68fe02ff4bb , < 9a297a68c3ba4a7ecb31ed52f61bd6634abb79d3 (git) Affected: 6e0928a8988e873da9946e17f8065ad77c720186 , < e17b13387827adce7acb19ac0f07f9bcafe0ff4c (git) Affected: 1986bba9597b3d97d3e80530dc457a1cd1994e22 , < 214e81a63a9aa0be42382ef0365ba5ed32c513ab (git) Affected: 9031626ade38b092b72638dfe0c6ffce8d8acd43 , < fff111bf45cbeeb659324316d68554e35d350092 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2fef5ebb73f3dabae6fbc571d181914ed32c483",
"status": "affected",
"version": "ec5cb80503bbfee67573699fe52fcf456fd57678",
"versionType": "git"
},
{
"lessThan": "9a297a68c3ba4a7ecb31ed52f61bd6634abb79d3",
"status": "affected",
"version": "6e0d6cc39f410a4d9ea774fbb254c68fe02ff4bb",
"versionType": "git"
},
{
"lessThan": "e17b13387827adce7acb19ac0f07f9bcafe0ff4c",
"status": "affected",
"version": "6e0928a8988e873da9946e17f8065ad77c720186",
"versionType": "git"
},
{
"lessThan": "214e81a63a9aa0be42382ef0365ba5ed32c513ab",
"status": "affected",
"version": "1986bba9597b3d97d3e80530dc457a1cd1994e22",
"versionType": "git"
},
{
"lessThan": "fff111bf45cbeeb659324316d68554e35d350092",
"status": "affected",
"version": "9031626ade38b092b72638dfe0c6ffce8d8acd43",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.158",
"status": "affected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThan": "6.6.115",
"status": "affected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThan": "6.12.56",
"status": "affected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThan": "6.17.6",
"status": "affected",
"version": "6.17.3",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "6.1.156",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "6.6.112",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.12.53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.17.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup\n\nIn fastrpc_map_lookup, dma_buf_get is called to obtain a reference to\nthe dma_buf for comparison purposes. However, this reference is never\nreleased when the function returns, leading to a dma_buf memory leak.\n\nFix this by adding dma_buf_put before returning from the function,\nensuring that the temporarily acquired reference is properly released\nregardless of whether a matching map is found.\n\nRule: add"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:32:18.819Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2fef5ebb73f3dabae6fbc571d181914ed32c483"
},
{
"url": "https://git.kernel.org/stable/c/9a297a68c3ba4a7ecb31ed52f61bd6634abb79d3"
},
{
"url": "https://git.kernel.org/stable/c/e17b13387827adce7acb19ac0f07f9bcafe0ff4c"
},
{
"url": "https://git.kernel.org/stable/c/214e81a63a9aa0be42382ef0365ba5ed32c513ab"
},
{
"url": "https://git.kernel.org/stable/c/fff111bf45cbeeb659324316d68554e35d350092"
}
],
"title": "misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68252",
"datePublished": "2025-12-16T14:32:18.819Z",
"dateReserved": "2025-12-16T13:41:40.266Z",
"dateUpdated": "2025-12-16T14:32:18.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50851 (GCVE-0-2022-50851)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
vhost_vdpa: fix the crash in unmap a large memory
Summary
In the Linux kernel, the following vulnerability has been resolved:
vhost_vdpa: fix the crash in unmap a large memory
While testing in vIOMMU, sometimes Guest will unmap very large memory,
which will cause the crash. To fix this, add a new function
vhost_vdpa_general_unmap(). This function will only unmap the memory
that saved in iotlb.
Call Trace:
[ 647.820144] ------------[ cut here ]------------
[ 647.820848] kernel BUG at drivers/iommu/intel/iommu.c:1174!
[ 647.821486] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[ 647.822082] CPU: 10 PID: 1181 Comm: qemu-system-x86 Not tainted 6.0.0-rc1home_lulu_2452_lulu7_vhost+ #62
[ 647.823139] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qem4
[ 647.824365] RIP: 0010:domain_unmap+0x48/0x110
[ 647.825424] Code: 48 89 fb 8d 4c f6 1e 39 c1 0f 4f c8 83 e9 0c 83 f9 3f 7f 18 48 89 e8 48 d3 e8 48 85 c0 75 59
[ 647.828064] RSP: 0018:ffffae5340c0bbf0 EFLAGS: 00010202
[ 647.828973] RAX: 0000000000000001 RBX: ffff921793d10540 RCX: 000000000000001b
[ 647.830083] RDX: 00000000080000ff RSI: 0000000000000001 RDI: ffff921793d10540
[ 647.831214] RBP: 0000000007fc0100 R08: ffffae5340c0bcd0 R09: 0000000000000003
[ 647.832388] R10: 0000007fc0100000 R11: 0000000000100000 R12: 00000000080000ff
[ 647.833668] R13: ffffae5340c0bcd0 R14: ffff921793d10590 R15: 0000008000100000
[ 647.834782] FS: 00007f772ec90640(0000) GS:ffff921ce7a80000(0000) knlGS:0000000000000000
[ 647.836004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 647.836990] CR2: 00007f02c27a3a20 CR3: 0000000101b0c006 CR4: 0000000000372ee0
[ 647.838107] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 647.839283] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 647.840666] Call Trace:
[ 647.841437] <TASK>
[ 647.842107] intel_iommu_unmap_pages+0x93/0x140
[ 647.843112] __iommu_unmap+0x91/0x1b0
[ 647.844003] iommu_unmap+0x6a/0x95
[ 647.844885] vhost_vdpa_unmap+0x1de/0x1f0 [vhost_vdpa]
[ 647.845985] vhost_vdpa_process_iotlb_msg+0xf0/0x90b [vhost_vdpa]
[ 647.847235] ? _raw_spin_unlock+0x15/0x30
[ 647.848181] ? _copy_from_iter+0x8c/0x580
[ 647.849137] vhost_chr_write_iter+0xb3/0x430 [vhost]
[ 647.850126] vfs_write+0x1e4/0x3a0
[ 647.850897] ksys_write+0x53/0xd0
[ 647.851688] do_syscall_64+0x3a/0x90
[ 647.852508] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 647.853457] RIP: 0033:0x7f7734ef9f4f
[ 647.854408] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 76 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c8
[ 647.857217] RSP: 002b:00007f772ec8f040 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 647.858486] RAX: ffffffffffffffda RBX: 00000000fef00000 RCX: 00007f7734ef9f4f
[ 647.859713] RDX: 0000000000000048 RSI: 00007f772ec8f090 RDI: 0000000000000010
[ 647.860942] RBP: 00007f772ec8f1a0 R08: 0000000000000000 R09: 0000000000000000
[ 647.862206] R10: 0000000000000001 R11: 0000000000000293 R12: 0000000000000010
[ 647.863446] R13: 0000000000000002 R14: 0000000000000000 R15: ffffffff01100000
[ 647.864692] </TASK>
[ 647.865458] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs v]
[ 647.874688] ---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4c8cf31885f69e86be0b5b9e6677a26797365e1d , < 26b7400c89b81e2f6de4f224ba1fdf06f293de31
(git)
Affected: 4c8cf31885f69e86be0b5b9e6677a26797365e1d , < 8b258a31c2e8d4d4e42be70a7c6ca35a5afbff0d (git) Affected: 4c8cf31885f69e86be0b5b9e6677a26797365e1d , < e794070af224ade46db368271896b2685ff4f96b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "26b7400c89b81e2f6de4f224ba1fdf06f293de31",
"status": "affected",
"version": "4c8cf31885f69e86be0b5b9e6677a26797365e1d",
"versionType": "git"
},
{
"lessThan": "8b258a31c2e8d4d4e42be70a7c6ca35a5afbff0d",
"status": "affected",
"version": "4c8cf31885f69e86be0b5b9e6677a26797365e1d",
"versionType": "git"
},
{
"lessThan": "e794070af224ade46db368271896b2685ff4f96b",
"status": "affected",
"version": "4c8cf31885f69e86be0b5b9e6677a26797365e1d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost_vdpa: fix the crash in unmap a large memory\n\nWhile testing in vIOMMU, sometimes Guest will unmap very large memory,\nwhich will cause the crash. To fix this, add a new function\nvhost_vdpa_general_unmap(). This function will only unmap the memory\nthat saved in iotlb.\n\nCall Trace:\n[ 647.820144] ------------[ cut here ]------------\n[ 647.820848] kernel BUG at drivers/iommu/intel/iommu.c:1174!\n[ 647.821486] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[ 647.822082] CPU: 10 PID: 1181 Comm: qemu-system-x86 Not tainted 6.0.0-rc1home_lulu_2452_lulu7_vhost+ #62\n[ 647.823139] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qem4\n[ 647.824365] RIP: 0010:domain_unmap+0x48/0x110\n[ 647.825424] Code: 48 89 fb 8d 4c f6 1e 39 c1 0f 4f c8 83 e9 0c 83 f9 3f 7f 18 48 89 e8 48 d3 e8 48 85 c0 75 59\n[ 647.828064] RSP: 0018:ffffae5340c0bbf0 EFLAGS: 00010202\n[ 647.828973] RAX: 0000000000000001 RBX: ffff921793d10540 RCX: 000000000000001b\n[ 647.830083] RDX: 00000000080000ff RSI: 0000000000000001 RDI: ffff921793d10540\n[ 647.831214] RBP: 0000000007fc0100 R08: ffffae5340c0bcd0 R09: 0000000000000003\n[ 647.832388] R10: 0000007fc0100000 R11: 0000000000100000 R12: 00000000080000ff\n[ 647.833668] R13: ffffae5340c0bcd0 R14: ffff921793d10590 R15: 0000008000100000\n[ 647.834782] FS: 00007f772ec90640(0000) GS:ffff921ce7a80000(0000) knlGS:0000000000000000\n[ 647.836004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 647.836990] CR2: 00007f02c27a3a20 CR3: 0000000101b0c006 CR4: 0000000000372ee0\n[ 647.838107] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 647.839283] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 647.840666] Call Trace:\n[ 647.841437] \u003cTASK\u003e\n[ 647.842107] intel_iommu_unmap_pages+0x93/0x140\n[ 647.843112] __iommu_unmap+0x91/0x1b0\n[ 647.844003] iommu_unmap+0x6a/0x95\n[ 647.844885] vhost_vdpa_unmap+0x1de/0x1f0 [vhost_vdpa]\n[ 647.845985] vhost_vdpa_process_iotlb_msg+0xf0/0x90b [vhost_vdpa]\n[ 647.847235] ? _raw_spin_unlock+0x15/0x30\n[ 647.848181] ? _copy_from_iter+0x8c/0x580\n[ 647.849137] vhost_chr_write_iter+0xb3/0x430 [vhost]\n[ 647.850126] vfs_write+0x1e4/0x3a0\n[ 647.850897] ksys_write+0x53/0xd0\n[ 647.851688] do_syscall_64+0x3a/0x90\n[ 647.852508] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 647.853457] RIP: 0033:0x7f7734ef9f4f\n[ 647.854408] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 76 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c8\n[ 647.857217] RSP: 002b:00007f772ec8f040 EFLAGS: 00000293 ORIG_RAX: 0000000000000001\n[ 647.858486] RAX: ffffffffffffffda RBX: 00000000fef00000 RCX: 00007f7734ef9f4f\n[ 647.859713] RDX: 0000000000000048 RSI: 00007f772ec8f090 RDI: 0000000000000010\n[ 647.860942] RBP: 00007f772ec8f1a0 R08: 0000000000000000 R09: 0000000000000000\n[ 647.862206] R10: 0000000000000001 R11: 0000000000000293 R12: 0000000000000010\n[ 647.863446] R13: 0000000000000002 R14: 0000000000000000 R15: ffffffff01100000\n[ 647.864692] \u003c/TASK\u003e\n[ 647.865458] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs v]\n[ 647.874688] ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:27.765Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/26b7400c89b81e2f6de4f224ba1fdf06f293de31"
},
{
"url": "https://git.kernel.org/stable/c/8b258a31c2e8d4d4e42be70a7c6ca35a5afbff0d"
},
{
"url": "https://git.kernel.org/stable/c/e794070af224ade46db368271896b2685ff4f96b"
}
],
"title": "vhost_vdpa: fix the crash in unmap a large memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50851",
"datePublished": "2025-12-30T12:15:27.765Z",
"dateReserved": "2025-12-30T12:06:07.134Z",
"dateUpdated": "2025-12-30T12:15:27.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54251 (GCVE-0-2023-54251)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.
syzkaller found zero division error [0] in div_s64_rem() called from
get_cycle_time_elapsed(), where sched->cycle_time is the divisor.
We have tests in parse_taprio_schedule() so that cycle_time will never
be 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().
The problem is that the types of divisor are different; cycle_time is
s64, but the argument of div_s64_rem() is s32.
syzkaller fed this input and 0x100000000 is cast to s32 to be 0.
@TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}
We use s64 for cycle_time to cast it to ktime_t, so let's keep it and
set max for cycle_time.
While at it, we prevent overflow in setup_txtime() and add another
test in parse_taprio_schedule() to check if cycle_time overflows.
Also, we add a new tdc test case for this issue.
[0]:
divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]
RIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]
RIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344
Code: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10
RSP: 0018:ffffc90000acf260 EFLAGS: 00010206
RAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000
RBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934
R10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800
R13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
<TASK>
get_packet_txtime net/sched/sch_taprio.c:508 [inline]
taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577
taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658
dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732
__dev_xmit_skb net/core/dev.c:3821 [inline]
__dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169
dev_queue_xmit include/linux/netdevice.h:3088 [inline]
neigh_resolve_output net/core/neighbour.c:1552 [inline]
neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532
neigh_output include/net/neighbour.h:544 [inline]
ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135
__ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196
ip6_finish_output net/ipv6/ip6_output.c:207 [inline]
NF_HOOK_COND include/linux/netfilter.h:292 [inline]
ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228
dst_output include/net/dst.h:458 [inline]
NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303
ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508
ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666
addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175
process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597
worker_thread+0x60f/0x1240 kernel/workqueue.c:2748
kthread+0x2fe/0x3f0 kernel/kthread.c:389
ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308
</TASK>
Modules linked in:
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4cfd5779bd6efe8c76b4494aec63a063be0d2ff2 , < f04f6d9b3b060f7e11219a65a76da65f1489e391
(git)
Affected: 4cfd5779bd6efe8c76b4494aec63a063be0d2ff2 , < 0b45af982a4df0b14fb8669ee2a871cfdfa6a39c (git) Affected: 4cfd5779bd6efe8c76b4494aec63a063be0d2ff2 , < 57b3fe08ae06ef11af007b4a182629b12a961e30 (git) Affected: 4cfd5779bd6efe8c76b4494aec63a063be0d2ff2 , < e739718444f7bf2fa3d70d101761ad83056ca628 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c",
"tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f04f6d9b3b060f7e11219a65a76da65f1489e391",
"status": "affected",
"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2",
"versionType": "git"
},
{
"lessThan": "0b45af982a4df0b14fb8669ee2a871cfdfa6a39c",
"status": "affected",
"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2",
"versionType": "git"
},
{
"lessThan": "57b3fe08ae06ef11af007b4a182629b12a961e30",
"status": "affected",
"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2",
"versionType": "git"
},
{
"lessThan": "e739718444f7bf2fa3d70d101761ad83056ca628",
"status": "affected",
"version": "4cfd5779bd6efe8c76b4494aec63a063be0d2ff2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_taprio.c",
"tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.\n\nsyzkaller found zero division error [0] in div_s64_rem() called from\nget_cycle_time_elapsed(), where sched-\u003ecycle_time is the divisor.\n\nWe have tests in parse_taprio_schedule() so that cycle_time will never\nbe 0, and actually cycle_time is not 0 in get_cycle_time_elapsed().\n\nThe problem is that the types of divisor are different; cycle_time is\ns64, but the argument of div_s64_rem() is s32.\n\nsyzkaller fed this input and 0x100000000 is cast to s32 to be 0.\n\n @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000}\n\nWe use s64 for cycle_time to cast it to ktime_t, so let\u0027s keep it and\nset max for cycle_time.\n\nWhile at it, we prevent overflow in setup_txtime() and add another\ntest in parse_taprio_schedule() to check if cycle_time overflows.\n\nAlso, we add a new tdc test case for this issue.\n\n[0]:\ndivide error: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: ipv6_addrconf addrconf_dad_work\nRIP: 0010:div_s64_rem include/linux/math64.h:42 [inline]\nRIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline]\nRIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344\nCode: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 \u003c48\u003e f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10\nRSP: 0018:ffffc90000acf260 EFLAGS: 00010206\nRAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000\nRBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934\nR10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800\nR13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n get_packet_txtime net/sched/sch_taprio.c:508 [inline]\n taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577\n taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658\n dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732\n __dev_xmit_skb net/core/dev.c:3821 [inline]\n __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169\n dev_queue_xmit include/linux/netdevice.h:3088 [inline]\n neigh_resolve_output net/core/neighbour.c:1552 [inline]\n neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532\n neigh_output include/net/neighbour.h:544 [inline]\n ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135\n __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196\n ip6_finish_output net/ipv6/ip6_output.c:207 [inline]\n NF_HOOK_COND include/linux/netfilter.h:292 [inline]\n ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228\n dst_output include/net/dst.h:458 [inline]\n NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303\n ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508\n ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666\n addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175\n process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597\n worker_thread+0x60f/0x1240 kernel/workqueue.c:2748\n kthread+0x2fe/0x3f0 kernel/kthread.c:389\n ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308\n \u003c/TASK\u003e\nModules linked in:"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:48.145Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f04f6d9b3b060f7e11219a65a76da65f1489e391"
},
{
"url": "https://git.kernel.org/stable/c/0b45af982a4df0b14fb8669ee2a871cfdfa6a39c"
},
{
"url": "https://git.kernel.org/stable/c/57b3fe08ae06ef11af007b4a182629b12a961e30"
},
{
"url": "https://git.kernel.org/stable/c/e739718444f7bf2fa3d70d101761ad83056ca628"
}
],
"title": "net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54251",
"datePublished": "2025-12-30T12:15:48.145Z",
"dateReserved": "2025-12-30T12:06:44.514Z",
"dateUpdated": "2025-12-30T12:15:48.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54096 (GCVE-0-2023-54096)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
soundwire: fix enumeration completion
Summary
In the Linux kernel, the following vulnerability has been resolved:
soundwire: fix enumeration completion
The soundwire subsystem uses two completion structures that allow
drivers to wait for soundwire device to become enumerated on the bus and
initialised by their drivers, respectively.
The code implementing the signalling is currently broken as it does not
signal all current and future waiters and also uses the wrong
reinitialisation function, which can potentially lead to memory
corruption if there are still waiters on the queue.
Not signalling future waiters specifically breaks sound card probe
deferrals as codec drivers can not tell that the soundwire device is
already attached when being reprobed. Some codec runtime PM
implementations suffer from similar problems as waiting for enumeration
during resume can also timeout despite the device already having been
enumerated.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fb9469e54fa7a7b6a8137c40ae66c41b8d0ab175 , < 48d1d0ce0782f995fda678508fdae35c5e9593f0
(git)
Affected: fb9469e54fa7a7b6a8137c40ae66c41b8d0ab175 , < a36b522767f3a72688893a472e80c9aa03e67eda (git) Affected: fb9469e54fa7a7b6a8137c40ae66c41b8d0ab175 , < e1d54962a63b6ec04ed0204a3ecca942fde3a6fe (git) Affected: fb9469e54fa7a7b6a8137c40ae66c41b8d0ab175 , < c5265691cd065464d795de5666dcfb89c26b9bc1 (git) Affected: fb9469e54fa7a7b6a8137c40ae66c41b8d0ab175 , < c40d6b3249b11d60e09d81530588f56233d9aa44 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soundwire/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "48d1d0ce0782f995fda678508fdae35c5e9593f0",
"status": "affected",
"version": "fb9469e54fa7a7b6a8137c40ae66c41b8d0ab175",
"versionType": "git"
},
{
"lessThan": "a36b522767f3a72688893a472e80c9aa03e67eda",
"status": "affected",
"version": "fb9469e54fa7a7b6a8137c40ae66c41b8d0ab175",
"versionType": "git"
},
{
"lessThan": "e1d54962a63b6ec04ed0204a3ecca942fde3a6fe",
"status": "affected",
"version": "fb9469e54fa7a7b6a8137c40ae66c41b8d0ab175",
"versionType": "git"
},
{
"lessThan": "c5265691cd065464d795de5666dcfb89c26b9bc1",
"status": "affected",
"version": "fb9469e54fa7a7b6a8137c40ae66c41b8d0ab175",
"versionType": "git"
},
{
"lessThan": "c40d6b3249b11d60e09d81530588f56233d9aa44",
"status": "affected",
"version": "fb9469e54fa7a7b6a8137c40ae66c41b8d0ab175",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soundwire/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: fix enumeration completion\n\nThe soundwire subsystem uses two completion structures that allow\ndrivers to wait for soundwire device to become enumerated on the bus and\ninitialised by their drivers, respectively.\n\nThe code implementing the signalling is currently broken as it does not\nsignal all current and future waiters and also uses the wrong\nreinitialisation function, which can potentially lead to memory\ncorruption if there are still waiters on the queue.\n\nNot signalling future waiters specifically breaks sound card probe\ndeferrals as codec drivers can not tell that the soundwire device is\nalready attached when being reprobed. Some codec runtime PM\nimplementations suffer from similar problems as waiting for enumeration\nduring resume can also timeout despite the device already having been\nenumerated."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:23.828Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/48d1d0ce0782f995fda678508fdae35c5e9593f0"
},
{
"url": "https://git.kernel.org/stable/c/a36b522767f3a72688893a472e80c9aa03e67eda"
},
{
"url": "https://git.kernel.org/stable/c/e1d54962a63b6ec04ed0204a3ecca942fde3a6fe"
},
{
"url": "https://git.kernel.org/stable/c/c5265691cd065464d795de5666dcfb89c26b9bc1"
},
{
"url": "https://git.kernel.org/stable/c/c40d6b3249b11d60e09d81530588f56233d9aa44"
}
],
"title": "soundwire: fix enumeration completion",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54096",
"datePublished": "2025-12-24T13:06:23.828Z",
"dateReserved": "2025-12-24T13:02:52.516Z",
"dateUpdated": "2025-12-24T13:06:23.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54315 (GCVE-0-2023-54315)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
powerpc/powernv/sriov: perform null check on iov before dereferencing iov
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/powernv/sriov: perform null check on iov before dereferencing iov
Currently pointer iov is being dereferenced before the null check of iov
which can lead to null pointer dereference errors. Fix this by moving the
iov null check before the dereferencing.
Detected using cppcheck static analysis:
linux/arch/powerpc/platforms/powernv/pci-sriov.c:597:12: warning: Either
the condition '!iov' is redundant or there is possible null pointer
dereference: iov. [nullPointerRedundantCheck]
num_vfs = iov->num_vfs;
^
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
052da31d45fc71238ea8bed7e9a84648a1ee0bf3 , < 07c19c0ad4b07f4b598da369714de028f6a6a323
(git)
Affected: 052da31d45fc71238ea8bed7e9a84648a1ee0bf3 , < d3a0d96c16e5f8d55e2c70163abda3c7c8328106 (git) Affected: 052da31d45fc71238ea8bed7e9a84648a1ee0bf3 , < d9a1aaea856002cb58dfb7c8d8770400fa1a0299 (git) Affected: 052da31d45fc71238ea8bed7e9a84648a1ee0bf3 , < 6314465b88072a6b6f3b3c12a7898abe09095f95 (git) Affected: 052da31d45fc71238ea8bed7e9a84648a1ee0bf3 , < 72990144e17e5e2cb378f1d9b10530b85b9bc382 (git) Affected: 052da31d45fc71238ea8bed7e9a84648a1ee0bf3 , < f4f913c980bc6abe0ccfe88fe3909c125afe4a2d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/powernv/pci-sriov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07c19c0ad4b07f4b598da369714de028f6a6a323",
"status": "affected",
"version": "052da31d45fc71238ea8bed7e9a84648a1ee0bf3",
"versionType": "git"
},
{
"lessThan": "d3a0d96c16e5f8d55e2c70163abda3c7c8328106",
"status": "affected",
"version": "052da31d45fc71238ea8bed7e9a84648a1ee0bf3",
"versionType": "git"
},
{
"lessThan": "d9a1aaea856002cb58dfb7c8d8770400fa1a0299",
"status": "affected",
"version": "052da31d45fc71238ea8bed7e9a84648a1ee0bf3",
"versionType": "git"
},
{
"lessThan": "6314465b88072a6b6f3b3c12a7898abe09095f95",
"status": "affected",
"version": "052da31d45fc71238ea8bed7e9a84648a1ee0bf3",
"versionType": "git"
},
{
"lessThan": "72990144e17e5e2cb378f1d9b10530b85b9bc382",
"status": "affected",
"version": "052da31d45fc71238ea8bed7e9a84648a1ee0bf3",
"versionType": "git"
},
{
"lessThan": "f4f913c980bc6abe0ccfe88fe3909c125afe4a2d",
"status": "affected",
"version": "052da31d45fc71238ea8bed7e9a84648a1ee0bf3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/powernv/pci-sriov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/powernv/sriov: perform null check on iov before dereferencing iov\n\nCurrently pointer iov is being dereferenced before the null check of iov\nwhich can lead to null pointer dereference errors. Fix this by moving the\niov null check before the dereferencing.\n\nDetected using cppcheck static analysis:\nlinux/arch/powerpc/platforms/powernv/pci-sriov.c:597:12: warning: Either\nthe condition \u0027!iov\u0027 is redundant or there is possible null pointer\ndereference: iov. [nullPointerRedundantCheck]\n num_vfs = iov-\u003enum_vfs;\n ^"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:45.858Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07c19c0ad4b07f4b598da369714de028f6a6a323"
},
{
"url": "https://git.kernel.org/stable/c/d3a0d96c16e5f8d55e2c70163abda3c7c8328106"
},
{
"url": "https://git.kernel.org/stable/c/d9a1aaea856002cb58dfb7c8d8770400fa1a0299"
},
{
"url": "https://git.kernel.org/stable/c/6314465b88072a6b6f3b3c12a7898abe09095f95"
},
{
"url": "https://git.kernel.org/stable/c/72990144e17e5e2cb378f1d9b10530b85b9bc382"
},
{
"url": "https://git.kernel.org/stable/c/f4f913c980bc6abe0ccfe88fe3909c125afe4a2d"
}
],
"title": "powerpc/powernv/sriov: perform null check on iov before dereferencing iov",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54315",
"datePublished": "2025-12-30T12:23:45.858Z",
"dateReserved": "2025-12-30T12:06:44.531Z",
"dateUpdated": "2025-12-30T12:23:45.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68740 (GCVE-0-2025-68740)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
ima: Handle error code returned by ima_filter_rule_match()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: Handle error code returned by ima_filter_rule_match()
In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to
the rule being NULL, the function incorrectly skips the 'if (!rc)' check
and sets 'result = true'. The LSM rule is considered a match, causing
extra files to be measured by IMA.
This issue can be reproduced in the following scenario:
After unloading the SELinux policy module via 'semodule -d', if an IMA
measurement is triggered before ima_lsm_rules is updated,
in ima_match_rules(), the first call to ima_filter_rule_match() returns
-ESTALE. This causes the code to enter the 'if (rc == -ESTALE &&
!rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In
ima_lsm_copy_rule(), since the SELinux module has been removed, the rule
becomes NULL, and the second call to ima_filter_rule_match() returns
-ENOENT. This bypasses the 'if (!rc)' check and results in a false match.
Call trace:
selinux_audit_rule_match+0x310/0x3b8
security_audit_rule_match+0x60/0xa0
ima_match_rules+0x2e4/0x4a0
ima_match_policy+0x9c/0x1e8
ima_get_action+0x48/0x60
process_measurement+0xf8/0xa98
ima_bprm_check+0x98/0xd8
security_bprm_check+0x5c/0x78
search_binary_handler+0x6c/0x318
exec_binprm+0x58/0x1b8
bprm_execve+0xb8/0x130
do_execveat_common.isra.0+0x1a8/0x258
__arm64_sys_execve+0x48/0x68
invoke_syscall+0x50/0x128
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x44/0x200
el0t_64_sync_handler+0x100/0x130
el0t_64_sync+0x3c8/0x3d0
Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error
codes like -ENOENT do not bypass the check and accidentally result in a
successful match.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4af4662fa4a9dc62289c580337ae2506339c4729 , < d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51
(git)
Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < cca3e7df3c0f99542033657ba850b9a6d27f8784 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < c2238d487a640ae3511e1b6f4640ab27ce10d7f6 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < de4431faf308d0c533cb386f5fa9af009bc86158 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 32952c4f4d1b2deb30dce72ba109da808a9018e1 (git) Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 738c9738e690f5cea24a3ad6fd2d9a323cf614f6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "cca3e7df3c0f99542033657ba850b9a6d27f8784",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "c2238d487a640ae3511e1b6f4640ab27ce10d7f6",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "de4431faf308d0c533cb386f5fa9af009bc86158",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "32952c4f4d1b2deb30dce72ba109da808a9018e1",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
},
{
"lessThan": "738c9738e690f5cea24a3ad6fd2d9a323cf614f6",
"status": "affected",
"version": "4af4662fa4a9dc62289c580337ae2506339c4729",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Handle error code returned by ima_filter_rule_match()\n\nIn ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to\nthe rule being NULL, the function incorrectly skips the \u0027if (!rc)\u0027 check\nand sets \u0027result = true\u0027. The LSM rule is considered a match, causing\nextra files to be measured by IMA.\n\nThis issue can be reproduced in the following scenario:\nAfter unloading the SELinux policy module via \u0027semodule -d\u0027, if an IMA\nmeasurement is triggered before ima_lsm_rules is updated,\nin ima_match_rules(), the first call to ima_filter_rule_match() returns\n-ESTALE. This causes the code to enter the \u0027if (rc == -ESTALE \u0026\u0026\n!rule_reinitialized)\u0027 block, perform ima_lsm_copy_rule() and retry. In\nima_lsm_copy_rule(), since the SELinux module has been removed, the rule\nbecomes NULL, and the second call to ima_filter_rule_match() returns\n-ENOENT. This bypasses the \u0027if (!rc)\u0027 check and results in a false match.\n\nCall trace:\n selinux_audit_rule_match+0x310/0x3b8\n security_audit_rule_match+0x60/0xa0\n ima_match_rules+0x2e4/0x4a0\n ima_match_policy+0x9c/0x1e8\n ima_get_action+0x48/0x60\n process_measurement+0xf8/0xa98\n ima_bprm_check+0x98/0xd8\n security_bprm_check+0x5c/0x78\n search_binary_handler+0x6c/0x318\n exec_binprm+0x58/0x1b8\n bprm_execve+0xb8/0x130\n do_execveat_common.isra.0+0x1a8/0x258\n __arm64_sys_execve+0x48/0x68\n invoke_syscall+0x50/0x128\n el0_svc_common.constprop.0+0xc8/0xf0\n do_el0_svc+0x24/0x38\n el0_svc+0x44/0x200\n el0t_64_sync_handler+0x100/0x130\n el0t_64_sync+0x3c8/0x3d0\n\nFix this by changing \u0027if (!rc)\u0027 to \u0027if (rc \u003c= 0)\u0027 to ensure that error\ncodes like -ENOENT do not bypass the check and accidentally result in a\nsuccessful match."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:41.479Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51"
},
{
"url": "https://git.kernel.org/stable/c/f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85"
},
{
"url": "https://git.kernel.org/stable/c/88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749"
},
{
"url": "https://git.kernel.org/stable/c/cca3e7df3c0f99542033657ba850b9a6d27f8784"
},
{
"url": "https://git.kernel.org/stable/c/c2238d487a640ae3511e1b6f4640ab27ce10d7f6"
},
{
"url": "https://git.kernel.org/stable/c/de4431faf308d0c533cb386f5fa9af009bc86158"
},
{
"url": "https://git.kernel.org/stable/c/32952c4f4d1b2deb30dce72ba109da808a9018e1"
},
{
"url": "https://git.kernel.org/stable/c/738c9738e690f5cea24a3ad6fd2d9a323cf614f6"
}
],
"title": "ima: Handle error code returned by ima_filter_rule_match()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68740",
"datePublished": "2025-12-24T12:09:37.971Z",
"dateReserved": "2025-12-24T10:30:51.030Z",
"dateUpdated": "2026-01-19T12:18:41.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68749 (GCVE-0-2025-68749)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-01-30 09:48
VLAI?
EPSS
Title
accel/ivpu: Fix race condition when unbinding BOs
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Fix race condition when unbinding BOs
Fix 'Memory manager not clean during takedown' warning that occurs
when ivpu_gem_bo_free() removes the BO from the BOs list before it
gets unmapped. Then file_priv_unbind() triggers a warning in
drm_mm_takedown() during context teardown.
Protect the unmapping sequence with bo_list_lock to ensure the BO is
always fully unmapped when removed from the list. This ensures the BO
is either fully unmapped at context teardown time or present on the
list and unmapped by file_priv_unbind().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < 0328bb097bef05a796217c54b3d651cc3782827c
(git)
Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < fb16493ebd8f171bcf0772262619618a131f30f7 (git) Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < d71333ffdd3707d84cfb95acfaf8ba892adc066b (git) Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < 00812636df370bedf4e44a0c81b86ea96bca8628 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0328bb097bef05a796217c54b3d651cc3782827c",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
},
{
"lessThan": "fb16493ebd8f171bcf0772262619618a131f30f7",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
},
{
"lessThan": "d71333ffdd3707d84cfb95acfaf8ba892adc066b",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
},
{
"lessThan": "00812636df370bedf4e44a0c81b86ea96bca8628",
"status": "affected",
"version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix race condition when unbinding BOs\n\nFix \u0027Memory manager not clean during takedown\u0027 warning that occurs\nwhen ivpu_gem_bo_free() removes the BO from the BOs list before it\ngets unmapped. Then file_priv_unbind() triggers a warning in\ndrm_mm_takedown() during context teardown.\n\nProtect the unmapping sequence with bo_list_lock to ensure the BO is\nalways fully unmapped when removed from the list. This ensures the BO\nis either fully unmapped at context teardown time or present on the\nlist and unmapped by file_priv_unbind()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T09:48:49.789Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0328bb097bef05a796217c54b3d651cc3782827c"
},
{
"url": "https://git.kernel.org/stable/c/fb16493ebd8f171bcf0772262619618a131f30f7"
},
{
"url": "https://git.kernel.org/stable/c/d71333ffdd3707d84cfb95acfaf8ba892adc066b"
},
{
"url": "https://git.kernel.org/stable/c/00812636df370bedf4e44a0c81b86ea96bca8628"
}
],
"title": "accel/ivpu: Fix race condition when unbinding BOs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68749",
"datePublished": "2025-12-24T12:09:44.301Z",
"dateReserved": "2025-12-24T10:30:51.032Z",
"dateUpdated": "2026-01-30T09:48:49.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54284 (GCVE-0-2023-54284)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
media: av7110: prevent underflow in write_ts_to_decoder()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: av7110: prevent underflow in write_ts_to_decoder()
The buf[4] value comes from the user via ts_play(). It is a value in
the u8 range. The final length we pass to av7110_ipack_instant_repack()
is "len - (buf[4] + 1) - 4" so add a check to ensure that the length is
not negative. It's not clear that passing a negative len value does
anything bad necessarily, but it's not best practice.
With the new bounds checking the "if (!len)" condition is no longer
possible or required so remove that.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf , < 6680af5be9f08d830567e9118f76d3e64684db8f
(git)
Affected: fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf , < 6606e2404ee9e20a3ae5b42fc3660d41b739ed3e (git) Affected: fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf , < 620b983589e0223876bf1463b01100a9c67b56ba (git) Affected: fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf , < 86ba65e5357bfbb6c082f68b265a292ee1bdde1d (git) Affected: fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf , < ca4ce92e3ec9fd3c7c936b912b95c53331d5159c (git) Affected: fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf , < 423350af9e27f005611bd881b1df2cab66de943d (git) Affected: fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf , < 77eeb4732135c18c2fdfab80839645b393f3e774 (git) Affected: fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf , < 7b93ab60fe9ed04be0ff155bc30ad39dea23e22b (git) Affected: fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf , < eed9496a0501357aa326ddd6b71408189ed872eb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/av7110/av7110_av.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6680af5be9f08d830567e9118f76d3e64684db8f",
"status": "affected",
"version": "fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf",
"versionType": "git"
},
{
"lessThan": "6606e2404ee9e20a3ae5b42fc3660d41b739ed3e",
"status": "affected",
"version": "fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf",
"versionType": "git"
},
{
"lessThan": "620b983589e0223876bf1463b01100a9c67b56ba",
"status": "affected",
"version": "fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf",
"versionType": "git"
},
{
"lessThan": "86ba65e5357bfbb6c082f68b265a292ee1bdde1d",
"status": "affected",
"version": "fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf",
"versionType": "git"
},
{
"lessThan": "ca4ce92e3ec9fd3c7c936b912b95c53331d5159c",
"status": "affected",
"version": "fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf",
"versionType": "git"
},
{
"lessThan": "423350af9e27f005611bd881b1df2cab66de943d",
"status": "affected",
"version": "fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf",
"versionType": "git"
},
{
"lessThan": "77eeb4732135c18c2fdfab80839645b393f3e774",
"status": "affected",
"version": "fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf",
"versionType": "git"
},
{
"lessThan": "7b93ab60fe9ed04be0ff155bc30ad39dea23e22b",
"status": "affected",
"version": "fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf",
"versionType": "git"
},
{
"lessThan": "eed9496a0501357aa326ddd6b71408189ed872eb",
"status": "affected",
"version": "fd46d16d602ab7fd53cef7ff55b9dcb0b47ad3bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/av7110/av7110_av.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.211",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: av7110: prevent underflow in write_ts_to_decoder()\n\nThe buf[4] value comes from the user via ts_play(). It is a value in\nthe u8 range. The final length we pass to av7110_ipack_instant_repack()\nis \"len - (buf[4] + 1) - 4\" so add a check to ensure that the length is\nnot negative. It\u0027s not clear that passing a negative len value does\nanything bad necessarily, but it\u0027s not best practice.\n\nWith the new bounds checking the \"if (!len)\" condition is no longer\npossible or required so remove that."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:25.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6680af5be9f08d830567e9118f76d3e64684db8f"
},
{
"url": "https://git.kernel.org/stable/c/6606e2404ee9e20a3ae5b42fc3660d41b739ed3e"
},
{
"url": "https://git.kernel.org/stable/c/620b983589e0223876bf1463b01100a9c67b56ba"
},
{
"url": "https://git.kernel.org/stable/c/86ba65e5357bfbb6c082f68b265a292ee1bdde1d"
},
{
"url": "https://git.kernel.org/stable/c/ca4ce92e3ec9fd3c7c936b912b95c53331d5159c"
},
{
"url": "https://git.kernel.org/stable/c/423350af9e27f005611bd881b1df2cab66de943d"
},
{
"url": "https://git.kernel.org/stable/c/77eeb4732135c18c2fdfab80839645b393f3e774"
},
{
"url": "https://git.kernel.org/stable/c/7b93ab60fe9ed04be0ff155bc30ad39dea23e22b"
},
{
"url": "https://git.kernel.org/stable/c/eed9496a0501357aa326ddd6b71408189ed872eb"
}
],
"title": "media: av7110: prevent underflow in write_ts_to_decoder()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54284",
"datePublished": "2025-12-30T12:23:25.116Z",
"dateReserved": "2025-12-30T12:06:44.525Z",
"dateUpdated": "2025-12-30T12:23:25.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50527 (GCVE-0-2022-50527)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:19 – Updated: 2025-12-20 08:50
VLAI?
EPSS
Title
drm/amdgpu: Fix size validation for non-exclusive domains (v4)
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix size validation for non-exclusive domains (v4)
Fix amdgpu_bo_validate_size() to check whether the TTM domain manager for the
requested memory exists, else we get a kernel oops when dereferencing "man".
v2: Make the patch standalone, i.e. not dependent on local patches.
v3: Preserve old behaviour and just check that the manager pointer is not
NULL.
v4: Complain if GTT domain requested and it is uninitialized--most likely a
bug.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 80546eef216854a7bd47e39e828f04b406c00599
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 8ba7c55e112f4ffd2a95b99be1cb1c891ef08ba1 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 7554886daa31eacc8e7fac9e15bbce67d10b8f1f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_object.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80546eef216854a7bd47e39e828f04b406c00599",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "8ba7c55e112f4ffd2a95b99be1cb1c891ef08ba1",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "7554886daa31eacc8e7fac9e15bbce67d10b8f1f",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_object.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix size validation for non-exclusive domains (v4)\n\nFix amdgpu_bo_validate_size() to check whether the TTM domain manager for the\nrequested memory exists, else we get a kernel oops when dereferencing \"man\".\n\nv2: Make the patch standalone, i.e. not dependent on local patches.\nv3: Preserve old behaviour and just check that the manager pointer is not\n NULL.\nv4: Complain if GTT domain requested and it is uninitialized--most likely a\n bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:50:56.959Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80546eef216854a7bd47e39e828f04b406c00599"
},
{
"url": "https://git.kernel.org/stable/c/8ba7c55e112f4ffd2a95b99be1cb1c891ef08ba1"
},
{
"url": "https://git.kernel.org/stable/c/7554886daa31eacc8e7fac9e15bbce67d10b8f1f"
}
],
"title": "drm/amdgpu: Fix size validation for non-exclusive domains (v4)",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50527",
"datePublished": "2025-10-07T15:19:19.238Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-12-20T08:50:56.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50822 (GCVE-0-2022-50822)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
RDMA/restrack: Release MR restrack when delete
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/restrack: Release MR restrack when delete
The MR restrack also needs to be released when delete it, otherwise it
cause memory leak as the task struct won't be released.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
13ef5539def732dc7b9c58c320d97a0a95b52634 , < 13586753ae55146269a6dc8b216f17d86b81560c
(git)
Affected: 13ef5539def732dc7b9c58c320d97a0a95b52634 , < 37c90753079fc95d93cc31b79796dd2ae57ad018 (git) Affected: 13ef5539def732dc7b9c58c320d97a0a95b52634 , < 8731cb5c7820bef577bab4ff17691fbf61c671cb (git) Affected: 13ef5539def732dc7b9c58c320d97a0a95b52634 , < dac153f2802db1ad46207283cb9b2aae3d707a45 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/restrack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13586753ae55146269a6dc8b216f17d86b81560c",
"status": "affected",
"version": "13ef5539def732dc7b9c58c320d97a0a95b52634",
"versionType": "git"
},
{
"lessThan": "37c90753079fc95d93cc31b79796dd2ae57ad018",
"status": "affected",
"version": "13ef5539def732dc7b9c58c320d97a0a95b52634",
"versionType": "git"
},
{
"lessThan": "8731cb5c7820bef577bab4ff17691fbf61c671cb",
"status": "affected",
"version": "13ef5539def732dc7b9c58c320d97a0a95b52634",
"versionType": "git"
},
{
"lessThan": "dac153f2802db1ad46207283cb9b2aae3d707a45",
"status": "affected",
"version": "13ef5539def732dc7b9c58c320d97a0a95b52634",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/restrack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/restrack: Release MR restrack when delete\n\nThe MR restrack also needs to be released when delete it, otherwise it\ncause memory leak as the task struct won\u0027t be released."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:36.228Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13586753ae55146269a6dc8b216f17d86b81560c"
},
{
"url": "https://git.kernel.org/stable/c/37c90753079fc95d93cc31b79796dd2ae57ad018"
},
{
"url": "https://git.kernel.org/stable/c/8731cb5c7820bef577bab4ff17691fbf61c671cb"
},
{
"url": "https://git.kernel.org/stable/c/dac153f2802db1ad46207283cb9b2aae3d707a45"
}
],
"title": "RDMA/restrack: Release MR restrack when delete",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50822",
"datePublished": "2025-12-30T12:08:36.228Z",
"dateReserved": "2025-12-30T12:06:07.131Z",
"dateUpdated": "2025-12-30T12:08:36.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50776 (GCVE-0-2022-50776)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
clk: st: Fix memory leak in st_of_quadfs_setup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: st: Fix memory leak in st_of_quadfs_setup()
If st_clk_register_quadfs_pll() fails, @lock should be freed before goto
@err_exit, otherwise will cause meory leak issue, fix it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5f7aa9071e935c8c0e869306c7ef073df6c409f6 , < 081538ae5817631a2b99e8e75cce981060aab29f
(git)
Affected: 5f7aa9071e935c8c0e869306c7ef073df6c409f6 , < f0295209de457049a4a5f3e3985528391bd1ab34 (git) Affected: 5f7aa9071e935c8c0e869306c7ef073df6c409f6 , < be03875007621fcee96e6f9fd7b9e59c8dfcf6fa (git) Affected: 5f7aa9071e935c8c0e869306c7ef073df6c409f6 , < 713ad301c2d49e88fe586b57ebac8f220a98e162 (git) Affected: 5f7aa9071e935c8c0e869306c7ef073df6c409f6 , < efd025f32fce27a8ada9bcb4731e8a84476e5b3d (git) Affected: 5f7aa9071e935c8c0e869306c7ef073df6c409f6 , < adf6a00859d014cecf046dc91f75c0e65a544360 (git) Affected: 5f7aa9071e935c8c0e869306c7ef073df6c409f6 , < 335ef7546c77e63154d6ea4d603b11274a85900e (git) Affected: 5f7aa9071e935c8c0e869306c7ef073df6c409f6 , < f4731395d6db850127634197863aede188d8e9de (git) Affected: 5f7aa9071e935c8c0e869306c7ef073df6c409f6 , < cfd3ffb36f0d566846163118651d868e607300ba (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/st/clkgen-fsyn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "081538ae5817631a2b99e8e75cce981060aab29f",
"status": "affected",
"version": "5f7aa9071e935c8c0e869306c7ef073df6c409f6",
"versionType": "git"
},
{
"lessThan": "f0295209de457049a4a5f3e3985528391bd1ab34",
"status": "affected",
"version": "5f7aa9071e935c8c0e869306c7ef073df6c409f6",
"versionType": "git"
},
{
"lessThan": "be03875007621fcee96e6f9fd7b9e59c8dfcf6fa",
"status": "affected",
"version": "5f7aa9071e935c8c0e869306c7ef073df6c409f6",
"versionType": "git"
},
{
"lessThan": "713ad301c2d49e88fe586b57ebac8f220a98e162",
"status": "affected",
"version": "5f7aa9071e935c8c0e869306c7ef073df6c409f6",
"versionType": "git"
},
{
"lessThan": "efd025f32fce27a8ada9bcb4731e8a84476e5b3d",
"status": "affected",
"version": "5f7aa9071e935c8c0e869306c7ef073df6c409f6",
"versionType": "git"
},
{
"lessThan": "adf6a00859d014cecf046dc91f75c0e65a544360",
"status": "affected",
"version": "5f7aa9071e935c8c0e869306c7ef073df6c409f6",
"versionType": "git"
},
{
"lessThan": "335ef7546c77e63154d6ea4d603b11274a85900e",
"status": "affected",
"version": "5f7aa9071e935c8c0e869306c7ef073df6c409f6",
"versionType": "git"
},
{
"lessThan": "f4731395d6db850127634197863aede188d8e9de",
"status": "affected",
"version": "5f7aa9071e935c8c0e869306c7ef073df6c409f6",
"versionType": "git"
},
{
"lessThan": "cfd3ffb36f0d566846163118651d868e607300ba",
"status": "affected",
"version": "5f7aa9071e935c8c0e869306c7ef073df6c409f6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/st/clkgen-fsyn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: st: Fix memory leak in st_of_quadfs_setup()\n\nIf st_clk_register_quadfs_pll() fails, @lock should be freed before goto\n@err_exit, otherwise will cause meory leak issue, fix it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:34.746Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/081538ae5817631a2b99e8e75cce981060aab29f"
},
{
"url": "https://git.kernel.org/stable/c/f0295209de457049a4a5f3e3985528391bd1ab34"
},
{
"url": "https://git.kernel.org/stable/c/be03875007621fcee96e6f9fd7b9e59c8dfcf6fa"
},
{
"url": "https://git.kernel.org/stable/c/713ad301c2d49e88fe586b57ebac8f220a98e162"
},
{
"url": "https://git.kernel.org/stable/c/efd025f32fce27a8ada9bcb4731e8a84476e5b3d"
},
{
"url": "https://git.kernel.org/stable/c/adf6a00859d014cecf046dc91f75c0e65a544360"
},
{
"url": "https://git.kernel.org/stable/c/335ef7546c77e63154d6ea4d603b11274a85900e"
},
{
"url": "https://git.kernel.org/stable/c/f4731395d6db850127634197863aede188d8e9de"
},
{
"url": "https://git.kernel.org/stable/c/cfd3ffb36f0d566846163118651d868e607300ba"
}
],
"title": "clk: st: Fix memory leak in st_of_quadfs_setup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50776",
"datePublished": "2025-12-24T13:06:05.804Z",
"dateReserved": "2025-12-24T13:02:21.547Z",
"dateUpdated": "2026-01-02T15:04:34.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54078 (GCVE-0-2023-54078)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
media: max9286: Free control handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: max9286: Free control handler
The control handler is leaked in some probe-time error paths, as well as
in the remove path. Fix it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
66d8c9d2422da21ed41f75c03ba0685987b65fe0 , < 9a3a907cf69f804eb41ece5c079720d1a6a15aa1
(git)
Affected: 66d8c9d2422da21ed41f75c03ba0685987b65fe0 , < 1ad4b8c4552b4096dfc86531462dc1899f96af94 (git) Affected: 66d8c9d2422da21ed41f75c03ba0685987b65fe0 , < 1e9fc6c473210138eff3425a6136f0a9bf4eb0ae (git) Affected: 66d8c9d2422da21ed41f75c03ba0685987b65fe0 , < 0f25f99dacc72bce7d4128f7a254b23f1a343cc7 (git) Affected: 66d8c9d2422da21ed41f75c03ba0685987b65fe0 , < 19f36204dbe28bf4ec0149e87e9996a56af4e654 (git) Affected: 66d8c9d2422da21ed41f75c03ba0685987b65fe0 , < bfce6a12e5ba1edde95126aa06778027f16115d4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/max9286.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a3a907cf69f804eb41ece5c079720d1a6a15aa1",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "1ad4b8c4552b4096dfc86531462dc1899f96af94",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "1e9fc6c473210138eff3425a6136f0a9bf4eb0ae",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "0f25f99dacc72bce7d4128f7a254b23f1a343cc7",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "19f36204dbe28bf4ec0149e87e9996a56af4e654",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
},
{
"lessThan": "bfce6a12e5ba1edde95126aa06778027f16115d4",
"status": "affected",
"version": "66d8c9d2422da21ed41f75c03ba0685987b65fe0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/max9286.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: max9286: Free control handler\n\nThe control handler is leaked in some probe-time error paths, as well as\nin the remove path. Fix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:11.282Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a3a907cf69f804eb41ece5c079720d1a6a15aa1"
},
{
"url": "https://git.kernel.org/stable/c/1ad4b8c4552b4096dfc86531462dc1899f96af94"
},
{
"url": "https://git.kernel.org/stable/c/1e9fc6c473210138eff3425a6136f0a9bf4eb0ae"
},
{
"url": "https://git.kernel.org/stable/c/0f25f99dacc72bce7d4128f7a254b23f1a343cc7"
},
{
"url": "https://git.kernel.org/stable/c/19f36204dbe28bf4ec0149e87e9996a56af4e654"
},
{
"url": "https://git.kernel.org/stable/c/bfce6a12e5ba1edde95126aa06778027f16115d4"
}
],
"title": "media: max9286: Free control handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54078",
"datePublished": "2025-12-24T13:06:11.282Z",
"dateReserved": "2025-12-24T13:02:52.514Z",
"dateUpdated": "2025-12-24T13:06:11.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54293 (GCVE-0-2023-54293)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
bcache: fixup btree_cache_wait list damage
Summary
In the Linux kernel, the following vulnerability has been resolved:
bcache: fixup btree_cache_wait list damage
We get a kernel crash about "list_add corruption. next->prev should be
prev (ffff9c801bc01210), but was ffff9c77b688237c.
(next=ffffae586d8afe68)."
crash> struct list_head 0xffff9c801bc01210
struct list_head {
next = 0xffffae586d8afe68,
prev = 0xffffae586d8afe68
}
crash> struct list_head 0xffff9c77b688237c
struct list_head {
next = 0x0,
prev = 0x0
}
crash> struct list_head 0xffffae586d8afe68
struct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdb_readmem_callback"
Cannot access memory at address 0xffffae586d8afe68
[230469.019492] Call Trace:
[230469.032041] prepare_to_wait+0x8a/0xb0
[230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache]
[230469.056533] mca_cannibalize_lock+0x72/0x90 [escache]
[230469.068788] mca_alloc+0x2ae/0x450 [escache]
[230469.080790] bch_btree_node_get+0x136/0x2d0 [escache]
[230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache]
[230469.104382] ? finish_wait+0x80/0x80
[230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache]
[230469.127259] kthread+0x112/0x130
[230469.138448] ? kthread_flush_work_fn+0x10/0x10
[230469.149477] ret_from_fork+0x35/0x40
bch_btree_check_thread() and bch_dirty_init_thread() may call
mca_cannibalize() to cannibalize other cached btree nodes. Only one thread
can do it at a time, so the op of other threads will be added to the
btree_cache_wait list.
We must call finish_wait() to remove op from btree_cache_wait before free
it's memory address. Otherwise, the list will be damaged. Also should call
bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up
other waiters.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8e7102273f597dbb38af43da874f8c123f8e6dbe , < bcb295778afda4f2feb0d3c0289a53fd43d5a3a6
(git)
Affected: 8e7102273f597dbb38af43da874f8c123f8e6dbe , < cbdd5b3322f7bbe6454c97cac994757f1192c07b (git) Affected: 8e7102273f597dbb38af43da874f8c123f8e6dbe , < 25ec4779d0fb3ed9cac1e4d9e0e4261b4a12f6ed (git) Affected: 8e7102273f597dbb38af43da874f8c123f8e6dbe , < 2882a4c4f0c90e99f37dbd8db369b9982fd613e7 (git) Affected: 8e7102273f597dbb38af43da874f8c123f8e6dbe , < f0854489fc07d2456f7cc71a63f4faf9c716ffbe (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/bcache/btree.c",
"drivers/md/bcache/btree.h",
"drivers/md/bcache/writeback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bcb295778afda4f2feb0d3c0289a53fd43d5a3a6",
"status": "affected",
"version": "8e7102273f597dbb38af43da874f8c123f8e6dbe",
"versionType": "git"
},
{
"lessThan": "cbdd5b3322f7bbe6454c97cac994757f1192c07b",
"status": "affected",
"version": "8e7102273f597dbb38af43da874f8c123f8e6dbe",
"versionType": "git"
},
{
"lessThan": "25ec4779d0fb3ed9cac1e4d9e0e4261b4a12f6ed",
"status": "affected",
"version": "8e7102273f597dbb38af43da874f8c123f8e6dbe",
"versionType": "git"
},
{
"lessThan": "2882a4c4f0c90e99f37dbd8db369b9982fd613e7",
"status": "affected",
"version": "8e7102273f597dbb38af43da874f8c123f8e6dbe",
"versionType": "git"
},
{
"lessThan": "f0854489fc07d2456f7cc71a63f4faf9c716ffbe",
"status": "affected",
"version": "8e7102273f597dbb38af43da874f8c123f8e6dbe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/bcache/btree.c",
"drivers/md/bcache/btree.h",
"drivers/md/bcache/writeback.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fixup btree_cache_wait list damage\n\nWe get a kernel crash about \"list_add corruption. next-\u003eprev should be\nprev (ffff9c801bc01210), but was ffff9c77b688237c.\n(next=ffffae586d8afe68).\"\n\ncrash\u003e struct list_head 0xffff9c801bc01210\nstruct list_head {\n next = 0xffffae586d8afe68,\n prev = 0xffffae586d8afe68\n}\ncrash\u003e struct list_head 0xffff9c77b688237c\nstruct list_head {\n next = 0x0,\n prev = 0x0\n}\ncrash\u003e struct list_head 0xffffae586d8afe68\nstruct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: \"gdb_readmem_callback\"\nCannot access memory at address 0xffffae586d8afe68\n\n[230469.019492] Call Trace:\n[230469.032041] prepare_to_wait+0x8a/0xb0\n[230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache]\n[230469.056533] mca_cannibalize_lock+0x72/0x90 [escache]\n[230469.068788] mca_alloc+0x2ae/0x450 [escache]\n[230469.080790] bch_btree_node_get+0x136/0x2d0 [escache]\n[230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache]\n[230469.104382] ? finish_wait+0x80/0x80\n[230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache]\n[230469.127259] kthread+0x112/0x130\n[230469.138448] ? kthread_flush_work_fn+0x10/0x10\n[230469.149477] ret_from_fork+0x35/0x40\n\nbch_btree_check_thread() and bch_dirty_init_thread() may call\nmca_cannibalize() to cannibalize other cached btree nodes. Only one thread\ncan do it at a time, so the op of other threads will be added to the\nbtree_cache_wait list.\n\nWe must call finish_wait() to remove op from btree_cache_wait before free\nit\u0027s memory address. Otherwise, the list will be damaged. Also should call\nbch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up\nother waiters."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:31.111Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bcb295778afda4f2feb0d3c0289a53fd43d5a3a6"
},
{
"url": "https://git.kernel.org/stable/c/cbdd5b3322f7bbe6454c97cac994757f1192c07b"
},
{
"url": "https://git.kernel.org/stable/c/25ec4779d0fb3ed9cac1e4d9e0e4261b4a12f6ed"
},
{
"url": "https://git.kernel.org/stable/c/2882a4c4f0c90e99f37dbd8db369b9982fd613e7"
},
{
"url": "https://git.kernel.org/stable/c/f0854489fc07d2456f7cc71a63f4faf9c716ffbe"
}
],
"title": "bcache: fixup btree_cache_wait list damage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54293",
"datePublished": "2025-12-30T12:23:31.111Z",
"dateReserved": "2025-12-30T12:06:44.527Z",
"dateUpdated": "2025-12-30T12:23:31.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38608 (GCVE-0-2025-38608)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40
VLAI?
EPSS
Title
bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
When sending plaintext data, we initially calculated the corresponding
ciphertext length. However, if we later reduced the plaintext data length
via socket policy, we failed to recalculate the ciphertext length.
This results in transmitting buffers containing uninitialized data during
ciphertext transmission.
This causes uninitialized bytes to be appended after a complete
"Application Data" packet, leading to errors on the receiving end when
parsing TLS record.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 6ba20ff3cdb96a908b9dc93cf247d0b087672e7c
(git)
Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 849d24dc5aed45ebeb3490df429356739256ac40 (git) Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 73fc5d04009d3969ff8e8574f0fd769f04124e59 (git) Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 16aca8bb4ad0d8a13c8b6da4007f4e52d53035bb (git) Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 0e853c1464bcf61207f8b5c32d2ac5ee495e859d (git) Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < ee03766d79de0f61ea29ffb6ab1c7b196ea1b02e (git) Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 90d6ef67440cec2a0aad71a0108c8f216437345c (git) Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 1e480387d4b42776f8957fb148af9d75ce93b96d (git) Affected: 7246d8ed4dcce23f7509949a77be15fa9f0e3d28 , < 178f6a5c8cb3b6be1602de0964cd440243f493c9 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:21.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ba20ff3cdb96a908b9dc93cf247d0b087672e7c",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "849d24dc5aed45ebeb3490df429356739256ac40",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "73fc5d04009d3969ff8e8574f0fd769f04124e59",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "16aca8bb4ad0d8a13c8b6da4007f4e52d53035bb",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "0e853c1464bcf61207f8b5c32d2ac5ee495e859d",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "ee03766d79de0f61ea29ffb6ab1c7b196ea1b02e",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "90d6ef67440cec2a0aad71a0108c8f216437345c",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "1e480387d4b42776f8957fb148af9d75ce93b96d",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
},
{
"lessThan": "178f6a5c8cb3b6be1602de0964cd440243f493c9",
"status": "affected",
"version": "7246d8ed4dcce23f7509949a77be15fa9f0e3d28",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls\n\nWhen sending plaintext data, we initially calculated the corresponding\nciphertext length. However, if we later reduced the plaintext data length\nvia socket policy, we failed to recalculate the ciphertext length.\n\nThis results in transmitting buffers containing uninitialized data during\nciphertext transmission.\n\nThis causes uninitialized bytes to be appended after a complete\n\"Application Data\" packet, leading to errors on the receiving end when\nparsing TLS record."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:42.829Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ba20ff3cdb96a908b9dc93cf247d0b087672e7c"
},
{
"url": "https://git.kernel.org/stable/c/849d24dc5aed45ebeb3490df429356739256ac40"
},
{
"url": "https://git.kernel.org/stable/c/73fc5d04009d3969ff8e8574f0fd769f04124e59"
},
{
"url": "https://git.kernel.org/stable/c/16aca8bb4ad0d8a13c8b6da4007f4e52d53035bb"
},
{
"url": "https://git.kernel.org/stable/c/0e853c1464bcf61207f8b5c32d2ac5ee495e859d"
},
{
"url": "https://git.kernel.org/stable/c/ee03766d79de0f61ea29ffb6ab1c7b196ea1b02e"
},
{
"url": "https://git.kernel.org/stable/c/90d6ef67440cec2a0aad71a0108c8f216437345c"
},
{
"url": "https://git.kernel.org/stable/c/1e480387d4b42776f8957fb148af9d75ce93b96d"
},
{
"url": "https://git.kernel.org/stable/c/178f6a5c8cb3b6be1602de0964cd440243f493c9"
}
],
"title": "bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38608",
"datePublished": "2025-08-19T17:03:51.688Z",
"dateReserved": "2025-04-16T04:51:24.028Z",
"dateUpdated": "2025-11-03T17:40:21.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50782 (GCVE-0-2022-50782)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
ext4: fix bug_on in __es_tree_search caused by bad quota inode
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix bug_on in __es_tree_search caused by bad quota inode
We got a issue as fllows:
==================================================================
kernel BUG at fs/ext4/extents_status.c:202!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352
RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0
RSP: 0018:ffffc90001227900 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8
RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001
R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10
R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000
FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_es_cache_extent+0xe2/0x210
ext4_cache_extents+0xd2/0x110
ext4_find_extent+0x5d5/0x8c0
ext4_ext_map_blocks+0x9c/0x1d30
ext4_map_blocks+0x431/0xa50
ext4_getblk+0x82/0x340
ext4_bread+0x14/0x110
ext4_quota_read+0xf0/0x180
v2_read_header+0x24/0x90
v2_check_quota_file+0x2f/0xa0
dquot_load_quota_sb+0x26c/0x760
dquot_load_quota_inode+0xa5/0x190
ext4_enable_quotas+0x14c/0x300
__ext4_fill_super+0x31cc/0x32c0
ext4_fill_super+0x115/0x2d0
get_tree_bdev+0x1d2/0x360
ext4_get_tree+0x19/0x30
vfs_get_tree+0x26/0xe0
path_mount+0x81d/0xfc0
do_mount+0x8d/0xc0
__x64_sys_mount+0xc0/0x160
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
ext4_orphan_cleanup
ext4_enable_quotas
ext4_quota_enable
ext4_iget --> get error inode <5>
ext4_ext_check_inode --> Wrong imode makes it escape inspection
make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode
dquot_load_quota_inode
vfs_setup_quota_inode --> check pass
dquot_load_quota_sb
v2_check_quota_file
v2_read_header
ext4_quota_read
ext4_bread
ext4_getblk
ext4_map_blocks
ext4_ext_map_blocks
ext4_find_extent
ext4_cache_extents
ext4_es_cache_extent
__es_tree_search.isra.0
ext4_es_end --> Wrong extents trigger BUG_ON
In the above issue, s_usr_quota_inum is set to 5, but inode<5> contains
incorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO,
the ext4_ext_check_inode check in the ext4_iget function can be bypassed,
finally, the extents that are not checked trigger the BUG_ON in the
__es_tree_search function. To solve this issue, check whether the inode is
bad_inode in vfs_setup_quota_inode().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
393d1d1d76933886d5e1ce603214c9987589c6d5 , < fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3
(git)
Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < 1d5524832ff204b8a8cd54ae1628b2122f6e9a8d (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < 98004f926d27eaccdd2d336b7916a42e07392da1 (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < 0dcbf4dc3d54aab5990952cfd832042fb300dbe3 (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < 794c9175db1f2e5d2a28c326f10bd024dbd944f8 (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < 1daff79463d7d76096c84c57cddc30c5d4be2226 (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < d323877484765aaacbb2769b06e355c2041ed115 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/quota/dquot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "1d5524832ff204b8a8cd54ae1628b2122f6e9a8d",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "98004f926d27eaccdd2d336b7916a42e07392da1",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "0dcbf4dc3d54aab5990952cfd832042fb300dbe3",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "794c9175db1f2e5d2a28c326f10bd024dbd944f8",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "1daff79463d7d76096c84c57cddc30c5d4be2226",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "d323877484765aaacbb2769b06e355c2041ed115",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/quota/dquot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search caused by bad quota inode\n\nWe got a issue as fllows:\n==================================================================\n kernel BUG at fs/ext4/extents_status.c:202!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352\n RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0\n RSP: 0018:ffffc90001227900 EFLAGS: 00010202\n RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000\n RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8\n RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001\n R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10\n R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000\n FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n ext4_es_cache_extent+0xe2/0x210\n ext4_cache_extents+0xd2/0x110\n ext4_find_extent+0x5d5/0x8c0\n ext4_ext_map_blocks+0x9c/0x1d30\n ext4_map_blocks+0x431/0xa50\n ext4_getblk+0x82/0x340\n ext4_bread+0x14/0x110\n ext4_quota_read+0xf0/0x180\n v2_read_header+0x24/0x90\n v2_check_quota_file+0x2f/0xa0\n dquot_load_quota_sb+0x26c/0x760\n dquot_load_quota_inode+0xa5/0x190\n ext4_enable_quotas+0x14c/0x300\n __ext4_fill_super+0x31cc/0x32c0\n ext4_fill_super+0x115/0x2d0\n get_tree_bdev+0x1d2/0x360\n ext4_get_tree+0x19/0x30\n vfs_get_tree+0x26/0xe0\n path_mount+0x81d/0xfc0\n do_mount+0x8d/0xc0\n __x64_sys_mount+0xc0/0x160\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_orphan_cleanup\n ext4_enable_quotas\n ext4_quota_enable\n ext4_iget --\u003e get error inode \u003c5\u003e\n ext4_ext_check_inode --\u003e Wrong imode makes it escape inspection\n make_bad_inode(inode) --\u003e EXT4_BOOT_LOADER_INO set imode\n dquot_load_quota_inode\n vfs_setup_quota_inode --\u003e check pass\n dquot_load_quota_sb\n v2_check_quota_file\n v2_read_header\n ext4_quota_read\n ext4_bread\n ext4_getblk\n ext4_map_blocks\n ext4_ext_map_blocks\n ext4_find_extent\n ext4_cache_extents\n ext4_es_cache_extent\n __es_tree_search.isra.0\n ext4_es_end --\u003e Wrong extents trigger BUG_ON\n\nIn the above issue, s_usr_quota_inum is set to 5, but inode\u003c5\u003e contains\nincorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO,\nthe ext4_ext_check_inode check in the ext4_iget function can be bypassed,\nfinally, the extents that are not checked trigger the BUG_ON in the\n__es_tree_search function. To solve this issue, check whether the inode is\nbad_inode in vfs_setup_quota_inode()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:44.459Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3"
},
{
"url": "https://git.kernel.org/stable/c/1d5524832ff204b8a8cd54ae1628b2122f6e9a8d"
},
{
"url": "https://git.kernel.org/stable/c/98004f926d27eaccdd2d336b7916a42e07392da1"
},
{
"url": "https://git.kernel.org/stable/c/0dcbf4dc3d54aab5990952cfd832042fb300dbe3"
},
{
"url": "https://git.kernel.org/stable/c/794c9175db1f2e5d2a28c326f10bd024dbd944f8"
},
{
"url": "https://git.kernel.org/stable/c/1daff79463d7d76096c84c57cddc30c5d4be2226"
},
{
"url": "https://git.kernel.org/stable/c/d323877484765aaacbb2769b06e355c2041ed115"
}
],
"title": "ext4: fix bug_on in __es_tree_search caused by bad quota inode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50782",
"datePublished": "2025-12-24T13:06:09.914Z",
"dateReserved": "2025-12-24T13:02:21.548Z",
"dateUpdated": "2026-01-02T15:04:44.459Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54242 (GCVE-0-2023-54242)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2026-01-05 11:36
VLAI?
EPSS
Title
block, bfq: Fix division by zero error on zero wsum
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: Fix division by zero error on zero wsum
When the weighted sum is zero the calculation of limit causes
a division by zero error. Fix this by continuing to the next level.
This was discovered by running as root:
stress-ng --ioprio 0
Fixes divison by error oops:
[ 521.450556] divide error: 0000 [#1] SMP NOPTI
[ 521.450766] CPU: 2 PID: 2684464 Comm: stress-ng-iopri Not tainted 6.2.1-1280.native #1
[ 521.451117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
[ 521.451627] RIP: 0010:bfqq_request_over_limit+0x207/0x400
[ 521.451875] Code: 01 48 8d 0c c8 74 0b 48 8b 82 98 00 00 00 48 8d 0c c8 8b 85 34 ff ff ff 48 89 ca 41 0f af 41 50 48 d1 ea 48 98 48 01 d0 31 d2 <48> f7 f1 41 39 41 48 89 85 34 ff ff ff 0f 8c 7b 01 00 00 49 8b 44
[ 521.452699] RSP: 0018:ffffb1af84eb3948 EFLAGS: 00010046
[ 521.452938] RAX: 000000000000003c RBX: 0000000000000000 RCX: 0000000000000000
[ 521.453262] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb1af84eb3978
[ 521.453584] RBP: ffffb1af84eb3a30 R08: 0000000000000001 R09: ffff8f88ab8a4ba0
[ 521.453905] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f88ab8a4b18
[ 521.454224] R13: ffff8f8699093000 R14: 0000000000000001 R15: ffffb1af84eb3970
[ 521.454549] FS: 00005640b6b0b580(0000) GS:ffff8f88b3880000(0000) knlGS:0000000000000000
[ 521.454912] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 521.455170] CR2: 00007ffcbcae4e38 CR3: 00000002e46de001 CR4: 0000000000770ee0
[ 521.455491] PKRU: 55555554
[ 521.455619] Call Trace:
[ 521.455736] <TASK>
[ 521.455837] ? bfq_request_merge+0x3a/0xc0
[ 521.456027] ? elv_merge+0x115/0x140
[ 521.456191] bfq_limit_depth+0xc8/0x240
[ 521.456366] __blk_mq_alloc_requests+0x21a/0x2c0
[ 521.456577] blk_mq_submit_bio+0x23c/0x6c0
[ 521.456766] __submit_bio+0xb8/0x140
[ 521.457236] submit_bio_noacct_nocheck+0x212/0x300
[ 521.457748] submit_bio_noacct+0x1a6/0x580
[ 521.458220] submit_bio+0x43/0x80
[ 521.458660] ext4_io_submit+0x23/0x80
[ 521.459116] ext4_do_writepages+0x40a/0xd00
[ 521.459596] ext4_writepages+0x65/0x100
[ 521.460050] do_writepages+0xb7/0x1c0
[ 521.460492] __filemap_fdatawrite_range+0xa6/0x100
[ 521.460979] file_write_and_wait_range+0xbf/0x140
[ 521.461452] ext4_sync_file+0x105/0x340
[ 521.461882] __x64_sys_fsync+0x67/0x100
[ 521.462305] ? syscall_exit_to_user_mode+0x2c/0x1c0
[ 521.462768] do_syscall_64+0x3b/0xc0
[ 521.463165] entry_SYSCALL_64_after_hwframe+0x5a/0xc4
[ 521.463621] RIP: 0033:0x5640b6c56590
[ 521.464006] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 71 70 0e 00 00 74 17 b8 4a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
76f1df88bbc2f984eb0418cc90de0a8384e63604 , < 1655cfc85250a224b0d9486c8136baeea33b9b5c
(git)
Affected: 76f1df88bbc2f984eb0418cc90de0a8384e63604 , < c0346a59d719461248c6dc6f21c9e55ef836b66f (git) Affected: 76f1df88bbc2f984eb0418cc90de0a8384e63604 , < e53413f8deedf738a6782cc14cc00bd5852ccf18 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1655cfc85250a224b0d9486c8136baeea33b9b5c",
"status": "affected",
"version": "76f1df88bbc2f984eb0418cc90de0a8384e63604",
"versionType": "git"
},
{
"lessThan": "c0346a59d719461248c6dc6f21c9e55ef836b66f",
"status": "affected",
"version": "76f1df88bbc2f984eb0418cc90de0a8384e63604",
"versionType": "git"
},
{
"lessThan": "e53413f8deedf738a6782cc14cc00bd5852ccf18",
"status": "affected",
"version": "76f1df88bbc2f984eb0418cc90de0a8384e63604",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: Fix division by zero error on zero wsum\n\nWhen the weighted sum is zero the calculation of limit causes\na division by zero error. Fix this by continuing to the next level.\n\nThis was discovered by running as root:\n\nstress-ng --ioprio 0\n\nFixes divison by error oops:\n\n[ 521.450556] divide error: 0000 [#1] SMP NOPTI\n[ 521.450766] CPU: 2 PID: 2684464 Comm: stress-ng-iopri Not tainted 6.2.1-1280.native #1\n[ 521.451117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\n[ 521.451627] RIP: 0010:bfqq_request_over_limit+0x207/0x400\n[ 521.451875] Code: 01 48 8d 0c c8 74 0b 48 8b 82 98 00 00 00 48 8d 0c c8 8b 85 34 ff ff ff 48 89 ca 41 0f af 41 50 48 d1 ea 48 98 48 01 d0 31 d2 \u003c48\u003e f7 f1 41 39 41 48 89 85 34 ff ff ff 0f 8c 7b 01 00 00 49 8b 44\n[ 521.452699] RSP: 0018:ffffb1af84eb3948 EFLAGS: 00010046\n[ 521.452938] RAX: 000000000000003c RBX: 0000000000000000 RCX: 0000000000000000\n[ 521.453262] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb1af84eb3978\n[ 521.453584] RBP: ffffb1af84eb3a30 R08: 0000000000000001 R09: ffff8f88ab8a4ba0\n[ 521.453905] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f88ab8a4b18\n[ 521.454224] R13: ffff8f8699093000 R14: 0000000000000001 R15: ffffb1af84eb3970\n[ 521.454549] FS: 00005640b6b0b580(0000) GS:ffff8f88b3880000(0000) knlGS:0000000000000000\n[ 521.454912] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 521.455170] CR2: 00007ffcbcae4e38 CR3: 00000002e46de001 CR4: 0000000000770ee0\n[ 521.455491] PKRU: 55555554\n[ 521.455619] Call Trace:\n[ 521.455736] \u003cTASK\u003e\n[ 521.455837] ? bfq_request_merge+0x3a/0xc0\n[ 521.456027] ? elv_merge+0x115/0x140\n[ 521.456191] bfq_limit_depth+0xc8/0x240\n[ 521.456366] __blk_mq_alloc_requests+0x21a/0x2c0\n[ 521.456577] blk_mq_submit_bio+0x23c/0x6c0\n[ 521.456766] __submit_bio+0xb8/0x140\n[ 521.457236] submit_bio_noacct_nocheck+0x212/0x300\n[ 521.457748] submit_bio_noacct+0x1a6/0x580\n[ 521.458220] submit_bio+0x43/0x80\n[ 521.458660] ext4_io_submit+0x23/0x80\n[ 521.459116] ext4_do_writepages+0x40a/0xd00\n[ 521.459596] ext4_writepages+0x65/0x100\n[ 521.460050] do_writepages+0xb7/0x1c0\n[ 521.460492] __filemap_fdatawrite_range+0xa6/0x100\n[ 521.460979] file_write_and_wait_range+0xbf/0x140\n[ 521.461452] ext4_sync_file+0x105/0x340\n[ 521.461882] __x64_sys_fsync+0x67/0x100\n[ 521.462305] ? syscall_exit_to_user_mode+0x2c/0x1c0\n[ 521.462768] do_syscall_64+0x3b/0xc0\n[ 521.463165] entry_SYSCALL_64_after_hwframe+0x5a/0xc4\n[ 521.463621] RIP: 0033:0x5640b6c56590\n[ 521.464006] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 71 70 0e 00 00 74 17 b8 4a 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:36:58.701Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1655cfc85250a224b0d9486c8136baeea33b9b5c"
},
{
"url": "https://git.kernel.org/stable/c/c0346a59d719461248c6dc6f21c9e55ef836b66f"
},
{
"url": "https://git.kernel.org/stable/c/e53413f8deedf738a6782cc14cc00bd5852ccf18"
}
],
"title": "block, bfq: Fix division by zero error on zero wsum",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54242",
"datePublished": "2025-12-30T12:11:30.503Z",
"dateReserved": "2025-12-30T12:06:44.510Z",
"dateUpdated": "2026-01-05T11:36:58.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53769 (GCVE-0-2023-53769)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
virt/coco/sev-guest: Double-buffer messages
Summary
In the Linux kernel, the following vulnerability has been resolved:
virt/coco/sev-guest: Double-buffer messages
The encryption algorithms read and write directly to shared unencrypted
memory, which may leak information as well as permit the host to tamper
with the message integrity. Instead, copy whole messages in or out as
needed before doing any computation on them.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d5af44dde5461d125d1602ac913ab5c6bdf09b8b , < 577a64725bfd77645986168e953d405067ee565b
(git)
Affected: d5af44dde5461d125d1602ac913ab5c6bdf09b8b , < c27dafc4aa50a29ec927b3aa84ac7b430071f682 (git) Affected: d5af44dde5461d125d1602ac913ab5c6bdf09b8b , < 4b69c63f716cfda38e1210e65b68f67f6cee2ddf (git) Affected: d5af44dde5461d125d1602ac913ab5c6bdf09b8b , < 965006103a14703cc42043bbf9b5e0cdf7a468ad (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/virt/coco/sev-guest/sev-guest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "577a64725bfd77645986168e953d405067ee565b",
"status": "affected",
"version": "d5af44dde5461d125d1602ac913ab5c6bdf09b8b",
"versionType": "git"
},
{
"lessThan": "c27dafc4aa50a29ec927b3aa84ac7b430071f682",
"status": "affected",
"version": "d5af44dde5461d125d1602ac913ab5c6bdf09b8b",
"versionType": "git"
},
{
"lessThan": "4b69c63f716cfda38e1210e65b68f67f6cee2ddf",
"status": "affected",
"version": "d5af44dde5461d125d1602ac913ab5c6bdf09b8b",
"versionType": "git"
},
{
"lessThan": "965006103a14703cc42043bbf9b5e0cdf7a468ad",
"status": "affected",
"version": "d5af44dde5461d125d1602ac913ab5c6bdf09b8b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/virt/coco/sev-guest/sev-guest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirt/coco/sev-guest: Double-buffer messages\n\nThe encryption algorithms read and write directly to shared unencrypted\nmemory, which may leak information as well as permit the host to tamper\nwith the message integrity. Instead, copy whole messages in or out as\nneeded before doing any computation on them."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:32.417Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/577a64725bfd77645986168e953d405067ee565b"
},
{
"url": "https://git.kernel.org/stable/c/c27dafc4aa50a29ec927b3aa84ac7b430071f682"
},
{
"url": "https://git.kernel.org/stable/c/4b69c63f716cfda38e1210e65b68f67f6cee2ddf"
},
{
"url": "https://git.kernel.org/stable/c/965006103a14703cc42043bbf9b5e0cdf7a468ad"
}
],
"title": "virt/coco/sev-guest: Double-buffer messages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53769",
"datePublished": "2025-12-08T01:19:32.417Z",
"dateReserved": "2025-12-08T01:18:04.281Z",
"dateUpdated": "2025-12-08T01:19:32.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54028 (GCVE-0-2023-54028)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task"
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task"
In the function rxe_create_qp(), rxe_qp_from_init() is called to
initialize qp, internally things like rxe_init_task are not setup until
rxe_qp_init_req().
If an error occurred before this point then the unwind will call
rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()
which will oops when trying to access the uninitialized spinlock.
If rxe_init_task is not executed, rxe_cleanup_task will not be called.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8700e3e7c4857d28ebaa824509934556da0b3e76 , < 3236221bb8e4de8e3d0c8385f634064fb26b8e38
(git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < c8473cd5b301279a41dc75e5afb26b3d5223b6c7 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 0d938264fcfe4927e54f0e519da05af1d5d720b4 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < b2b1ddc457458fecd1c6f385baa9fbda5f0c63ad (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3236221bb8e4de8e3d0c8385f634064fb26b8e38",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "c8473cd5b301279a41dc75e5afb26b3d5223b6c7",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "0d938264fcfe4927e54f0e519da05af1d5d720b4",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "b2b1ddc457458fecd1c6f385baa9fbda5f0c63ad",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.32",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix the error \"trying to register non-static key in rxe_cleanup_task\"\n\nIn the function rxe_create_qp(), rxe_qp_from_init() is called to\ninitialize qp, internally things like rxe_init_task are not setup until\nrxe_qp_init_req().\n\nIf an error occurred before this point then the unwind will call\nrxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task()\nwhich will oops when trying to access the uninitialized spinlock.\n\nIf rxe_init_task is not executed, rxe_cleanup_task will not be called."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:56.619Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3236221bb8e4de8e3d0c8385f634064fb26b8e38"
},
{
"url": "https://git.kernel.org/stable/c/c8473cd5b301279a41dc75e5afb26b3d5223b6c7"
},
{
"url": "https://git.kernel.org/stable/c/0d938264fcfe4927e54f0e519da05af1d5d720b4"
},
{
"url": "https://git.kernel.org/stable/c/b2b1ddc457458fecd1c6f385baa9fbda5f0c63ad"
}
],
"title": "RDMA/rxe: Fix the error \"trying to register non-static key in rxe_cleanup_task\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54028",
"datePublished": "2025-12-24T10:55:56.619Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:55:56.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50867 (GCVE-0-2022-50867)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 13:56
VLAI?
EPSS
Title
drm/msm/a6xx: Fix kvzalloc vs state_kcalloc usage
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/a6xx: Fix kvzalloc vs state_kcalloc usage
adreno_show_object() is a trap! It will re-allocate the pointer it is
passed on first call, when the data is ascii85 encoded, using kvmalloc/
kvfree(). Which means the data *passed* to it must be kvmalloc'd, ie.
we cannot use the state_kcalloc() helper.
This partially reverts commit ec8f1813bf8d ("drm/msm/a6xx: Replace
kcalloc() with kvzalloc()"), but adds the missing kvfree() to fix the
memory leak that was present previously. And adds a warning comment.
Patchwork: https://patchwork.freedesktop.org/patch/507014/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c",
"drivers/gpu/drm/msm/adreno/adreno_gpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b1bbc0571a5d7ee10f754186dc3d619b9ced5c1",
"status": "affected",
"version": "b859f9b009bbfbc236d9b076c64c59ccb41b8737",
"versionType": "git"
},
{
"lessThan": "83d18e9d9c0150d98dc24e3642ea93f5e245322c",
"status": "affected",
"version": "b859f9b009bbfbc236d9b076c64c59ccb41b8737",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c",
"drivers/gpu/drm/msm/adreno/adreno_gpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/a6xx: Fix kvzalloc vs state_kcalloc usage\n\nadreno_show_object() is a trap! It will re-allocate the pointer it is\npassed on first call, when the data is ascii85 encoded, using kvmalloc/\nkvfree(). Which means the data *passed* to it must be kvmalloc\u0027d, ie.\nwe cannot use the state_kcalloc() helper.\n\nThis partially reverts commit ec8f1813bf8d (\"drm/msm/a6xx: Replace\nkcalloc() with kvzalloc()\"), but adds the missing kvfree() to fix the\nmemory leak that was present previously. And adds a warning comment.\n\nPatchwork: https://patchwork.freedesktop.org/patch/507014/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T13:56:57.841Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b1bbc0571a5d7ee10f754186dc3d619b9ced5c1"
},
{
"url": "https://git.kernel.org/stable/c/83d18e9d9c0150d98dc24e3642ea93f5e245322c"
}
],
"title": "drm/msm/a6xx: Fix kvzalloc vs state_kcalloc usage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50867",
"datePublished": "2025-12-30T12:15:38.520Z",
"dateReserved": "2025-12-30T12:06:07.136Z",
"dateUpdated": "2025-12-30T13:56:57.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54111 (GCVE-0-2023-54111)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups
of_find_node_by_phandle() returns a node pointer with refcount incremented,
We should use of_node_put() on it when not needed anymore.
Add missing of_node_put() to avoid refcount leak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d3e5116119bd02ea7716bbe04b39c21bba4bcf42 , < aa017ab5716c9157c65fdce061c4a4a568af53a8
(git)
Affected: d3e5116119bd02ea7716bbe04b39c21bba4bcf42 , < 5868013522297bf628eee4322d99d6d4de4f308e (git) Affected: d3e5116119bd02ea7716bbe04b39c21bba4bcf42 , < 954a7a0011d94475f8ba5ceb77a5d11e01cf402f (git) Affected: d3e5116119bd02ea7716bbe04b39c21bba4bcf42 , < d562054a3a2eede3507a5461011ee82b671fcb88 (git) Affected: d3e5116119bd02ea7716bbe04b39c21bba4bcf42 , < 0f735f232ff59863e0b6ebac0849d637e215a9c2 (git) Affected: d3e5116119bd02ea7716bbe04b39c21bba4bcf42 , < dbef00ef4b9b98d15183340396e5df0fa7a860d8 (git) Affected: d3e5116119bd02ea7716bbe04b39c21bba4bcf42 , < 3c40b34e3462aab12af3dba77d2e1602afc72e80 (git) Affected: d3e5116119bd02ea7716bbe04b39c21bba4bcf42 , < c818ae563bf99457f02e8170aabd6b174f629f65 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-rockchip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa017ab5716c9157c65fdce061c4a4a568af53a8",
"status": "affected",
"version": "d3e5116119bd02ea7716bbe04b39c21bba4bcf42",
"versionType": "git"
},
{
"lessThan": "5868013522297bf628eee4322d99d6d4de4f308e",
"status": "affected",
"version": "d3e5116119bd02ea7716bbe04b39c21bba4bcf42",
"versionType": "git"
},
{
"lessThan": "954a7a0011d94475f8ba5ceb77a5d11e01cf402f",
"status": "affected",
"version": "d3e5116119bd02ea7716bbe04b39c21bba4bcf42",
"versionType": "git"
},
{
"lessThan": "d562054a3a2eede3507a5461011ee82b671fcb88",
"status": "affected",
"version": "d3e5116119bd02ea7716bbe04b39c21bba4bcf42",
"versionType": "git"
},
{
"lessThan": "0f735f232ff59863e0b6ebac0849d637e215a9c2",
"status": "affected",
"version": "d3e5116119bd02ea7716bbe04b39c21bba4bcf42",
"versionType": "git"
},
{
"lessThan": "dbef00ef4b9b98d15183340396e5df0fa7a860d8",
"status": "affected",
"version": "d3e5116119bd02ea7716bbe04b39c21bba4bcf42",
"versionType": "git"
},
{
"lessThan": "3c40b34e3462aab12af3dba77d2e1602afc72e80",
"status": "affected",
"version": "d3e5116119bd02ea7716bbe04b39c21bba4bcf42",
"versionType": "git"
},
{
"lessThan": "c818ae563bf99457f02e8170aabd6b174f629f65",
"status": "affected",
"version": "d3e5116119bd02ea7716bbe04b39c21bba4bcf42",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-rockchip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.11"
},
{
"lessThan": "3.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.270",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "3.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups\n\nof_find_node_by_phandle() returns a node pointer with refcount incremented,\nWe should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:34.187Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa017ab5716c9157c65fdce061c4a4a568af53a8"
},
{
"url": "https://git.kernel.org/stable/c/5868013522297bf628eee4322d99d6d4de4f308e"
},
{
"url": "https://git.kernel.org/stable/c/954a7a0011d94475f8ba5ceb77a5d11e01cf402f"
},
{
"url": "https://git.kernel.org/stable/c/d562054a3a2eede3507a5461011ee82b671fcb88"
},
{
"url": "https://git.kernel.org/stable/c/0f735f232ff59863e0b6ebac0849d637e215a9c2"
},
{
"url": "https://git.kernel.org/stable/c/dbef00ef4b9b98d15183340396e5df0fa7a860d8"
},
{
"url": "https://git.kernel.org/stable/c/3c40b34e3462aab12af3dba77d2e1602afc72e80"
},
{
"url": "https://git.kernel.org/stable/c/c818ae563bf99457f02e8170aabd6b174f629f65"
}
],
"title": "pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54111",
"datePublished": "2025-12-24T13:06:34.187Z",
"dateReserved": "2025-12-24T13:02:52.518Z",
"dateUpdated": "2025-12-24T13:06:34.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68235 (GCVE-0-2025-68235)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2025-12-16 14:08
VLAI?
EPSS
Title
nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot
Summary
In the Linux kernel, the following vulnerability has been resolved:
nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot
nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a
kmemleak warning.
Make sure this data is deallocated.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2541626cfb794e57ba0575a6920826f591f7ced0 , < 7d1977b4ae5c50e1aafc5c51500fc08bd7afd6a0
(git)
Affected: 2541626cfb794e57ba0575a6920826f591f7ced0 , < 6492add9a3a163d5e0390428d2636adc3e61b883 (git) Affected: 2541626cfb794e57ba0575a6920826f591f7ced0 , < 2bba02a39bfb383bd1a95868d532c0917e38f9e7 (git) Affected: 2541626cfb794e57ba0575a6920826f591f7ced0 , < 949f1fd2225baefbea2995afa807dba5cbdb6bd3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvkm/falcon/fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d1977b4ae5c50e1aafc5c51500fc08bd7afd6a0",
"status": "affected",
"version": "2541626cfb794e57ba0575a6920826f591f7ced0",
"versionType": "git"
},
{
"lessThan": "6492add9a3a163d5e0390428d2636adc3e61b883",
"status": "affected",
"version": "2541626cfb794e57ba0575a6920826f591f7ced0",
"versionType": "git"
},
{
"lessThan": "2bba02a39bfb383bd1a95868d532c0917e38f9e7",
"status": "affected",
"version": "2541626cfb794e57ba0575a6920826f591f7ced0",
"versionType": "git"
},
{
"lessThan": "949f1fd2225baefbea2995afa807dba5cbdb6bd3",
"status": "affected",
"version": "2541626cfb794e57ba0575a6920826f591f7ced0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvkm/falcon/fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot\n\nnvkm_falcon_fw::boot is allocated, but no one frees it. This causes a\nkmemleak warning.\n\nMake sure this data is deallocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:08:29.396Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d1977b4ae5c50e1aafc5c51500fc08bd7afd6a0"
},
{
"url": "https://git.kernel.org/stable/c/6492add9a3a163d5e0390428d2636adc3e61b883"
},
{
"url": "https://git.kernel.org/stable/c/2bba02a39bfb383bd1a95868d532c0917e38f9e7"
},
{
"url": "https://git.kernel.org/stable/c/949f1fd2225baefbea2995afa807dba5cbdb6bd3"
}
],
"title": "nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68235",
"datePublished": "2025-12-16T14:08:29.396Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2025-12-16T14:08:29.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54175 (GCVE-0-2023-54175)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path
The xiic_xfer() function gets a runtime PM reference when the function is
entered. This reference is released when the function is exited. There is
currently one error path where the function exits directly, which leads to
a leak of the runtime PM reference.
Make sure that this error path also releases the runtime PM reference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
30def367fa205d81e2880f5390b8c43ed66a9667 , < 2d320d9de7d31c0eb279b3f8a02cf1af473a3737
(git)
Affected: c7ed4ddaa5a236bde32de46266a9b0e55701201d , < 72cb227a368cf286efb8ce1e741e8c7085747b4d (git) Affected: fdacc3c7405d1fc33c1f2771699a4fc24551e480 , < 06e661a259978305c0015f6f33d14477a0cfbe8f (git) Affected: fdacc3c7405d1fc33c1f2771699a4fc24551e480 , < 6027d84c073e26cb1b32a90d69c5fbad57776406 (git) Affected: fdacc3c7405d1fc33c1f2771699a4fc24551e480 , < 688fdfc458bfa651dca39c736d39c1b7520af0e8 (git) Affected: fdacc3c7405d1fc33c1f2771699a4fc24551e480 , < d663d93bb47e7ab45602b227701022d8aa16040a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-xiic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d320d9de7d31c0eb279b3f8a02cf1af473a3737",
"status": "affected",
"version": "30def367fa205d81e2880f5390b8c43ed66a9667",
"versionType": "git"
},
{
"lessThan": "72cb227a368cf286efb8ce1e741e8c7085747b4d",
"status": "affected",
"version": "c7ed4ddaa5a236bde32de46266a9b0e55701201d",
"versionType": "git"
},
{
"lessThan": "06e661a259978305c0015f6f33d14477a0cfbe8f",
"status": "affected",
"version": "fdacc3c7405d1fc33c1f2771699a4fc24551e480",
"versionType": "git"
},
{
"lessThan": "6027d84c073e26cb1b32a90d69c5fbad57776406",
"status": "affected",
"version": "fdacc3c7405d1fc33c1f2771699a4fc24551e480",
"versionType": "git"
},
{
"lessThan": "688fdfc458bfa651dca39c736d39c1b7520af0e8",
"status": "affected",
"version": "fdacc3c7405d1fc33c1f2771699a4fc24551e480",
"versionType": "git"
},
{
"lessThan": "d663d93bb47e7ab45602b227701022d8aa16040a",
"status": "affected",
"version": "fdacc3c7405d1fc33c1f2771699a4fc24551e480",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-xiic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: xiic: xiic_xfer(): Fix runtime PM leak on error path\n\nThe xiic_xfer() function gets a runtime PM reference when the function is\nentered. This reference is released when the function is exited. There is\ncurrently one error path where the function exits directly, which leads to\na leak of the runtime PM reference.\n\nMake sure that this error path also releases the runtime PM reference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:48.231Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d320d9de7d31c0eb279b3f8a02cf1af473a3737"
},
{
"url": "https://git.kernel.org/stable/c/72cb227a368cf286efb8ce1e741e8c7085747b4d"
},
{
"url": "https://git.kernel.org/stable/c/06e661a259978305c0015f6f33d14477a0cfbe8f"
},
{
"url": "https://git.kernel.org/stable/c/6027d84c073e26cb1b32a90d69c5fbad57776406"
},
{
"url": "https://git.kernel.org/stable/c/688fdfc458bfa651dca39c736d39c1b7520af0e8"
},
{
"url": "https://git.kernel.org/stable/c/d663d93bb47e7ab45602b227701022d8aa16040a"
}
],
"title": "i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54175",
"datePublished": "2025-12-30T12:08:48.231Z",
"dateReserved": "2025-12-30T12:06:44.496Z",
"dateUpdated": "2025-12-30T12:08:48.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53746 (GCVE-0-2023-53746)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
s390/vfio-ap: fix memory leak in vfio_ap device driver
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/vfio-ap: fix memory leak in vfio_ap device driver
The device release callback function invoked to release the matrix device
uses the dev_get_drvdata(device *dev) function to retrieve the
pointer to the vfio_matrix_dev object in order to free its storage. The
problem is, this object is not stored as drvdata with the device; since the
kfree function will accept a NULL pointer, the memory for the
vfio_matrix_dev object is never freed.
Since the device being released is contained within the vfio_matrix_dev
object, the container_of macro will be used to retrieve its pointer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1fde573413b549d52183382e639c1d6ce88f5959 , < 5195de1d5f66b276683240a896783f7f43c4f664
(git)
Affected: 1fde573413b549d52183382e639c1d6ce88f5959 , < ee17dea3072dec0bc34399a32fa884e26342e4ea (git) Affected: 1fde573413b549d52183382e639c1d6ce88f5959 , < aa2bff25e9bb10c935c7ffe3d5f5975bdccb1749 (git) Affected: 1fde573413b549d52183382e639c1d6ce88f5959 , < 6a40fda14b4be3e38f03cc42ffd4efbc64fb3e67 (git) Affected: 1fde573413b549d52183382e639c1d6ce88f5959 , < 7b6a02f5bf15931464c79dfd487c57f76aae3496 (git) Affected: 1fde573413b549d52183382e639c1d6ce88f5959 , < 8f8cf767589f2131ae5d40f3758429095c701c84 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/crypto/vfio_ap_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5195de1d5f66b276683240a896783f7f43c4f664",
"status": "affected",
"version": "1fde573413b549d52183382e639c1d6ce88f5959",
"versionType": "git"
},
{
"lessThan": "ee17dea3072dec0bc34399a32fa884e26342e4ea",
"status": "affected",
"version": "1fde573413b549d52183382e639c1d6ce88f5959",
"versionType": "git"
},
{
"lessThan": "aa2bff25e9bb10c935c7ffe3d5f5975bdccb1749",
"status": "affected",
"version": "1fde573413b549d52183382e639c1d6ce88f5959",
"versionType": "git"
},
{
"lessThan": "6a40fda14b4be3e38f03cc42ffd4efbc64fb3e67",
"status": "affected",
"version": "1fde573413b549d52183382e639c1d6ce88f5959",
"versionType": "git"
},
{
"lessThan": "7b6a02f5bf15931464c79dfd487c57f76aae3496",
"status": "affected",
"version": "1fde573413b549d52183382e639c1d6ce88f5959",
"versionType": "git"
},
{
"lessThan": "8f8cf767589f2131ae5d40f3758429095c701c84",
"status": "affected",
"version": "1fde573413b549d52183382e639c1d6ce88f5959",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/crypto/vfio_ap_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.106",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.240",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.177",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.106",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.23",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.10",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/vfio-ap: fix memory leak in vfio_ap device driver\n\nThe device release callback function invoked to release the matrix device\nuses the dev_get_drvdata(device *dev) function to retrieve the\npointer to the vfio_matrix_dev object in order to free its storage. The\nproblem is, this object is not stored as drvdata with the device; since the\nkfree function will accept a NULL pointer, the memory for the\nvfio_matrix_dev object is never freed.\n\nSince the device being released is contained within the vfio_matrix_dev\nobject, the container_of macro will be used to retrieve its pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:05.204Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5195de1d5f66b276683240a896783f7f43c4f664"
},
{
"url": "https://git.kernel.org/stable/c/ee17dea3072dec0bc34399a32fa884e26342e4ea"
},
{
"url": "https://git.kernel.org/stable/c/aa2bff25e9bb10c935c7ffe3d5f5975bdccb1749"
},
{
"url": "https://git.kernel.org/stable/c/6a40fda14b4be3e38f03cc42ffd4efbc64fb3e67"
},
{
"url": "https://git.kernel.org/stable/c/7b6a02f5bf15931464c79dfd487c57f76aae3496"
},
{
"url": "https://git.kernel.org/stable/c/8f8cf767589f2131ae5d40f3758429095c701c84"
}
],
"title": "s390/vfio-ap: fix memory leak in vfio_ap device driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53746",
"datePublished": "2025-12-08T01:19:05.204Z",
"dateReserved": "2025-12-08T01:18:04.279Z",
"dateUpdated": "2025-12-08T01:19:05.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53848 (GCVE-0-2023-53848)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
md/raid5-cache: fix a deadlock in r5l_exit_log()
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid5-cache: fix a deadlock in r5l_exit_log()
Commit b13015af94cf ("md/raid5-cache: Clear conf->log after finishing
work") introduce a new problem:
// caller hold reconfig_mutex
r5l_exit_log
flush_work(&log->disable_writeback_work)
r5c_disable_writeback_async
wait_event
/*
* conf->log is not NULL, and mddev_trylock()
* will fail, wait_event() can never pass.
*/
conf->log = NULL
Fix this problem by setting 'config->log' to NULL before wake_up() as it
used to be, so that wait_event() from r5c_disable_writeback_async() can
exist. In the meantime, move forward md_unregister_thread() so that
null-ptr-deref this commit fixed can still be fixed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b13015af94cf405f73ff64ce0797269554020c37 , < ac9e103f282a7854f3274ef5ff0742fbbe8d7d6b
(git)
Affected: b13015af94cf405f73ff64ce0797269554020c37 , < 71cf23271f015a57038bdc4669952096f9fe5500 (git) Affected: b13015af94cf405f73ff64ce0797269554020c37 , < c406984738215dc20ac2dc63e49d70f20797730e (git) Affected: b13015af94cf405f73ff64ce0797269554020c37 , < a705b11b358dee677aad80630e7608b2d5f56691 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5-cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac9e103f282a7854f3274ef5ff0742fbbe8d7d6b",
"status": "affected",
"version": "b13015af94cf405f73ff64ce0797269554020c37",
"versionType": "git"
},
{
"lessThan": "71cf23271f015a57038bdc4669952096f9fe5500",
"status": "affected",
"version": "b13015af94cf405f73ff64ce0797269554020c37",
"versionType": "git"
},
{
"lessThan": "c406984738215dc20ac2dc63e49d70f20797730e",
"status": "affected",
"version": "b13015af94cf405f73ff64ce0797269554020c37",
"versionType": "git"
},
{
"lessThan": "a705b11b358dee677aad80630e7608b2d5f56691",
"status": "affected",
"version": "b13015af94cf405f73ff64ce0797269554020c37",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5-cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5-cache: fix a deadlock in r5l_exit_log()\n\nCommit b13015af94cf (\"md/raid5-cache: Clear conf-\u003elog after finishing\nwork\") introduce a new problem:\n\n// caller hold reconfig_mutex\nr5l_exit_log\n flush_work(\u0026log-\u003edisable_writeback_work)\n\t\t\tr5c_disable_writeback_async\n\t\t\t wait_event\n\t\t\t /*\n\t\t\t * conf-\u003elog is not NULL, and mddev_trylock()\n\t\t\t * will fail, wait_event() can never pass.\n\t\t\t */\n conf-\u003elog = NULL\n\nFix this problem by setting \u0027config-\u003elog\u0027 to NULL before wake_up() as it\nused to be, so that wait_event() from r5c_disable_writeback_async() can\nexist. In the meantime, move forward md_unregister_thread() so that\nnull-ptr-deref this commit fixed can still be fixed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:11.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac9e103f282a7854f3274ef5ff0742fbbe8d7d6b"
},
{
"url": "https://git.kernel.org/stable/c/71cf23271f015a57038bdc4669952096f9fe5500"
},
{
"url": "https://git.kernel.org/stable/c/c406984738215dc20ac2dc63e49d70f20797730e"
},
{
"url": "https://git.kernel.org/stable/c/a705b11b358dee677aad80630e7608b2d5f56691"
}
],
"title": "md/raid5-cache: fix a deadlock in r5l_exit_log()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53848",
"datePublished": "2025-12-09T01:30:11.895Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:11.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50617 (GCVE-0-2022-50617)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16
VLAI?
EPSS
Title
drm/amdgpu/powerplay/psm: Fix memory leak in power state init
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/powerplay/psm: Fix memory leak in power state init
Commit 902bc65de0b3 ("drm/amdgpu/powerplay/psm: return an error in power
state init") made the power state init function return early in case of
failure to get an entry from the powerplay table, but it missed to clean up
the allocated memory for the current power state before returning.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
902bc65de0b3d72c481b45cbac3e97ab8cb399c2 , < 1caed03305b560bafea8eaa57f1847791658b3ff
(git)
Affected: 902bc65de0b3d72c481b45cbac3e97ab8cb399c2 , < 7cb8932644438bee992dc898a36ffe155fdc1bfa (git) Affected: 902bc65de0b3d72c481b45cbac3e97ab8cb399c2 , < 1c65f8f98148709e08bd6157a807c443ba91f0ac (git) Affected: 902bc65de0b3d72c481b45cbac3e97ab8cb399c2 , < 8f8033d5663b18e6efb33feb61f2287a04605ab5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1caed03305b560bafea8eaa57f1847791658b3ff",
"status": "affected",
"version": "902bc65de0b3d72c481b45cbac3e97ab8cb399c2",
"versionType": "git"
},
{
"lessThan": "7cb8932644438bee992dc898a36ffe155fdc1bfa",
"status": "affected",
"version": "902bc65de0b3d72c481b45cbac3e97ab8cb399c2",
"versionType": "git"
},
{
"lessThan": "1c65f8f98148709e08bd6157a807c443ba91f0ac",
"status": "affected",
"version": "902bc65de0b3d72c481b45cbac3e97ab8cb399c2",
"versionType": "git"
},
{
"lessThan": "8f8033d5663b18e6efb33feb61f2287a04605ab5",
"status": "affected",
"version": "902bc65de0b3d72c481b45cbac3e97ab8cb399c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/powerplay/psm: Fix memory leak in power state init\n\nCommit 902bc65de0b3 (\"drm/amdgpu/powerplay/psm: return an error in power\nstate init\") made the power state init function return early in case of\nfailure to get an entry from the powerplay table, but it missed to clean up\nthe allocated memory for the current power state before returning."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:16:30.544Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1caed03305b560bafea8eaa57f1847791658b3ff"
},
{
"url": "https://git.kernel.org/stable/c/7cb8932644438bee992dc898a36ffe155fdc1bfa"
},
{
"url": "https://git.kernel.org/stable/c/1c65f8f98148709e08bd6157a807c443ba91f0ac"
},
{
"url": "https://git.kernel.org/stable/c/8f8033d5663b18e6efb33feb61f2287a04605ab5"
}
],
"title": "drm/amdgpu/powerplay/psm: Fix memory leak in power state init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50617",
"datePublished": "2025-12-08T01:16:30.544Z",
"dateReserved": "2025-12-08T01:14:55.189Z",
"dateUpdated": "2025-12-08T01:16:30.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54010 (GCVE-0-2023-54010)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects
ACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4
ACPI_ALLOCATE_ZEROED may fails, object_info might be null and will cause
null pointer dereference later.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9957510255724c1c746c9a6264c849e9fdd4cd24 , < c9fcb2cfcbd4d7018d9f659f5b670f5b727d1968
(git)
Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < 35d67ffad6f5d78dbd800d354f5334c7b71a19e0 (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < c409eb45f5ddae2e3b3faa76cefc87f3cd0d0e88 (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < 978e0d05547ae707d51a942fc7e85a34e181ee6f (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < d997c920a5305b37f0b8a40501b5aca10d099ecd (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < fee6133490091492dc66bcf71479bd53bd17a7d2 (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < ed2e1e85644ca3d351324e9927a538c8af4df654 (git) Affected: 9957510255724c1c746c9a6264c849e9fdd4cd24 , < ae5a0eccc85fc960834dd66e3befc2728284b86c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/dbnames.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c9fcb2cfcbd4d7018d9f659f5b670f5b727d1968",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "35d67ffad6f5d78dbd800d354f5334c7b71a19e0",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "c409eb45f5ddae2e3b3faa76cefc87f3cd0d0e88",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "978e0d05547ae707d51a942fc7e85a34e181ee6f",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "d997c920a5305b37f0b8a40501b5aca10d099ecd",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "fee6133490091492dc66bcf71479bd53bd17a7d2",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "ed2e1e85644ca3d351324e9927a538c8af4df654",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
},
{
"lessThan": "ae5a0eccc85fc960834dd66e3befc2728284b86c",
"status": "affected",
"version": "9957510255724c1c746c9a6264c849e9fdd4cd24",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpica/dbnames.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects\n\nACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4\n\nACPI_ALLOCATE_ZEROED may fails, object_info might be null and will cause\nnull pointer dereference later."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:24.967Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c9fcb2cfcbd4d7018d9f659f5b670f5b727d1968"
},
{
"url": "https://git.kernel.org/stable/c/35d67ffad6f5d78dbd800d354f5334c7b71a19e0"
},
{
"url": "https://git.kernel.org/stable/c/c409eb45f5ddae2e3b3faa76cefc87f3cd0d0e88"
},
{
"url": "https://git.kernel.org/stable/c/978e0d05547ae707d51a942fc7e85a34e181ee6f"
},
{
"url": "https://git.kernel.org/stable/c/d997c920a5305b37f0b8a40501b5aca10d099ecd"
},
{
"url": "https://git.kernel.org/stable/c/fee6133490091492dc66bcf71479bd53bd17a7d2"
},
{
"url": "https://git.kernel.org/stable/c/ed2e1e85644ca3d351324e9927a538c8af4df654"
},
{
"url": "https://git.kernel.org/stable/c/ae5a0eccc85fc960834dd66e3befc2728284b86c"
}
],
"title": "ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54010",
"datePublished": "2025-12-24T10:55:43.386Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2026-01-05T10:33:24.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50881 (GCVE-0-2022-50881)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-02 15:05
VLAI?
EPSS
Title
wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()
This patch fixes a use-after-free in ath9k that occurs in
ath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access
'drv_priv' that has already been freed by ieee80211_free_hw(), called by
ath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before
ieee80211_free_hw(). Note that urbs from the driver should be killed
before freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will
access 'wmi'.
Found by a modified version of syzkaller.
==================================================================
BUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40
Read of size 8 at addr ffff8881069132a0 by task kworker/0:1/7
CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x8e/0xd1
print_address_description.constprop.0.cold+0x93/0x334
? ath9k_destroy_wmi+0x38/0x40
? ath9k_destroy_wmi+0x38/0x40
kasan_report.cold+0x83/0xdf
? ath9k_destroy_wmi+0x38/0x40
ath9k_destroy_wmi+0x38/0x40
ath9k_hif_usb_disconnect+0x329/0x3f0
? ath9k_hif_usb_suspend+0x120/0x120
? usb_disable_interface+0xfc/0x180
usb_unbind_interface+0x19b/0x7e0
? usb_autoresume_device+0x50/0x50
device_release_driver_internal+0x44d/0x520
bus_remove_device+0x2e5/0x5a0
device_del+0x5b2/0xe30
? __device_link_del+0x370/0x370
? usb_remove_ep_devs+0x43/0x80
? remove_intf_ep_devs+0x112/0x1a0
usb_disable_device+0x1e3/0x5a0
usb_disconnect+0x267/0x870
hub_event+0x168d/0x3950
? rcu_read_lock_sched_held+0xa1/0xd0
? hub_port_debounce+0x2e0/0x2e0
? check_irq_usage+0x860/0xf20
? drain_workqueue+0x281/0x360
? lock_release+0x640/0x640
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
process_one_work+0x92b/0x1460
? pwq_dec_nr_in_flight+0x330/0x330
? rwlock_bug.part.0+0x90/0x90
worker_thread+0x95/0xe00
? __kthread_parkme+0x115/0x1e0
? process_one_work+0x1460/0x1460
kthread+0x3a1/0x480
? set_kthread_struct+0x120/0x120
ret_from_fork+0x1f/0x30
The buggy address belongs to the page:
page:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635
prep_new_page+0x1aa/0x240
get_page_from_freelist+0x159a/0x27c0
__alloc_pages+0x2da/0x6a0
alloc_pages+0xec/0x1e0
kmalloc_order+0x39/0xf0
kmalloc_order_trace+0x19/0x120
__kmalloc+0x308/0x390
wiphy_new_nm+0x6f5/0x1dd0
ieee80211_alloc_hw_nm+0x36d/0x2230
ath9k_htc_probe_device+0x9d/0x1e10
ath9k_htc_hw_init+0x34/0x50
ath9k_hif_usb_firmware_cb+0x25f/0x4e0
request_firmware_work_func+0x131/0x240
process_one_work+0x92b/0x1460
worker_thread+0x95/0xe00
kthread+0x3a1/0x480
page last free stack trace:
free_pcp_prepare+0x3d3/0x7f0
free_unref_page+0x1e/0x3d0
device_release+0xa4/0x240
kobject_put+0x186/0x4c0
put_device+0x20/0x30
ath9k_htc_disconnect_device+0x1cf/0x2c0
ath9k_htc_hw_deinit+0x26/0x30
ath9k_hif_usb_disconnect+0x2d9/0x3f0
usb_unbind_interface+0x19b/0x7e0
device_release_driver_internal+0x44d/0x520
bus_remove_device+0x2e5/0x5a0
device_del+0x5b2/0xe30
usb_disable_device+0x1e3/0x5a0
usb_disconnect+0x267/0x870
hub_event+0x168d/0x3950
process_one_work+0x92b/0x1460
Memory state around the buggy address:
ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
abeaa85054ff8cfe8b99aafc5c70ea067e5d0908 , < 99ff971b62e5bd5dee65bbe9777375206f5db791
(git)
Affected: abeaa85054ff8cfe8b99aafc5c70ea067e5d0908 , < 634a5471a6bd774c0d0fa448dfa6ec593e899ec9 (git) Affected: abeaa85054ff8cfe8b99aafc5c70ea067e5d0908 , < 1f137c634a8c8faba648574f687805641e62f92e (git) Affected: abeaa85054ff8cfe8b99aafc5c70ea067e5d0908 , < de15e8bbd9eb26fe94a06d0ec7be82dc490eb729 (git) Affected: abeaa85054ff8cfe8b99aafc5c70ea067e5d0908 , < f099c5c9e2ba08a379bd354a82e05ef839ae29ac (git) Affected: 5c42f9bfb4c22898ed3d2806d75e2e58522a5edd (git) Affected: 44736603a7099d2a9b48c669e43a689588e272a5 (git) Affected: 406a2fbfabbf7ed9ed21884a82c07fabc6fe0b68 (git) Affected: 66a4ca83d50bb38c814190af2188868153cce5de (git) Affected: 3eb802924486a923585b344340a5536d91989a45 (git) Affected: 1bc633311a37913293c3c0a1b0f5261c49e3d5dc (git) Affected: 378d2734bf603bac4959bce2cadf5927aa2beffc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c",
"drivers/net/wireless/ath/ath9k/htc_drv_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99ff971b62e5bd5dee65bbe9777375206f5db791",
"status": "affected",
"version": "abeaa85054ff8cfe8b99aafc5c70ea067e5d0908",
"versionType": "git"
},
{
"lessThan": "634a5471a6bd774c0d0fa448dfa6ec593e899ec9",
"status": "affected",
"version": "abeaa85054ff8cfe8b99aafc5c70ea067e5d0908",
"versionType": "git"
},
{
"lessThan": "1f137c634a8c8faba648574f687805641e62f92e",
"status": "affected",
"version": "abeaa85054ff8cfe8b99aafc5c70ea067e5d0908",
"versionType": "git"
},
{
"lessThan": "de15e8bbd9eb26fe94a06d0ec7be82dc490eb729",
"status": "affected",
"version": "abeaa85054ff8cfe8b99aafc5c70ea067e5d0908",
"versionType": "git"
},
{
"lessThan": "f099c5c9e2ba08a379bd354a82e05ef839ae29ac",
"status": "affected",
"version": "abeaa85054ff8cfe8b99aafc5c70ea067e5d0908",
"versionType": "git"
},
{
"status": "affected",
"version": "5c42f9bfb4c22898ed3d2806d75e2e58522a5edd",
"versionType": "git"
},
{
"status": "affected",
"version": "44736603a7099d2a9b48c669e43a689588e272a5",
"versionType": "git"
},
{
"status": "affected",
"version": "406a2fbfabbf7ed9ed21884a82c07fabc6fe0b68",
"versionType": "git"
},
{
"status": "affected",
"version": "66a4ca83d50bb38c814190af2188868153cce5de",
"versionType": "git"
},
{
"status": "affected",
"version": "3eb802924486a923585b344340a5536d91989a45",
"versionType": "git"
},
{
"status": "affected",
"version": "1bc633311a37913293c3c0a1b0f5261c49e3d5dc",
"versionType": "git"
},
{
"status": "affected",
"version": "378d2734bf603bac4959bce2cadf5927aa2beffc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c",
"drivers/net/wireless/ath/ath9k/htc_drv_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.228",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.228",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.185",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.129",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()\n\nThis patch fixes a use-after-free in ath9k that occurs in\nath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access\n\u0027drv_priv\u0027 that has already been freed by ieee80211_free_hw(), called by\nath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before\nieee80211_free_hw(). Note that urbs from the driver should be killed\nbefore freeing \u0027wmi\u0027 with ath9k_destroy_wmi() as their callbacks will\naccess \u0027wmi\u0027.\n\nFound by a modified version of syzkaller.\n\n==================================================================\nBUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40\nRead of size 8 at addr ffff8881069132a0 by task kworker/0:1/7\n\nCPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x8e/0xd1\n print_address_description.constprop.0.cold+0x93/0x334\n ? ath9k_destroy_wmi+0x38/0x40\n ? ath9k_destroy_wmi+0x38/0x40\n kasan_report.cold+0x83/0xdf\n ? ath9k_destroy_wmi+0x38/0x40\n ath9k_destroy_wmi+0x38/0x40\n ath9k_hif_usb_disconnect+0x329/0x3f0\n ? ath9k_hif_usb_suspend+0x120/0x120\n ? usb_disable_interface+0xfc/0x180\n usb_unbind_interface+0x19b/0x7e0\n ? usb_autoresume_device+0x50/0x50\n device_release_driver_internal+0x44d/0x520\n bus_remove_device+0x2e5/0x5a0\n device_del+0x5b2/0xe30\n ? __device_link_del+0x370/0x370\n ? usb_remove_ep_devs+0x43/0x80\n ? remove_intf_ep_devs+0x112/0x1a0\n usb_disable_device+0x1e3/0x5a0\n usb_disconnect+0x267/0x870\n hub_event+0x168d/0x3950\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? hub_port_debounce+0x2e0/0x2e0\n ? check_irq_usage+0x860/0xf20\n ? drain_workqueue+0x281/0x360\n ? lock_release+0x640/0x640\n ? rcu_read_lock_sched_held+0xa1/0xd0\n ? rcu_read_lock_bh_held+0xb0/0xb0\n ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n process_one_work+0x92b/0x1460\n ? pwq_dec_nr_in_flight+0x330/0x330\n ? rwlock_bug.part.0+0x90/0x90\n worker_thread+0x95/0xe00\n ? __kthread_parkme+0x115/0x1e0\n ? process_one_work+0x1460/0x1460\n kthread+0x3a1/0x480\n ? set_kthread_struct+0x120/0x120\n ret_from_fork+0x1f/0x30\n\nThe buggy address belongs to the page:\npage:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913\nflags: 0x200000000000000(node=0|zone=2)\nraw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000\nraw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635\n prep_new_page+0x1aa/0x240\n get_page_from_freelist+0x159a/0x27c0\n __alloc_pages+0x2da/0x6a0\n alloc_pages+0xec/0x1e0\n kmalloc_order+0x39/0xf0\n kmalloc_order_trace+0x19/0x120\n __kmalloc+0x308/0x390\n wiphy_new_nm+0x6f5/0x1dd0\n ieee80211_alloc_hw_nm+0x36d/0x2230\n ath9k_htc_probe_device+0x9d/0x1e10\n ath9k_htc_hw_init+0x34/0x50\n ath9k_hif_usb_firmware_cb+0x25f/0x4e0\n request_firmware_work_func+0x131/0x240\n process_one_work+0x92b/0x1460\n worker_thread+0x95/0xe00\n kthread+0x3a1/0x480\npage last free stack trace:\n free_pcp_prepare+0x3d3/0x7f0\n free_unref_page+0x1e/0x3d0\n device_release+0xa4/0x240\n kobject_put+0x186/0x4c0\n put_device+0x20/0x30\n ath9k_htc_disconnect_device+0x1cf/0x2c0\n ath9k_htc_hw_deinit+0x26/0x30\n ath9k_hif_usb_disconnect+0x2d9/0x3f0\n usb_unbind_interface+0x19b/0x7e0\n device_release_driver_internal+0x44d/0x520\n bus_remove_device+0x2e5/0x5a0\n device_del+0x5b2/0xe30\n usb_disable_device+0x1e3/0x5a0\n usb_disconnect+0x267/0x870\n hub_event+0x168d/0x3950\n process_one_work+0x92b/0x1460\n\nMemory state around the buggy address:\n ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\u003effff888\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:05:15.332Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99ff971b62e5bd5dee65bbe9777375206f5db791"
},
{
"url": "https://git.kernel.org/stable/c/634a5471a6bd774c0d0fa448dfa6ec593e899ec9"
},
{
"url": "https://git.kernel.org/stable/c/1f137c634a8c8faba648574f687805641e62f92e"
},
{
"url": "https://git.kernel.org/stable/c/de15e8bbd9eb26fe94a06d0ec7be82dc490eb729"
},
{
"url": "https://git.kernel.org/stable/c/f099c5c9e2ba08a379bd354a82e05ef839ae29ac"
}
],
"title": "wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50881",
"datePublished": "2025-12-30T12:23:20.343Z",
"dateReserved": "2025-12-30T12:06:07.137Z",
"dateUpdated": "2026-01-02T15:05:15.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40168 (GCVE-0-2025-40168)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:46 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().
smc_clc_prfx_match() is called from smc_listen_work() and
not under RCU nor RTNL.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dst_dev_rcu().
Note that the returned value of smc_clc_prfx_match() is not
used in the caller.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_clc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d26e80f7fb62d77757b67a1b94e4ac756bc9c658",
"status": "affected",
"version": "a046d57da19f812216f393e7c535f5858f793ac3",
"versionType": "git"
},
{
"lessThan": "235f81045c008169cc4e1955b4a64e118eebe61b",
"status": "affected",
"version": "a046d57da19f812216f393e7c535f5858f793ac3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_clc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().\n\nsmc_clc_prfx_match() is called from smc_listen_work() and\nnot under RCU nor RTNL.\n\nUsing sk_dst_get(sk)-\u003edev could trigger UAF.\n\nLet\u0027s use __sk_dst_get() and dst_dev_rcu().\n\nNote that the returned value of smc_clc_prfx_match() is not\nused in the caller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:22.173Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d26e80f7fb62d77757b67a1b94e4ac756bc9c658"
},
{
"url": "https://git.kernel.org/stable/c/235f81045c008169cc4e1955b4a64e118eebe61b"
}
],
"title": "smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40168",
"datePublished": "2025-11-12T10:46:51.422Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:22.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50735 (GCVE-0-2022-50735)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
wifi: mt76: do not run mt76u_status_worker if the device is not running
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: do not run mt76u_status_worker if the device is not running
Fix the following NULL pointer dereference avoiding to run
mt76u_status_worker thread if the device is not running yet.
KASAN: null-ptr-deref in range
[0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 98 Comm: kworker/u2:2 Not tainted 5.14.0+ #78 Hardware
name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: mt76 mt76u_tx_status_data
RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0
Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00
48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f>
b6
04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7
RSP: 0018:ffffc900005af988 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a
RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c
R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8
R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28
FS: 0000000000000000(0000) GS:ffff88811aa00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
mt76x02_send_tx_status+0x1d2/0xeb0
mt76x02_tx_status_data+0x8e/0xd0
mt76u_tx_status_data+0xe1/0x240
process_one_work+0x92b/0x1460
worker_thread+0x95/0xe00
kthread+0x3a1/0x480
ret_from_fork+0x1f/0x30
Modules linked in:
--[ end trace 8df5d20fc5040f65 ]--
RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0
Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00
48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f>
b6
04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7
RSP: 0018:ffffc900005af988 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a
RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c
R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8
R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28
FS: 0000000000000000(0000) GS:ffff88811aa00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0
PKRU: 55555554
Moreover move stat_work schedule out of the for loop.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9daf27e62852d68c6ffc2c21090238ea51bb0a7f , < 69346de0eb956fb92949b9473de4647d9c34a54f
(git)
Affected: 9daf27e62852d68c6ffc2c21090238ea51bb0a7f , < 58fdd84a89b121b761dbfb8a196356e007376ca4 (git) Affected: 9daf27e62852d68c6ffc2c21090238ea51bb0a7f , < f5ac749a0b21beee55d87d0b05de36976b22dff9 (git) Affected: 9daf27e62852d68c6ffc2c21090238ea51bb0a7f , < bd5dac7ced5a7c9faa4dc468ac9560c3256df845 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69346de0eb956fb92949b9473de4647d9c34a54f",
"status": "affected",
"version": "9daf27e62852d68c6ffc2c21090238ea51bb0a7f",
"versionType": "git"
},
{
"lessThan": "58fdd84a89b121b761dbfb8a196356e007376ca4",
"status": "affected",
"version": "9daf27e62852d68c6ffc2c21090238ea51bb0a7f",
"versionType": "git"
},
{
"lessThan": "f5ac749a0b21beee55d87d0b05de36976b22dff9",
"status": "affected",
"version": "9daf27e62852d68c6ffc2c21090238ea51bb0a7f",
"versionType": "git"
},
{
"lessThan": "bd5dac7ced5a7c9faa4dc468ac9560c3256df845",
"status": "affected",
"version": "9daf27e62852d68c6ffc2c21090238ea51bb0a7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: do not run mt76u_status_worker if the device is not running\n\nFix the following NULL pointer dereference avoiding to run\nmt76u_status_worker thread if the device is not running yet.\n\nKASAN: null-ptr-deref in range\n[0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 98 Comm: kworker/u2:2 Not tainted 5.14.0+ #78 Hardware\nname: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: mt76 mt76u_tx_status_data\nRIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0\nCode: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00\n48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 \u003c0f\u003e\nb6\n04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7\nRSP: 0018:ffffc900005af988 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a\nRBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c\nR10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8\nR13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28\nFS: 0000000000000000(0000) GS:ffff88811aa00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n mt76x02_send_tx_status+0x1d2/0xeb0\n mt76x02_tx_status_data+0x8e/0xd0\n mt76u_tx_status_data+0xe1/0x240\n process_one_work+0x92b/0x1460\n worker_thread+0x95/0xe00\n kthread+0x3a1/0x480\n ret_from_fork+0x1f/0x30\nModules linked in:\n--[ end trace 8df5d20fc5040f65 ]--\nRIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0\nCode: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00\n48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 \u003c0f\u003e\nb6\n04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7\nRSP: 0018:ffffc900005af988 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a\nRBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c\nR10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8\nR13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28\nFS: 0000000000000000(0000) GS:ffff88811aa00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0\nPKRU: 55555554\n\nMoreover move stat_work schedule out of the for loop."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:11.277Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69346de0eb956fb92949b9473de4647d9c34a54f"
},
{
"url": "https://git.kernel.org/stable/c/58fdd84a89b121b761dbfb8a196356e007376ca4"
},
{
"url": "https://git.kernel.org/stable/c/f5ac749a0b21beee55d87d0b05de36976b22dff9"
},
{
"url": "https://git.kernel.org/stable/c/bd5dac7ced5a7c9faa4dc468ac9560c3256df845"
}
],
"title": "wifi: mt76: do not run mt76u_status_worker if the device is not running",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50735",
"datePublished": "2025-12-24T12:22:54.004Z",
"dateReserved": "2025-12-24T12:20:40.331Z",
"dateUpdated": "2026-01-02T15:04:11.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40102 (GCVE-0-2025-40102)
Vulnerability from cvelistv5 – Published: 2025-10-30 09:48 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
KVM: arm64: Prevent access to vCPU events before init
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Prevent access to vCPU events before init
Another day, another syzkaller bug. KVM erroneously allows userspace to
pend vCPU events for a vCPU that hasn't been initialized yet, leading to
KVM interpreting a bunch of uninitialized garbage for routing /
injecting the exception.
In one case the injection code and the hyp disagree on whether the vCPU
has a 32bit EL1 and put the vCPU into an illegal mode for AArch64,
tripping the BUG() in exception_target_el() during the next injection:
kernel BUG at arch/arm64/kvm/inject_fault.c:40!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT
Hardware name: linux,dummy-virt (DT)
pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : exception_target_el+0x88/0x8c
lr : pend_serror_exception+0x18/0x13c
sp : ffff800082f03a10
x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000
x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000
x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004
x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20
Call trace:
exception_target_el+0x88/0x8c (P)
kvm_inject_serror_esr+0x40/0x3b4
__kvm_arm_vcpu_set_events+0xf0/0x100
kvm_arch_vcpu_ioctl+0x180/0x9d4
kvm_vcpu_ioctl+0x60c/0x9f4
__arm64_sys_ioctl+0xac/0x104
invoke_syscall+0x48/0x110
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xf0
el0t_64_sync_handler+0xa0/0xe4
el0t_64_sync+0x198/0x19c
Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)
Reject the ioctls outright as no sane VMM would call these before
KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been
thrown away by the eventual reset of the vCPU's state.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64a04e6320fc5affbadc59dc7024d79f909bfe84",
"status": "affected",
"version": "b7b27facc7b50a5fce0afaa3df56157136ce181a",
"versionType": "git"
},
{
"lessThan": "0aa1b76fe1429629215a7c79820e4b96233ac4a3",
"status": "affected",
"version": "b7b27facc7b50a5fce0afaa3df56157136ce181a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/arm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Prevent access to vCPU events before init\n\nAnother day, another syzkaller bug. KVM erroneously allows userspace to\npend vCPU events for a vCPU that hasn\u0027t been initialized yet, leading to\nKVM interpreting a bunch of uninitialized garbage for routing /\ninjecting the exception.\n\nIn one case the injection code and the hyp disagree on whether the vCPU\nhas a 32bit EL1 and put the vCPU into an illegal mode for AArch64,\ntripping the BUG() in exception_target_el() during the next injection:\n\n kernel BUG at arch/arm64/kvm/inject_fault.c:40!\n Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT\n Hardware name: linux,dummy-virt (DT)\n pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n pc : exception_target_el+0x88/0x8c\n lr : pend_serror_exception+0x18/0x13c\n sp : ffff800082f03a10\n x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000\n x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000\n x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004\n x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000\n x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20\n Call trace:\n exception_target_el+0x88/0x8c (P)\n kvm_inject_serror_esr+0x40/0x3b4\n __kvm_arm_vcpu_set_events+0xf0/0x100\n kvm_arch_vcpu_ioctl+0x180/0x9d4\n kvm_vcpu_ioctl+0x60c/0x9f4\n __arm64_sys_ioctl+0xac/0x104\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xf0\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\n Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)\n\nReject the ioctls outright as no sane VMM would call these before\nKVM_ARM_VCPU_INIT anyway. Even if it did the exception would\u0027ve been\nthrown away by the eventual reset of the vCPU\u0027s state."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:04.753Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64a04e6320fc5affbadc59dc7024d79f909bfe84"
},
{
"url": "https://git.kernel.org/stable/c/0aa1b76fe1429629215a7c79820e4b96233ac4a3"
}
],
"title": "KVM: arm64: Prevent access to vCPU events before init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40102",
"datePublished": "2025-10-30T09:48:07.790Z",
"dateReserved": "2025-04-16T07:20:57.164Z",
"dateUpdated": "2025-12-01T06:18:04.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40178 (GCVE-0-2025-40178)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
pid: Add a judgment for ns null in pid_nr_ns
Summary
In the Linux kernel, the following vulnerability has been resolved:
pid: Add a judgment for ns null in pid_nr_ns
__task_pid_nr_ns
ns = task_active_pid_ns(current);
pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
if (pid && ns->level <= pid->level) {
Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.
For example:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
Mem abort info:
ESR = 0x0000000096000007
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x07: level 3 translation fault
Data abort info:
ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000
[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000
pstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __task_pid_nr_ns+0x74/0xd0
lr : __task_pid_nr_ns+0x24/0xd0
sp : ffffffc08001bd10
x29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001
x26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31
x23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0
x20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000
x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc
x14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800
x11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001
x8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449
x5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc
x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0
Call trace:
__task_pid_nr_ns+0x74/0xd0
...
__handle_irq_event_percpu+0xd4/0x284
handle_irq_event+0x48/0xb0
handle_fasteoi_irq+0x160/0x2d8
generic_handle_domain_irq+0x44/0x60
gic_handle_irq+0x4c/0x114
call_on_irq_stack+0x3c/0x74
do_interrupt_handler+0x4c/0x84
el1_interrupt+0x34/0x58
el1h_64_irq_handler+0x18/0x24
el1h_64_irq+0x68/0x6c
account_kernel_stack+0x60/0x144
exit_task_stack_account+0x1c/0x80
do_exit+0x7e4/0xaf8
...
get_signal+0x7bc/0x8d8
do_notify_resume+0x128/0x828
el0_svc+0x6c/0x70
el0t_64_sync_handler+0x68/0xbc
el0t_64_sync+0x1a8/0x1ac
Code: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
17cf22c33e1f1b5e435469c84e43872579497653 , < 75dbc029c5359438be4a6f908bfbfdab969af776
(git)
Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < c2d09d724856b6f82ab688f65fc1ce833bb56333 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < c3b654021931dc806ba086c549e8756c3f204a67 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < e10c36a771c5cc910abd9fe4aa9033ee32a47c38 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < 09d227c59d97efda7d5cc878a4335a6b2bb224c2 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < 2076b916bf41be48799d1443df0f8fc75d12ccd0 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < a0212978af1825b37da0b453b94d9b0e5af11478 (git) Affected: 17cf22c33e1f1b5e435469c84e43872579497653 , < 006568ab4c5ca2309ceb36fa553e390b4aa9c0c7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/pid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75dbc029c5359438be4a6f908bfbfdab969af776",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "c2d09d724856b6f82ab688f65fc1ce833bb56333",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "c3b654021931dc806ba086c549e8756c3f204a67",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "e10c36a771c5cc910abd9fe4aa9033ee32a47c38",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "09d227c59d97efda7d5cc878a4335a6b2bb224c2",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "2076b916bf41be48799d1443df0f8fc75d12ccd0",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "a0212978af1825b37da0b453b94d9b0e5af11478",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
},
{
"lessThan": "006568ab4c5ca2309ceb36fa553e390b4aa9c0c7",
"status": "affected",
"version": "17cf22c33e1f1b5e435469c84e43872579497653",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/pid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npid: Add a judgment for ns null in pid_nr_ns\n\n__task_pid_nr_ns\n ns = task_active_pid_ns(current);\n pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);\n if (pid \u0026\u0026 ns-\u003elevel \u003c= pid-\u003elevel) {\n\nSometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns.\n\nFor example:\n\tUnable to handle kernel NULL pointer dereference at virtual address 0000000000000058\n\tMem abort info:\n\tESR = 0x0000000096000007\n\tEC = 0x25: DABT (current EL), IL = 32 bits\n\tSET = 0, FnV = 0\n\tEA = 0, S1PTW = 0\n\tFSC = 0x07: level 3 translation fault\n\tData abort info:\n\tISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n\tCM = 0, WnR = 0, TnD = 0, TagAccess = 0\n\tGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n\tuser pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000\n\t[0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000\n\tpstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n\tpc : __task_pid_nr_ns+0x74/0xd0\n\tlr : __task_pid_nr_ns+0x24/0xd0\n\tsp : ffffffc08001bd10\n\tx29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001\n\tx26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31\n\tx23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0\n\tx20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000\n\tx17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc\n\tx14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800\n\tx11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001\n\tx8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449\n\tx5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc\n\tx2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0\n\tCall trace:\n\t__task_pid_nr_ns+0x74/0xd0\n\t...\n\t__handle_irq_event_percpu+0xd4/0x284\n\thandle_irq_event+0x48/0xb0\n\thandle_fasteoi_irq+0x160/0x2d8\n\tgeneric_handle_domain_irq+0x44/0x60\n\tgic_handle_irq+0x4c/0x114\n\tcall_on_irq_stack+0x3c/0x74\n\tdo_interrupt_handler+0x4c/0x84\n\tel1_interrupt+0x34/0x58\n\tel1h_64_irq_handler+0x18/0x24\n\tel1h_64_irq+0x68/0x6c\n\taccount_kernel_stack+0x60/0x144\n\texit_task_stack_account+0x1c/0x80\n\tdo_exit+0x7e4/0xaf8\n\t...\n\tget_signal+0x7bc/0x8d8\n\tdo_notify_resume+0x128/0x828\n\tel0_svc+0x6c/0x70\n\tel0t_64_sync_handler+0x68/0xbc\n\tel0t_64_sync+0x1a8/0x1ac\n\tCode: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69)\n\t---[ end trace 0000000000000000 ]---\n\tKernel panic - not syncing: Oops: Fatal exception in interrupt"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:08.316Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75dbc029c5359438be4a6f908bfbfdab969af776"
},
{
"url": "https://git.kernel.org/stable/c/c2d09d724856b6f82ab688f65fc1ce833bb56333"
},
{
"url": "https://git.kernel.org/stable/c/c3b654021931dc806ba086c549e8756c3f204a67"
},
{
"url": "https://git.kernel.org/stable/c/e10c36a771c5cc910abd9fe4aa9033ee32a47c38"
},
{
"url": "https://git.kernel.org/stable/c/09d227c59d97efda7d5cc878a4335a6b2bb224c2"
},
{
"url": "https://git.kernel.org/stable/c/2076b916bf41be48799d1443df0f8fc75d12ccd0"
},
{
"url": "https://git.kernel.org/stable/c/a0212978af1825b37da0b453b94d9b0e5af11478"
},
{
"url": "https://git.kernel.org/stable/c/006568ab4c5ca2309ceb36fa553e390b4aa9c0c7"
}
],
"title": "pid: Add a judgment for ns null in pid_nr_ns",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40178",
"datePublished": "2025-11-12T21:56:24.051Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2026-01-02T15:33:08.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68259 (GCVE-0-2025-68259)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn
instruction, discard the exception and retry the instruction if the code
stream is changed (e.g. by a different vCPU) between when the CPU
executes the instruction and when KVM decodes the instruction to get the
next RIP.
As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject
INT3/INTO instead of retrying the instruction"), failure to verify that
the correct INTn instruction was decoded can effectively clobber guest
state due to decoding the wrong instruction and thus specifying the
wrong next RIP.
The bug most often manifests as "Oops: int3" panics on static branch
checks in Linux guests. Enabling or disabling a static branch in Linux
uses the kernel's "text poke" code patching mechanism. To modify code
while other CPUs may be executing that code, Linux (temporarily)
replaces the first byte of the original instruction with an int3 (opcode
0xcc), then patches in the new code stream except for the first byte,
and finally replaces the int3 with the first byte of the new code
stream. If a CPU hits the int3, i.e. executes the code while it's being
modified, then the guest kernel must look up the RIP to determine how to
handle the #BP, e.g. by emulating the new instruction. If the RIP is
incorrect, then this lookup fails and the guest kernel panics.
The bug reproduces almost instantly by hacking the guest kernel to
repeatedly check a static branch[1] while running a drgn script[2] on
the host to constantly swap out the memory containing the guest's TSS.
[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a
[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 2e84a018c2895c05abe213eb10db128aa45f6ec6
(git)
Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 152289a51107ef45bbfe9b4aeeaa584a503042b5 (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 87cc1622c88a4888959d64fa1fc9ba1e264aa3d4 (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 54bcccc2c7805a00af1d7d2faffd6f424c0133aa (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 53903ac9ca1abffa27327e85075ec496fa55ccf3 (git) Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 4da3768e1820cf15cced390242d8789aed34f54d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e84a018c2895c05abe213eb10db128aa45f6ec6",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "152289a51107ef45bbfe9b4aeeaa584a503042b5",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "87cc1622c88a4888959d64fa1fc9ba1e264aa3d4",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "54bcccc2c7805a00af1d7d2faffd6f424c0133aa",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "53903ac9ca1abffa27327e85075ec496fa55ccf3",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
},
{
"lessThan": "4da3768e1820cf15cced390242d8789aed34f54d",
"status": "affected",
"version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/kvm_host.h",
"arch/x86/kvm/svm/svm.c",
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Don\u0027t skip unrelated instruction if INT3/INTO is replaced\n\nWhen re-injecting a soft interrupt from an INT3, INT0, or (select) INTn\ninstruction, discard the exception and retry the instruction if the code\nstream is changed (e.g. by a different vCPU) between when the CPU\nexecutes the instruction and when KVM decodes the instruction to get the\nnext RIP.\n\nAs effectively predicted by commit 6ef88d6e36c2 (\"KVM: SVM: Re-inject\nINT3/INTO instead of retrying the instruction\"), failure to verify that\nthe correct INTn instruction was decoded can effectively clobber guest\nstate due to decoding the wrong instruction and thus specifying the\nwrong next RIP.\n\nThe bug most often manifests as \"Oops: int3\" panics on static branch\nchecks in Linux guests. Enabling or disabling a static branch in Linux\nuses the kernel\u0027s \"text poke\" code patching mechanism. To modify code\nwhile other CPUs may be executing that code, Linux (temporarily)\nreplaces the first byte of the original instruction with an int3 (opcode\n0xcc), then patches in the new code stream except for the first byte,\nand finally replaces the int3 with the first byte of the new code\nstream. If a CPU hits the int3, i.e. executes the code while it\u0027s being\nmodified, then the guest kernel must look up the RIP to determine how to\nhandle the #BP, e.g. by emulating the new instruction. If the RIP is\nincorrect, then this lookup fails and the guest kernel panics.\n\nThe bug reproduces almost instantly by hacking the guest kernel to\nrepeatedly check a static branch[1] while running a drgn script[2] on\nthe host to constantly swap out the memory containing the guest\u0027s TSS.\n\n[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a\n[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:34.616Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e84a018c2895c05abe213eb10db128aa45f6ec6"
},
{
"url": "https://git.kernel.org/stable/c/152289a51107ef45bbfe9b4aeeaa584a503042b5"
},
{
"url": "https://git.kernel.org/stable/c/87cc1622c88a4888959d64fa1fc9ba1e264aa3d4"
},
{
"url": "https://git.kernel.org/stable/c/54bcccc2c7805a00af1d7d2faffd6f424c0133aa"
},
{
"url": "https://git.kernel.org/stable/c/53903ac9ca1abffa27327e85075ec496fa55ccf3"
},
{
"url": "https://git.kernel.org/stable/c/4da3768e1820cf15cced390242d8789aed34f54d"
}
],
"title": "KVM: SVM: Don\u0027t skip unrelated instruction if INT3/INTO is replaced",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68259",
"datePublished": "2025-12-16T14:45:01.753Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-01-11T16:29:34.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68303 (GCVE-0-2025-68303)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
platform/x86: intel: punit_ipc: fix memory corruption
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: intel: punit_ipc: fix memory corruption
This passes the address of the pointer "&punit_ipcdev" when the intent
was to pass the pointer itself "punit_ipcdev" (without the ampersand).
This means that the:
complete(&ipcdev->cmd_complete);
in intel_punit_ioc() will write to a wrong memory address corrupting it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fdca4f16f57da76a8e68047923588a87d1c01f0a , < 15d560cdf5b36c51fffec07ac2a983ab3bff4cb2
(git)
Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < 46e9d6f54184573dae1dcbcf6685a572ba6f4480 (git) Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < 3e7442c5802146fd418ba3f68dcb9ca92b5cec83 (git) Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < a21615a4ac6fecbb586d59fe2206b63501021789 (git) Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < c2ee6d38996775a19bfdf20cb01a9b8698cb0baa (git) Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < 9b9c0adbc3f8a524d291baccc9d0c04097fb4869 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/punit_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15d560cdf5b36c51fffec07ac2a983ab3bff4cb2",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "46e9d6f54184573dae1dcbcf6685a572ba6f4480",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "3e7442c5802146fd418ba3f68dcb9ca92b5cec83",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "a21615a4ac6fecbb586d59fe2206b63501021789",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "c2ee6d38996775a19bfdf20cb01a9b8698cb0baa",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
},
{
"lessThan": "9b9c0adbc3f8a524d291baccc9d0c04097fb4869",
"status": "affected",
"version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/intel/punit_ipc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: intel: punit_ipc: fix memory corruption\n\nThis passes the address of the pointer \"\u0026punit_ipcdev\" when the intent\nwas to pass the pointer itself \"punit_ipcdev\" (without the ampersand).\nThis means that the:\n\n\tcomplete(\u0026ipcdev-\u003ecmd_complete);\n\nin intel_punit_ioc() will write to a wrong memory address corrupting it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:21.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15d560cdf5b36c51fffec07ac2a983ab3bff4cb2"
},
{
"url": "https://git.kernel.org/stable/c/46e9d6f54184573dae1dcbcf6685a572ba6f4480"
},
{
"url": "https://git.kernel.org/stable/c/3e7442c5802146fd418ba3f68dcb9ca92b5cec83"
},
{
"url": "https://git.kernel.org/stable/c/a21615a4ac6fecbb586d59fe2206b63501021789"
},
{
"url": "https://git.kernel.org/stable/c/c2ee6d38996775a19bfdf20cb01a9b8698cb0baa"
},
{
"url": "https://git.kernel.org/stable/c/9b9c0adbc3f8a524d291baccc9d0c04097fb4869"
}
],
"title": "platform/x86: intel: punit_ipc: fix memory corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68303",
"datePublished": "2025-12-16T15:06:21.208Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:21.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54213 (GCVE-0-2023-54213)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2026-01-05 11:36
VLAI?
EPSS
Title
USB: sisusbvga: Add endpoint checks
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: sisusbvga: Add endpoint checks
The syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver:
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 <0f> 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95
RBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003
R13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline]
sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379
sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline]
sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline]
sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177
sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869
...
The problem was caused by the fact that the driver does not check
whether the endpoints it uses are actually present and have the
appropriate types. This can be fixed by adding a simple check of
the endpoints.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bccb2ccb65515dc66a8001f99f4dcba8a45987f9
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a8f980ecb0112100366c64e0404d9dd1dcbd2fcd (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a730feb672c7d7c5f7414c3715f8e3fa844e5a9b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ccef03c5113506d27dd6530d3a9ef5715c068e13 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 43f569fd0699c4240a5c96e5ba1a0844a595afca (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d5dba4b7bf904143702fb4be641802ee2e9c95aa (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0f9028b6ffaa98bff7c479cccf2558247e295534 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < df05a9b05e466a46725564528b277d0c570d0104 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/misc/sisusbvga/sisusbvga.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bccb2ccb65515dc66a8001f99f4dcba8a45987f9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a8f980ecb0112100366c64e0404d9dd1dcbd2fcd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a730feb672c7d7c5f7414c3715f8e3fa844e5a9b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ccef03c5113506d27dd6530d3a9ef5715c068e13",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "43f569fd0699c4240a5c96e5ba1a0844a595afca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d5dba4b7bf904143702fb4be641802ee2e9c95aa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0f9028b6ffaa98bff7c479cccf2558247e295534",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "df05a9b05e466a46725564528b277d0c570d0104",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/misc/sisusbvga/sisusbvga.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: sisusbvga: Add endpoint checks\n\nThe syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver:\n\n------------[ cut here ]------------\nusb 1-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\nModules linked in:\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023\nWorkqueue: usb_hub_wq hub_event\nRIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504\nCode: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 \u003c0f\u003e 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7\nRSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\nRDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95\nRBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003\nR13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600\nFS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline]\n sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379\n sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline]\n sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline]\n sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177\n sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869\n...\n\nThe problem was caused by the fact that the driver does not check\nwhether the endpoints it uses are actually present and have the\nappropriate types. This can be fixed by adding a simple check of\nthe endpoints."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:36:51.512Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bccb2ccb65515dc66a8001f99f4dcba8a45987f9"
},
{
"url": "https://git.kernel.org/stable/c/a8f980ecb0112100366c64e0404d9dd1dcbd2fcd"
},
{
"url": "https://git.kernel.org/stable/c/a730feb672c7d7c5f7414c3715f8e3fa844e5a9b"
},
{
"url": "https://git.kernel.org/stable/c/ccef03c5113506d27dd6530d3a9ef5715c068e13"
},
{
"url": "https://git.kernel.org/stable/c/43f569fd0699c4240a5c96e5ba1a0844a595afca"
},
{
"url": "https://git.kernel.org/stable/c/d5dba4b7bf904143702fb4be641802ee2e9c95aa"
},
{
"url": "https://git.kernel.org/stable/c/0f9028b6ffaa98bff7c479cccf2558247e295534"
},
{
"url": "https://git.kernel.org/stable/c/df05a9b05e466a46725564528b277d0c570d0104"
}
],
"title": "USB: sisusbvga: Add endpoint checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54213",
"datePublished": "2025-12-30T12:11:10.702Z",
"dateReserved": "2025-12-30T12:06:44.500Z",
"dateUpdated": "2026-01-05T11:36:51.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40064 (GCVE-0-2025-40064)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
smc: Fix use-after-free in __pnet_find_base_ndev().
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc: Fix use-after-free in __pnet_find_base_ndev().
syzbot reported use-after-free of net_device in __pnet_find_base_ndev(),
which was called during connect(). [0]
smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes
down to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened
at __pnet_find_base_ndev() when the dev is first used.
This means dev had already been freed before acquiring RTNL in
pnet_find_base_ndev().
While dev is going away, dst->dev could be swapped with blackhole_netdev,
and the dev's refcnt by dst will be released.
We must hold dev's refcnt before calling smc_pnet_find_ism_resource().
Also, smc_pnet_find_roce_resource() has the same problem.
Let's use __sk_dst_get() and dst_dev_rcu() in the two functions.
[0]:
BUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
Read of size 1 at addr ffff888036bac33a by task syz.0.3632/18609
CPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926
pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]
smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]
smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154
smc_find_ism_device net/smc/af_smc.c:1030 [inline]
smc_find_proposal_devices net/smc/af_smc.c:1115 [inline]
__smc_connect+0x372/0x1890 net/smc/af_smc.c:1545
smc_connect+0x877/0xd90 net/smc/af_smc.c:1715
__sys_connect_file net/socket.c:2086 [inline]
__sys_connect+0x313/0x440 net/socket.c:2105
__do_sys_connect net/socket.c:2111 [inline]
__se_sys_connect net/socket.c:2108 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2108
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f47cbf8eba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9
RDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b
RBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000
raw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317
__kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348
__do_kmalloc_node mm/slub.c:4364 [inline]
__kvmalloc_node
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_pnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "233927b645cb7a14bb98d23ac72e4c7243a9f0d9",
"status": "affected",
"version": "0afff91c6f5ecef27715ea71e34dc2baacba1060",
"versionType": "git"
},
{
"lessThan": "3d3466878afd8d43ec0ca2facfbc7f03e40d0f79",
"status": "affected",
"version": "0afff91c6f5ecef27715ea71e34dc2baacba1060",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_pnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix use-after-free in __pnet_find_base_ndev().\n\nsyzbot reported use-after-free of net_device in __pnet_find_base_ndev(),\nwhich was called during connect(). [0]\n\nsmc_pnet_find_ism_resource() fetches sk_dst_get(sk)-\u003edev and passes\ndown to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened\nat __pnet_find_base_ndev() when the dev is first used.\n\nThis means dev had already been freed before acquiring RTNL in\npnet_find_base_ndev().\n\nWhile dev is going away, dst-\u003edev could be swapped with blackhole_netdev,\nand the dev\u0027s refcnt by dst will be released.\n\nWe must hold dev\u0027s refcnt before calling smc_pnet_find_ism_resource().\n\nAlso, smc_pnet_find_roce_resource() has the same problem.\n\nLet\u0027s use __sk_dst_get() and dst_dev_rcu() in the two functions.\n\n[0]:\nBUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926\nRead of size 1 at addr ffff888036bac33a by task syz.0.3632/18609\n\nCPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926\n pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline]\n smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline]\n smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154\n smc_find_ism_device net/smc/af_smc.c:1030 [inline]\n smc_find_proposal_devices net/smc/af_smc.c:1115 [inline]\n __smc_connect+0x372/0x1890 net/smc/af_smc.c:1545\n smc_connect+0x877/0xd90 net/smc/af_smc.c:1715\n __sys_connect_file net/socket.c:2086 [inline]\n __sys_connect+0x313/0x440 net/socket.c:2105\n __do_sys_connect net/socket.c:2111 [inline]\n __se_sys_connect net/socket.c:2108 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2108\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f47cbf8eba9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9\nRDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000b\nRBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8\n \u003c/TASK\u003e\n\nThe buggy address belongs to the physical page:\npage: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bac\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000\nraw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466\n set_page_owner include/linux/page_owner.h:32 [inline]\n post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851\n prep_new_page mm/page_alloc.c:1859 [inline]\n get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858\n __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148\n alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416\n ___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317\n __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348\n __do_kmalloc_node mm/slub.c:4364 [inline]\n __kvmalloc_node\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:14.674Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/233927b645cb7a14bb98d23ac72e4c7243a9f0d9"
},
{
"url": "https://git.kernel.org/stable/c/3d3466878afd8d43ec0ca2facfbc7f03e40d0f79"
}
],
"title": "smc: Fix use-after-free in __pnet_find_base_ndev().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40064",
"datePublished": "2025-10-28T11:48:35.155Z",
"dateReserved": "2025-04-16T07:20:57.159Z",
"dateUpdated": "2025-12-01T06:17:14.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68747 (GCVE-0-2025-68747)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2025-12-24 12:09
VLAI?
EPSS
Title
drm/panthor: Fix UAF on kernel BO VA nodes
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: Fix UAF on kernel BO VA nodes
If the MMU is down, panthor_vm_unmap_range() might return an error.
We expect the page table to be updated still, and if the MMU is blocked,
the rest of the GPU should be blocked too, so no risk of accessing
physical memory returned to the system (which the current code doesn't
cover for anyway).
Proceed with the rest of the cleanup instead of bailing out and leaving
the va_node inserted in the drm_mm, which leads to UAF when other
adjacent nodes are removed from the drm_mm tree.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8a1cc07578bf42d85f008316873d710ff684dd29 , < 5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391
(git)
Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 1123eadb843588b361c96f53a771202b7953154f (git) Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 0612704b6f6ddf2ae223019c52148c5ac76cf70e (git) Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 98dd5143447af0ee33551776d8b2560c35d0bc4a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391",
"status": "affected",
"version": "8a1cc07578bf42d85f008316873d710ff684dd29",
"versionType": "git"
},
{
"lessThan": "1123eadb843588b361c96f53a771202b7953154f",
"status": "affected",
"version": "8a1cc07578bf42d85f008316873d710ff684dd29",
"versionType": "git"
},
{
"lessThan": "0612704b6f6ddf2ae223019c52148c5ac76cf70e",
"status": "affected",
"version": "8a1cc07578bf42d85f008316873d710ff684dd29",
"versionType": "git"
},
{
"lessThan": "98dd5143447af0ee33551776d8b2560c35d0bc4a",
"status": "affected",
"version": "8a1cc07578bf42d85f008316873d710ff684dd29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix UAF on kernel BO VA nodes\n\nIf the MMU is down, panthor_vm_unmap_range() might return an error.\nWe expect the page table to be updated still, and if the MMU is blocked,\nthe rest of the GPU should be blocked too, so no risk of accessing\nphysical memory returned to the system (which the current code doesn\u0027t\ncover for anyway).\n\nProceed with the rest of the cleanup instead of bailing out and leaving\nthe va_node inserted in the drm_mm, which leads to UAF when other\nadjacent nodes are removed from the drm_mm tree."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:09:42.925Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391"
},
{
"url": "https://git.kernel.org/stable/c/1123eadb843588b361c96f53a771202b7953154f"
},
{
"url": "https://git.kernel.org/stable/c/0612704b6f6ddf2ae223019c52148c5ac76cf70e"
},
{
"url": "https://git.kernel.org/stable/c/98dd5143447af0ee33551776d8b2560c35d0bc4a"
}
],
"title": "drm/panthor: Fix UAF on kernel BO VA nodes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68747",
"datePublished": "2025-12-24T12:09:42.925Z",
"dateReserved": "2025-12-24T10:30:51.031Z",
"dateUpdated": "2025-12-24T12:09:42.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50702 (GCVE-0-2022-50702)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()
Inject fault while probing module, if device_register() fails in
vdpasim_net_init() or vdpasim_blk_init(), but the refcount of kobject is
not decreased to 0, the name allocated in dev_set_name() is leaked.
Fix this by calling put_device(), so that name can be freed in
callback function kobject_cleanup().
(vdpa_sim_net)
unreferenced object 0xffff88807eebc370 (size 16):
comm "modprobe", pid 3848, jiffies 4362982860 (age 18.153s)
hex dump (first 16 bytes):
76 64 70 61 73 69 6d 5f 6e 65 74 00 6b 6b 6b a5 vdpasim_net.kkk.
backtrace:
[<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150
[<ffffffff81731d53>] kstrdup+0x33/0x60
[<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110
[<ffffffff82d87aab>] dev_set_name+0xab/0xe0
[<ffffffff82d91a23>] device_add+0xe3/0x1a80
[<ffffffffa0270013>] 0xffffffffa0270013
[<ffffffff81001c27>] do_one_initcall+0x87/0x2e0
[<ffffffff813739cb>] do_init_module+0x1ab/0x640
[<ffffffff81379d20>] load_module+0x5d00/0x77f0
[<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0
[<ffffffff83c4d505>] do_syscall_64+0x35/0x80
[<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
(vdpa_sim_blk)
unreferenced object 0xffff8881070c1250 (size 16):
comm "modprobe", pid 6844, jiffies 4364069319 (age 17.572s)
hex dump (first 16 bytes):
76 64 70 61 73 69 6d 5f 62 6c 6b 00 6b 6b 6b a5 vdpasim_blk.kkk.
backtrace:
[<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150
[<ffffffff81731d53>] kstrdup+0x33/0x60
[<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110
[<ffffffff82d87aab>] dev_set_name+0xab/0xe0
[<ffffffff82d91a23>] device_add+0xe3/0x1a80
[<ffffffffa0220013>] 0xffffffffa0220013
[<ffffffff81001c27>] do_one_initcall+0x87/0x2e0
[<ffffffff813739cb>] do_init_module+0x1ab/0x640
[<ffffffff81379d20>] load_module+0x5d00/0x77f0
[<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0
[<ffffffff83c4d505>] do_syscall_64+0x35/0x80
[<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a3c06ae158dd6fa8336157c31d9234689d068d02 , < 586e6fd7d581f987f7d0d2592edf0b26397e783e
(git)
Affected: a3c06ae158dd6fa8336157c31d9234689d068d02 , < 5be953e353fe421f2983e1fd37f07fba97edbffc (git) Affected: a3c06ae158dd6fa8336157c31d9234689d068d02 , < 337c24d817e28dd454ca22f1063dfad20822426e (git) Affected: a3c06ae158dd6fa8336157c31d9234689d068d02 , < aeca7ff254843d49a8739f07f7dab1341450111d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa_sim/vdpa_sim_blk.c",
"drivers/vdpa/vdpa_sim/vdpa_sim_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "586e6fd7d581f987f7d0d2592edf0b26397e783e",
"status": "affected",
"version": "a3c06ae158dd6fa8336157c31d9234689d068d02",
"versionType": "git"
},
{
"lessThan": "5be953e353fe421f2983e1fd37f07fba97edbffc",
"status": "affected",
"version": "a3c06ae158dd6fa8336157c31d9234689d068d02",
"versionType": "git"
},
{
"lessThan": "337c24d817e28dd454ca22f1063dfad20822426e",
"status": "affected",
"version": "a3c06ae158dd6fa8336157c31d9234689d068d02",
"versionType": "git"
},
{
"lessThan": "aeca7ff254843d49a8739f07f7dab1341450111d",
"status": "affected",
"version": "a3c06ae158dd6fa8336157c31d9234689d068d02",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa_sim/vdpa_sim_blk.c",
"drivers/vdpa/vdpa_sim/vdpa_sim_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()\n\nInject fault while probing module, if device_register() fails in\nvdpasim_net_init() or vdpasim_blk_init(), but the refcount of kobject is\nnot decreased to 0, the name allocated in dev_set_name() is leaked.\nFix this by calling put_device(), so that name can be freed in\ncallback function kobject_cleanup().\n\n(vdpa_sim_net)\nunreferenced object 0xffff88807eebc370 (size 16):\n comm \"modprobe\", pid 3848, jiffies 4362982860 (age 18.153s)\n hex dump (first 16 bytes):\n 76 64 70 61 73 69 6d 5f 6e 65 74 00 6b 6b 6b a5 vdpasim_net.kkk.\n backtrace:\n [\u003cffffffff8174f19e\u003e] __kmalloc_node_track_caller+0x4e/0x150\n [\u003cffffffff81731d53\u003e] kstrdup+0x33/0x60\n [\u003cffffffff83a5d421\u003e] kobject_set_name_vargs+0x41/0x110\n [\u003cffffffff82d87aab\u003e] dev_set_name+0xab/0xe0\n [\u003cffffffff82d91a23\u003e] device_add+0xe3/0x1a80\n [\u003cffffffffa0270013\u003e] 0xffffffffa0270013\n [\u003cffffffff81001c27\u003e] do_one_initcall+0x87/0x2e0\n [\u003cffffffff813739cb\u003e] do_init_module+0x1ab/0x640\n [\u003cffffffff81379d20\u003e] load_module+0x5d00/0x77f0\n [\u003cffffffff8137bc40\u003e] __do_sys_finit_module+0x110/0x1b0\n [\u003cffffffff83c4d505\u003e] do_syscall_64+0x35/0x80\n [\u003cffffffff83e0006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n(vdpa_sim_blk)\nunreferenced object 0xffff8881070c1250 (size 16):\n comm \"modprobe\", pid 6844, jiffies 4364069319 (age 17.572s)\n hex dump (first 16 bytes):\n 76 64 70 61 73 69 6d 5f 62 6c 6b 00 6b 6b 6b a5 vdpasim_blk.kkk.\n backtrace:\n [\u003cffffffff8174f19e\u003e] __kmalloc_node_track_caller+0x4e/0x150\n [\u003cffffffff81731d53\u003e] kstrdup+0x33/0x60\n [\u003cffffffff83a5d421\u003e] kobject_set_name_vargs+0x41/0x110\n [\u003cffffffff82d87aab\u003e] dev_set_name+0xab/0xe0\n [\u003cffffffff82d91a23\u003e] device_add+0xe3/0x1a80\n [\u003cffffffffa0220013\u003e] 0xffffffffa0220013\n [\u003cffffffff81001c27\u003e] do_one_initcall+0x87/0x2e0\n [\u003cffffffff813739cb\u003e] do_init_module+0x1ab/0x640\n [\u003cffffffff81379d20\u003e] load_module+0x5d00/0x77f0\n [\u003cffffffff8137bc40\u003e] __do_sys_finit_module+0x110/0x1b0\n [\u003cffffffff83c4d505\u003e] do_syscall_64+0x35/0x80\n [\u003cffffffff83e0006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:17.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/586e6fd7d581f987f7d0d2592edf0b26397e783e"
},
{
"url": "https://git.kernel.org/stable/c/5be953e353fe421f2983e1fd37f07fba97edbffc"
},
{
"url": "https://git.kernel.org/stable/c/337c24d817e28dd454ca22f1063dfad20822426e"
},
{
"url": "https://git.kernel.org/stable/c/aeca7ff254843d49a8739f07f7dab1341450111d"
}
],
"title": "vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50702",
"datePublished": "2025-12-24T10:55:17.831Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2025-12-24T10:55:17.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53780 (GCVE-0-2023-53780)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
drm/amd/display: fix FCLK pstate change underflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: fix FCLK pstate change underflow
[Why]
Currently we set FCLK p-state change
watermark calculated based on dummy
p-state latency when UCLK p-state is
not supported
[How]
Calculate FCLK p-state change watermark
based on on FCLK pstate change latency
in case UCLK p-state is not supported
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 4bdfa48d74649898468a0bf5c8b8a48dded77b4a
(git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 6853d56dba56d1c24db403ff3885c71e18d572c4 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 972243f973eb0821084e5833d5f7f4ed025f42da (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4bdfa48d74649898468a0bf5c8b8a48dded77b4a",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "6853d56dba56d1c24db403ff3885c71e18d572c4",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "972243f973eb0821084e5833d5f7f4ed025f42da",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix FCLK pstate change underflow\n\n[Why]\nCurrently we set FCLK p-state change\nwatermark calculated based on dummy\np-state latency when UCLK p-state is\nnot supported\n\n[How]\nCalculate FCLK p-state change watermark\nbased on on FCLK pstate change latency\nin case UCLK p-state is not supported"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:18.360Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4bdfa48d74649898468a0bf5c8b8a48dded77b4a"
},
{
"url": "https://git.kernel.org/stable/c/6853d56dba56d1c24db403ff3885c71e18d572c4"
},
{
"url": "https://git.kernel.org/stable/c/972243f973eb0821084e5833d5f7f4ed025f42da"
}
],
"title": "drm/amd/display: fix FCLK pstate change underflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53780",
"datePublished": "2025-12-09T00:00:35.925Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-20T08:51:18.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68230 (GCVE-0-2025-68230)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
drm/amdgpu: fix gpu page fault after hibernation on PF passthrough
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix gpu page fault after hibernation on PF passthrough
On PF passthrough environment, after hibernate and then resume, coralgemm
will cause gpu page fault.
Mode1 reset happens during hibernate, but partition mode is not restored
on resume, register mmCP_HYP_XCP_CTL and mmCP_PSP_XCP_CTL is not right
after resume. When CP access the MQD BO, wrong stride size is used,
this will cause out of bound access on the MQD BO, resulting page fault.
The fix is to ensure gfx_v9_4_3_switch_compute_partition() is called
when resume from a hibernation.
KFD resume is called separately during a reset recovery or resume from
suspend sequence. Hence it's not required to be called as part of
partition switch.
(cherry picked from commit 5d1b32cfe4a676fe552416cb5ae847b215463a1a)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
955220b04d42c41050158fec0f53957f320b96f9 , < a45d6359eefb41e08d374a3260b10bff5626823b
(git)
Affected: 955220b04d42c41050158fec0f53957f320b96f9 , < eef72d856f978955e633c270abb1f7ec7b61c6d2 (git) Affected: 955220b04d42c41050158fec0f53957f320b96f9 , < eb6e7f520d6efa4d4ebf1671455abe4a681f7a05 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c",
"drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a45d6359eefb41e08d374a3260b10bff5626823b",
"status": "affected",
"version": "955220b04d42c41050158fec0f53957f320b96f9",
"versionType": "git"
},
{
"lessThan": "eef72d856f978955e633c270abb1f7ec7b61c6d2",
"status": "affected",
"version": "955220b04d42c41050158fec0f53957f320b96f9",
"versionType": "git"
},
{
"lessThan": "eb6e7f520d6efa4d4ebf1671455abe4a681f7a05",
"status": "affected",
"version": "955220b04d42c41050158fec0f53957f320b96f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c",
"drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix gpu page fault after hibernation on PF passthrough\n\nOn PF passthrough environment, after hibernate and then resume, coralgemm\nwill cause gpu page fault.\n\nMode1 reset happens during hibernate, but partition mode is not restored\non resume, register mmCP_HYP_XCP_CTL and mmCP_PSP_XCP_CTL is not right\nafter resume. When CP access the MQD BO, wrong stride size is used,\nthis will cause out of bound access on the MQD BO, resulting page fault.\n\nThe fix is to ensure gfx_v9_4_3_switch_compute_partition() is called\nwhen resume from a hibernation.\nKFD resume is called separately during a reset recovery or resume from\nsuspend sequence. Hence it\u0027s not required to be called as part of\npartition switch.\n\n(cherry picked from commit 5d1b32cfe4a676fe552416cb5ae847b215463a1a)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:28.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a45d6359eefb41e08d374a3260b10bff5626823b"
},
{
"url": "https://git.kernel.org/stable/c/eef72d856f978955e633c270abb1f7ec7b61c6d2"
},
{
"url": "https://git.kernel.org/stable/c/eb6e7f520d6efa4d4ebf1671455abe4a681f7a05"
}
],
"title": "drm/amdgpu: fix gpu page fault after hibernation on PF passthrough",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68230",
"datePublished": "2025-12-16T13:57:22.787Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2026-01-02T15:34:28.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54031 (GCVE-0-2023-54031)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check
Summary
In the Linux kernel, the following vulnerability has been resolved:
vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdpa_nl_ops.
That is to say, the missing part in vdpa_nl_policy may lead to illegal
nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
This patch adds the missing nla_policy for vdpa queue index attr to avoid
such bugs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
13b00b135665c92065a27c0c39dd97e0f380bd4f , < 8ad9bc25cbdcec72e7ca43dd8281decb69ea9a70
(git)
Affected: 13b00b135665c92065a27c0c39dd97e0f380bd4f , < ccb533b7070aeeb65c66ea5d590e9c62421dcd61 (git) Affected: 13b00b135665c92065a27c0c39dd97e0f380bd4f , < b3003e1b54e057f5f3124e437b80c3bef26ed3fe (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ad9bc25cbdcec72e7ca43dd8281decb69ea9a70",
"status": "affected",
"version": "13b00b135665c92065a27c0c39dd97e0f380bd4f",
"versionType": "git"
},
{
"lessThan": "ccb533b7070aeeb65c66ea5d590e9c62421dcd61",
"status": "affected",
"version": "13b00b135665c92065a27c0c39dd97e0f380bd4f",
"versionType": "git"
},
{
"lessThan": "b3003e1b54e057f5f3124e437b80c3bef26ed3fe",
"status": "affected",
"version": "13b00b135665c92065a27c0c39dd97e0f380bd4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa: Add queue index attr to vdpa_nl_policy for nlattr length check\n\nThe vdpa_nl_policy structure is used to validate the nlattr when parsing\nthe incoming nlmsg. It will ensure the attribute being described produces\na valid nlattr pointer in info-\u003eattrs before entering into each handler\nin vdpa_nl_ops.\n\nThat is to say, the missing part in vdpa_nl_policy may lead to illegal\nnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.\n\nThis patch adds the missing nla_policy for vdpa queue index attr to avoid\nsuch bugs."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:58.885Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ad9bc25cbdcec72e7ca43dd8281decb69ea9a70"
},
{
"url": "https://git.kernel.org/stable/c/ccb533b7070aeeb65c66ea5d590e9c62421dcd61"
},
{
"url": "https://git.kernel.org/stable/c/b3003e1b54e057f5f3124e437b80c3bef26ed3fe"
}
],
"title": "vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54031",
"datePublished": "2025-12-24T10:55:58.885Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:55:58.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53765 (GCVE-0-2023-53765)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
dm cache: free background tracker's queued work in btracker_destroy
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm cache: free background tracker's queued work in btracker_destroy
Otherwise the kernel can BUG with:
[ 2245.426978] =============================================================================
[ 2245.435155] BUG bt_work (Tainted: G B W ): Objects remaining in bt_work on __kmem_cache_shutdown()
[ 2245.445233] -----------------------------------------------------------------------------
[ 2245.445233]
[ 2245.454879] Slab 0x00000000b0ce2b30 objects=64 used=2 fp=0x000000000a3c6a4e flags=0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[ 2245.467300] CPU: 7 PID: 10805 Comm: lvm Kdump: loaded Tainted: G B W 6.0.0-rc2 #19
[ 2245.476078] Hardware name: Dell Inc. PowerEdge R7525/0590KW, BIOS 2.5.6 10/06/2021
[ 2245.483646] Call Trace:
[ 2245.486100] <TASK>
[ 2245.488206] dump_stack_lvl+0x34/0x48
[ 2245.491878] slab_err+0x95/0xcd
[ 2245.495028] __kmem_cache_shutdown.cold+0x31/0x136
[ 2245.499821] kmem_cache_destroy+0x49/0x130
[ 2245.503928] btracker_destroy+0x12/0x20 [dm_cache]
[ 2245.508728] smq_destroy+0x15/0x60 [dm_cache_smq]
[ 2245.513435] dm_cache_policy_destroy+0x12/0x20 [dm_cache]
[ 2245.518834] destroy+0xc0/0x110 [dm_cache]
[ 2245.522933] dm_table_destroy+0x5c/0x120 [dm_mod]
[ 2245.527649] __dm_destroy+0x10e/0x1c0 [dm_mod]
[ 2245.532102] dev_remove+0x117/0x190 [dm_mod]
[ 2245.536384] ctl_ioctl+0x1a2/0x290 [dm_mod]
[ 2245.540579] dm_ctl_ioctl+0xa/0x20 [dm_mod]
[ 2245.544773] __x64_sys_ioctl+0x8a/0xc0
[ 2245.548524] do_syscall_64+0x5c/0x90
[ 2245.552104] ? syscall_exit_to_user_mode+0x12/0x30
[ 2245.556897] ? do_syscall_64+0x69/0x90
[ 2245.560648] ? do_syscall_64+0x69/0x90
[ 2245.564394] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 2245.569447] RIP: 0033:0x7fe52583ec6b
...
[ 2245.646771] ------------[ cut here ]------------
[ 2245.651395] kmem_cache_destroy bt_work: Slab cache still has objects when called from btracker_destroy+0x12/0x20 [dm_cache]
[ 2245.651408] WARNING: CPU: 7 PID: 10805 at mm/slab_common.c:478 kmem_cache_destroy+0x128/0x130
Found using: lvm2-testsuite --only "cache-single-split.sh"
Ben bisected and found that commit 0495e337b703 ("mm/slab_common:
Deleting kobject in kmem_cache_destroy() without holding
slab_mutex/cpu_hotplug_lock") first exposed dm-cache's incomplete
cleanup of its background tracker work objects.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b29d4986d0da1a27cd35917cdb433672f5c95d7f , < 673a3af21d5e3ed769f3eaed0c888244290a3506
(git)
Affected: b29d4986d0da1a27cd35917cdb433672f5c95d7f , < ed56ad5cacb7a3aeb611494d5d66e2399d2bfecc (git) Affected: b29d4986d0da1a27cd35917cdb433672f5c95d7f , < 95ab80a8a0fef2ce0cc494a306dd283948066ce7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-background-tracker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "673a3af21d5e3ed769f3eaed0c888244290a3506",
"status": "affected",
"version": "b29d4986d0da1a27cd35917cdb433672f5c95d7f",
"versionType": "git"
},
{
"lessThan": "ed56ad5cacb7a3aeb611494d5d66e2399d2bfecc",
"status": "affected",
"version": "b29d4986d0da1a27cd35917cdb433672f5c95d7f",
"versionType": "git"
},
{
"lessThan": "95ab80a8a0fef2ce0cc494a306dd283948066ce7",
"status": "affected",
"version": "b29d4986d0da1a27cd35917cdb433672f5c95d7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-cache-background-tracker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: free background tracker\u0027s queued work in btracker_destroy\n\nOtherwise the kernel can BUG with:\n\n[ 2245.426978] =============================================================================\n[ 2245.435155] BUG bt_work (Tainted: G B W ): Objects remaining in bt_work on __kmem_cache_shutdown()\n[ 2245.445233] -----------------------------------------------------------------------------\n[ 2245.445233]\n[ 2245.454879] Slab 0x00000000b0ce2b30 objects=64 used=2 fp=0x000000000a3c6a4e flags=0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)\n[ 2245.467300] CPU: 7 PID: 10805 Comm: lvm Kdump: loaded Tainted: G B W 6.0.0-rc2 #19\n[ 2245.476078] Hardware name: Dell Inc. PowerEdge R7525/0590KW, BIOS 2.5.6 10/06/2021\n[ 2245.483646] Call Trace:\n[ 2245.486100] \u003cTASK\u003e\n[ 2245.488206] dump_stack_lvl+0x34/0x48\n[ 2245.491878] slab_err+0x95/0xcd\n[ 2245.495028] __kmem_cache_shutdown.cold+0x31/0x136\n[ 2245.499821] kmem_cache_destroy+0x49/0x130\n[ 2245.503928] btracker_destroy+0x12/0x20 [dm_cache]\n[ 2245.508728] smq_destroy+0x15/0x60 [dm_cache_smq]\n[ 2245.513435] dm_cache_policy_destroy+0x12/0x20 [dm_cache]\n[ 2245.518834] destroy+0xc0/0x110 [dm_cache]\n[ 2245.522933] dm_table_destroy+0x5c/0x120 [dm_mod]\n[ 2245.527649] __dm_destroy+0x10e/0x1c0 [dm_mod]\n[ 2245.532102] dev_remove+0x117/0x190 [dm_mod]\n[ 2245.536384] ctl_ioctl+0x1a2/0x290 [dm_mod]\n[ 2245.540579] dm_ctl_ioctl+0xa/0x20 [dm_mod]\n[ 2245.544773] __x64_sys_ioctl+0x8a/0xc0\n[ 2245.548524] do_syscall_64+0x5c/0x90\n[ 2245.552104] ? syscall_exit_to_user_mode+0x12/0x30\n[ 2245.556897] ? do_syscall_64+0x69/0x90\n[ 2245.560648] ? do_syscall_64+0x69/0x90\n[ 2245.564394] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 2245.569447] RIP: 0033:0x7fe52583ec6b\n...\n[ 2245.646771] ------------[ cut here ]------------\n[ 2245.651395] kmem_cache_destroy bt_work: Slab cache still has objects when called from btracker_destroy+0x12/0x20 [dm_cache]\n[ 2245.651408] WARNING: CPU: 7 PID: 10805 at mm/slab_common.c:478 kmem_cache_destroy+0x128/0x130\n\nFound using: lvm2-testsuite --only \"cache-single-split.sh\"\n\nBen bisected and found that commit 0495e337b703 (\"mm/slab_common:\nDeleting kobject in kmem_cache_destroy() without holding\nslab_mutex/cpu_hotplug_lock\") first exposed dm-cache\u0027s incomplete\ncleanup of its background tracker work objects."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:48.382Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/673a3af21d5e3ed769f3eaed0c888244290a3506"
},
{
"url": "https://git.kernel.org/stable/c/ed56ad5cacb7a3aeb611494d5d66e2399d2bfecc"
},
{
"url": "https://git.kernel.org/stable/c/95ab80a8a0fef2ce0cc494a306dd283948066ce7"
}
],
"title": "dm cache: free background tracker\u0027s queued work in btracker_destroy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53765",
"datePublished": "2025-12-08T01:19:27.831Z",
"dateReserved": "2025-12-08T01:18:04.281Z",
"dateUpdated": "2026-01-05T10:32:48.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40081 (GCVE-0-2025-40081)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
Cast nr_pages to unsigned long to avoid overflow when handling large
AUX buffer sizes (>= 2 GiB).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d5d9696b03808bc6be723cc85288c912c3a05606 , < 656e9a5d69acdd1b20462f4a33378b90ddcb9626
(git)
Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < 9c045d4501f7f70724a3bbb561f4f22d292bbfe6 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < 5d01f2b81568289443d22f1e13a363f829de6343 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < 7500384d3c9587593d75ded3b006835e7aa73ef8 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < 379cae2cb982f571cda9493ac573ab71125fd299 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < 1a19ba8e1f4ff24ece8ca69b79df8442c431db90 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < e516cfd19b0f4c774a57b17fb43a7f41991f0735 (git) Affected: d5d9696b03808bc6be723cc85288c912c3a05606 , < a29fea30dd93da16652930162b177941abd8c75e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/perf/arm_spe_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "656e9a5d69acdd1b20462f4a33378b90ddcb9626",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "9c045d4501f7f70724a3bbb561f4f22d292bbfe6",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "5d01f2b81568289443d22f1e13a363f829de6343",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "7500384d3c9587593d75ded3b006835e7aa73ef8",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "379cae2cb982f571cda9493ac573ab71125fd299",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "1a19ba8e1f4ff24ece8ca69b79df8442c431db90",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "e516cfd19b0f4c774a57b17fb43a7f41991f0735",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
},
{
"lessThan": "a29fea30dd93da16652930162b177941abd8c75e",
"status": "affected",
"version": "d5d9696b03808bc6be723cc85288c912c3a05606",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/perf/arm_spe_pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: arm_spe: Prevent overflow in PERF_IDX2OFF()\n\nCast nr_pages to unsigned long to avoid overflow when handling large\nAUX buffer sizes (\u003e= 2 GiB)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:38.737Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/656e9a5d69acdd1b20462f4a33378b90ddcb9626"
},
{
"url": "https://git.kernel.org/stable/c/9c045d4501f7f70724a3bbb561f4f22d292bbfe6"
},
{
"url": "https://git.kernel.org/stable/c/5d01f2b81568289443d22f1e13a363f829de6343"
},
{
"url": "https://git.kernel.org/stable/c/7500384d3c9587593d75ded3b006835e7aa73ef8"
},
{
"url": "https://git.kernel.org/stable/c/379cae2cb982f571cda9493ac573ab71125fd299"
},
{
"url": "https://git.kernel.org/stable/c/1a19ba8e1f4ff24ece8ca69b79df8442c431db90"
},
{
"url": "https://git.kernel.org/stable/c/e516cfd19b0f4c774a57b17fb43a7f41991f0735"
},
{
"url": "https://git.kernel.org/stable/c/a29fea30dd93da16652930162b177941abd8c75e"
}
],
"title": "perf: arm_spe: Prevent overflow in PERF_IDX2OFF()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40081",
"datePublished": "2025-10-28T11:48:45.392Z",
"dateReserved": "2025-04-16T07:20:57.161Z",
"dateUpdated": "2025-12-01T06:17:38.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54274 (GCVE-0-2023-54274)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:16 – Updated: 2025-12-30 12:16
VLAI?
EPSS
Title
RDMA/srpt: Add a check for valid 'mad_agent' pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/srpt: Add a check for valid 'mad_agent' pointer
When unregistering MAD agent, srpt module has a non-null check
for 'mad_agent' pointer before invoking ib_unregister_mad_agent().
This check can pass if 'mad_agent' variable holds an error value.
The 'mad_agent' can have an error value for a short window when
srpt_add_one() and srpt_remove_one() is executed simultaneously.
In srpt module, added a valid pointer check for 'sport->mad_agent'
before unregistering MAD agent.
This issue can hit when RoCE driver unregisters ib_device
Stack Trace:
------------
BUG: kernel NULL pointer dereference, address: 000000000000004d
PGD 145003067 P4D 145003067 PUD 2324fe067 PMD 0
Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 10 PID: 4459 Comm: kworker/u80:0 Kdump: loaded Tainted: P
Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.5.4 01/13/2020
Workqueue: bnxt_re bnxt_re_task [bnxt_re]
RIP: 0010:_raw_spin_lock_irqsave+0x19/0x40
Call Trace:
ib_unregister_mad_agent+0x46/0x2f0 [ib_core]
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
? __schedule+0x20b/0x560
srpt_unregister_mad_agent+0x93/0xd0 [ib_srpt]
srpt_remove_one+0x20/0x150 [ib_srpt]
remove_client_context+0x88/0xd0 [ib_core]
bond0: (slave p2p1): link status definitely up, 100000 Mbps full duplex
disable_device+0x8a/0x160 [ib_core]
bond0: active interface up!
? kernfs_name_hash+0x12/0x80
(NULL device *): Bonding Info Received: rdev: 000000006c0b8247
__ib_unregister_device+0x42/0xb0 [ib_core]
(NULL device *): Master: mode: 4 num_slaves:2
ib_unregister_device+0x22/0x30 [ib_core]
(NULL device *): Slave: id: 105069936 name:p2p1 link:0 state:0
bnxt_re_stopqps_and_ib_uninit+0x83/0x90 [bnxt_re]
bnxt_re_alloc_lag+0x12e/0x4e0 [bnxt_re]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a42d985bd5b234da8b61347a78dc3057bf7bb94d , < 8ec6acdb9b6a80eeb13e778dfedb5d72a88f14fe
(git)
Affected: a42d985bd5b234da8b61347a78dc3057bf7bb94d , < 00cc21e32ea1b8ebbabf5d645da9378d986bf8ba (git) Affected: a42d985bd5b234da8b61347a78dc3057bf7bb94d , < 4323aaedeba32076e652aad056afd7885bb96bb7 (git) Affected: a42d985bd5b234da8b61347a78dc3057bf7bb94d , < 5f6ef2a574b0e0e0ea46ed0022575442df9d0bf9 (git) Affected: a42d985bd5b234da8b61347a78dc3057bf7bb94d , < b713623bfef8cb1df9c769a3887fa10db63d1c54 (git) Affected: a42d985bd5b234da8b61347a78dc3057bf7bb94d , < eca5cd9474cd26d62f9756f536e2e656d3f62f3a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/ulp/srpt/ib_srpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ec6acdb9b6a80eeb13e778dfedb5d72a88f14fe",
"status": "affected",
"version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d",
"versionType": "git"
},
{
"lessThan": "00cc21e32ea1b8ebbabf5d645da9378d986bf8ba",
"status": "affected",
"version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d",
"versionType": "git"
},
{
"lessThan": "4323aaedeba32076e652aad056afd7885bb96bb7",
"status": "affected",
"version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d",
"versionType": "git"
},
{
"lessThan": "5f6ef2a574b0e0e0ea46ed0022575442df9d0bf9",
"status": "affected",
"version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d",
"versionType": "git"
},
{
"lessThan": "b713623bfef8cb1df9c769a3887fa10db63d1c54",
"status": "affected",
"version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d",
"versionType": "git"
},
{
"lessThan": "eca5cd9474cd26d62f9756f536e2e656d3f62f3a",
"status": "affected",
"version": "a42d985bd5b234da8b61347a78dc3057bf7bb94d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/ulp/srpt/ib_srpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Add a check for valid \u0027mad_agent\u0027 pointer\n\nWhen unregistering MAD agent, srpt module has a non-null check\nfor \u0027mad_agent\u0027 pointer before invoking ib_unregister_mad_agent().\nThis check can pass if \u0027mad_agent\u0027 variable holds an error value.\nThe \u0027mad_agent\u0027 can have an error value for a short window when\nsrpt_add_one() and srpt_remove_one() is executed simultaneously.\n\nIn srpt module, added a valid pointer check for \u0027sport-\u003emad_agent\u0027\nbefore unregistering MAD agent.\n\nThis issue can hit when RoCE driver unregisters ib_device\n\nStack Trace:\n------------\nBUG: kernel NULL pointer dereference, address: 000000000000004d\nPGD 145003067 P4D 145003067 PUD 2324fe067 PMD 0\nOops: 0002 [#1] PREEMPT SMP NOPTI\nCPU: 10 PID: 4459 Comm: kworker/u80:0 Kdump: loaded Tainted: P\nHardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.5.4 01/13/2020\nWorkqueue: bnxt_re bnxt_re_task [bnxt_re]\nRIP: 0010:_raw_spin_lock_irqsave+0x19/0x40\nCall Trace:\n ib_unregister_mad_agent+0x46/0x2f0 [ib_core]\n IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready\n ? __schedule+0x20b/0x560\n srpt_unregister_mad_agent+0x93/0xd0 [ib_srpt]\n srpt_remove_one+0x20/0x150 [ib_srpt]\n remove_client_context+0x88/0xd0 [ib_core]\n bond0: (slave p2p1): link status definitely up, 100000 Mbps full duplex\n disable_device+0x8a/0x160 [ib_core]\n bond0: active interface up!\n ? kernfs_name_hash+0x12/0x80\n (NULL device *): Bonding Info Received: rdev: 000000006c0b8247\n __ib_unregister_device+0x42/0xb0 [ib_core]\n (NULL device *): Master: mode: 4 num_slaves:2\n ib_unregister_device+0x22/0x30 [ib_core]\n (NULL device *): Slave: id: 105069936 name:p2p1 link:0 state:0\n bnxt_re_stopqps_and_ib_uninit+0x83/0x90 [bnxt_re]\n bnxt_re_alloc_lag+0x12e/0x4e0 [bnxt_re]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:16:03.696Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ec6acdb9b6a80eeb13e778dfedb5d72a88f14fe"
},
{
"url": "https://git.kernel.org/stable/c/00cc21e32ea1b8ebbabf5d645da9378d986bf8ba"
},
{
"url": "https://git.kernel.org/stable/c/4323aaedeba32076e652aad056afd7885bb96bb7"
},
{
"url": "https://git.kernel.org/stable/c/5f6ef2a574b0e0e0ea46ed0022575442df9d0bf9"
},
{
"url": "https://git.kernel.org/stable/c/b713623bfef8cb1df9c769a3887fa10db63d1c54"
},
{
"url": "https://git.kernel.org/stable/c/eca5cd9474cd26d62f9756f536e2e656d3f62f3a"
}
],
"title": "RDMA/srpt: Add a check for valid \u0027mad_agent\u0027 pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54274",
"datePublished": "2025-12-30T12:16:03.696Z",
"dateReserved": "2025-12-30T12:06:44.523Z",
"dateUpdated": "2025-12-30T12:16:03.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54234 (GCVE-0-2023-54234)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
scsi: mpi3mr: Fix missing mrioc->evtack_cmds initialization
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Fix missing mrioc->evtack_cmds initialization
Commit c1af985d27da ("scsi: mpi3mr: Add Event acknowledgment logic")
introduced an array mrioc->evtack_cmds but initialization of the array
elements was missed. They are just zero cleared. The function
mpi3mr_complete_evt_ack() refers host_tag field of the elements. Due to the
zero value of the host_tag field, the function calls clear_bit() for
mrico->evtack_cmds_bitmap with wrong bit index. This results in memory
access to invalid address and "BUG: KASAN: use-after-free". This BUG was
observed at eHBA-9600 firmware update to version 8.3.1.0. To fix it, add
the missing initialization of mrioc->evtack_cmds.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c1af985d27da2d530c22604644e9025810f57d7c , < 4e0dfdb48a824deac3dfbc67fb856ef2aee13529
(git)
Affected: c1af985d27da2d530c22604644e9025810f57d7c , < 67989091e11a974003ddf2ec39bc613df8eadd83 (git) Affected: c1af985d27da2d530c22604644e9025810f57d7c , < e39ea831ebad4ab15c4748cb62a397a8abcca36e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e0dfdb48a824deac3dfbc67fb856ef2aee13529",
"status": "affected",
"version": "c1af985d27da2d530c22604644e9025810f57d7c",
"versionType": "git"
},
{
"lessThan": "67989091e11a974003ddf2ec39bc613df8eadd83",
"status": "affected",
"version": "c1af985d27da2d530c22604644e9025810f57d7c",
"versionType": "git"
},
{
"lessThan": "e39ea831ebad4ab15c4748cb62a397a8abcca36e",
"status": "affected",
"version": "c1af985d27da2d530c22604644e9025810f57d7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix missing mrioc-\u003eevtack_cmds initialization\n\nCommit c1af985d27da (\"scsi: mpi3mr: Add Event acknowledgment logic\")\nintroduced an array mrioc-\u003eevtack_cmds but initialization of the array\nelements was missed. They are just zero cleared. The function\nmpi3mr_complete_evt_ack() refers host_tag field of the elements. Due to the\nzero value of the host_tag field, the function calls clear_bit() for\nmrico-\u003eevtack_cmds_bitmap with wrong bit index. This results in memory\naccess to invalid address and \"BUG: KASAN: use-after-free\". This BUG was\nobserved at eHBA-9600 firmware update to version 8.3.1.0. To fix it, add\nthe missing initialization of mrioc-\u003eevtack_cmds."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:25.021Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e0dfdb48a824deac3dfbc67fb856ef2aee13529"
},
{
"url": "https://git.kernel.org/stable/c/67989091e11a974003ddf2ec39bc613df8eadd83"
},
{
"url": "https://git.kernel.org/stable/c/e39ea831ebad4ab15c4748cb62a397a8abcca36e"
}
],
"title": "scsi: mpi3mr: Fix missing mrioc-\u003eevtack_cmds initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54234",
"datePublished": "2025-12-30T12:11:25.021Z",
"dateReserved": "2025-12-30T12:06:44.507Z",
"dateUpdated": "2025-12-30T12:11:25.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54042 (GCVE-0-2023-54042)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
powerpc/64s: Fix VAS mm use after free
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s: Fix VAS mm use after free
The refcount on mm is dropped before the coprocessor is detached.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85 , < f7d92313002b2d543500cc417d8079aaed1fb0a8
(git)
Affected: 7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85 , < 4e82f92c349ea603736ade1e814861c0182a55ad (git) Affected: 7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85 , < db8657fdd53c5e3069149d7f957cb60e63027bb2 (git) Affected: 7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85 , < 421cd1544480f2458042fe7f4913a2069c4d7251 (git) Affected: 7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85 , < b4bda59b47879cce38a6ec5a01cd3cac702b5331 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/powernv/vas-window.c",
"arch/powerpc/platforms/pseries/vas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7d92313002b2d543500cc417d8079aaed1fb0a8",
"status": "affected",
"version": "7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85",
"versionType": "git"
},
{
"lessThan": "4e82f92c349ea603736ade1e814861c0182a55ad",
"status": "affected",
"version": "7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85",
"versionType": "git"
},
{
"lessThan": "db8657fdd53c5e3069149d7f957cb60e63027bb2",
"status": "affected",
"version": "7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85",
"versionType": "git"
},
{
"lessThan": "421cd1544480f2458042fe7f4913a2069c4d7251",
"status": "affected",
"version": "7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85",
"versionType": "git"
},
{
"lessThan": "b4bda59b47879cce38a6ec5a01cd3cac702b5331",
"status": "affected",
"version": "7bc6f71bdff5f8921e324da0a8fad6f4e2e63a85",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/powernv/vas-window.c",
"arch/powerpc/platforms/pseries/vas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/64s: Fix VAS mm use after free\n\nThe refcount on mm is dropped before the coprocessor is detached."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:07.565Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7d92313002b2d543500cc417d8079aaed1fb0a8"
},
{
"url": "https://git.kernel.org/stable/c/4e82f92c349ea603736ade1e814861c0182a55ad"
},
{
"url": "https://git.kernel.org/stable/c/db8657fdd53c5e3069149d7f957cb60e63027bb2"
},
{
"url": "https://git.kernel.org/stable/c/421cd1544480f2458042fe7f4913a2069c4d7251"
},
{
"url": "https://git.kernel.org/stable/c/b4bda59b47879cce38a6ec5a01cd3cac702b5331"
}
],
"title": "powerpc/64s: Fix VAS mm use after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54042",
"datePublished": "2025-12-24T10:56:07.565Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:07.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54148 (GCVE-0-2023-54148)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:07 – Updated: 2025-12-24 13:07
VLAI?
EPSS
Title
net/mlx5e: Move representor neigh cleanup to profile cleanup_tx
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Move representor neigh cleanup to profile cleanup_tx
For IP tunnel encapsulation in ECMP (Equal-Cost Multipath) mode, as
the flow is duplicated to the peer eswitch, the related neighbour
information on the peer uplink representor is created as well.
In the cited commit, eswitch devcom unpair is moved to uplink unload
API, specifically the profile->cleanup_tx. If there is a encap rule
offloaded in ECMP mode, when one eswitch does unpair (because of
unloading the driver, for instance), and the peer rule from the peer
eswitch is going to be deleted, the use-after-free error is triggered
while accessing neigh info, as it is already cleaned up in uplink's
profile->disable, which is before its profile->cleanup_tx.
To fix this issue, move the neigh cleanup to profile's cleanup_tx
callback, and after mlx5e_cleanup_uplink_rep_tx is called. The neigh
init is moved to init_tx for symmeter.
[ 2453.376299] BUG: KASAN: slab-use-after-free in mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]
[ 2453.379125] Read of size 4 at addr ffff888127af9008 by task modprobe/2496
[ 2453.381542] CPU: 7 PID: 2496 Comm: modprobe Tainted: G B 6.4.0-rc7+ #15
[ 2453.383386] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 2453.384335] Call Trace:
[ 2453.384625] <TASK>
[ 2453.384891] dump_stack_lvl+0x33/0x50
[ 2453.385285] print_report+0xc2/0x610
[ 2453.385667] ? __virt_addr_valid+0xb1/0x130
[ 2453.386091] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]
[ 2453.386757] kasan_report+0xae/0xe0
[ 2453.387123] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]
[ 2453.387798] mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]
[ 2453.388465] mlx5e_rep_encap_entry_detach+0xa6/0xe0 [mlx5_core]
[ 2453.389111] mlx5e_encap_dealloc+0xa7/0x100 [mlx5_core]
[ 2453.389706] mlx5e_tc_tun_encap_dests_unset+0x61/0xb0 [mlx5_core]
[ 2453.390361] mlx5_free_flow_attr_actions+0x11e/0x340 [mlx5_core]
[ 2453.391015] ? complete_all+0x43/0xd0
[ 2453.391398] ? free_flow_post_acts+0x38/0x120 [mlx5_core]
[ 2453.392004] mlx5e_tc_del_fdb_flow+0x4ae/0x690 [mlx5_core]
[ 2453.392618] mlx5e_tc_del_fdb_peers_flow+0x308/0x370 [mlx5_core]
[ 2453.393276] mlx5e_tc_clean_fdb_peer_flows+0xf5/0x140 [mlx5_core]
[ 2453.393925] mlx5_esw_offloads_unpair+0x86/0x540 [mlx5_core]
[ 2453.394546] ? mlx5_esw_offloads_set_ns_peer.isra.0+0x180/0x180 [mlx5_core]
[ 2453.395268] ? down_write+0xaa/0x100
[ 2453.395652] mlx5_esw_offloads_devcom_event+0x203/0x530 [mlx5_core]
[ 2453.396317] mlx5_devcom_send_event+0xbb/0x190 [mlx5_core]
[ 2453.396917] mlx5_esw_offloads_devcom_cleanup+0xb0/0xd0 [mlx5_core]
[ 2453.397582] mlx5e_tc_esw_cleanup+0x42/0x120 [mlx5_core]
[ 2453.398182] mlx5e_rep_tc_cleanup+0x15/0x30 [mlx5_core]
[ 2453.398768] mlx5e_cleanup_rep_tx+0x6c/0x80 [mlx5_core]
[ 2453.399367] mlx5e_detach_netdev+0xee/0x120 [mlx5_core]
[ 2453.399957] mlx5e_netdev_change_profile+0x84/0x170 [mlx5_core]
[ 2453.400598] mlx5e_vport_rep_unload+0xe0/0xf0 [mlx5_core]
[ 2453.403781] mlx5_eswitch_unregister_vport_reps+0x15e/0x190 [mlx5_core]
[ 2453.404479] ? mlx5_eswitch_register_vport_reps+0x200/0x200 [mlx5_core]
[ 2453.405170] ? up_write+0x39/0x60
[ 2453.405529] ? kernfs_remove_by_name_ns+0xb7/0xe0
[ 2453.405985] auxiliary_bus_remove+0x2e/0x40
[ 2453.406405] device_release_driver_internal+0x243/0x2d0
[ 2453.406900] ? kobject_put+0x42/0x2d0
[ 2453.407284] bus_remove_device+0x128/0x1d0
[ 2453.407687] device_del+0x240/0x550
[ 2453.408053] ? waiting_for_supplier_show+0xe0/0xe0
[ 2453.408511] ? kobject_put+0xfa/0x2d0
[ 2453.408889] ? __kmem_cache_free+0x14d/0x280
[ 2453.409310] mlx5_rescan_drivers_locked.part.0+0xcd/0x2b0 [mlx5_core]
[ 2453.409973] mlx5_unregister_device+0x40/0x50 [mlx5_core]
[ 2453.410561] mlx5_uninit_one+0x3d/0x110 [mlx5_core]
[ 2453.411111] remove_one+0x89/0x130 [mlx5_core]
[ 24
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b17294e7aa8c39dbb9c3e28e2d1983c88b94b387 , < d628ba98eb1637acce44001e04c718d8dbb1f7ce
(git)
Affected: 2be5bd42a5bba1a05daedc86cf0e248210009669 , < 36697c592cd0809e626df01b3644c23ac522a4d0 (git) Affected: 2be5bd42a5bba1a05daedc86cf0e248210009669 , < d03b6e6f31820b84f7449cca022047f36c42bc3f (git) Affected: 10cbfecc0f99f579fb170feee866c9efaab7ee47 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d628ba98eb1637acce44001e04c718d8dbb1f7ce",
"status": "affected",
"version": "b17294e7aa8c39dbb9c3e28e2d1983c88b94b387",
"versionType": "git"
},
{
"lessThan": "36697c592cd0809e626df01b3644c23ac522a4d0",
"status": "affected",
"version": "2be5bd42a5bba1a05daedc86cf0e248210009669",
"versionType": "git"
},
{
"lessThan": "d03b6e6f31820b84f7449cca022047f36c42bc3f",
"status": "affected",
"version": "2be5bd42a5bba1a05daedc86cf0e248210009669",
"versionType": "git"
},
{
"status": "affected",
"version": "10cbfecc0f99f579fb170feee866c9efaab7ee47",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "6.1.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Move representor neigh cleanup to profile cleanup_tx\n\nFor IP tunnel encapsulation in ECMP (Equal-Cost Multipath) mode, as\nthe flow is duplicated to the peer eswitch, the related neighbour\ninformation on the peer uplink representor is created as well.\n\nIn the cited commit, eswitch devcom unpair is moved to uplink unload\nAPI, specifically the profile-\u003ecleanup_tx. If there is a encap rule\noffloaded in ECMP mode, when one eswitch does unpair (because of\nunloading the driver, for instance), and the peer rule from the peer\neswitch is going to be deleted, the use-after-free error is triggered\nwhile accessing neigh info, as it is already cleaned up in uplink\u0027s\nprofile-\u003edisable, which is before its profile-\u003ecleanup_tx.\n\nTo fix this issue, move the neigh cleanup to profile\u0027s cleanup_tx\ncallback, and after mlx5e_cleanup_uplink_rep_tx is called. The neigh\ninit is moved to init_tx for symmeter.\n\n[ 2453.376299] BUG: KASAN: slab-use-after-free in mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]\n[ 2453.379125] Read of size 4 at addr ffff888127af9008 by task modprobe/2496\n\n[ 2453.381542] CPU: 7 PID: 2496 Comm: modprobe Tainted: G B 6.4.0-rc7+ #15\n[ 2453.383386] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 2453.384335] Call Trace:\n[ 2453.384625] \u003cTASK\u003e\n[ 2453.384891] dump_stack_lvl+0x33/0x50\n[ 2453.385285] print_report+0xc2/0x610\n[ 2453.385667] ? __virt_addr_valid+0xb1/0x130\n[ 2453.386091] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]\n[ 2453.386757] kasan_report+0xae/0xe0\n[ 2453.387123] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]\n[ 2453.387798] mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core]\n[ 2453.388465] mlx5e_rep_encap_entry_detach+0xa6/0xe0 [mlx5_core]\n[ 2453.389111] mlx5e_encap_dealloc+0xa7/0x100 [mlx5_core]\n[ 2453.389706] mlx5e_tc_tun_encap_dests_unset+0x61/0xb0 [mlx5_core]\n[ 2453.390361] mlx5_free_flow_attr_actions+0x11e/0x340 [mlx5_core]\n[ 2453.391015] ? complete_all+0x43/0xd0\n[ 2453.391398] ? free_flow_post_acts+0x38/0x120 [mlx5_core]\n[ 2453.392004] mlx5e_tc_del_fdb_flow+0x4ae/0x690 [mlx5_core]\n[ 2453.392618] mlx5e_tc_del_fdb_peers_flow+0x308/0x370 [mlx5_core]\n[ 2453.393276] mlx5e_tc_clean_fdb_peer_flows+0xf5/0x140 [mlx5_core]\n[ 2453.393925] mlx5_esw_offloads_unpair+0x86/0x540 [mlx5_core]\n[ 2453.394546] ? mlx5_esw_offloads_set_ns_peer.isra.0+0x180/0x180 [mlx5_core]\n[ 2453.395268] ? down_write+0xaa/0x100\n[ 2453.395652] mlx5_esw_offloads_devcom_event+0x203/0x530 [mlx5_core]\n[ 2453.396317] mlx5_devcom_send_event+0xbb/0x190 [mlx5_core]\n[ 2453.396917] mlx5_esw_offloads_devcom_cleanup+0xb0/0xd0 [mlx5_core]\n[ 2453.397582] mlx5e_tc_esw_cleanup+0x42/0x120 [mlx5_core]\n[ 2453.398182] mlx5e_rep_tc_cleanup+0x15/0x30 [mlx5_core]\n[ 2453.398768] mlx5e_cleanup_rep_tx+0x6c/0x80 [mlx5_core]\n[ 2453.399367] mlx5e_detach_netdev+0xee/0x120 [mlx5_core]\n[ 2453.399957] mlx5e_netdev_change_profile+0x84/0x170 [mlx5_core]\n[ 2453.400598] mlx5e_vport_rep_unload+0xe0/0xf0 [mlx5_core]\n[ 2453.403781] mlx5_eswitch_unregister_vport_reps+0x15e/0x190 [mlx5_core]\n[ 2453.404479] ? mlx5_eswitch_register_vport_reps+0x200/0x200 [mlx5_core]\n[ 2453.405170] ? up_write+0x39/0x60\n[ 2453.405529] ? kernfs_remove_by_name_ns+0xb7/0xe0\n[ 2453.405985] auxiliary_bus_remove+0x2e/0x40\n[ 2453.406405] device_release_driver_internal+0x243/0x2d0\n[ 2453.406900] ? kobject_put+0x42/0x2d0\n[ 2453.407284] bus_remove_device+0x128/0x1d0\n[ 2453.407687] device_del+0x240/0x550\n[ 2453.408053] ? waiting_for_supplier_show+0xe0/0xe0\n[ 2453.408511] ? kobject_put+0xfa/0x2d0\n[ 2453.408889] ? __kmem_cache_free+0x14d/0x280\n[ 2453.409310] mlx5_rescan_drivers_locked.part.0+0xcd/0x2b0 [mlx5_core]\n[ 2453.409973] mlx5_unregister_device+0x40/0x50 [mlx5_core]\n[ 2453.410561] mlx5_uninit_one+0x3d/0x110 [mlx5_core]\n[ 2453.411111] remove_one+0x89/0x130 [mlx5_core]\n[ 24\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:07:00.260Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d628ba98eb1637acce44001e04c718d8dbb1f7ce"
},
{
"url": "https://git.kernel.org/stable/c/36697c592cd0809e626df01b3644c23ac522a4d0"
},
{
"url": "https://git.kernel.org/stable/c/d03b6e6f31820b84f7449cca022047f36c42bc3f"
}
],
"title": "net/mlx5e: Move representor neigh cleanup to profile cleanup_tx",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54148",
"datePublished": "2025-12-24T13:07:00.260Z",
"dateReserved": "2025-12-24T13:02:52.528Z",
"dateUpdated": "2025-12-24T13:07:00.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54298 (GCVE-0-2023-54298)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
thermal: intel: quark_dts: fix error pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal: intel: quark_dts: fix error pointer dereference
If alloc_soc_dts() fails, then we can just return. Trying to free
"soc_dts" will lead to an Oops.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8c1876939663191b5044807230fa295f35462215 , < 0b366c6a42e2e2bc67af8d1130b68f3bfa31c80e
(git)
Affected: 8c1876939663191b5044807230fa295f35462215 , < d0178f2788fb1183a5cc350213efdc94010b9147 (git) Affected: 8c1876939663191b5044807230fa295f35462215 , < e23f1d9e6e03d04da2f18e78ab5d4255ffeb1333 (git) Affected: 8c1876939663191b5044807230fa295f35462215 , < f73134231fa23e0856c15010db5f5c03693c1e92 (git) Affected: 8c1876939663191b5044807230fa295f35462215 , < 5eaf55b38691291d49417c22e726591078ca1893 (git) Affected: 8c1876939663191b5044807230fa295f35462215 , < 69e49f1b53605706bc2203455021539aba2ebe21 (git) Affected: 8c1876939663191b5044807230fa295f35462215 , < 24c221b11c2894e1a5f07b93362d9bc91c6d8be7 (git) Affected: 8c1876939663191b5044807230fa295f35462215 , < f1b930e740811d416de4d2074da48b6633a672c8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/intel/intel_quark_dts_thermal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b366c6a42e2e2bc67af8d1130b68f3bfa31c80e",
"status": "affected",
"version": "8c1876939663191b5044807230fa295f35462215",
"versionType": "git"
},
{
"lessThan": "d0178f2788fb1183a5cc350213efdc94010b9147",
"status": "affected",
"version": "8c1876939663191b5044807230fa295f35462215",
"versionType": "git"
},
{
"lessThan": "e23f1d9e6e03d04da2f18e78ab5d4255ffeb1333",
"status": "affected",
"version": "8c1876939663191b5044807230fa295f35462215",
"versionType": "git"
},
{
"lessThan": "f73134231fa23e0856c15010db5f5c03693c1e92",
"status": "affected",
"version": "8c1876939663191b5044807230fa295f35462215",
"versionType": "git"
},
{
"lessThan": "5eaf55b38691291d49417c22e726591078ca1893",
"status": "affected",
"version": "8c1876939663191b5044807230fa295f35462215",
"versionType": "git"
},
{
"lessThan": "69e49f1b53605706bc2203455021539aba2ebe21",
"status": "affected",
"version": "8c1876939663191b5044807230fa295f35462215",
"versionType": "git"
},
{
"lessThan": "24c221b11c2894e1a5f07b93362d9bc91c6d8be7",
"status": "affected",
"version": "8c1876939663191b5044807230fa295f35462215",
"versionType": "git"
},
{
"lessThan": "f1b930e740811d416de4d2074da48b6633a672c8",
"status": "affected",
"version": "8c1876939663191b5044807230fa295f35462215",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/intel/intel_quark_dts_thermal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: intel: quark_dts: fix error pointer dereference\n\nIf alloc_soc_dts() fails, then we can just return. Trying to free\n\"soc_dts\" will lead to an Oops."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:34.503Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b366c6a42e2e2bc67af8d1130b68f3bfa31c80e"
},
{
"url": "https://git.kernel.org/stable/c/d0178f2788fb1183a5cc350213efdc94010b9147"
},
{
"url": "https://git.kernel.org/stable/c/e23f1d9e6e03d04da2f18e78ab5d4255ffeb1333"
},
{
"url": "https://git.kernel.org/stable/c/f73134231fa23e0856c15010db5f5c03693c1e92"
},
{
"url": "https://git.kernel.org/stable/c/5eaf55b38691291d49417c22e726591078ca1893"
},
{
"url": "https://git.kernel.org/stable/c/69e49f1b53605706bc2203455021539aba2ebe21"
},
{
"url": "https://git.kernel.org/stable/c/24c221b11c2894e1a5f07b93362d9bc91c6d8be7"
},
{
"url": "https://git.kernel.org/stable/c/f1b930e740811d416de4d2074da48b6633a672c8"
}
],
"title": "thermal: intel: quark_dts: fix error pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54298",
"datePublished": "2025-12-30T12:23:34.503Z",
"dateReserved": "2025-12-30T12:06:44.528Z",
"dateUpdated": "2025-12-30T12:23:34.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40211 (GCVE-0-2025-40211)
Vulnerability from cvelistv5 – Published: 2025-11-21 10:21 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
The switch_brightness_work delayed work accesses device->brightness
and device->backlight, freed by acpi_video_dev_unregister_backlight()
during device removal.
If the work executes after acpi_video_bus_unregister_backlight()
frees these resources, it causes a use-after-free when
acpi_video_switch_brightness() dereferences device->brightness or
device->backlight.
Fix this by calling cancel_delayed_work_sync() for each device's
switch_brightness_work in acpi_video_bus_remove_notify_handler()
after removing the notify handler that queues the work. This ensures
the work completes before the memory is freed.
[ rjw: Changelog edit ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 3f803ccf5a0c043e7c8b83f6665b082401fc8bee
(git)
Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < ba1704316492a0496c69334338ea1fdbf4c2fd34 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < bc78a4f51d548c1ccc3d1967c2b394bf687c86e9 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 4e85246ec0d019dfba86ba54d841ef6694f97149 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < de5fc93275a4a459fe2f7cb746984f2ab3e8292a (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 293125536ef5521328815fa7c76d5f9eb1635659 (git) Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 8f067aa59430266386b83c18b983ca583faa6a11 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpi_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f803ccf5a0c043e7c8b83f6665b082401fc8bee",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "ba1704316492a0496c69334338ea1fdbf4c2fd34",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "bc78a4f51d548c1ccc3d1967c2b394bf687c86e9",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "4e85246ec0d019dfba86ba54d841ef6694f97149",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "de5fc93275a4a459fe2f7cb746984f2ab3e8292a",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "293125536ef5521328815fa7c76d5f9eb1635659",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
},
{
"lessThan": "8f067aa59430266386b83c18b983ca583faa6a11",
"status": "affected",
"version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/acpi_video.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: Fix use-after-free in acpi_video_switch_brightness()\n\nThe switch_brightness_work delayed work accesses device-\u003ebrightness\nand device-\u003ebacklight, freed by acpi_video_dev_unregister_backlight()\nduring device removal.\n\nIf the work executes after acpi_video_bus_unregister_backlight()\nfrees these resources, it causes a use-after-free when\nacpi_video_switch_brightness() dereferences device-\u003ebrightness or\ndevice-\u003ebacklight.\n\nFix this by calling cancel_delayed_work_sync() for each device\u0027s\nswitch_brightness_work in acpi_video_bus_remove_notify_handler()\nafter removing the notify handler that queues the work. This ensures\nthe work completes before the memory is freed.\n\n[ rjw: Changelog edit ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:42.455Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f803ccf5a0c043e7c8b83f6665b082401fc8bee"
},
{
"url": "https://git.kernel.org/stable/c/ba1704316492a0496c69334338ea1fdbf4c2fd34"
},
{
"url": "https://git.kernel.org/stable/c/bc78a4f51d548c1ccc3d1967c2b394bf687c86e9"
},
{
"url": "https://git.kernel.org/stable/c/a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9"
},
{
"url": "https://git.kernel.org/stable/c/4e85246ec0d019dfba86ba54d841ef6694f97149"
},
{
"url": "https://git.kernel.org/stable/c/de5fc93275a4a459fe2f7cb746984f2ab3e8292a"
},
{
"url": "https://git.kernel.org/stable/c/293125536ef5521328815fa7c76d5f9eb1635659"
},
{
"url": "https://git.kernel.org/stable/c/8f067aa59430266386b83c18b983ca583faa6a11"
}
],
"title": "ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40211",
"datePublished": "2025-11-21T10:21:36.438Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-06T21:38:42.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68195 (GCVE-0-2025-68195)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2025-12-16 13:43
VLAI?
EPSS
Title
x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode
Running x86_match_min_microcode_rev() on a Zen5 CPU trips up KASAN for an out
of bounds access.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c6b56a76478bd1ab609827c571905386c11d308",
"status": "affected",
"version": "36ff93e66d0efc46e39fab536a9feec968daa766",
"versionType": "git"
},
{
"lessThan": "f1fdffe0afea02ba783acfe815b6a60e7180df40",
"status": "affected",
"version": "607b9fb2ce248cc5b633c5949e0153838992c152",
"versionType": "git"
},
{
"status": "affected",
"version": "e980de2ff109dacb6d9d3a77f01b27c467115ecb",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux"
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.58",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode\n\nRunning x86_match_min_microcode_rev() on a Zen5 CPU trips up KASAN for an out\nof bounds access."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:43:21.855Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c6b56a76478bd1ab609827c571905386c11d308"
},
{
"url": "https://git.kernel.org/stable/c/f1fdffe0afea02ba783acfe815b6a60e7180df40"
}
],
"title": "x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68195",
"datePublished": "2025-12-16T13:43:21.855Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2025-12-16T13:43:21.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53787 (GCVE-0-2023-53787)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
regulator: da9063: fix null pointer deref with partial DT config
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: da9063: fix null pointer deref with partial DT config
When some of the da9063 regulators do not have corresponding DT nodes
a null pointer dereference occurs on boot because such regulators have
no init_data causing the pointers calculated in
da9063_check_xvp_constraints() to be invalid.
Do not dereference them in this case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/da9063-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "04a025b17d83d07924e5e32508c72536ab8f42d9",
"status": "affected",
"version": "b8717a80e6ee6500ae396d21aac2a00947bba993",
"versionType": "git"
},
{
"lessThan": "98e2dd5f7a8be5cb2501a897e96910393a49f0ff",
"status": "affected",
"version": "b8717a80e6ee6500ae396d21aac2a00947bba993",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/da9063-regulator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: da9063: fix null pointer deref with partial DT config\n\nWhen some of the da9063 regulators do not have corresponding DT nodes\na null pointer dereference occurs on boot because such regulators have\nno init_data causing the pointers calculated in\nda9063_check_xvp_constraints() to be invalid.\n\nDo not dereference them in this case."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:42.334Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/04a025b17d83d07924e5e32508c72536ab8f42d9"
},
{
"url": "https://git.kernel.org/stable/c/98e2dd5f7a8be5cb2501a897e96910393a49f0ff"
}
],
"title": "regulator: da9063: fix null pointer deref with partial DT config",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53787",
"datePublished": "2025-12-09T00:00:42.334Z",
"dateReserved": "2025-12-08T23:58:35.273Z",
"dateUpdated": "2025-12-09T00:00:42.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54171 (GCVE-0-2023-54171)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
tracing: Fix memory leak of iter->temp when reading trace_pipe
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix memory leak of iter->temp when reading trace_pipe
kmemleak reports:
unreferenced object 0xffff88814d14e200 (size 256):
comm "cat", pid 336, jiffies 4294871818 (age 779.490s)
hex dump (first 32 bytes):
04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00 ................
0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff .........Z......
backtrace:
[<ffffffff9bdff18f>] __kmalloc+0x4f/0x140
[<ffffffff9bc9238b>] trace_find_next_entry+0xbb/0x1d0
[<ffffffff9bc9caef>] trace_print_lat_context+0xaf/0x4e0
[<ffffffff9bc94490>] print_trace_line+0x3e0/0x950
[<ffffffff9bc95499>] tracing_read_pipe+0x2d9/0x5a0
[<ffffffff9bf03a43>] vfs_read+0x143/0x520
[<ffffffff9bf04c2d>] ksys_read+0xbd/0x160
[<ffffffff9d0f0edf>] do_syscall_64+0x3f/0x90
[<ffffffff9d2000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
when reading file 'trace_pipe', 'iter->temp' is allocated or relocated
in trace_find_next_entry() but not freed before 'trace_pipe' is closed.
To fix it, free 'iter->temp' in tracing_release_pipe().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ff895103a84abc85a5f43ecabc7f67cf36e1348f , < 1a1e793e021d75cd0accd8f329ec9456e5cd105e
(git)
Affected: ff895103a84abc85a5f43ecabc7f67cf36e1348f , < 954792db9f61b6c0b8a94b8831fed5f146014029 (git) Affected: ff895103a84abc85a5f43ecabc7f67cf36e1348f , < be970e22c53d5572b2795b79da9716ada937023b (git) Affected: ff895103a84abc85a5f43ecabc7f67cf36e1348f , < 3f42d57a76e7e96585f08855554e002218cbca0c (git) Affected: ff895103a84abc85a5f43ecabc7f67cf36e1348f , < d5a821896360cc8b93a15bd888fabc858c038dc0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a1e793e021d75cd0accd8f329ec9456e5cd105e",
"status": "affected",
"version": "ff895103a84abc85a5f43ecabc7f67cf36e1348f",
"versionType": "git"
},
{
"lessThan": "954792db9f61b6c0b8a94b8831fed5f146014029",
"status": "affected",
"version": "ff895103a84abc85a5f43ecabc7f67cf36e1348f",
"versionType": "git"
},
{
"lessThan": "be970e22c53d5572b2795b79da9716ada937023b",
"status": "affected",
"version": "ff895103a84abc85a5f43ecabc7f67cf36e1348f",
"versionType": "git"
},
{
"lessThan": "3f42d57a76e7e96585f08855554e002218cbca0c",
"status": "affected",
"version": "ff895103a84abc85a5f43ecabc7f67cf36e1348f",
"versionType": "git"
},
{
"lessThan": "d5a821896360cc8b93a15bd888fabc858c038dc0",
"status": "affected",
"version": "ff895103a84abc85a5f43ecabc7f67cf36e1348f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix memory leak of iter-\u003etemp when reading trace_pipe\n\nkmemleak reports:\n unreferenced object 0xffff88814d14e200 (size 256):\n comm \"cat\", pid 336, jiffies 4294871818 (age 779.490s)\n hex dump (first 32 bytes):\n 04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00 ................\n 0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff .........Z......\n backtrace:\n [\u003cffffffff9bdff18f\u003e] __kmalloc+0x4f/0x140\n [\u003cffffffff9bc9238b\u003e] trace_find_next_entry+0xbb/0x1d0\n [\u003cffffffff9bc9caef\u003e] trace_print_lat_context+0xaf/0x4e0\n [\u003cffffffff9bc94490\u003e] print_trace_line+0x3e0/0x950\n [\u003cffffffff9bc95499\u003e] tracing_read_pipe+0x2d9/0x5a0\n [\u003cffffffff9bf03a43\u003e] vfs_read+0x143/0x520\n [\u003cffffffff9bf04c2d\u003e] ksys_read+0xbd/0x160\n [\u003cffffffff9d0f0edf\u003e] do_syscall_64+0x3f/0x90\n [\u003cffffffff9d2000aa\u003e] entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nwhen reading file \u0027trace_pipe\u0027, \u0027iter-\u003etemp\u0027 is allocated or relocated\nin trace_find_next_entry() but not freed before \u0027trace_pipe\u0027 is closed.\n\nTo fix it, free \u0027iter-\u003etemp\u0027 in tracing_release_pipe()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:45.441Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a1e793e021d75cd0accd8f329ec9456e5cd105e"
},
{
"url": "https://git.kernel.org/stable/c/954792db9f61b6c0b8a94b8831fed5f146014029"
},
{
"url": "https://git.kernel.org/stable/c/be970e22c53d5572b2795b79da9716ada937023b"
},
{
"url": "https://git.kernel.org/stable/c/3f42d57a76e7e96585f08855554e002218cbca0c"
},
{
"url": "https://git.kernel.org/stable/c/d5a821896360cc8b93a15bd888fabc858c038dc0"
}
],
"title": "tracing: Fix memory leak of iter-\u003etemp when reading trace_pipe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54171",
"datePublished": "2025-12-30T12:08:45.441Z",
"dateReserved": "2025-12-30T12:06:44.496Z",
"dateUpdated": "2025-12-30T12:08:45.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50829 (GCVE-0-2022-50829)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2025-12-30 12:10
VLAI?
EPSS
Title
wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
It is possible that skb is freed in ath9k_htc_rx_msg(), then
usb_submit_urb() fails and we try to free skb again. It causes
use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes
NULL but rx_buf is not freed and there can be a memory leak.
The patch removes unnecessary nskb and makes skb processing more clear: it
is supposed that ath9k_htc_rx_msg() either frees old skb or passes its
managing to another callback function.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3deff76095c4ac4252e27c537db3041f619c23a2 , < 5e8751a977a49a6e00cce1a8da5ca16da83f9c8c
(git)
Affected: 3deff76095c4ac4252e27c537db3041f619c23a2 , < f127c2b4c967025e5c3a4ce7e13b79135d46a33d (git) Affected: 3deff76095c4ac4252e27c537db3041f619c23a2 , < 0c8dd2ea4b419da96ab4953e4967e9363e2f8a4f (git) Affected: 3deff76095c4ac4252e27c537db3041f619c23a2 , < 988bd27de2484faf17afe0408db2e3d9e5ac61fc (git) Affected: 3deff76095c4ac4252e27c537db3041f619c23a2 , < 98d9172822dc6f38138333941984bd759a89d419 (git) Affected: 3deff76095c4ac4252e27c537db3041f619c23a2 , < 355f16f756aad0c95cdaa0c14a34ab4137d32815 (git) Affected: 3deff76095c4ac4252e27c537db3041f619c23a2 , < 53b9bb1a00c4285ee7f58a11129dbea015db61bc (git) Affected: 3deff76095c4ac4252e27c537db3041f619c23a2 , < 71fc0ad671a62c494d2aec731baeabd3bfe6c95d (git) Affected: 3deff76095c4ac4252e27c537db3041f619c23a2 , < dd95f2239fc846795fc926787c3ae0ca701c9840 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5e8751a977a49a6e00cce1a8da5ca16da83f9c8c",
"status": "affected",
"version": "3deff76095c4ac4252e27c537db3041f619c23a2",
"versionType": "git"
},
{
"lessThan": "f127c2b4c967025e5c3a4ce7e13b79135d46a33d",
"status": "affected",
"version": "3deff76095c4ac4252e27c537db3041f619c23a2",
"versionType": "git"
},
{
"lessThan": "0c8dd2ea4b419da96ab4953e4967e9363e2f8a4f",
"status": "affected",
"version": "3deff76095c4ac4252e27c537db3041f619c23a2",
"versionType": "git"
},
{
"lessThan": "988bd27de2484faf17afe0408db2e3d9e5ac61fc",
"status": "affected",
"version": "3deff76095c4ac4252e27c537db3041f619c23a2",
"versionType": "git"
},
{
"lessThan": "98d9172822dc6f38138333941984bd759a89d419",
"status": "affected",
"version": "3deff76095c4ac4252e27c537db3041f619c23a2",
"versionType": "git"
},
{
"lessThan": "355f16f756aad0c95cdaa0c14a34ab4137d32815",
"status": "affected",
"version": "3deff76095c4ac4252e27c537db3041f619c23a2",
"versionType": "git"
},
{
"lessThan": "53b9bb1a00c4285ee7f58a11129dbea015db61bc",
"status": "affected",
"version": "3deff76095c4ac4252e27c537db3041f619c23a2",
"versionType": "git"
},
{
"lessThan": "71fc0ad671a62c494d2aec731baeabd3bfe6c95d",
"status": "affected",
"version": "3deff76095c4ac4252e27c537db3041f619c23a2",
"versionType": "git"
},
{
"lessThan": "dd95f2239fc846795fc926787c3ae0ca701c9840",
"status": "affected",
"version": "3deff76095c4ac4252e27c537db3041f619c23a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()\n\nIt is possible that skb is freed in ath9k_htc_rx_msg(), then\nusb_submit_urb() fails and we try to free skb again. It causes\nuse-after-free bug. Moreover, if alloc_skb() fails, urb-\u003econtext becomes\nNULL but rx_buf is not freed and there can be a memory leak.\n\nThe patch removes unnecessary nskb and makes skb processing more clear: it\nis supposed that ath9k_htc_rx_msg() either frees old skb or passes its\nmanaging to another callback function.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:10:51.434Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e8751a977a49a6e00cce1a8da5ca16da83f9c8c"
},
{
"url": "https://git.kernel.org/stable/c/f127c2b4c967025e5c3a4ce7e13b79135d46a33d"
},
{
"url": "https://git.kernel.org/stable/c/0c8dd2ea4b419da96ab4953e4967e9363e2f8a4f"
},
{
"url": "https://git.kernel.org/stable/c/988bd27de2484faf17afe0408db2e3d9e5ac61fc"
},
{
"url": "https://git.kernel.org/stable/c/98d9172822dc6f38138333941984bd759a89d419"
},
{
"url": "https://git.kernel.org/stable/c/355f16f756aad0c95cdaa0c14a34ab4137d32815"
},
{
"url": "https://git.kernel.org/stable/c/53b9bb1a00c4285ee7f58a11129dbea015db61bc"
},
{
"url": "https://git.kernel.org/stable/c/71fc0ad671a62c494d2aec731baeabd3bfe6c95d"
},
{
"url": "https://git.kernel.org/stable/c/dd95f2239fc846795fc926787c3ae0ca701c9840"
}
],
"title": "wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50829",
"datePublished": "2025-12-30T12:10:51.434Z",
"dateReserved": "2025-12-30T12:06:07.132Z",
"dateUpdated": "2025-12-30T12:10:51.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53777 (GCVE-0-2023-53777)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
erofs: kill hooked chains to avoid loops on deduplicated compressed images
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: kill hooked chains to avoid loops on deduplicated compressed images
After heavily stressing EROFS with several images which include a
hand-crafted image of repeated patterns for more than 46 days, I found
two chains could be linked with each other almost simultaneously and
form a loop so that the entire loop won't be submitted. As a
consequence, the corresponding file pages will remain locked forever.
It can be _only_ observed on data-deduplicated compressed images.
For example, consider two chains with five pclusters in total:
Chain 1: 2->3->4->5 -- The tail pcluster is 5;
Chain 2: 5->1->2 -- The tail pcluster is 2.
Chain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link
to Chain 2 at the same time with pcluster 2.
Since hooked chains are all linked locklessly now, I have no idea how
to simply avoid the race. Instead, let's avoid hooked chains completely
until I could work out a proper way to fix this and end users finally
tell us that it's needed to add it back.
Actually, this optimization can be found with multi-threaded workloads
(especially even more often on deduplicated compressed images), yet I'm
not sure about the overall system impacts of not having this compared
with implementation complexity.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
267f2492c8f71dac44399988b510f9bf6b074a51 , < d3b39ea24835ac03da1a30f93ae7c05d55a40191
(git)
Affected: 267f2492c8f71dac44399988b510f9bf6b074a51 , < b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2 (git) Affected: 267f2492c8f71dac44399988b510f9bf6b074a51 , < 10c2b98a40d9044a3e97f4697ca6213bad7e19c2 (git) Affected: 267f2492c8f71dac44399988b510f9bf6b074a51 , < 967c28b23f6c89bb8eef6a046ea88afe0d7c1029 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3b39ea24835ac03da1a30f93ae7c05d55a40191",
"status": "affected",
"version": "267f2492c8f71dac44399988b510f9bf6b074a51",
"versionType": "git"
},
{
"lessThan": "b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2",
"status": "affected",
"version": "267f2492c8f71dac44399988b510f9bf6b074a51",
"versionType": "git"
},
{
"lessThan": "10c2b98a40d9044a3e97f4697ca6213bad7e19c2",
"status": "affected",
"version": "267f2492c8f71dac44399988b510f9bf6b074a51",
"versionType": "git"
},
{
"lessThan": "967c28b23f6c89bb8eef6a046ea88afe0d7c1029",
"status": "affected",
"version": "267f2492c8f71dac44399988b510f9bf6b074a51",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/zdata.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: kill hooked chains to avoid loops on deduplicated compressed images\n\nAfter heavily stressing EROFS with several images which include a\nhand-crafted image of repeated patterns for more than 46 days, I found\ntwo chains could be linked with each other almost simultaneously and\nform a loop so that the entire loop won\u0027t be submitted. As a\nconsequence, the corresponding file pages will remain locked forever.\n\nIt can be _only_ observed on data-deduplicated compressed images.\nFor example, consider two chains with five pclusters in total:\n\tChain 1: 2-\u003e3-\u003e4-\u003e5 -- The tail pcluster is 5;\n Chain 2: 5-\u003e1-\u003e2 -- The tail pcluster is 2.\n\nChain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link\nto Chain 2 at the same time with pcluster 2.\n\nSince hooked chains are all linked locklessly now, I have no idea how\nto simply avoid the race. Instead, let\u0027s avoid hooked chains completely\nuntil I could work out a proper way to fix this and end users finally\ntell us that it\u0027s needed to add it back.\n\nActually, this optimization can be found with multi-threaded workloads\n(especially even more often on deduplicated compressed images), yet I\u0027m\nnot sure about the overall system impacts of not having this compared\nwith implementation complexity."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:32.947Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3b39ea24835ac03da1a30f93ae7c05d55a40191"
},
{
"url": "https://git.kernel.org/stable/c/b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2"
},
{
"url": "https://git.kernel.org/stable/c/10c2b98a40d9044a3e97f4697ca6213bad7e19c2"
},
{
"url": "https://git.kernel.org/stable/c/967c28b23f6c89bb8eef6a046ea88afe0d7c1029"
}
],
"title": "erofs: kill hooked chains to avoid loops on deduplicated compressed images",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53777",
"datePublished": "2025-12-09T00:00:32.947Z",
"dateReserved": "2025-12-08T23:58:35.271Z",
"dateUpdated": "2025-12-09T00:00:32.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49975 (GCVE-0-2022-49975)
Vulnerability from cvelistv5 – Published: 2025-06-18 11:00 – Updated: 2025-12-23 13:26
VLAI?
EPSS
Title
bpf: Don't redirect packets with invalid pkt_len
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Don't redirect packets with invalid pkt_len
Syzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any
skbs, that is, the flow->head is null.
The root cause, as the [2] says, is because that bpf_prog_test_run_skb()
run a bpf prog which redirects empty skbs.
So we should determine whether the length of the packet modified by bpf
prog or others like bpf_prog_test is valid before forwarding it directly.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5293efe62df81908f2e90c9820c7edcc8e61f5e9 , < 8b68e53d56697a59b5c53893b53f508bbdf272a0
(git)
Affected: 5293efe62df81908f2e90c9820c7edcc8e61f5e9 , < 6204bf78b2a903b96ba43afff6abc0b04d6e0462 (git) Affected: 5293efe62df81908f2e90c9820c7edcc8e61f5e9 , < a75987714bd2d8e59840667a28e15c1fa5c47554 (git) Affected: 5293efe62df81908f2e90c9820c7edcc8e61f5e9 , < 72f2dc8993f10262092745a88cb2dd0fef094f23 (git) Affected: 5293efe62df81908f2e90c9820c7edcc8e61f5e9 , < fd1894224407c484f652ad456e1ce423e89bb3eb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/bpf/test_run.c",
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b68e53d56697a59b5c53893b53f508bbdf272a0",
"status": "affected",
"version": "5293efe62df81908f2e90c9820c7edcc8e61f5e9",
"versionType": "git"
},
{
"lessThan": "6204bf78b2a903b96ba43afff6abc0b04d6e0462",
"status": "affected",
"version": "5293efe62df81908f2e90c9820c7edcc8e61f5e9",
"versionType": "git"
},
{
"lessThan": "a75987714bd2d8e59840667a28e15c1fa5c47554",
"status": "affected",
"version": "5293efe62df81908f2e90c9820c7edcc8e61f5e9",
"versionType": "git"
},
{
"lessThan": "72f2dc8993f10262092745a88cb2dd0fef094f23",
"status": "affected",
"version": "5293efe62df81908f2e90c9820c7edcc8e61f5e9",
"versionType": "git"
},
{
"lessThan": "fd1894224407c484f652ad456e1ce423e89bb3eb",
"status": "affected",
"version": "5293efe62df81908f2e90c9820c7edcc8e61f5e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/bpf/test_run.c",
"net/core/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.212",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.212",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.141",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.65",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.7",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Don\u0027t redirect packets with invalid pkt_len\n\nSyzbot found an issue [1]: fq_codel_drop() try to drop a flow whitout any\nskbs, that is, the flow-\u003ehead is null.\nThe root cause, as the [2] says, is because that bpf_prog_test_run_skb()\nrun a bpf prog which redirects empty skbs.\nSo we should determine whether the length of the packet modified by bpf\nprog or others like bpf_prog_test is valid before forwarding it directly."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:26:14.542Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b68e53d56697a59b5c53893b53f508bbdf272a0"
},
{
"url": "https://git.kernel.org/stable/c/6204bf78b2a903b96ba43afff6abc0b04d6e0462"
},
{
"url": "https://git.kernel.org/stable/c/a75987714bd2d8e59840667a28e15c1fa5c47554"
},
{
"url": "https://git.kernel.org/stable/c/72f2dc8993f10262092745a88cb2dd0fef094f23"
},
{
"url": "https://git.kernel.org/stable/c/fd1894224407c484f652ad456e1ce423e89bb3eb"
}
],
"title": "bpf: Don\u0027t redirect packets with invalid pkt_len",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49975",
"datePublished": "2025-06-18T11:00:38.157Z",
"dateReserved": "2025-06-18T10:57:27.385Z",
"dateUpdated": "2025-12-23T13:26:14.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40200 (GCVE-0-2025-40200)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
Squashfs: reject negative file sizes in squashfs_read_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: reject negative file sizes in squashfs_read_inode()
Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.
This warning is ultimately caused because the underlying Squashfs file
system returns a file with a negative file size.
This commit checks for a negative file size and returns EINVAL.
[phillip@squashfs.org.uk: only need to check 64 bit quantity]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 54170057a5fadd24a37b70de41e61d39284d9bd7
(git)
Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 2871c74caa3f4f05b429e6bfefebac62dbf1b408 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < fbfc745db628de31f5c089147deeb87e95b89e66 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 8118f66124895829443d09c207e654adcb2f9321 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 8c7aad76751816207fee556d44aa88a710824810 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 875fb3f87ae0225b881319ba016a1a8c4ffd5812 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < f271155ff31aca8ef82c61c8df23ca97e9a77dd4 (git) Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54170057a5fadd24a37b70de41e61d39284d9bd7",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "2871c74caa3f4f05b429e6bfefebac62dbf1b408",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "fbfc745db628de31f5c089147deeb87e95b89e66",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "8118f66124895829443d09c207e654adcb2f9321",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "8c7aad76751816207fee556d44aa88a710824810",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "875fb3f87ae0225b881319ba016a1a8c4ffd5812",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "f271155ff31aca8ef82c61c8df23ca97e9a77dd4",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
},
{
"lessThan": "9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b",
"status": "affected",
"version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: reject negative file sizes in squashfs_read_inode()\n\nSyskaller reports a \"WARNING in ovl_copy_up_file\" in overlayfs.\n\nThis warning is ultimately caused because the underlying Squashfs file\nsystem returns a file with a negative file size.\n\nThis commit checks for a negative file size and returns EINVAL.\n\n[phillip@squashfs.org.uk: only need to check 64 bit quantity]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:02.406Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54170057a5fadd24a37b70de41e61d39284d9bd7"
},
{
"url": "https://git.kernel.org/stable/c/2871c74caa3f4f05b429e6bfefebac62dbf1b408"
},
{
"url": "https://git.kernel.org/stable/c/fbfc745db628de31f5c089147deeb87e95b89e66"
},
{
"url": "https://git.kernel.org/stable/c/8118f66124895829443d09c207e654adcb2f9321"
},
{
"url": "https://git.kernel.org/stable/c/8c7aad76751816207fee556d44aa88a710824810"
},
{
"url": "https://git.kernel.org/stable/c/875fb3f87ae0225b881319ba016a1a8c4ffd5812"
},
{
"url": "https://git.kernel.org/stable/c/f271155ff31aca8ef82c61c8df23ca97e9a77dd4"
},
{
"url": "https://git.kernel.org/stable/c/9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b"
}
],
"title": "Squashfs: reject negative file sizes in squashfs_read_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40200",
"datePublished": "2025-11-12T21:56:33.783Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:20:02.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50839 (GCVE-0-2022-50839)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
jbd2: fix potential buffer head reference count leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: fix potential buffer head reference count leak
As in 'jbd2_fc_wait_bufs' if buffer isn't uptodate, will return -EIO without
update 'journal->j_fc_off'. But 'jbd2_fc_release_bufs' will release buffer head
from ‘j_fc_off - 1’ if 'bh' is NULL will terminal release which will lead to
buffer head buffer head reference count leak.
To solve above issue, update 'journal->j_fc_off' before return -EIO.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ff780b91efe901b8eecd8114785abae5341820ad , < 7a33dde572fceb45d02d188e0213c47059401c93
(git)
Affected: ff780b91efe901b8eecd8114785abae5341820ad , < e7385c868ee038d6a0cb0e85c22d2741e7910fd5 (git) Affected: ff780b91efe901b8eecd8114785abae5341820ad , < 68ed9c76b2affd47177b92495446abb7262d0ef7 (git) Affected: ff780b91efe901b8eecd8114785abae5341820ad , < 9b073d73725366d886b711b74e058c02f51e7a0e (git) Affected: ff780b91efe901b8eecd8114785abae5341820ad , < e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jbd2/journal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a33dde572fceb45d02d188e0213c47059401c93",
"status": "affected",
"version": "ff780b91efe901b8eecd8114785abae5341820ad",
"versionType": "git"
},
{
"lessThan": "e7385c868ee038d6a0cb0e85c22d2741e7910fd5",
"status": "affected",
"version": "ff780b91efe901b8eecd8114785abae5341820ad",
"versionType": "git"
},
{
"lessThan": "68ed9c76b2affd47177b92495446abb7262d0ef7",
"status": "affected",
"version": "ff780b91efe901b8eecd8114785abae5341820ad",
"versionType": "git"
},
{
"lessThan": "9b073d73725366d886b711b74e058c02f51e7a0e",
"status": "affected",
"version": "ff780b91efe901b8eecd8114785abae5341820ad",
"versionType": "git"
},
{
"lessThan": "e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a",
"status": "affected",
"version": "ff780b91efe901b8eecd8114785abae5341820ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jbd2/journal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: fix potential buffer head reference count leak\n\nAs in \u0027jbd2_fc_wait_bufs\u0027 if buffer isn\u0027t uptodate, will return -EIO without\nupdate \u0027journal-\u003ej_fc_off\u0027. But \u0027jbd2_fc_release_bufs\u0027 will release buffer head\nfrom \u2018j_fc_off - 1\u2019 if \u0027bh\u0027 is NULL will terminal release which will lead to\nbuffer head buffer head reference count leak.\nTo solve above issue, update \u0027journal-\u003ej_fc_off\u0027 before return -EIO."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:54.389Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a33dde572fceb45d02d188e0213c47059401c93"
},
{
"url": "https://git.kernel.org/stable/c/e7385c868ee038d6a0cb0e85c22d2741e7910fd5"
},
{
"url": "https://git.kernel.org/stable/c/68ed9c76b2affd47177b92495446abb7262d0ef7"
},
{
"url": "https://git.kernel.org/stable/c/9b073d73725366d886b711b74e058c02f51e7a0e"
},
{
"url": "https://git.kernel.org/stable/c/e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a"
}
],
"title": "jbd2: fix potential buffer head reference count leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50839",
"datePublished": "2025-12-30T12:10:58.406Z",
"dateReserved": "2025-12-30T12:06:07.133Z",
"dateUpdated": "2026-01-02T15:04:54.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54287 (GCVE-0-2023-54287)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
tty: serial: imx: disable Ageing Timer interrupt request irq
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: serial: imx: disable Ageing Timer interrupt request irq
There maybe pending USR interrupt before requesting irq, however
uart_add_one_port has not executed, so there will be kernel panic:
[ 0.795668] Unable to handle kernel NULL pointer dereference at virtual addre
ss 0000000000000080
[ 0.802701] Mem abort info:
[ 0.805367] ESR = 0x0000000096000004
[ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits
[ 0.814033] SET = 0, FnV = 0
[ 0.816950] EA = 0, S1PTW = 0
[ 0.819950] FSC = 0x04: level 0 translation fault
[ 0.824617] Data abort info:
[ 0.827367] ISV = 0, ISS = 0x00000004
[ 0.831033] CM = 0, WnR = 0
[ 0.833866] [0000000000000080] user address but active_mm is swapper
[ 0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 0.845953] Modules linked in:
[ 0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1
[ 0.855617] Hardware name: Freescale i.MX8MP EVK (DT)
[ 0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0
[ 0.872283] lr : imx_uart_int+0xf8/0x1ec
The issue only happends in the inmate linux when Jailhouse hypervisor
enabled. The test procedure is:
while true; do
jailhouse enable imx8mp.cell
jailhouse cell linux xxxx
sleep 10
jailhouse cell destroy 1
jailhouse disable
sleep 5
done
And during the upper test, press keys to the 2nd linux console.
When `jailhouse cell destroy 1`, the 2nd linux has no chance to put
the uart to a quiese state, so USR1/2 may has pending interrupts. Then
when `jailhosue cell linux xx` to start 2nd linux again, the issue
trigger.
In order to disable irqs before requesting them, both UCR1 and UCR2 irqs
should be disabled, so here fix that, disable the Ageing Timer interrupt
in UCR2 as UCR1 does.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8a61f0c70ae65c6b70d13228c3120c73d7425a60 , < 3d41d9b256ae626c0dc434427c8e32450358d3b4
(git)
Affected: 8a61f0c70ae65c6b70d13228c3120c73d7425a60 , < 9795ece3a85ba9238191e97665586e2d79703ff3 (git) Affected: 8a61f0c70ae65c6b70d13228c3120c73d7425a60 , < 963875b0655197281775b0ea614aab8b6b3eb001 (git) Affected: 8a61f0c70ae65c6b70d13228c3120c73d7425a60 , < ef25e16ea9674b713a68c3bda821556ce9901254 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/imx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d41d9b256ae626c0dc434427c8e32450358d3b4",
"status": "affected",
"version": "8a61f0c70ae65c6b70d13228c3120c73d7425a60",
"versionType": "git"
},
{
"lessThan": "9795ece3a85ba9238191e97665586e2d79703ff3",
"status": "affected",
"version": "8a61f0c70ae65c6b70d13228c3120c73d7425a60",
"versionType": "git"
},
{
"lessThan": "963875b0655197281775b0ea614aab8b6b3eb001",
"status": "affected",
"version": "8a61f0c70ae65c6b70d13228c3120c73d7425a60",
"versionType": "git"
},
{
"lessThan": "ef25e16ea9674b713a68c3bda821556ce9901254",
"status": "affected",
"version": "8a61f0c70ae65c6b70d13228c3120c73d7425a60",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/imx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: imx: disable Ageing Timer interrupt request irq\n\nThere maybe pending USR interrupt before requesting irq, however\nuart_add_one_port has not executed, so there will be kernel panic:\n[ 0.795668] Unable to handle kernel NULL pointer dereference at virtual addre\nss 0000000000000080\n[ 0.802701] Mem abort info:\n[ 0.805367] ESR = 0x0000000096000004\n[ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 0.814033] SET = 0, FnV = 0\n[ 0.816950] EA = 0, S1PTW = 0\n[ 0.819950] FSC = 0x04: level 0 translation fault\n[ 0.824617] Data abort info:\n[ 0.827367] ISV = 0, ISS = 0x00000004\n[ 0.831033] CM = 0, WnR = 0\n[ 0.833866] [0000000000000080] user address but active_mm is swapper\n[ 0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n[ 0.845953] Modules linked in:\n[ 0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1\n[ 0.855617] Hardware name: Freescale i.MX8MP EVK (DT)\n[ 0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0\n[ 0.872283] lr : imx_uart_int+0xf8/0x1ec\n\nThe issue only happends in the inmate linux when Jailhouse hypervisor\nenabled. The test procedure is:\nwhile true; do\n\tjailhouse enable imx8mp.cell\n\tjailhouse cell linux xxxx\n\tsleep 10\n\tjailhouse cell destroy 1\n\tjailhouse disable\n\tsleep 5\ndone\n\nAnd during the upper test, press keys to the 2nd linux console.\nWhen `jailhouse cell destroy 1`, the 2nd linux has no chance to put\nthe uart to a quiese state, so USR1/2 may has pending interrupts. Then\nwhen `jailhosue cell linux xx` to start 2nd linux again, the issue\ntrigger.\n\nIn order to disable irqs before requesting them, both UCR1 and UCR2 irqs\nshould be disabled, so here fix that, disable the Ageing Timer interrupt\nin UCR2 as UCR1 does."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:27.076Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d41d9b256ae626c0dc434427c8e32450358d3b4"
},
{
"url": "https://git.kernel.org/stable/c/9795ece3a85ba9238191e97665586e2d79703ff3"
},
{
"url": "https://git.kernel.org/stable/c/963875b0655197281775b0ea614aab8b6b3eb001"
},
{
"url": "https://git.kernel.org/stable/c/ef25e16ea9674b713a68c3bda821556ce9901254"
}
],
"title": "tty: serial: imx: disable Ageing Timer interrupt request irq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54287",
"datePublished": "2025-12-30T12:23:27.076Z",
"dateReserved": "2025-12-30T12:06:44.526Z",
"dateUpdated": "2025-12-30T12:23:27.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54304 (GCVE-0-2023-54304)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
firmware: meson_sm: fix to avoid potential NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: meson_sm: fix to avoid potential NULL pointer dereference
of_match_device() may fail and returns a NULL pointer.
Fix this by checking the return value of of_match_device.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
525ae72d9f0b5cf027f1c78c84e41c90e86df026 , < fba9c24c196310546f13c77ff66d0741155fa771
(git)
Affected: 8cde3c2153e8f57be884c0e73f18bc4de150e870 , < 9f4017cac70c04090dd4f672e755d6c875af67d8 (git) Affected: 8cde3c2153e8f57be884c0e73f18bc4de150e870 , < 502dfc5875bab9ae5d6a2939146c2c5e5683be40 (git) Affected: 8cde3c2153e8f57be884c0e73f18bc4de150e870 , < bd3a6b6d5dd863dbbe17985c7612159cf4533cad (git) Affected: 8cde3c2153e8f57be884c0e73f18bc4de150e870 , < 68f3209546b5083f8bffa46f7173cc05191eace1 (git) Affected: 8cde3c2153e8f57be884c0e73f18bc4de150e870 , < 2d6c4a1a4e6678cb98dd57964f133a995ecc91c1 (git) Affected: 8cde3c2153e8f57be884c0e73f18bc4de150e870 , < f2ed165619c16577c02b703a114a1f6b52026df4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/meson/meson_sm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fba9c24c196310546f13c77ff66d0741155fa771",
"status": "affected",
"version": "525ae72d9f0b5cf027f1c78c84e41c90e86df026",
"versionType": "git"
},
{
"lessThan": "9f4017cac70c04090dd4f672e755d6c875af67d8",
"status": "affected",
"version": "8cde3c2153e8f57be884c0e73f18bc4de150e870",
"versionType": "git"
},
{
"lessThan": "502dfc5875bab9ae5d6a2939146c2c5e5683be40",
"status": "affected",
"version": "8cde3c2153e8f57be884c0e73f18bc4de150e870",
"versionType": "git"
},
{
"lessThan": "bd3a6b6d5dd863dbbe17985c7612159cf4533cad",
"status": "affected",
"version": "8cde3c2153e8f57be884c0e73f18bc4de150e870",
"versionType": "git"
},
{
"lessThan": "68f3209546b5083f8bffa46f7173cc05191eace1",
"status": "affected",
"version": "8cde3c2153e8f57be884c0e73f18bc4de150e870",
"versionType": "git"
},
{
"lessThan": "2d6c4a1a4e6678cb98dd57964f133a995ecc91c1",
"status": "affected",
"version": "8cde3c2153e8f57be884c0e73f18bc4de150e870",
"versionType": "git"
},
{
"lessThan": "f2ed165619c16577c02b703a114a1f6b52026df4",
"status": "affected",
"version": "8cde3c2153e8f57be884c0e73f18bc4de150e870",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/meson/meson_sm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: meson_sm: fix to avoid potential NULL pointer dereference\n\nof_match_device() may fail and returns a NULL pointer.\n\nFix this by checking the return value of of_match_device."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:38.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fba9c24c196310546f13c77ff66d0741155fa771"
},
{
"url": "https://git.kernel.org/stable/c/9f4017cac70c04090dd4f672e755d6c875af67d8"
},
{
"url": "https://git.kernel.org/stable/c/502dfc5875bab9ae5d6a2939146c2c5e5683be40"
},
{
"url": "https://git.kernel.org/stable/c/bd3a6b6d5dd863dbbe17985c7612159cf4533cad"
},
{
"url": "https://git.kernel.org/stable/c/68f3209546b5083f8bffa46f7173cc05191eace1"
},
{
"url": "https://git.kernel.org/stable/c/2d6c4a1a4e6678cb98dd57964f133a995ecc91c1"
},
{
"url": "https://git.kernel.org/stable/c/f2ed165619c16577c02b703a114a1f6b52026df4"
}
],
"title": "firmware: meson_sm: fix to avoid potential NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54304",
"datePublished": "2025-12-30T12:23:38.495Z",
"dateReserved": "2025-12-30T12:06:44.529Z",
"dateUpdated": "2025-12-30T12:23:38.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54198 (GCVE-0-2023-54198)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:09 – Updated: 2026-01-05 11:36
VLAI?
EPSS
Title
tty: fix out-of-bounds access in tty_driver_lookup_tty()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: fix out-of-bounds access in tty_driver_lookup_tty()
When specifying an invalid console= device like console=tty3270,
tty_driver_lookup_tty() returns the tty struct without checking
whether index is a valid number.
To reproduce:
qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \
-kernel ../linux-build-x86/arch/x86/boot/bzImage \
-append "console=ttyS0 console=tty3270"
This crashes with:
[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef
[ 0.771265] #PF: supervisor read access in kernel mode
[ 0.771773] #PF: error_code(0x0000) - not-present page
[ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI
[ 0.774878] RIP: 0010:tty_open+0x268/0x6f0
[ 0.784013] chrdev_open+0xbd/0x230
[ 0.784444] ? cdev_device_add+0x80/0x80
[ 0.784920] do_dentry_open+0x1e0/0x410
[ 0.785389] path_openat+0xca9/0x1050
[ 0.785813] do_filp_open+0xaa/0x150
[ 0.786240] file_open_name+0x133/0x1b0
[ 0.786746] filp_open+0x27/0x50
[ 0.787244] console_on_rootfs+0x14/0x4d
[ 0.787800] kernel_init_freeable+0x1e4/0x20d
[ 0.788383] ? rest_init+0xc0/0xc0
[ 0.788881] kernel_init+0x11/0x120
[ 0.789356] ret_from_fork+0x22/0x30
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
99f1fe189daf8e99a847e420567e49dd7ee2aae7 , < 3df6f492f500a16c231f07ccc6f6ed1302caddf9
(git)
Affected: 99f1fe189daf8e99a847e420567e49dd7ee2aae7 , < b79109d6470aaae7062998353e3a19449055829d (git) Affected: 99f1fe189daf8e99a847e420567e49dd7ee2aae7 , < 953a4a352a0c185460ae1449e4c6e6658e55fdfc (git) Affected: 99f1fe189daf8e99a847e420567e49dd7ee2aae7 , < 84ea44dc3e4ecb2632586238014bf6722aa5843b (git) Affected: 99f1fe189daf8e99a847e420567e49dd7ee2aae7 , < f9d9d25ad1f0d060eaf297a2f7f03b5855a45561 (git) Affected: 99f1fe189daf8e99a847e420567e49dd7ee2aae7 , < 765566110eb0da3cf60198b0165ecceeaafa6444 (git) Affected: 99f1fe189daf8e99a847e420567e49dd7ee2aae7 , < fcfeaa570f7a5c2d5f4f14931909531ff18b7fde (git) Affected: 99f1fe189daf8e99a847e420567e49dd7ee2aae7 , < db4df8e9d79e7d37732c1a1b560958e8dadfefa1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/tty_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3df6f492f500a16c231f07ccc6f6ed1302caddf9",
"status": "affected",
"version": "99f1fe189daf8e99a847e420567e49dd7ee2aae7",
"versionType": "git"
},
{
"lessThan": "b79109d6470aaae7062998353e3a19449055829d",
"status": "affected",
"version": "99f1fe189daf8e99a847e420567e49dd7ee2aae7",
"versionType": "git"
},
{
"lessThan": "953a4a352a0c185460ae1449e4c6e6658e55fdfc",
"status": "affected",
"version": "99f1fe189daf8e99a847e420567e49dd7ee2aae7",
"versionType": "git"
},
{
"lessThan": "84ea44dc3e4ecb2632586238014bf6722aa5843b",
"status": "affected",
"version": "99f1fe189daf8e99a847e420567e49dd7ee2aae7",
"versionType": "git"
},
{
"lessThan": "f9d9d25ad1f0d060eaf297a2f7f03b5855a45561",
"status": "affected",
"version": "99f1fe189daf8e99a847e420567e49dd7ee2aae7",
"versionType": "git"
},
{
"lessThan": "765566110eb0da3cf60198b0165ecceeaafa6444",
"status": "affected",
"version": "99f1fe189daf8e99a847e420567e49dd7ee2aae7",
"versionType": "git"
},
{
"lessThan": "fcfeaa570f7a5c2d5f4f14931909531ff18b7fde",
"status": "affected",
"version": "99f1fe189daf8e99a847e420567e49dd7ee2aae7",
"versionType": "git"
},
{
"lessThan": "db4df8e9d79e7d37732c1a1b560958e8dadfefa1",
"status": "affected",
"version": "99f1fe189daf8e99a847e420567e49dd7ee2aae7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/tty_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix out-of-bounds access in tty_driver_lookup_tty()\n\nWhen specifying an invalid console= device like console=tty3270,\ntty_driver_lookup_tty() returns the tty struct without checking\nwhether index is a valid number.\n\nTo reproduce:\n\nqemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \\\n-kernel ../linux-build-x86/arch/x86/boot/bzImage \\\n-append \"console=ttyS0 console=tty3270\"\n\nThis crashes with:\n\n[ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef\n[ 0.771265] #PF: supervisor read access in kernel mode\n[ 0.771773] #PF: error_code(0x0000) - not-present page\n[ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 0.774878] RIP: 0010:tty_open+0x268/0x6f0\n[ 0.784013] chrdev_open+0xbd/0x230\n[ 0.784444] ? cdev_device_add+0x80/0x80\n[ 0.784920] do_dentry_open+0x1e0/0x410\n[ 0.785389] path_openat+0xca9/0x1050\n[ 0.785813] do_filp_open+0xaa/0x150\n[ 0.786240] file_open_name+0x133/0x1b0\n[ 0.786746] filp_open+0x27/0x50\n[ 0.787244] console_on_rootfs+0x14/0x4d\n[ 0.787800] kernel_init_freeable+0x1e4/0x20d\n[ 0.788383] ? rest_init+0xc0/0xc0\n[ 0.788881] kernel_init+0x11/0x120\n[ 0.789356] ret_from_fork+0x22/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:36:50.292Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3df6f492f500a16c231f07ccc6f6ed1302caddf9"
},
{
"url": "https://git.kernel.org/stable/c/b79109d6470aaae7062998353e3a19449055829d"
},
{
"url": "https://git.kernel.org/stable/c/953a4a352a0c185460ae1449e4c6e6658e55fdfc"
},
{
"url": "https://git.kernel.org/stable/c/84ea44dc3e4ecb2632586238014bf6722aa5843b"
},
{
"url": "https://git.kernel.org/stable/c/f9d9d25ad1f0d060eaf297a2f7f03b5855a45561"
},
{
"url": "https://git.kernel.org/stable/c/765566110eb0da3cf60198b0165ecceeaafa6444"
},
{
"url": "https://git.kernel.org/stable/c/fcfeaa570f7a5c2d5f4f14931909531ff18b7fde"
},
{
"url": "https://git.kernel.org/stable/c/db4df8e9d79e7d37732c1a1b560958e8dadfefa1"
}
],
"title": "tty: fix out-of-bounds access in tty_driver_lookup_tty()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54198",
"datePublished": "2025-12-30T12:09:04.229Z",
"dateReserved": "2025-12-30T12:06:44.499Z",
"dateUpdated": "2026-01-05T11:36:50.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53782 (GCVE-0-2023-53782)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
dccp: Fix out of bounds access in DCCP error handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
dccp: Fix out of bounds access in DCCP error handler
There was a previous attempt to fix an out-of-bounds access in the DCCP
error handlers, but that fix assumed that the error handlers only want
to access the first 8 bytes of the DCCP header. Actually, they also look
at the DCCP sequence number, which is stored beyond 8 bytes, so an
explicit pskb_may_pull() is required.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6706a97fec963d6cb3f7fc2978ec1427b4651214 , < 3533e10272555c422a7d51ebc0ce8c483429f7f2
(git)
Affected: 6706a97fec963d6cb3f7fc2978ec1427b4651214 , < 177212bf6dc1ff2d13d0409cddc5c9e81feec63d (git) Affected: 6706a97fec963d6cb3f7fc2978ec1427b4651214 , < 7a7dd70cb954d3efa706a429687ded88c02496fa (git) Affected: 6706a97fec963d6cb3f7fc2978ec1427b4651214 , < 4b8a938e329ae4eb54b73b0c87b5170607b038a8 (git) Affected: 6706a97fec963d6cb3f7fc2978ec1427b4651214 , < 6ecf09699eb1554299aa1e7fd13e9e80f656c2f9 (git) Affected: 6706a97fec963d6cb3f7fc2978ec1427b4651214 , < f8a7f10a1dccf9868ff09342a73dce27501b86df (git) Affected: 6706a97fec963d6cb3f7fc2978ec1427b4651214 , < d8171411a661253e6271fa10b65b46daf1b6471c (git) Affected: 6706a97fec963d6cb3f7fc2978ec1427b4651214 , < ec620c34f5fa5d055f9f6136a387755db6157712 (git) Affected: 6706a97fec963d6cb3f7fc2978ec1427b4651214 , < 977ad86c2a1bcaf58f01ab98df5cc145083c489c (git) Affected: 96106a207ae972d8f9e4815e84c159f29e4bbee7 (git) Affected: 261def571d19d3b4e2228643c5c0ac89f5e10d15 (git) Affected: dbf1719c65fb0368a94d15767c669e47e295a073 (git) Affected: 46b1ffd4738a3ee04b2e8f5a4b8cfc39e9c722a2 (git) Affected: a2df29ed840f90e459a3f8ff029b216be3912731 (git) Affected: ba93cf7d2118774c0b2dcfccc8ae999427815caa (git) Affected: 4ca7e66fcce02459fa6961979f9fe30ae1098cf0 (git) Affected: bd380617d5d161ea2bbe7a8073b3ca7bca0381e5 (git) Affected: bfe7d1dee859cad6802f8e21a0a863f408114612 (git) Affected: 968953df833c61fce5adcc0612efeaced24e5719 (git) Affected: 99131760a8851e6e5b2c9b24d0a68a3068923a08 (git) Affected: 84d9c612bb7a9e44c6bf286bedfbe72a6d2d71d4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/dccp/ipv4.c",
"net/dccp/ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3533e10272555c422a7d51ebc0ce8c483429f7f2",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "177212bf6dc1ff2d13d0409cddc5c9e81feec63d",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "7a7dd70cb954d3efa706a429687ded88c02496fa",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "4b8a938e329ae4eb54b73b0c87b5170607b038a8",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "6ecf09699eb1554299aa1e7fd13e9e80f656c2f9",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "f8a7f10a1dccf9868ff09342a73dce27501b86df",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "d8171411a661253e6271fa10b65b46daf1b6471c",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "ec620c34f5fa5d055f9f6136a387755db6157712",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"lessThan": "977ad86c2a1bcaf58f01ab98df5cc145083c489c",
"status": "affected",
"version": "6706a97fec963d6cb3f7fc2978ec1427b4651214",
"versionType": "git"
},
{
"status": "affected",
"version": "96106a207ae972d8f9e4815e84c159f29e4bbee7",
"versionType": "git"
},
{
"status": "affected",
"version": "261def571d19d3b4e2228643c5c0ac89f5e10d15",
"versionType": "git"
},
{
"status": "affected",
"version": "dbf1719c65fb0368a94d15767c669e47e295a073",
"versionType": "git"
},
{
"status": "affected",
"version": "46b1ffd4738a3ee04b2e8f5a4b8cfc39e9c722a2",
"versionType": "git"
},
{
"status": "affected",
"version": "a2df29ed840f90e459a3f8ff029b216be3912731",
"versionType": "git"
},
{
"status": "affected",
"version": "ba93cf7d2118774c0b2dcfccc8ae999427815caa",
"versionType": "git"
},
{
"status": "affected",
"version": "4ca7e66fcce02459fa6961979f9fe30ae1098cf0",
"versionType": "git"
},
{
"status": "affected",
"version": "bd380617d5d161ea2bbe7a8073b3ca7bca0381e5",
"versionType": "git"
},
{
"status": "affected",
"version": "bfe7d1dee859cad6802f8e21a0a863f408114612",
"versionType": "git"
},
{
"status": "affected",
"version": "968953df833c61fce5adcc0612efeaced24e5719",
"versionType": "git"
},
{
"status": "affected",
"version": "99131760a8851e6e5b2c9b24d0a68a3068923a08",
"versionType": "git"
},
{
"status": "affected",
"version": "84d9c612bb7a9e44c6bf286bedfbe72a6d2d71d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/dccp/ipv4.c",
"net/dccp/ipv6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.42",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: Fix out of bounds access in DCCP error handler\n\nThere was a previous attempt to fix an out-of-bounds access in the DCCP\nerror handlers, but that fix assumed that the error handlers only want\nto access the first 8 bytes of the DCCP header. Actually, they also look\nat the DCCP sequence number, which is stored beyond 8 bytes, so an\nexplicit pskb_may_pull() is required."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:37.741Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3533e10272555c422a7d51ebc0ce8c483429f7f2"
},
{
"url": "https://git.kernel.org/stable/c/177212bf6dc1ff2d13d0409cddc5c9e81feec63d"
},
{
"url": "https://git.kernel.org/stable/c/7a7dd70cb954d3efa706a429687ded88c02496fa"
},
{
"url": "https://git.kernel.org/stable/c/4b8a938e329ae4eb54b73b0c87b5170607b038a8"
},
{
"url": "https://git.kernel.org/stable/c/6ecf09699eb1554299aa1e7fd13e9e80f656c2f9"
},
{
"url": "https://git.kernel.org/stable/c/f8a7f10a1dccf9868ff09342a73dce27501b86df"
},
{
"url": "https://git.kernel.org/stable/c/d8171411a661253e6271fa10b65b46daf1b6471c"
},
{
"url": "https://git.kernel.org/stable/c/ec620c34f5fa5d055f9f6136a387755db6157712"
},
{
"url": "https://git.kernel.org/stable/c/977ad86c2a1bcaf58f01ab98df5cc145083c489c"
}
],
"title": "dccp: Fix out of bounds access in DCCP error handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53782",
"datePublished": "2025-12-09T00:00:37.741Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-09T00:00:37.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40275 (GCVE-0-2025-40275)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2025-12-06 21:50
VLAI?
EPSS
Title
ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd
In snd_usb_create_streams(), for UAC version 3 devices, the Interface
Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this
call fails, a fallback routine attempts to obtain the IAD from the next
interface and sets a BADD profile. However, snd_usb_mixer_controls_badd()
assumes that the IAD retrieved from usb_ifnum_to_if() is always valid,
without performing a NULL check. This can lead to a NULL pointer
dereference when usb_ifnum_to_if() fails to find the interface descriptor.
This patch adds a NULL pointer check after calling usb_ifnum_to_if() in
snd_usb_mixer_controls_badd() to prevent the dereference.
This issue was discovered by syzkaller, which triggered the bug by sending
a crafted USB device descriptor.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
17156f23e93c0f59e06dd2aaffd06221341caaee , < 23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4
(git)
Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6 (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 9f282104627be5fbded3102ff9004f753c55a063 (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 2762d3ea9c929ca4094541ca517c317ffa94625b (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 57f607c112966c21240c424b33e2cb71e121dcf0 (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < cbdbfc756f2990942138ed0138da9303b4dbf9ff (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 85568535893600024d7d8794f4f8b6428b521e0c (git) Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 632108ec072ad64c8c83db6e16a7efee29ebfb74 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "9f282104627be5fbded3102ff9004f753c55a063",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "2762d3ea9c929ca4094541ca517c317ffa94625b",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "57f607c112966c21240c424b33e2cb71e121dcf0",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "cbdbfc756f2990942138ed0138da9303b4dbf9ff",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "85568535893600024d7d8794f4f8b6428b521e0c",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
},
{
"lessThan": "632108ec072ad64c8c83db6e16a7efee29ebfb74",
"status": "affected",
"version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/mixer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd\n\nIn snd_usb_create_streams(), for UAC version 3 devices, the Interface\nAssociation Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this\ncall fails, a fallback routine attempts to obtain the IAD from the next\ninterface and sets a BADD profile. However, snd_usb_mixer_controls_badd()\nassumes that the IAD retrieved from usb_ifnum_to_if() is always valid,\nwithout performing a NULL check. This can lead to a NULL pointer\ndereference when usb_ifnum_to_if() fails to find the interface descriptor.\n\nThis patch adds a NULL pointer check after calling usb_ifnum_to_if() in\nsnd_usb_mixer_controls_badd() to prevent the dereference.\n\nThis issue was discovered by syzkaller, which triggered the bug by sending\na crafted USB device descriptor."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:50:57.914Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4"
},
{
"url": "https://git.kernel.org/stable/c/c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6"
},
{
"url": "https://git.kernel.org/stable/c/9f282104627be5fbded3102ff9004f753c55a063"
},
{
"url": "https://git.kernel.org/stable/c/2762d3ea9c929ca4094541ca517c317ffa94625b"
},
{
"url": "https://git.kernel.org/stable/c/57f607c112966c21240c424b33e2cb71e121dcf0"
},
{
"url": "https://git.kernel.org/stable/c/cbdbfc756f2990942138ed0138da9303b4dbf9ff"
},
{
"url": "https://git.kernel.org/stable/c/85568535893600024d7d8794f4f8b6428b521e0c"
},
{
"url": "https://git.kernel.org/stable/c/632108ec072ad64c8c83db6e16a7efee29ebfb74"
}
],
"title": "ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40275",
"datePublished": "2025-12-06T21:50:57.914Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:50:57.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54214 (GCVE-0-2023-54214)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
Bluetooth: L2CAP: Fix potential user-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix potential user-after-free
This fixes all instances of which requires to allocate a buffer calling
alloc_skb which may release the chan lock and reacquire later which
makes it possible that the chan is disconnected in the meantime.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a6a5568c03c4805d4d250f6bd9d468eeeb4ea059 , < b2fde8cb2a25125111f2144604e0e7c0ebcc4bba
(git)
Affected: a6a5568c03c4805d4d250f6bd9d468eeeb4ea059 , < a6a7d1541fefddf7ca0cfb34c1bff63ff809cc49 (git) Affected: a6a5568c03c4805d4d250f6bd9d468eeeb4ea059 , < 60aaccf16d1e099c16bebfb96428ae762cb528f7 (git) Affected: a6a5568c03c4805d4d250f6bd9d468eeeb4ea059 , < b8ed41cc04fb74005aa51d17865ca3d022760335 (git) Affected: a6a5568c03c4805d4d250f6bd9d468eeeb4ea059 , < 31a288a4df7f6a28e65da22a4ab2add4a963738e (git) Affected: a6a5568c03c4805d4d250f6bd9d468eeeb4ea059 , < 64e28ecf44e46de9f01915a4146706a21c3469d2 (git) Affected: a6a5568c03c4805d4d250f6bd9d468eeeb4ea059 , < 994e3e18908f5c4a12d07b44018e6aa85f071048 (git) Affected: a6a5568c03c4805d4d250f6bd9d468eeeb4ea059 , < df5703348813235874d851934e957c3723d71644 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c",
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2fde8cb2a25125111f2144604e0e7c0ebcc4bba",
"status": "affected",
"version": "a6a5568c03c4805d4d250f6bd9d468eeeb4ea059",
"versionType": "git"
},
{
"lessThan": "a6a7d1541fefddf7ca0cfb34c1bff63ff809cc49",
"status": "affected",
"version": "a6a5568c03c4805d4d250f6bd9d468eeeb4ea059",
"versionType": "git"
},
{
"lessThan": "60aaccf16d1e099c16bebfb96428ae762cb528f7",
"status": "affected",
"version": "a6a5568c03c4805d4d250f6bd9d468eeeb4ea059",
"versionType": "git"
},
{
"lessThan": "b8ed41cc04fb74005aa51d17865ca3d022760335",
"status": "affected",
"version": "a6a5568c03c4805d4d250f6bd9d468eeeb4ea059",
"versionType": "git"
},
{
"lessThan": "31a288a4df7f6a28e65da22a4ab2add4a963738e",
"status": "affected",
"version": "a6a5568c03c4805d4d250f6bd9d468eeeb4ea059",
"versionType": "git"
},
{
"lessThan": "64e28ecf44e46de9f01915a4146706a21c3469d2",
"status": "affected",
"version": "a6a5568c03c4805d4d250f6bd9d468eeeb4ea059",
"versionType": "git"
},
{
"lessThan": "994e3e18908f5c4a12d07b44018e6aa85f071048",
"status": "affected",
"version": "a6a5568c03c4805d4d250f6bd9d468eeeb4ea059",
"versionType": "git"
},
{
"lessThan": "df5703348813235874d851934e957c3723d71644",
"status": "affected",
"version": "a6a5568c03c4805d4d250f6bd9d468eeeb4ea059",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c",
"net/bluetooth/l2cap_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix potential user-after-free\n\nThis fixes all instances of which requires to allocate a buffer calling\nalloc_skb which may release the chan lock and reacquire later which\nmakes it possible that the chan is disconnected in the meantime."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:11.383Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2fde8cb2a25125111f2144604e0e7c0ebcc4bba"
},
{
"url": "https://git.kernel.org/stable/c/a6a7d1541fefddf7ca0cfb34c1bff63ff809cc49"
},
{
"url": "https://git.kernel.org/stable/c/60aaccf16d1e099c16bebfb96428ae762cb528f7"
},
{
"url": "https://git.kernel.org/stable/c/b8ed41cc04fb74005aa51d17865ca3d022760335"
},
{
"url": "https://git.kernel.org/stable/c/31a288a4df7f6a28e65da22a4ab2add4a963738e"
},
{
"url": "https://git.kernel.org/stable/c/64e28ecf44e46de9f01915a4146706a21c3469d2"
},
{
"url": "https://git.kernel.org/stable/c/994e3e18908f5c4a12d07b44018e6aa85f071048"
},
{
"url": "https://git.kernel.org/stable/c/df5703348813235874d851934e957c3723d71644"
}
],
"title": "Bluetooth: L2CAP: Fix potential user-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54214",
"datePublished": "2025-12-30T12:11:11.383Z",
"dateReserved": "2025-12-30T12:06:44.500Z",
"dateUpdated": "2025-12-30T12:11:11.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53860 (GCVE-0-2023-53860)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
dm: don't attempt to queue IO under RCU protection
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: don't attempt to queue IO under RCU protection
dm looks up the table for IO based on the request type, with an
assumption that if the request is marked REQ_NOWAIT, it's fine to
attempt to submit that IO while under RCU read lock protection. This
is not OK, as REQ_NOWAIT just means that we should not be sleeping
waiting on other IO, it does not mean that we can't potentially
schedule.
A simple test case demonstrates this quite nicely:
int main(int argc, char *argv[])
{
struct iovec iov;
int fd;
fd = open("/dev/dm-0", O_RDONLY | O_DIRECT);
posix_memalign(&iov.iov_base, 4096, 4096);
iov.iov_len = 4096;
preadv2(fd, &iov, 1, 0, RWF_NOWAIT);
return 0;
}
which will instantly spew:
BUG: sleeping function called from invalid context at include/linux/sched/mm.h:306
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5580, name: dm-nowait
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
INFO: lockdep is turned off.
CPU: 7 PID: 5580 Comm: dm-nowait Not tainted 6.6.0-rc1-g39956d2dcd81 #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x11d/0x1b0
__might_resched+0x3c3/0x5e0
? preempt_count_sub+0x150/0x150
mempool_alloc+0x1e2/0x390
? mempool_resize+0x7d0/0x7d0
? lock_sync+0x190/0x190
? lock_release+0x4b7/0x670
? internal_get_user_pages_fast+0x868/0x2d40
bio_alloc_bioset+0x417/0x8c0
? bvec_alloc+0x200/0x200
? internal_get_user_pages_fast+0xb8c/0x2d40
bio_alloc_clone+0x53/0x100
dm_submit_bio+0x27f/0x1a20
? lock_release+0x4b7/0x670
? blk_try_enter_queue+0x1a0/0x4d0
? dm_dax_direct_access+0x260/0x260
? rcu_is_watching+0x12/0xb0
? blk_try_enter_queue+0x1cc/0x4d0
__submit_bio+0x239/0x310
? __bio_queue_enter+0x700/0x700
? kvm_clock_get_cycles+0x40/0x60
? ktime_get+0x285/0x470
submit_bio_noacct_nocheck+0x4d9/0xb80
? should_fail_request+0x80/0x80
? preempt_count_sub+0x150/0x150
? lock_release+0x4b7/0x670
? __bio_add_page+0x143/0x2d0
? iov_iter_revert+0x27/0x360
submit_bio_noacct+0x53e/0x1b30
submit_bio_wait+0x10a/0x230
? submit_bio_wait_endio+0x40/0x40
__blkdev_direct_IO_simple+0x4f8/0x780
? blkdev_bio_end_io+0x4c0/0x4c0
? stack_trace_save+0x90/0xc0
? __bio_clone+0x3c0/0x3c0
? lock_release+0x4b7/0x670
? lock_sync+0x190/0x190
? atime_needs_update+0x3bf/0x7e0
? timestamp_truncate+0x21b/0x2d0
? inode_owner_or_capable+0x240/0x240
blkdev_direct_IO.part.0+0x84a/0x1810
? rcu_is_watching+0x12/0xb0
? lock_release+0x4b7/0x670
? blkdev_read_iter+0x40d/0x530
? reacquire_held_locks+0x4e0/0x4e0
? __blkdev_direct_IO_simple+0x780/0x780
? rcu_is_watching+0x12/0xb0
? __mark_inode_dirty+0x297/0xd50
? preempt_count_add+0x72/0x140
blkdev_read_iter+0x2a4/0x530
do_iter_readv_writev+0x2f2/0x3c0
? generic_copy_file_range+0x1d0/0x1d0
? fsnotify_perm.part.0+0x25d/0x630
? security_file_permission+0xd8/0x100
do_iter_read+0x31b/0x880
? import_iovec+0x10b/0x140
vfs_readv+0x12d/0x1a0
? vfs_iter_read+0xb0/0xb0
? rcu_is_watching+0x12/0xb0
? rcu_is_watching+0x12/0xb0
? lock_release+0x4b7/0x670
do_preadv+0x1b3/0x260
? do_readv+0x370/0x370
__x64_sys_preadv2+0xef/0x150
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f5af41ad806
Code: 41 54 41 89 fc 55 44 89 c5 53 48 89 cb 48 83 ec 18 80 3d e4 dd 0d 00 00 74 7a 45 89 c1 49 89 ca 45 31 c0 b8 47 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 be 00 00 00 48 85 c0 79 4a 48 8b 0d da 55
RSP: 002b:00007ffd3145c7f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000147
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5af41ad806
RDX: 0000000000000001 RSI: 00007ffd3145c850 RDI: 0000000000000003
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 00007ffd3145c850 R14: 000055f5f0431dd8 R15: 0000000000000001
</TASK>
where in fact it is
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
563a225c9fd207326c2a2af9d59b4097cb31ce70 , < d7b2abd87d1fcdb47811f90090a363e7ca15cb14
(git)
Affected: 563a225c9fd207326c2a2af9d59b4097cb31ce70 , < 699775e9338adcd4eaedea000d32c60250c3114d (git) Affected: 563a225c9fd207326c2a2af9d59b4097cb31ce70 , < a9ce385344f916cd1c36a33905e564f5581beae9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7b2abd87d1fcdb47811f90090a363e7ca15cb14",
"status": "affected",
"version": "563a225c9fd207326c2a2af9d59b4097cb31ce70",
"versionType": "git"
},
{
"lessThan": "699775e9338adcd4eaedea000d32c60250c3114d",
"status": "affected",
"version": "563a225c9fd207326c2a2af9d59b4097cb31ce70",
"versionType": "git"
},
{
"lessThan": "a9ce385344f916cd1c36a33905e564f5581beae9",
"status": "affected",
"version": "563a225c9fd207326c2a2af9d59b4097cb31ce70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: don\u0027t attempt to queue IO under RCU protection\n\ndm looks up the table for IO based on the request type, with an\nassumption that if the request is marked REQ_NOWAIT, it\u0027s fine to\nattempt to submit that IO while under RCU read lock protection. This\nis not OK, as REQ_NOWAIT just means that we should not be sleeping\nwaiting on other IO, it does not mean that we can\u0027t potentially\nschedule.\n\nA simple test case demonstrates this quite nicely:\n\nint main(int argc, char *argv[])\n{\n struct iovec iov;\n int fd;\n\n fd = open(\"/dev/dm-0\", O_RDONLY | O_DIRECT);\n posix_memalign(\u0026iov.iov_base, 4096, 4096);\n iov.iov_len = 4096;\n preadv2(fd, \u0026iov, 1, 0, RWF_NOWAIT);\n return 0;\n}\n\nwhich will instantly spew:\n\nBUG: sleeping function called from invalid context at include/linux/sched/mm.h:306\nin_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5580, name: dm-nowait\npreempt_count: 0, expected: 0\nRCU nest depth: 1, expected: 0\nINFO: lockdep is turned off.\nCPU: 7 PID: 5580 Comm: dm-nowait Not tainted 6.6.0-rc1-g39956d2dcd81 #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x11d/0x1b0\n __might_resched+0x3c3/0x5e0\n ? preempt_count_sub+0x150/0x150\n mempool_alloc+0x1e2/0x390\n ? mempool_resize+0x7d0/0x7d0\n ? lock_sync+0x190/0x190\n ? lock_release+0x4b7/0x670\n ? internal_get_user_pages_fast+0x868/0x2d40\n bio_alloc_bioset+0x417/0x8c0\n ? bvec_alloc+0x200/0x200\n ? internal_get_user_pages_fast+0xb8c/0x2d40\n bio_alloc_clone+0x53/0x100\n dm_submit_bio+0x27f/0x1a20\n ? lock_release+0x4b7/0x670\n ? blk_try_enter_queue+0x1a0/0x4d0\n ? dm_dax_direct_access+0x260/0x260\n ? rcu_is_watching+0x12/0xb0\n ? blk_try_enter_queue+0x1cc/0x4d0\n __submit_bio+0x239/0x310\n ? __bio_queue_enter+0x700/0x700\n ? kvm_clock_get_cycles+0x40/0x60\n ? ktime_get+0x285/0x470\n submit_bio_noacct_nocheck+0x4d9/0xb80\n ? should_fail_request+0x80/0x80\n ? preempt_count_sub+0x150/0x150\n ? lock_release+0x4b7/0x670\n ? __bio_add_page+0x143/0x2d0\n ? iov_iter_revert+0x27/0x360\n submit_bio_noacct+0x53e/0x1b30\n submit_bio_wait+0x10a/0x230\n ? submit_bio_wait_endio+0x40/0x40\n __blkdev_direct_IO_simple+0x4f8/0x780\n ? blkdev_bio_end_io+0x4c0/0x4c0\n ? stack_trace_save+0x90/0xc0\n ? __bio_clone+0x3c0/0x3c0\n ? lock_release+0x4b7/0x670\n ? lock_sync+0x190/0x190\n ? atime_needs_update+0x3bf/0x7e0\n ? timestamp_truncate+0x21b/0x2d0\n ? inode_owner_or_capable+0x240/0x240\n blkdev_direct_IO.part.0+0x84a/0x1810\n ? rcu_is_watching+0x12/0xb0\n ? lock_release+0x4b7/0x670\n ? blkdev_read_iter+0x40d/0x530\n ? reacquire_held_locks+0x4e0/0x4e0\n ? __blkdev_direct_IO_simple+0x780/0x780\n ? rcu_is_watching+0x12/0xb0\n ? __mark_inode_dirty+0x297/0xd50\n ? preempt_count_add+0x72/0x140\n blkdev_read_iter+0x2a4/0x530\n do_iter_readv_writev+0x2f2/0x3c0\n ? generic_copy_file_range+0x1d0/0x1d0\n ? fsnotify_perm.part.0+0x25d/0x630\n ? security_file_permission+0xd8/0x100\n do_iter_read+0x31b/0x880\n ? import_iovec+0x10b/0x140\n vfs_readv+0x12d/0x1a0\n ? vfs_iter_read+0xb0/0xb0\n ? rcu_is_watching+0x12/0xb0\n ? rcu_is_watching+0x12/0xb0\n ? lock_release+0x4b7/0x670\n do_preadv+0x1b3/0x260\n ? do_readv+0x370/0x370\n __x64_sys_preadv2+0xef/0x150\n do_syscall_64+0x39/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f5af41ad806\nCode: 41 54 41 89 fc 55 44 89 c5 53 48 89 cb 48 83 ec 18 80 3d e4 dd 0d 00 00 74 7a 45 89 c1 49 89 ca 45 31 c0 b8 47 01 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 0f 87 be 00 00 00 48 85 c0 79 4a 48 8b 0d da 55\nRSP: 002b:00007ffd3145c7f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000147\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5af41ad806\nRDX: 0000000000000001 RSI: 00007ffd3145c850 RDI: 0000000000000003\nRBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000008\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003\nR13: 00007ffd3145c850 R14: 000055f5f0431dd8 R15: 0000000000000001\n \u003c/TASK\u003e\n\nwhere in fact it is\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:27.903Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7b2abd87d1fcdb47811f90090a363e7ca15cb14"
},
{
"url": "https://git.kernel.org/stable/c/699775e9338adcd4eaedea000d32c60250c3114d"
},
{
"url": "https://git.kernel.org/stable/c/a9ce385344f916cd1c36a33905e564f5581beae9"
}
],
"title": "dm: don\u0027t attempt to queue IO under RCU protection",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53860",
"datePublished": "2025-12-09T01:30:27.903Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:27.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53762 (GCVE-0-2023-53762)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync
Use-after-free can occur in hci_disconnect_all_sync if a connection is
deleted by concurrent processing of a controller event.
To prevent this the code now tries to iterate over the list backwards
to ensure the links are cleanup before its parents, also it no longer
relies on a cursor, instead it always uses the last element since
hci_abort_conn_sync is guaranteed to call hci_conn_del.
UAF crash log:
==================================================================
BUG: KASAN: slab-use-after-free in hci_set_powered_sync
(net/bluetooth/hci_sync.c:5424) [bluetooth]
Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124
CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W
6.5.0-rc1+ #10
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.2-1.fc38 04/01/2014
Workqueue: hci0 hci_cmd_sync_work [bluetooth]
Call Trace:
<TASK>
dump_stack_lvl+0x5b/0x90
print_report+0xcf/0x670
? __virt_addr_valid+0xdd/0x160
? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
kasan_report+0xa6/0xe0
? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]
? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]
? __pfx_lock_release+0x10/0x10
? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
hci_cmd_sync_work+0x137/0x220 [bluetooth]
process_one_work+0x526/0x9d0
? __pfx_process_one_work+0x10/0x10
? __pfx_do_raw_spin_lock+0x10/0x10
? mark_held_locks+0x1a/0x90
worker_thread+0x92/0x630
? __pfx_worker_thread+0x10/0x10
kthread+0x196/0x1e0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2c/0x50
</TASK>
Allocated by task 1782:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
__kasan_kmalloc+0x8f/0xa0
hci_conn_add+0xa5/0xa80 [bluetooth]
hci_bind_cis+0x881/0x9b0 [bluetooth]
iso_connect_cis+0x121/0x520 [bluetooth]
iso_sock_connect+0x3f6/0x790 [bluetooth]
__sys_connect+0x109/0x130
__x64_sys_connect+0x40/0x50
do_syscall_64+0x60/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Freed by task 695:
kasan_save_stack+0x33/0x60
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2b/0x50
__kasan_slab_free+0x10a/0x180
__kmem_cache_free+0x14d/0x2e0
device_release+0x5d/0xf0
kobject_put+0xdf/0x270
hci_disconn_complete_evt+0x274/0x3a0 [bluetooth]
hci_event_packet+0x579/0x7e0 [bluetooth]
hci_rx_work+0x287/0xaa0 [bluetooth]
process_one_work+0x526/0x9d0
worker_thread+0x92/0x630
kthread+0x196/0x1e0
ret_from_fork+0x2c/0x50
==================================================================
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
182ee45da083db4e3e621541ccf255bfa9652214 , < a30c074f0b5b7f909a15c978fbc96a29e2f94e42
(git)
Affected: 182ee45da083db4e3e621541ccf255bfa9652214 , < ba3ba53ce1f76fc372b8f918fece4f9b1e41acd4 (git) Affected: 182ee45da083db4e3e621541ccf255bfa9652214 , < 94d9ba9f9888b748d4abd2aa1547af56ae85f772 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a30c074f0b5b7f909a15c978fbc96a29e2f94e42",
"status": "affected",
"version": "182ee45da083db4e3e621541ccf255bfa9652214",
"versionType": "git"
},
{
"lessThan": "ba3ba53ce1f76fc372b8f918fece4f9b1e41acd4",
"status": "affected",
"version": "182ee45da083db4e3e621541ccf255bfa9652214",
"versionType": "git"
},
{
"lessThan": "94d9ba9f9888b748d4abd2aa1547af56ae85f772",
"status": "affected",
"version": "182ee45da083db4e3e621541ccf255bfa9652214",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync\n\nUse-after-free can occur in hci_disconnect_all_sync if a connection is\ndeleted by concurrent processing of a controller event.\n\nTo prevent this the code now tries to iterate over the list backwards\nto ensure the links are cleanup before its parents, also it no longer\nrelies on a cursor, instead it always uses the last element since\nhci_abort_conn_sync is guaranteed to call hci_conn_del.\n\nUAF crash log:\n==================================================================\nBUG: KASAN: slab-use-after-free in hci_set_powered_sync\n(net/bluetooth/hci_sync.c:5424) [bluetooth]\nRead of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124\n\nCPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W\n6.5.0-rc1+ #10\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n1.16.2-1.fc38 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work [bluetooth]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0xdd/0x160\n ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]\n kasan_report+0xa6/0xe0\n ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]\n ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]\n hci_set_powered_sync+0x2c9/0x4a0 [bluetooth]\n ? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth]\n ? __pfx_lock_release+0x10/0x10\n ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]\n hci_cmd_sync_work+0x137/0x220 [bluetooth]\n process_one_work+0x526/0x9d0\n ? __pfx_process_one_work+0x10/0x10\n ? __pfx_do_raw_spin_lock+0x10/0x10\n ? mark_held_locks+0x1a/0x90\n worker_thread+0x92/0x630\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x196/0x1e0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n \u003c/TASK\u003e\n\nAllocated by task 1782:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x8f/0xa0\n hci_conn_add+0xa5/0xa80 [bluetooth]\n hci_bind_cis+0x881/0x9b0 [bluetooth]\n iso_connect_cis+0x121/0x520 [bluetooth]\n iso_sock_connect+0x3f6/0x790 [bluetooth]\n __sys_connect+0x109/0x130\n __x64_sys_connect+0x40/0x50\n do_syscall_64+0x60/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nFreed by task 695:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2b/0x50\n __kasan_slab_free+0x10a/0x180\n __kmem_cache_free+0x14d/0x2e0\n device_release+0x5d/0xf0\n kobject_put+0xdf/0x270\n hci_disconn_complete_evt+0x274/0x3a0 [bluetooth]\n hci_event_packet+0x579/0x7e0 [bluetooth]\n hci_rx_work+0x287/0xaa0 [bluetooth]\n process_one_work+0x526/0x9d0\n worker_thread+0x92/0x630\n kthread+0x196/0x1e0\n ret_from_fork+0x2c/0x50\n=================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:23.927Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a30c074f0b5b7f909a15c978fbc96a29e2f94e42"
},
{
"url": "https://git.kernel.org/stable/c/ba3ba53ce1f76fc372b8f918fece4f9b1e41acd4"
},
{
"url": "https://git.kernel.org/stable/c/94d9ba9f9888b748d4abd2aa1547af56ae85f772"
}
],
"title": "Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53762",
"datePublished": "2025-12-08T01:19:23.927Z",
"dateReserved": "2025-12-08T01:18:04.281Z",
"dateUpdated": "2025-12-08T01:19:23.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54064 (GCVE-0-2023-54064)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
ipmi:ssif: Fix a memory leak when scanning for an adapter
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipmi:ssif: Fix a memory leak when scanning for an adapter
The adapter scan ssif_info_find() sets info->adapter_name if the adapter
info came from SMBIOS, as it's not set in that case. However, this
function can be called more than once, and it will leak the adapter name
if it had already been set. So check for NULL before setting it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c , < de677f4379fa67f650e367c188a0f80bee9b6732
(git)
Affected: c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c , < 13623b966bb6d36ba61646b69cd49cdac6e4978a (git) Affected: c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c , < 3ad53071fe8547eb8d8813971844cc43246008ee (git) Affected: c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c , < 74a1194cce60a90723d0fe148863c18931a31153 (git) Affected: c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c , < 7db16d2e791bf2ec3e0249f56b7ec81c35bba6e6 (git) Affected: c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c , < b870caeb18041f856893066ded81c560db3d56cc (git) Affected: c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c , < b8d72e32e1453d37ee5c8a219f24e7eeadc471ef (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_ssif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de677f4379fa67f650e367c188a0f80bee9b6732",
"status": "affected",
"version": "c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c",
"versionType": "git"
},
{
"lessThan": "13623b966bb6d36ba61646b69cd49cdac6e4978a",
"status": "affected",
"version": "c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c",
"versionType": "git"
},
{
"lessThan": "3ad53071fe8547eb8d8813971844cc43246008ee",
"status": "affected",
"version": "c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c",
"versionType": "git"
},
{
"lessThan": "74a1194cce60a90723d0fe148863c18931a31153",
"status": "affected",
"version": "c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c",
"versionType": "git"
},
{
"lessThan": "7db16d2e791bf2ec3e0249f56b7ec81c35bba6e6",
"status": "affected",
"version": "c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c",
"versionType": "git"
},
{
"lessThan": "b870caeb18041f856893066ded81c560db3d56cc",
"status": "affected",
"version": "c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c",
"versionType": "git"
},
{
"lessThan": "b8d72e32e1453d37ee5c8a219f24e7eeadc471ef",
"status": "affected",
"version": "c4436c9149c5d2bc0c49ab57ec85c75ea1c4d61c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_ssif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi:ssif: Fix a memory leak when scanning for an adapter\n\nThe adapter scan ssif_info_find() sets info-\u003eadapter_name if the adapter\ninfo came from SMBIOS, as it\u0027s not set in that case. However, this\nfunction can be called more than once, and it will leak the adapter name\nif it had already been set. So check for NULL before setting it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:10.051Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de677f4379fa67f650e367c188a0f80bee9b6732"
},
{
"url": "https://git.kernel.org/stable/c/13623b966bb6d36ba61646b69cd49cdac6e4978a"
},
{
"url": "https://git.kernel.org/stable/c/3ad53071fe8547eb8d8813971844cc43246008ee"
},
{
"url": "https://git.kernel.org/stable/c/74a1194cce60a90723d0fe148863c18931a31153"
},
{
"url": "https://git.kernel.org/stable/c/7db16d2e791bf2ec3e0249f56b7ec81c35bba6e6"
},
{
"url": "https://git.kernel.org/stable/c/b870caeb18041f856893066ded81c560db3d56cc"
},
{
"url": "https://git.kernel.org/stable/c/b8d72e32e1453d37ee5c8a219f24e7eeadc471ef"
}
],
"title": "ipmi:ssif: Fix a memory leak when scanning for an adapter",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54064",
"datePublished": "2025-12-24T12:23:10.051Z",
"dateReserved": "2025-12-24T12:21:05.092Z",
"dateUpdated": "2025-12-24T12:23:10.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53996 (GCVE-0-2023-53996)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
x86/sev: Make enc_dec_hypercall() accept a size instead of npages
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/sev: Make enc_dec_hypercall() accept a size instead of npages
enc_dec_hypercall() accepted a page count instead of a size, which
forced its callers to round up. As a result, non-page aligned
vaddrs caused pages to be spuriously marked as decrypted via the
encryption status hypercall, which in turn caused consistent
corruption of pages during live migration. Live migration requires
accurate encryption status information to avoid migrating pages
from the wrong perspective.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
064ce6c550a0630789978bfec7a13ab2bd1bdcdf , < ba50e7773a99a109a1ea6f753b766a080d3b21cc
(git)
Affected: 064ce6c550a0630789978bfec7a13ab2bd1bdcdf , < 6615212d8e131b45bd9705b0d69cc0d2f624666f (git) Affected: 064ce6c550a0630789978bfec7a13ab2bd1bdcdf , < 8ae7457e71a320867d868f2622d7c643596e4f43 (git) Affected: 064ce6c550a0630789978bfec7a13ab2bd1bdcdf , < ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/mem_encrypt.h",
"arch/x86/kernel/kvm.c",
"arch/x86/mm/mem_encrypt_amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba50e7773a99a109a1ea6f753b766a080d3b21cc",
"status": "affected",
"version": "064ce6c550a0630789978bfec7a13ab2bd1bdcdf",
"versionType": "git"
},
{
"lessThan": "6615212d8e131b45bd9705b0d69cc0d2f624666f",
"status": "affected",
"version": "064ce6c550a0630789978bfec7a13ab2bd1bdcdf",
"versionType": "git"
},
{
"lessThan": "8ae7457e71a320867d868f2622d7c643596e4f43",
"status": "affected",
"version": "064ce6c550a0630789978bfec7a13ab2bd1bdcdf",
"versionType": "git"
},
{
"lessThan": "ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2",
"status": "affected",
"version": "064ce6c550a0630789978bfec7a13ab2bd1bdcdf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/mem_encrypt.h",
"arch/x86/kernel/kvm.c",
"arch/x86/mm/mem_encrypt_amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Make enc_dec_hypercall() accept a size instead of npages\n\nenc_dec_hypercall() accepted a page count instead of a size, which\nforced its callers to round up. As a result, non-page aligned\nvaddrs caused pages to be spuriously marked as decrypted via the\nencryption status hypercall, which in turn caused consistent\ncorruption of pages during live migration. Live migration requires\naccurate encryption status information to avoid migrating pages\nfrom the wrong perspective."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:33.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba50e7773a99a109a1ea6f753b766a080d3b21cc"
},
{
"url": "https://git.kernel.org/stable/c/6615212d8e131b45bd9705b0d69cc0d2f624666f"
},
{
"url": "https://git.kernel.org/stable/c/8ae7457e71a320867d868f2622d7c643596e4f43"
},
{
"url": "https://git.kernel.org/stable/c/ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2"
}
],
"title": "x86/sev: Make enc_dec_hypercall() accept a size instead of npages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53996",
"datePublished": "2025-12-24T10:55:33.402Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:33.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54072 (GCVE-0-2023-54072)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
ALSA: pcm: Fix potential data race at PCM memory allocation helpers
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: Fix potential data race at PCM memory allocation helpers
The PCM memory allocation helpers have a sanity check against too many
buffer allocations. However, the check is performed without a proper
lock and the allocation isn't serialized; this allows user to allocate
more memories than predefined max size.
Practically seen, this isn't really a big problem, as it's more or
less some "soft limit" as a sanity check, and it's not possible to
allocate unlimitedly. But it's still better to address this for more
consistent behavior.
The patch covers the size check in do_alloc_pages() with the
card->memory_mutex, and increases the allocated size there for
preventing the further overflow. When the actual allocation fails,
the size is decreased accordingly.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
95b30a4312545f2dde9db12bf6a425f35d5a0d77 , < 7e1d1456c8db9949459c5a24e8845cfe92430b0f
(git)
Affected: d4cfb30fce03093ad944e0b44bd8f40bdad5330e , < 7e11c58b2620a22c67a5ae28d64ce383890ee9f4 (git) Affected: d4cfb30fce03093ad944e0b44bd8f40bdad5330e , < a0ab49e7a758b488b2090171a75d50735c0876f6 (git) Affected: d4cfb30fce03093ad944e0b44bd8f40bdad5330e , < 3eb4e47a94e3f76521d7d344696db61e6a9619c7 (git) Affected: d4cfb30fce03093ad944e0b44bd8f40bdad5330e , < 773ccad902f67583a58b5650a2f8d8daf2e76fac (git) Affected: d4cfb30fce03093ad944e0b44bd8f40bdad5330e , < bd55842ed998a622ba6611fe59b3358c9f76773d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/core/pcm_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e1d1456c8db9949459c5a24e8845cfe92430b0f",
"status": "affected",
"version": "95b30a4312545f2dde9db12bf6a425f35d5a0d77",
"versionType": "git"
},
{
"lessThan": "7e11c58b2620a22c67a5ae28d64ce383890ee9f4",
"status": "affected",
"version": "d4cfb30fce03093ad944e0b44bd8f40bdad5330e",
"versionType": "git"
},
{
"lessThan": "a0ab49e7a758b488b2090171a75d50735c0876f6",
"status": "affected",
"version": "d4cfb30fce03093ad944e0b44bd8f40bdad5330e",
"versionType": "git"
},
{
"lessThan": "3eb4e47a94e3f76521d7d344696db61e6a9619c7",
"status": "affected",
"version": "d4cfb30fce03093ad944e0b44bd8f40bdad5330e",
"versionType": "git"
},
{
"lessThan": "773ccad902f67583a58b5650a2f8d8daf2e76fac",
"status": "affected",
"version": "d4cfb30fce03093ad944e0b44bd8f40bdad5330e",
"versionType": "git"
},
{
"lessThan": "bd55842ed998a622ba6611fe59b3358c9f76773d",
"status": "affected",
"version": "d4cfb30fce03093ad944e0b44bd8f40bdad5330e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/core/pcm_memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.193",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.129",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.193",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.129",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix potential data race at PCM memory allocation helpers\n\nThe PCM memory allocation helpers have a sanity check against too many\nbuffer allocations. However, the check is performed without a proper\nlock and the allocation isn\u0027t serialized; this allows user to allocate\nmore memories than predefined max size.\n\nPractically seen, this isn\u0027t really a big problem, as it\u0027s more or\nless some \"soft limit\" as a sanity check, and it\u0027s not possible to\nallocate unlimitedly. But it\u0027s still better to address this for more\nconsistent behavior.\n\nThe patch covers the size check in do_alloc_pages() with the\ncard-\u003ememory_mutex, and increases the allocated size there for\npreventing the further overflow. When the actual allocation fails,\nthe size is decreased accordingly."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:39.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e1d1456c8db9949459c5a24e8845cfe92430b0f"
},
{
"url": "https://git.kernel.org/stable/c/7e11c58b2620a22c67a5ae28d64ce383890ee9f4"
},
{
"url": "https://git.kernel.org/stable/c/a0ab49e7a758b488b2090171a75d50735c0876f6"
},
{
"url": "https://git.kernel.org/stable/c/3eb4e47a94e3f76521d7d344696db61e6a9619c7"
},
{
"url": "https://git.kernel.org/stable/c/773ccad902f67583a58b5650a2f8d8daf2e76fac"
},
{
"url": "https://git.kernel.org/stable/c/bd55842ed998a622ba6611fe59b3358c9f76773d"
}
],
"title": "ALSA: pcm: Fix potential data race at PCM memory allocation helpers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54072",
"datePublished": "2025-12-24T12:23:15.552Z",
"dateReserved": "2025-12-24T12:21:05.093Z",
"dateUpdated": "2026-01-05T10:33:39.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53816 (GCVE-0-2023-53816)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
drm/amdkfd: fix potential kgd_mem UAFs
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: fix potential kgd_mem UAFs
kgd_mem pointers returned by kfd_process_device_translate_handle are
only guaranteed to be valid while p->mutex is held. As soon as the mutex
is unlocked, another thread can free the BO.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4a488a7ad71401169cecee75dc94bcce642e2c53 , < 5045360f3bb62ccd4f87202e33489f71f8bbc3fc
(git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 5ca14fb5552ac13a2402d306c0bd2379a71610ff (git) Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 9da050b0d9e04439d225a2ec3044af70cdfb3933 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_chardev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5045360f3bb62ccd4f87202e33489f71f8bbc3fc",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "5ca14fb5552ac13a2402d306c0bd2379a71610ff",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
},
{
"lessThan": "9da050b0d9e04439d225a2ec3044af70cdfb3933",
"status": "affected",
"version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_chardev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.23",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.10",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: fix potential kgd_mem UAFs\n\nkgd_mem pointers returned by kfd_process_device_translate_handle are\nonly guaranteed to be valid while p-\u003emutex is held. As soon as the mutex\nis unlocked, another thread can free the BO."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:25.731Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5045360f3bb62ccd4f87202e33489f71f8bbc3fc"
},
{
"url": "https://git.kernel.org/stable/c/5ca14fb5552ac13a2402d306c0bd2379a71610ff"
},
{
"url": "https://git.kernel.org/stable/c/9da050b0d9e04439d225a2ec3044af70cdfb3933"
}
],
"title": "drm/amdkfd: fix potential kgd_mem UAFs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53816",
"datePublished": "2025-12-09T00:01:14.166Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-20T08:51:25.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40250 (GCVE-0-2025-40250)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08
VLAI?
EPSS
Title
net/mlx5: Clean up only new IRQ glue on request_irq() failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Clean up only new IRQ glue on request_irq() failure
The mlx5_irq_alloc() function can inadvertently free the entire rmap
and end up in a crash[1] when the other threads tries to access this,
when request_irq() fails due to exhausted IRQ vectors. This commit
modifies the cleanup to remove only the specific IRQ mapping that was
just added.
This prevents removal of other valid mappings and ensures precise
cleanup of the failed IRQ allocation's associated glue object.
Note: This error is observed when both fwctl and rds configs are enabled.
[1]
mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1
mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to
request irq. err = -28
infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while
trying to test write-combining support
mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1
mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1
mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to
request irq. err = -28
infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while
trying to test write-combining support
mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1
mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to
request irq. err = -28
mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to
request irq. err = -28
general protection fault, probably for non-canonical address
0xe277a58fde16f291: 0000 [#1] SMP NOPTI
RIP: 0010:free_irq_cpu_rmap+0x23/0x7d
Call Trace:
<TASK>
? show_trace_log_lvl+0x1d6/0x2f9
? show_trace_log_lvl+0x1d6/0x2f9
? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]
? __die_body.cold+0x8/0xa
? die_addr+0x39/0x53
? exc_general_protection+0x1c4/0x3e9
? dev_vprintk_emit+0x5f/0x90
? asm_exc_general_protection+0x22/0x27
? free_irq_cpu_rmap+0x23/0x7d
mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]
irq_pool_request_vector+0x7d/0x90 [mlx5_core]
mlx5_irq_request+0x2e/0xe0 [mlx5_core]
mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]
comp_irq_request_pci+0x64/0xf0 [mlx5_core]
create_comp_eq+0x71/0x385 [mlx5_core]
? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]
mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]
? xas_load+0x8/0x91
mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]
mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]
mlx5e_open_channels+0xad/0x250 [mlx5_core]
mlx5e_open_locked+0x3e/0x110 [mlx5_core]
mlx5e_open+0x23/0x70 [mlx5_core]
__dev_open+0xf1/0x1a5
__dev_change_flags+0x1e1/0x249
dev_change_flags+0x21/0x5c
do_setlink+0x28b/0xcc4
? __nla_parse+0x22/0x3d
? inet6_validate_link_af+0x6b/0x108
? cpumask_next+0x1f/0x35
? __snmp6_fill_stats64.constprop.0+0x66/0x107
? __nla_validate_parse+0x48/0x1e6
__rtnl_newlink+0x5ff/0xa57
? kmem_cache_alloc_trace+0x164/0x2ce
rtnl_newlink+0x44/0x6e
rtnetlink_rcv_msg+0x2bb/0x362
? __netlink_sendskb+0x4c/0x6c
? netlink_unicast+0x28f/0x2ce
? rtnl_calcit.isra.0+0x150/0x146
netlink_rcv_skb+0x5f/0x112
netlink_unicast+0x213/0x2ce
netlink_sendmsg+0x24f/0x4d9
__sock_sendmsg+0x65/0x6a
____sys_sendmsg+0x28f/0x2c9
? import_iovec+0x17/0x2b
___sys_sendmsg+0x97/0xe0
__sys_sendmsg+0x81/0xd8
do_syscall_64+0x35/0x87
entry_SYSCALL_64_after_hwframe+0x6e/0x0
RIP: 0033:0x7fc328603727
Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed
ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48
RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727
RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d
RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00000000000
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3354822cde5a9f72aa725b3c619188b149a71a33 , < 69e043bce09c9a77e5f55b9ac7505874a2a1a9f0
(git)
Affected: 3354822cde5a9f72aa725b3c619188b149a71a33 , < 6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee (git) Affected: 3354822cde5a9f72aa725b3c619188b149a71a33 , < 4d6b4bea8b80bfa13c903ba547538249e7c5e977 (git) Affected: 3354822cde5a9f72aa725b3c619188b149a71a33 , < d47515af6cccd7484d8b0870376858c9848a18ec (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69e043bce09c9a77e5f55b9ac7505874a2a1a9f0",
"status": "affected",
"version": "3354822cde5a9f72aa725b3c619188b149a71a33",
"versionType": "git"
},
{
"lessThan": "6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee",
"status": "affected",
"version": "3354822cde5a9f72aa725b3c619188b149a71a33",
"versionType": "git"
},
{
"lessThan": "4d6b4bea8b80bfa13c903ba547538249e7c5e977",
"status": "affected",
"version": "3354822cde5a9f72aa725b3c619188b149a71a33",
"versionType": "git"
},
{
"lessThan": "d47515af6cccd7484d8b0870376858c9848a18ec",
"status": "affected",
"version": "3354822cde5a9f72aa725b3c619188b149a71a33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Clean up only new IRQ glue on request_irq() failure\n\nThe mlx5_irq_alloc() function can inadvertently free the entire rmap\nand end up in a crash[1] when the other threads tries to access this,\nwhen request_irq() fails due to exhausted IRQ vectors. This commit\nmodifies the cleanup to remove only the specific IRQ mapping that was\njust added.\n\nThis prevents removal of other valid mappings and ensures precise\ncleanup of the failed IRQ allocation\u0027s associated glue object.\n\nNote: This error is observed when both fwctl and rds configs are enabled.\n\n[1]\nmlx5_core 0000:05:00.0: Successfully registered panic handler for port 1\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\nrequest irq. err = -28\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\ntrying to test write-combining support\nmlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1\nmlx5_core 0000:06:00.0: Successfully registered panic handler for port 1\nmlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\nrequest irq. err = -28\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\ntrying to test write-combining support\nmlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1\nmlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\nrequest irq. err = -28\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\nrequest irq. err = -28\ngeneral protection fault, probably for non-canonical address\n0xe277a58fde16f291: 0000 [#1] SMP NOPTI\n\nRIP: 0010:free_irq_cpu_rmap+0x23/0x7d\nCall Trace:\n \u003cTASK\u003e\n ? show_trace_log_lvl+0x1d6/0x2f9\n ? show_trace_log_lvl+0x1d6/0x2f9\n ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\n ? __die_body.cold+0x8/0xa\n ? die_addr+0x39/0x53\n ? exc_general_protection+0x1c4/0x3e9\n ? dev_vprintk_emit+0x5f/0x90\n ? asm_exc_general_protection+0x22/0x27\n ? free_irq_cpu_rmap+0x23/0x7d\n mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\n irq_pool_request_vector+0x7d/0x90 [mlx5_core]\n mlx5_irq_request+0x2e/0xe0 [mlx5_core]\n mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]\n comp_irq_request_pci+0x64/0xf0 [mlx5_core]\n create_comp_eq+0x71/0x385 [mlx5_core]\n ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]\n mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]\n ? xas_load+0x8/0x91\n mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]\n mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]\n mlx5e_open_channels+0xad/0x250 [mlx5_core]\n mlx5e_open_locked+0x3e/0x110 [mlx5_core]\n mlx5e_open+0x23/0x70 [mlx5_core]\n __dev_open+0xf1/0x1a5\n __dev_change_flags+0x1e1/0x249\n dev_change_flags+0x21/0x5c\n do_setlink+0x28b/0xcc4\n ? __nla_parse+0x22/0x3d\n ? inet6_validate_link_af+0x6b/0x108\n ? cpumask_next+0x1f/0x35\n ? __snmp6_fill_stats64.constprop.0+0x66/0x107\n ? __nla_validate_parse+0x48/0x1e6\n __rtnl_newlink+0x5ff/0xa57\n ? kmem_cache_alloc_trace+0x164/0x2ce\n rtnl_newlink+0x44/0x6e\n rtnetlink_rcv_msg+0x2bb/0x362\n ? __netlink_sendskb+0x4c/0x6c\n ? netlink_unicast+0x28f/0x2ce\n ? rtnl_calcit.isra.0+0x150/0x146\n netlink_rcv_skb+0x5f/0x112\n netlink_unicast+0x213/0x2ce\n netlink_sendmsg+0x24f/0x4d9\n __sock_sendmsg+0x65/0x6a\n ____sys_sendmsg+0x28f/0x2c9\n ? import_iovec+0x17/0x2b\n ___sys_sendmsg+0x97/0xe0\n __sys_sendmsg+0x81/0xd8\n do_syscall_64+0x35/0x87\n entry_SYSCALL_64_after_hwframe+0x6e/0x0\nRIP: 0033:0x7fc328603727\nCode: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed\nff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00\nf0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48\nRSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727\nRDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d\nRBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\nR13: 00000000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T16:08:12.984Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69e043bce09c9a77e5f55b9ac7505874a2a1a9f0"
},
{
"url": "https://git.kernel.org/stable/c/6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee"
},
{
"url": "https://git.kernel.org/stable/c/4d6b4bea8b80bfa13c903ba547538249e7c5e977"
},
{
"url": "https://git.kernel.org/stable/c/d47515af6cccd7484d8b0870376858c9848a18ec"
}
],
"title": "net/mlx5: Clean up only new IRQ glue on request_irq() failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40250",
"datePublished": "2025-12-04T16:08:12.984Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T16:08:12.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53821 (GCVE-0-2023-53821)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
ip6_vti: fix slab-use-after-free in decode_session6
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_vti: fix slab-use-after-free in decode_session6
When ipv6_vti device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when ipv6_vti device sends IPv6 packets.
The stack information is as follows:
BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11d/0x130
decode_session6+0x103f/0x1890
__xfrm_decode_session+0x54/0xb0
vti6_tnl_xmit+0x3e6/0x1ee0
dev_hard_start_xmit+0x187/0x700
sch_direct_xmit+0x1a3/0xc30
__qdisc_run+0x510/0x17a0
__dev_queue_xmit+0x2215/0x3b10
neigh_connected_output+0x3c2/0x550
ip6_finish_output2+0x55a/0x1550
ip6_finish_output+0x6b9/0x1270
ip6_output+0x1f1/0x540
ndisc_send_skb+0xa63/0x1890
ndisc_send_rs+0x132/0x6f0
addrconf_rs_timer+0x3f1/0x870
call_timer_fn+0x1a0/0x580
expire_timers+0x29b/0x4b0
run_timer_softirq+0x326/0x910
__do_softirq+0x1d4/0x905
irq_exit_rcu+0xb7/0x120
sysvec_apic_timer_interrupt+0x97/0xc0
</IRQ>
Allocated by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x1cd/0x410
kmalloc_reserve+0x165/0x270
__alloc_skb+0x129/0x330
netlink_sendmsg+0x9b1/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 9176:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0x160/0x1c0
slab_free_freelist_hook+0x11b/0x220
kmem_cache_free+0xf0/0x490
skb_free_head+0x17f/0x1b0
skb_release_data+0x59c/0x850
consume_skb+0xd2/0x170
netlink_unicast+0x54f/0x7f0
netlink_sendmsg+0x926/0xe30
sock_sendmsg+0xde/0x190
____sys_sendmsg+0x739/0x920
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1c0
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88802e08ed00
which belongs to the cache skbuff_small_head of size 640
The buggy address is located 194 bytes inside of
freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)
As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
_decode_session6.") showed, xfrm_decode_session was originally intended
only for the receive path. IP6CB(skb)->nhoff is not set during
transmission. Therefore, set the cb field in the skb to 0 before
sending packets.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f855691975bb06373a98711e4cfe2c224244b536 , < 0f0ab8d52ee0062b28367dea23c29e254a26d7db
(git)
Affected: f855691975bb06373a98711e4cfe2c224244b536 , < fa6c6c04f6c9b21b315023f487e5a07ae7fcf647 (git) Affected: f855691975bb06373a98711e4cfe2c224244b536 , < eb47e612e59c358c3968a92f90dd36c78c9a2106 (git) Affected: f855691975bb06373a98711e4cfe2c224244b536 , < ec23b25e5687dbd644c0f57bcb6af22dd5a6dd36 (git) Affected: f855691975bb06373a98711e4cfe2c224244b536 , < a1639a82ce14af76b6419778d343ccbff86ee626 (git) Affected: f855691975bb06373a98711e4cfe2c224244b536 , < 55ad2309205cc00c585344374c7472420e1b2c12 (git) Affected: f855691975bb06373a98711e4cfe2c224244b536 , < c070688bfbe7759e61e697e421b2a331b0dd74bc (git) Affected: f855691975bb06373a98711e4cfe2c224244b536 , < 9fd41f1ba638938c9a1195d09bc6fa3be2712f25 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f0ab8d52ee0062b28367dea23c29e254a26d7db",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "fa6c6c04f6c9b21b315023f487e5a07ae7fcf647",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "eb47e612e59c358c3968a92f90dd36c78c9a2106",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "ec23b25e5687dbd644c0f57bcb6af22dd5a6dd36",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "a1639a82ce14af76b6419778d343ccbff86ee626",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "55ad2309205cc00c585344374c7472420e1b2c12",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "c070688bfbe7759e61e697e421b2a331b0dd74bc",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
},
{
"lessThan": "9fd41f1ba638938c9a1195d09bc6fa3be2712f25",
"status": "affected",
"version": "f855691975bb06373a98711e4cfe2c224244b536",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_vti: fix slab-use-after-free in decode_session6\n\nWhen ipv6_vti device is set to the qdisc of the sfb type, the cb field\nof the sent skb may be modified during enqueuing. Then,\nslab-use-after-free may occur when ipv6_vti device sends IPv6 packets.\n\nThe stack information is as follows:\nBUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890\nRead of size 1 at addr ffff88802e08edc2 by task swapper/0/0\nCPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014\nCall Trace:\n\u003cIRQ\u003e\ndump_stack_lvl+0xd9/0x150\nprint_address_description.constprop.0+0x2c/0x3c0\nkasan_report+0x11d/0x130\ndecode_session6+0x103f/0x1890\n__xfrm_decode_session+0x54/0xb0\nvti6_tnl_xmit+0x3e6/0x1ee0\ndev_hard_start_xmit+0x187/0x700\nsch_direct_xmit+0x1a3/0xc30\n__qdisc_run+0x510/0x17a0\n__dev_queue_xmit+0x2215/0x3b10\nneigh_connected_output+0x3c2/0x550\nip6_finish_output2+0x55a/0x1550\nip6_finish_output+0x6b9/0x1270\nip6_output+0x1f1/0x540\nndisc_send_skb+0xa63/0x1890\nndisc_send_rs+0x132/0x6f0\naddrconf_rs_timer+0x3f1/0x870\ncall_timer_fn+0x1a0/0x580\nexpire_timers+0x29b/0x4b0\nrun_timer_softirq+0x326/0x910\n__do_softirq+0x1d4/0x905\nirq_exit_rcu+0xb7/0x120\nsysvec_apic_timer_interrupt+0x97/0xc0\n\u003c/IRQ\u003e\nAllocated by task 9176:\nkasan_save_stack+0x22/0x40\nkasan_set_track+0x25/0x30\n__kasan_slab_alloc+0x7f/0x90\nkmem_cache_alloc_node+0x1cd/0x410\nkmalloc_reserve+0x165/0x270\n__alloc_skb+0x129/0x330\nnetlink_sendmsg+0x9b1/0xe30\nsock_sendmsg+0xde/0x190\n____sys_sendmsg+0x739/0x920\n___sys_sendmsg+0x110/0x1b0\n__sys_sendmsg+0xf7/0x1c0\ndo_syscall_64+0x39/0xb0\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nFreed by task 9176:\nkasan_save_stack+0x22/0x40\nkasan_set_track+0x25/0x30\nkasan_save_free_info+0x2b/0x40\n____kasan_slab_free+0x160/0x1c0\nslab_free_freelist_hook+0x11b/0x220\nkmem_cache_free+0xf0/0x490\nskb_free_head+0x17f/0x1b0\nskb_release_data+0x59c/0x850\nconsume_skb+0xd2/0x170\nnetlink_unicast+0x54f/0x7f0\nnetlink_sendmsg+0x926/0xe30\nsock_sendmsg+0xde/0x190\n____sys_sendmsg+0x739/0x920\n___sys_sendmsg+0x110/0x1b0\n__sys_sendmsg+0xf7/0x1c0\ndo_syscall_64+0x39/0xb0\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nThe buggy address belongs to the object at ffff88802e08ed00\nwhich belongs to the cache skbuff_small_head of size 640\nThe buggy address is located 194 bytes inside of\nfreed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)\n\nAs commit f855691975bb (\"xfrm6: Fix the nexthdr offset in\n_decode_session6.\") showed, xfrm_decode_session was originally intended\nonly for the receive path. IP6CB(skb)-\u003enhoff is not set during\ntransmission. Therefore, set the cb field in the skb to 0 before\nsending packets."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:34.073Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f0ab8d52ee0062b28367dea23c29e254a26d7db"
},
{
"url": "https://git.kernel.org/stable/c/fa6c6c04f6c9b21b315023f487e5a07ae7fcf647"
},
{
"url": "https://git.kernel.org/stable/c/eb47e612e59c358c3968a92f90dd36c78c9a2106"
},
{
"url": "https://git.kernel.org/stable/c/ec23b25e5687dbd644c0f57bcb6af22dd5a6dd36"
},
{
"url": "https://git.kernel.org/stable/c/a1639a82ce14af76b6419778d343ccbff86ee626"
},
{
"url": "https://git.kernel.org/stable/c/55ad2309205cc00c585344374c7472420e1b2c12"
},
{
"url": "https://git.kernel.org/stable/c/c070688bfbe7759e61e697e421b2a331b0dd74bc"
},
{
"url": "https://git.kernel.org/stable/c/9fd41f1ba638938c9a1195d09bc6fa3be2712f25"
}
],
"title": "ip6_vti: fix slab-use-after-free in decode_session6",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53821",
"datePublished": "2025-12-09T01:29:34.073Z",
"dateReserved": "2025-12-09T01:27:17.824Z",
"dateUpdated": "2025-12-09T01:29:34.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68286 (GCVE-0-2025-68286)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
drm/amd/display: Check NULL before accessing
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check NULL before accessing
[WHAT]
IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic
fails with NULL pointer dereference. This can be reproduced with
both an eDP panel and a DP monitors connected.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted
6.16.0-99-custom #8 PREEMPT(voluntary)
Hardware name: AMD ........
RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu]
Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49
89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30
c2 <48> 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02
RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668
RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000
RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760
R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000
R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c
FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0
PKRU: 55555554
Call Trace:
<TASK>
dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu]
amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu]
? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu]
amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu]
drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400
drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30
drm_crtc_get_last_vbltimestamp+0x55/0x90
drm_crtc_next_vblank_start+0x45/0xa0
drm_atomic_helper_wait_for_fences+0x81/0x1f0
...
(cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 781f2f32e9c19eb791b52af283c96f9a9677a7f2
(git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 09092269cb762378ca8b56024746b1a136761e0d (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 109e9c92543f3105e8e1efd2c5e6b92ef55d5743 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 62150f1e7ec707da76ff353fb7db51fef9cd6557 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 3ce62c189693e8ed7b3abe551802bbc67f3ace54 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "781f2f32e9c19eb791b52af283c96f9a9677a7f2",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "09092269cb762378ca8b56024746b1a136761e0d",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "109e9c92543f3105e8e1efd2c5e6b92ef55d5743",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "62150f1e7ec707da76ff353fb7db51fef9cd6557",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "3ce62c189693e8ed7b3abe551802bbc67f3ace54",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check NULL before accessing\n\n[WHAT]\nIGT kms_cursor_legacy\u0027s long-nonblocking-modeset-vs-cursor-atomic\nfails with NULL pointer dereference. This can be reproduced with\nboth an eDP panel and a DP monitors connected.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted\n6.16.0-99-custom #8 PREEMPT(voluntary)\n Hardware name: AMD ........\n RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu]\n Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49\n 89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30\n c2 \u003c48\u003e 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02\n RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668\n RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000\n RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760\n R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000\n R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c\n FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000)\nknlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu]\n amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu]\n ? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu]\n amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu]\n drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400\n drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30\n drm_crtc_get_last_vbltimestamp+0x55/0x90\n drm_crtc_next_vblank_start+0x45/0xa0\n drm_atomic_helper_wait_for_fences+0x81/0x1f0\n ...\n\n(cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:20.161Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/781f2f32e9c19eb791b52af283c96f9a9677a7f2"
},
{
"url": "https://git.kernel.org/stable/c/09092269cb762378ca8b56024746b1a136761e0d"
},
{
"url": "https://git.kernel.org/stable/c/109e9c92543f3105e8e1efd2c5e6b92ef55d5743"
},
{
"url": "https://git.kernel.org/stable/c/9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9"
},
{
"url": "https://git.kernel.org/stable/c/f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf"
},
{
"url": "https://git.kernel.org/stable/c/62150f1e7ec707da76ff353fb7db51fef9cd6557"
},
{
"url": "https://git.kernel.org/stable/c/3ce62c189693e8ed7b3abe551802bbc67f3ace54"
}
],
"title": "drm/amd/display: Check NULL before accessing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68286",
"datePublished": "2025-12-16T15:06:07.838Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-20T08:52:20.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40167 (GCVE-0-2025-40167)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:26 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
ext4: detect invalid INLINE_DATA + EXTENTS flag combination
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: detect invalid INLINE_DATA + EXTENTS flag combination
syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity
file on a corrupted ext4 filesystem mounted without a journal.
The issue is that the filesystem has an inode with both the INLINE_DATA
and EXTENTS flags set:
EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:
comm syz.0.17: corrupted extent tree: lblk 0 < prev 66
Investigation revealed that the inode has both flags set:
DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1
This is an invalid combination since an inode should have either:
- INLINE_DATA: data stored directly in the inode
- EXTENTS: data stored in extent-mapped blocks
Having both flags causes ext4_has_inline_data() to return true, skipping
extent tree validation in __ext4_iget(). The unvalidated out-of-order
extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer
underflow when calculating hole sizes.
Fix this by detecting this invalid flag combination early in ext4_iget()
and rejecting the corrupted inode.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 4954d297c91d292630ab43ba4d195dc371ce65d3
(git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < f061f7c331fc16250fc82aa68964f35821687217 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 2e9e10657b04152ed0d6ecae8d0c02a3405e28f5 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 1437c95ab2a28b138d4521653583729f61ccb48b (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < cb6039b68efa547b676a8a10fc4618d9d1865c23 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < de985264eef64be8a90595908f2e6a87946dad34 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 1f5ccd22ff482639133f2a0fe08f6d19d0e68717 (git) Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 1d3ad183943b38eec2acf72a0ae98e635dc8456b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4954d297c91d292630ab43ba4d195dc371ce65d3",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "f061f7c331fc16250fc82aa68964f35821687217",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "2e9e10657b04152ed0d6ecae8d0c02a3405e28f5",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "1437c95ab2a28b138d4521653583729f61ccb48b",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "cb6039b68efa547b676a8a10fc4618d9d1865c23",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "de985264eef64be8a90595908f2e6a87946dad34",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "1f5ccd22ff482639133f2a0fe08f6d19d0e68717",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
},
{
"lessThan": "1d3ad183943b38eec2acf72a0ae98e635dc8456b",
"status": "affected",
"version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.55",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: detect invalid INLINE_DATA + EXTENTS flag combination\n\nsyzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity\nfile on a corrupted ext4 filesystem mounted without a journal.\n\nThe issue is that the filesystem has an inode with both the INLINE_DATA\nand EXTENTS flags set:\n\n EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:\n comm syz.0.17: corrupted extent tree: lblk 0 \u003c prev 66\n\nInvestigation revealed that the inode has both flags set:\n DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1\n\nThis is an invalid combination since an inode should have either:\n- INLINE_DATA: data stored directly in the inode\n- EXTENTS: data stored in extent-mapped blocks\n\nHaving both flags causes ext4_has_inline_data() to return true, skipping\nextent tree validation in __ext4_iget(). The unvalidated out-of-order\nextents then trigger a BUG_ON in ext4_es_cache_extent() due to integer\nunderflow when calculating hole sizes.\n\nFix this by detecting this invalid flag combination early in ext4_iget()\nand rejecting the corrupted inode."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:06.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4954d297c91d292630ab43ba4d195dc371ce65d3"
},
{
"url": "https://git.kernel.org/stable/c/f061f7c331fc16250fc82aa68964f35821687217"
},
{
"url": "https://git.kernel.org/stable/c/2e9e10657b04152ed0d6ecae8d0c02a3405e28f5"
},
{
"url": "https://git.kernel.org/stable/c/1437c95ab2a28b138d4521653583729f61ccb48b"
},
{
"url": "https://git.kernel.org/stable/c/cb6039b68efa547b676a8a10fc4618d9d1865c23"
},
{
"url": "https://git.kernel.org/stable/c/de985264eef64be8a90595908f2e6a87946dad34"
},
{
"url": "https://git.kernel.org/stable/c/1f5ccd22ff482639133f2a0fe08f6d19d0e68717"
},
{
"url": "https://git.kernel.org/stable/c/1d3ad183943b38eec2acf72a0ae98e635dc8456b"
}
],
"title": "ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40167",
"datePublished": "2025-11-12T10:26:24.498Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-01-02T15:33:06.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50671 (GCVE-0-2022-50671)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
RDMA/rxe: Fix "kernel NULL pointer dereference" error
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix "kernel NULL pointer dereference" error
When rxe_queue_init in the function rxe_qp_init_req fails,
both qp->req.task.func and qp->req.task.arg are not initialized.
Because of creation of qp fails, the function rxe_create_qp will
call rxe_qp_do_cleanup to handle allocated resource.
Before calling __rxe_do_task, both qp->req.task.func and
qp->req.task.arg should be checked.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8700e3e7c4857d28ebaa824509934556da0b3e76 , < 48cd7098e71735ccafa0b3cf27c53924f9cb5b2f
(git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < eca119693010032d6cc6e7e9b4fb2c363c7e12ce (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 9c5dd6993c794703e74c6ba17ac78ca0211ef940 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 0d773c58d702f0a7c16ee8d69617fd2c28350795 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < cdce36a88def550773142a34ef727a830cad96a8 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < f2f405af70e6f0419e718d23fa304798a5405c41 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < bb33fa65da77f5f02dbee6f25cebaeedfcd70028 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 3b8752f086eb6865cc3662ad13249b03024501e5 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < a625ca30eff806395175ebad3ac1399014bdb280 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "48cd7098e71735ccafa0b3cf27c53924f9cb5b2f",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "eca119693010032d6cc6e7e9b4fb2c363c7e12ce",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "9c5dd6993c794703e74c6ba17ac78ca0211ef940",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "0d773c58d702f0a7c16ee8d69617fd2c28350795",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "cdce36a88def550773142a34ef727a830cad96a8",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "f2f405af70e6f0419e718d23fa304798a5405c41",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "bb33fa65da77f5f02dbee6f25cebaeedfcd70028",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "3b8752f086eb6865cc3662ad13249b03024501e5",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "a625ca30eff806395175ebad3ac1399014bdb280",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix \"kernel NULL pointer dereference\" error\n\nWhen rxe_queue_init in the function rxe_qp_init_req fails,\nboth qp-\u003ereq.task.func and qp-\u003ereq.task.arg are not initialized.\n\nBecause of creation of qp fails, the function rxe_create_qp will\ncall rxe_qp_do_cleanup to handle allocated resource.\n\nBefore calling __rxe_do_task, both qp-\u003ereq.task.func and\nqp-\u003ereq.task.arg should be checked."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:22.950Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/48cd7098e71735ccafa0b3cf27c53924f9cb5b2f"
},
{
"url": "https://git.kernel.org/stable/c/eca119693010032d6cc6e7e9b4fb2c363c7e12ce"
},
{
"url": "https://git.kernel.org/stable/c/9c5dd6993c794703e74c6ba17ac78ca0211ef940"
},
{
"url": "https://git.kernel.org/stable/c/0d773c58d702f0a7c16ee8d69617fd2c28350795"
},
{
"url": "https://git.kernel.org/stable/c/cdce36a88def550773142a34ef727a830cad96a8"
},
{
"url": "https://git.kernel.org/stable/c/f2f405af70e6f0419e718d23fa304798a5405c41"
},
{
"url": "https://git.kernel.org/stable/c/bb33fa65da77f5f02dbee6f25cebaeedfcd70028"
},
{
"url": "https://git.kernel.org/stable/c/3b8752f086eb6865cc3662ad13249b03024501e5"
},
{
"url": "https://git.kernel.org/stable/c/a625ca30eff806395175ebad3ac1399014bdb280"
}
],
"title": "RDMA/rxe: Fix \"kernel NULL pointer dereference\" error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50671",
"datePublished": "2025-12-09T01:29:22.950Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:22.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40190 (GCVE-0-2025-40190)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
ext4: guard against EA inode refcount underflow in xattr update
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: guard against EA inode refcount underflow in xattr update
syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA
inode refcount that is already <= 0 and then applies ref_change (often
-1). That lets the refcount underflow and we proceed with a bogus value,
triggering errors like:
EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
EXT4-fs warning: ea_inode dec ref err=-117
Make the invariant explicit: if the current refcount is non-positive,
treat this as on-disk corruption, emit ext4_error_inode(), and fail the
operation with -EFSCORRUPTED instead of updating the refcount. Delete the
WARN_ONCE() as negative refcounts are now impossible; keep error reporting
in ext4_error_inode().
This prevents the underflow and the follow-on orphan/cleanup churn.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ea39e712c2f5ae148ee5515798ae03523673e002
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1cfb3e4ddbdc8e02e637b8852540bd4718bf4814 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 505e69f76ac497e788f4ea0267826ec7266b40c8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3d6269028246f4484bfed403c947a114bb583631 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 79ea7f3e11effe1bd9e753172981d9029133a278 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6b879c4c6bbaab03c0ad2a983953bd1410bb165e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 440b003f449a4ff2a00b08c8eab9ba5cd28f3943 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 57295e835408d8d425bef58da5253465db3d6888 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea39e712c2f5ae148ee5515798ae03523673e002",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1cfb3e4ddbdc8e02e637b8852540bd4718bf4814",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "505e69f76ac497e788f4ea0267826ec7266b40c8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3d6269028246f4484bfed403c947a114bb583631",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "79ea7f3e11effe1bd9e753172981d9029133a278",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6b879c4c6bbaab03c0ad2a983953bd1410bb165e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "440b003f449a4ff2a00b08c8eab9ba5cd28f3943",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "57295e835408d8d425bef58da5253465db3d6888",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: guard against EA inode refcount underflow in xattr update\n\nsyzkaller found a path where ext4_xattr_inode_update_ref() reads an EA\ninode refcount that is already \u003c= 0 and then applies ref_change (often\n-1). That lets the refcount underflow and we proceed with a bogus value,\ntriggering errors like:\n\n EXT4-fs error: EA inode \u003cn\u003e ref underflow: ref_count=-1 ref_change=-1\n EXT4-fs warning: ea_inode dec ref err=-117\n\nMake the invariant explicit: if the current refcount is non-positive,\ntreat this as on-disk corruption, emit ext4_error_inode(), and fail the\noperation with -EFSCORRUPTED instead of updating the refcount. Delete the\nWARN_ONCE() as negative refcounts are now impossible; keep error reporting\nin ext4_error_inode().\n\nThis prevents the underflow and the follow-on orphan/cleanup churn."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:49.502Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea39e712c2f5ae148ee5515798ae03523673e002"
},
{
"url": "https://git.kernel.org/stable/c/1cfb3e4ddbdc8e02e637b8852540bd4718bf4814"
},
{
"url": "https://git.kernel.org/stable/c/505e69f76ac497e788f4ea0267826ec7266b40c8"
},
{
"url": "https://git.kernel.org/stable/c/3d6269028246f4484bfed403c947a114bb583631"
},
{
"url": "https://git.kernel.org/stable/c/79ea7f3e11effe1bd9e753172981d9029133a278"
},
{
"url": "https://git.kernel.org/stable/c/6b879c4c6bbaab03c0ad2a983953bd1410bb165e"
},
{
"url": "https://git.kernel.org/stable/c/440b003f449a4ff2a00b08c8eab9ba5cd28f3943"
},
{
"url": "https://git.kernel.org/stable/c/57295e835408d8d425bef58da5253465db3d6888"
}
],
"title": "ext4: guard against EA inode refcount underflow in xattr update",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40190",
"datePublished": "2025-11-12T21:56:30.914Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:49.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40244 (GCVE-0-2025-40244)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
The syzbot reported issue in __hfsplus_ext_cache_extent():
[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990
[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990
[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0
[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0
[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0
[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950
[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130
[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060
[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460
[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0
[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0
[ 70.199771][ T9350] ksys_write+0x23e/0x490
[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0
[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0
[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0
[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.202054][ T9350]
[ 70.202279][ T9350] Uninit was created at:
[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80
[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0
[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0
[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0
[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0
[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950
[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130
[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060
[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460
[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0
[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0
[ 70.207961][ T9350] ksys_write+0x23e/0x490
[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0
[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0
[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0
[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.210230][ T9350]
[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5
[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.212115][ T9350] =====================================================
[ 70.212734][ T9350] Disabling lock debugging due to kernel taint
[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...
[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5
[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE
[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.215999][ T9350] Call Trace:
[ 70.216309][ T9350] <TASK>
[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0
[ 70.217025][ T9350] dump_stack+0x1e/0x30
[ 70.217421][ T9350] panic+0x502/0xca0
[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...
kernel
:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0
set ...
[ 70.221254][ T9350] ? __msan_warning+0x96/0x120
[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990
[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0
[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0
[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0
[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950
[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130
[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060
[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460
[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0
[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0
[ 70.228997][ T9350] ? ksys_write+0x23e/0x490
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c1ec90bed504640a42bb20a5f413be39cd17ad71
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b8a72692aa42b7dcd179a96b90bc2763ac74576a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c135b8dca65526aa5b8814e9954e0ae317d9c598 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d7e313039a8f3a6ee072dc5ff4643234d2d735cf (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a5bfb13b4f406aef1a450f99d22d3e48df01528c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 99202d94909d323a30d154ab0261c0a07166daec (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 14c673a2f3ecf650b694a52a88688f1d71849899 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4840ceadef4290c56cc422f0fc697655f3cbf070 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bfind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1ec90bed504640a42bb20a5f413be39cd17ad71",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b8a72692aa42b7dcd179a96b90bc2763ac74576a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c135b8dca65526aa5b8814e9954e0ae317d9c598",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d7e313039a8f3a6ee072dc5ff4643234d2d735cf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a5bfb13b4f406aef1a450f99d22d3e48df01528c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "99202d94909d323a30d154ab0261c0a07166daec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "14c673a2f3ecf650b694a52a88688f1d71849899",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4840ceadef4290c56cc422f0fc697655f3cbf070",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bfind.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()\n\nThe syzbot reported issue in __hfsplus_ext_cache_extent():\n\n[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990\n[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990\n[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0\n[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0\n[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0\n[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950\n[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130\n[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060\n[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460\n[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0\n[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0\n[ 70.199771][ T9350] ksys_write+0x23e/0x490\n[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0\n[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0\n[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0\n[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.202054][ T9350]\n[ 70.202279][ T9350] Uninit was created at:\n[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80\n[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0\n[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0\n[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0\n[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0\n[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950\n[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130\n[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060\n[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460\n[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0\n[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0\n[ 70.207961][ T9350] ksys_write+0x23e/0x490\n[ 70.208375][ T9350] __x64_sys_write+0x97/0xf0\n[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0\n[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0\n[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.210230][ T9350]\n[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5\n[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.212115][ T9350] =====================================================\n[ 70.212734][ T9350] Disabling lock debugging due to kernel taint\n[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ...\n[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5\n[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE\n[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.215999][ T9350] Call Trace:\n[ 70.216309][ T9350] \u003cTASK\u003e\n[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0\n[ 70.217025][ T9350] dump_stack+0x1e/0x30\n[ 70.217421][ T9350] panic+0x502/0xca0\n[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0\n\n[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ...\n kernel\n:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0\nset ...\n[ 70.221254][ T9350] ? __msan_warning+0x96/0x120\n[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990\n[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0\n[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0\n[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0\n[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950\n[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130\n[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060\n[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460\n[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0\n[ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0\n[ 70.228997][ T9350] ? ksys_write+0x23e/0x490\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:14.257Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1ec90bed504640a42bb20a5f413be39cd17ad71"
},
{
"url": "https://git.kernel.org/stable/c/b8a72692aa42b7dcd179a96b90bc2763ac74576a"
},
{
"url": "https://git.kernel.org/stable/c/c135b8dca65526aa5b8814e9954e0ae317d9c598"
},
{
"url": "https://git.kernel.org/stable/c/d7e313039a8f3a6ee072dc5ff4643234d2d735cf"
},
{
"url": "https://git.kernel.org/stable/c/a5bfb13b4f406aef1a450f99d22d3e48df01528c"
},
{
"url": "https://git.kernel.org/stable/c/99202d94909d323a30d154ab0261c0a07166daec"
},
{
"url": "https://git.kernel.org/stable/c/14c673a2f3ecf650b694a52a88688f1d71849899"
},
{
"url": "https://git.kernel.org/stable/c/4840ceadef4290c56cc422f0fc697655f3cbf070"
}
],
"title": "hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40244",
"datePublished": "2025-12-04T15:31:33.249Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-01-02T15:33:14.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54294 (GCVE-0-2023-54294)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
md/raid10: fix memleak of md thread
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: fix memleak of md thread
In raid10_run(), if setup_conf() succeed and raid10_run() failed before
setting 'mddev->thread', then in the error path 'conf->thread' is not
freed.
Fix the problem by setting 'mddev->thread' right after setup_conf().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
43a521238aca0e24d50add1db125a61bda2a3527 , < abf4d67060c8f63caff096e5fca1564bfef1e5d4
(git)
Affected: 43a521238aca0e24d50add1db125a61bda2a3527 , < 3725b35fc0e5e4eea0434ef625f3d92f3059d080 (git) Affected: 43a521238aca0e24d50add1db125a61bda2a3527 , < 2a65555f7e0f4a05b663879908a991e6d9f81e51 (git) Affected: 43a521238aca0e24d50add1db125a61bda2a3527 , < d6cfcf98b824591cffa4c1e9889fb4fa619359fe (git) Affected: 43a521238aca0e24d50add1db125a61bda2a3527 , < 36ba0c7b86acd9c2ea80a273204d52c21c955471 (git) Affected: 43a521238aca0e24d50add1db125a61bda2a3527 , < 5d763f708b0f918fb87799e33c25113ae6081216 (git) Affected: 43a521238aca0e24d50add1db125a61bda2a3527 , < ec473e82e10d39a02eb59b0b95e546119a3bdb79 (git) Affected: 43a521238aca0e24d50add1db125a61bda2a3527 , < f0ddb83da3cbbf8a1f9087a642c448ff52ee9abd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "abf4d67060c8f63caff096e5fca1564bfef1e5d4",
"status": "affected",
"version": "43a521238aca0e24d50add1db125a61bda2a3527",
"versionType": "git"
},
{
"lessThan": "3725b35fc0e5e4eea0434ef625f3d92f3059d080",
"status": "affected",
"version": "43a521238aca0e24d50add1db125a61bda2a3527",
"versionType": "git"
},
{
"lessThan": "2a65555f7e0f4a05b663879908a991e6d9f81e51",
"status": "affected",
"version": "43a521238aca0e24d50add1db125a61bda2a3527",
"versionType": "git"
},
{
"lessThan": "d6cfcf98b824591cffa4c1e9889fb4fa619359fe",
"status": "affected",
"version": "43a521238aca0e24d50add1db125a61bda2a3527",
"versionType": "git"
},
{
"lessThan": "36ba0c7b86acd9c2ea80a273204d52c21c955471",
"status": "affected",
"version": "43a521238aca0e24d50add1db125a61bda2a3527",
"versionType": "git"
},
{
"lessThan": "5d763f708b0f918fb87799e33c25113ae6081216",
"status": "affected",
"version": "43a521238aca0e24d50add1db125a61bda2a3527",
"versionType": "git"
},
{
"lessThan": "ec473e82e10d39a02eb59b0b95e546119a3bdb79",
"status": "affected",
"version": "43a521238aca0e24d50add1db125a61bda2a3527",
"versionType": "git"
},
{
"lessThan": "f0ddb83da3cbbf8a1f9087a642c448ff52ee9abd",
"status": "affected",
"version": "43a521238aca0e24d50add1db125a61bda2a3527",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix memleak of md thread\n\nIn raid10_run(), if setup_conf() succeed and raid10_run() failed before\nsetting \u0027mddev-\u003ethread\u0027, then in the error path \u0027conf-\u003ethread\u0027 is not\nfreed.\n\nFix the problem by setting \u0027mddev-\u003ethread\u0027 right after setup_conf()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:31.778Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/abf4d67060c8f63caff096e5fca1564bfef1e5d4"
},
{
"url": "https://git.kernel.org/stable/c/3725b35fc0e5e4eea0434ef625f3d92f3059d080"
},
{
"url": "https://git.kernel.org/stable/c/2a65555f7e0f4a05b663879908a991e6d9f81e51"
},
{
"url": "https://git.kernel.org/stable/c/d6cfcf98b824591cffa4c1e9889fb4fa619359fe"
},
{
"url": "https://git.kernel.org/stable/c/36ba0c7b86acd9c2ea80a273204d52c21c955471"
},
{
"url": "https://git.kernel.org/stable/c/5d763f708b0f918fb87799e33c25113ae6081216"
},
{
"url": "https://git.kernel.org/stable/c/ec473e82e10d39a02eb59b0b95e546119a3bdb79"
},
{
"url": "https://git.kernel.org/stable/c/f0ddb83da3cbbf8a1f9087a642c448ff52ee9abd"
}
],
"title": "md/raid10: fix memleak of md thread",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54294",
"datePublished": "2025-12-30T12:23:31.778Z",
"dateReserved": "2025-12-30T12:06:44.527Z",
"dateUpdated": "2025-12-30T12:23:31.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54303 (GCVE-0-2023-54303)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
bpf: Disable preemption in bpf_perf_event_output
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Disable preemption in bpf_perf_event_output
The nesting protection in bpf_perf_event_output relies on disabled
preemption, which is guaranteed for kprobes and tracepoints.
However bpf_perf_event_output can be also called from uprobes context
through bpf_prog_run_array_sleepable function which disables migration,
but keeps preemption enabled.
This can cause task to be preempted by another one inside the nesting
protection and lead eventually to two tasks using same perf_sample_data
buffer and cause crashes like:
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle page fault for address: ffffffff82be3eea
...
Call Trace:
? __die+0x1f/0x70
? page_fault_oops+0x176/0x4d0
? exc_page_fault+0x132/0x230
? asm_exc_page_fault+0x22/0x30
? perf_output_sample+0x12b/0x910
? perf_event_output+0xd0/0x1d0
? bpf_perf_event_output+0x162/0x1d0
? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87
? __uprobe_perf_func+0x12b/0x540
? uprobe_dispatcher+0x2c4/0x430
? uprobe_notify_resume+0x2da/0xce0
? atomic_notifier_call_chain+0x7b/0x110
? exit_to_user_mode_prepare+0x13e/0x290
? irqentry_exit_to_user_mode+0x5/0x30
? asm_exc_int3+0x35/0x40
Fixing this by disabling preemption in bpf_perf_event_output.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9 , < 3654ed5daf492463c3faa434c7000d45c2da2ace
(git)
Affected: 8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9 , < a0ac32cf61e5a76e2429e486925a52ee41dd75e3 (git) Affected: 8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9 , < f2c67a3e60d1071b65848efaa8c3b66c363dd025 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/bpf_trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3654ed5daf492463c3faa434c7000d45c2da2ace",
"status": "affected",
"version": "8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9",
"versionType": "git"
},
{
"lessThan": "a0ac32cf61e5a76e2429e486925a52ee41dd75e3",
"status": "affected",
"version": "8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9",
"versionType": "git"
},
{
"lessThan": "f2c67a3e60d1071b65848efaa8c3b66c363dd025",
"status": "affected",
"version": "8c7dcb84e3b744b2b70baa7a44a9b1881c33a9c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/bpf_trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Disable preemption in bpf_perf_event_output\n\nThe nesting protection in bpf_perf_event_output relies on disabled\npreemption, which is guaranteed for kprobes and tracepoints.\n\nHowever bpf_perf_event_output can be also called from uprobes context\nthrough bpf_prog_run_array_sleepable function which disables migration,\nbut keeps preemption enabled.\n\nThis can cause task to be preempted by another one inside the nesting\nprotection and lead eventually to two tasks using same perf_sample_data\nbuffer and cause crashes like:\n\n kernel tried to execute NX-protected page - exploit attempt? (uid: 0)\n BUG: unable to handle page fault for address: ffffffff82be3eea\n ...\n Call Trace:\n ? __die+0x1f/0x70\n ? page_fault_oops+0x176/0x4d0\n ? exc_page_fault+0x132/0x230\n ? asm_exc_page_fault+0x22/0x30\n ? perf_output_sample+0x12b/0x910\n ? perf_event_output+0xd0/0x1d0\n ? bpf_perf_event_output+0x162/0x1d0\n ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87\n ? __uprobe_perf_func+0x12b/0x540\n ? uprobe_dispatcher+0x2c4/0x430\n ? uprobe_notify_resume+0x2da/0xce0\n ? atomic_notifier_call_chain+0x7b/0x110\n ? exit_to_user_mode_prepare+0x13e/0x290\n ? irqentry_exit_to_user_mode+0x5/0x30\n ? asm_exc_int3+0x35/0x40\n\nFixing this by disabling preemption in bpf_perf_event_output."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:37.827Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3654ed5daf492463c3faa434c7000d45c2da2ace"
},
{
"url": "https://git.kernel.org/stable/c/a0ac32cf61e5a76e2429e486925a52ee41dd75e3"
},
{
"url": "https://git.kernel.org/stable/c/f2c67a3e60d1071b65848efaa8c3b66c363dd025"
}
],
"title": "bpf: Disable preemption in bpf_perf_event_output",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54303",
"datePublished": "2025-12-30T12:23:37.827Z",
"dateReserved": "2025-12-30T12:06:44.529Z",
"dateUpdated": "2025-12-30T12:23:37.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53814 (GCVE-0-2023-53814)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
VLAI?
EPSS
Title
PCI: Fix dropping valid root bus resources with .end = zero
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: Fix dropping valid root bus resources with .end = zero
On r8a7791/koelsch:
kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
# cat /sys/kernel/debug/kmemleak
unreferenced object 0xc3a34e00 (size 64):
comm "swapper/0", pid 1, jiffies 4294937460 (age 199.080s)
hex dump (first 32 bytes):
b4 5d 81 f0 b4 5d 81 f0 c0 b0 a2 c3 00 00 00 00 .]...]..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<fe3aa979>] __kmalloc+0xf0/0x140
[<34bd6bc0>] resource_list_create_entry+0x18/0x38
[<767046bc>] pci_add_resource_offset+0x20/0x68
[<b3f3edf2>] devm_of_pci_get_host_bridge_resources.constprop.0+0xb0/0x390
When coalescing two resources for a contiguous aperture, the second
resource is enlarged to cover the full contiguous range, while the first
resource is marked invalid. This invalidation is done by clearing the
flags, start, and end members.
When adding the initial resources to the bus later, invalid resources are
skipped. Unfortunately, the check for an invalid resource considers only
the end member, causing false positives.
E.g. on r8a7791/koelsch, root bus resource 0 ("bus 00") is skipped, and no
longer registered with pci_bus_insert_busn_res() (causing the memory leak),
nor printed:
pci-rcar-gen2 ee090000.pci: host bridge /soc/pci@ee090000 ranges:
pci-rcar-gen2 ee090000.pci: MEM 0x00ee080000..0x00ee08ffff -> 0x00ee080000
pci-rcar-gen2 ee090000.pci: PCI: revision 11
pci-rcar-gen2 ee090000.pci: PCI host bridge to bus 0000:00
-pci_bus 0000:00: root bus resource [bus 00]
pci_bus 0000:00: root bus resource [mem 0xee080000-0xee08ffff]
Fix this by only skipping resources where all of the flags, start, and end
members are zero.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fd168b7d1d7cfc61cea561b1e3cc47aefc9e8f19 , < e4af080f3ef6a65b0d702988c2471a47c9ae2cc0
(git)
Affected: 7c3855c423b17f6ca211858afb0cef20569914c7 , < fe6a1fbe83f5b23d7db93596b793561230f06b40 (git) Affected: 7c3855c423b17f6ca211858afb0cef20569914c7 , < 7e6f2714d93cdf977b6124a80af2cf0e14e2d407 (git) Affected: 7c3855c423b17f6ca211858afb0cef20569914c7 , < 9d8ba74a181b1c81def21168795ed96cbe6f05ed (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/probe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e4af080f3ef6a65b0d702988c2471a47c9ae2cc0",
"status": "affected",
"version": "fd168b7d1d7cfc61cea561b1e3cc47aefc9e8f19",
"versionType": "git"
},
{
"lessThan": "fe6a1fbe83f5b23d7db93596b793561230f06b40",
"status": "affected",
"version": "7c3855c423b17f6ca211858afb0cef20569914c7",
"versionType": "git"
},
{
"lessThan": "7e6f2714d93cdf977b6124a80af2cf0e14e2d407",
"status": "affected",
"version": "7c3855c423b17f6ca211858afb0cef20569914c7",
"versionType": "git"
},
{
"lessThan": "9d8ba74a181b1c81def21168795ed96cbe6f05ed",
"status": "affected",
"version": "7c3855c423b17f6ca211858afb0cef20569914c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/probe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix dropping valid root bus resources with .end = zero\n\nOn r8a7791/koelsch:\n\n kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\n # cat /sys/kernel/debug/kmemleak\n unreferenced object 0xc3a34e00 (size 64):\n comm \"swapper/0\", pid 1, jiffies 4294937460 (age 199.080s)\n hex dump (first 32 bytes):\n b4 5d 81 f0 b4 5d 81 f0 c0 b0 a2 c3 00 00 00 00 .]...]..........\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cfe3aa979\u003e] __kmalloc+0xf0/0x140\n [\u003c34bd6bc0\u003e] resource_list_create_entry+0x18/0x38\n [\u003c767046bc\u003e] pci_add_resource_offset+0x20/0x68\n [\u003cb3f3edf2\u003e] devm_of_pci_get_host_bridge_resources.constprop.0+0xb0/0x390\n\nWhen coalescing two resources for a contiguous aperture, the second\nresource is enlarged to cover the full contiguous range, while the first\nresource is marked invalid. This invalidation is done by clearing the\nflags, start, and end members.\n\nWhen adding the initial resources to the bus later, invalid resources are\nskipped. Unfortunately, the check for an invalid resource considers only\nthe end member, causing false positives.\n\nE.g. on r8a7791/koelsch, root bus resource 0 (\"bus 00\") is skipped, and no\nlonger registered with pci_bus_insert_busn_res() (causing the memory leak),\nnor printed:\n\n pci-rcar-gen2 ee090000.pci: host bridge /soc/pci@ee090000 ranges:\n pci-rcar-gen2 ee090000.pci: MEM 0x00ee080000..0x00ee08ffff -\u003e 0x00ee080000\n pci-rcar-gen2 ee090000.pci: PCI: revision 11\n pci-rcar-gen2 ee090000.pci: PCI host bridge to bus 0000:00\n -pci_bus 0000:00: root bus resource [bus 00]\n pci_bus 0000:00: root bus resource [mem 0xee080000-0xee08ffff]\n\nFix this by only skipping resources where all of the flags, start, and end\nmembers are zero."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:11.827Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e4af080f3ef6a65b0d702988c2471a47c9ae2cc0"
},
{
"url": "https://git.kernel.org/stable/c/fe6a1fbe83f5b23d7db93596b793561230f06b40"
},
{
"url": "https://git.kernel.org/stable/c/7e6f2714d93cdf977b6124a80af2cf0e14e2d407"
},
{
"url": "https://git.kernel.org/stable/c/9d8ba74a181b1c81def21168795ed96cbe6f05ed"
}
],
"title": "PCI: Fix dropping valid root bus resources with .end = zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53814",
"datePublished": "2025-12-09T00:01:11.827Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:11.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54230 (GCVE-0-2023-54230)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
amba: bus: fix refcount leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
amba: bus: fix refcount leak
commit 5de1540b7bc4 ("drivers/amba: create devices from device tree")
increases the refcount of of_node, but not releases it in
amba_device_release, so there is refcount leak. By using of_node_put
to avoid refcount leak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5de1540b7bc4c23470f86add1e517be41e7fefe2 , < 94e398df32e850f26828690ee62f7441979583cc
(git)
Affected: 5de1540b7bc4c23470f86add1e517be41e7fefe2 , < 9062ce0ccbd82fbe81cc839a512c0ad90847e01c (git) Affected: 5de1540b7bc4c23470f86add1e517be41e7fefe2 , < 03db4fe7917bb160eeccf3968835475fa32b7e10 (git) Affected: 5de1540b7bc4c23470f86add1e517be41e7fefe2 , < 9baf2278b3eed2c50112169121257d8a6ee0606c (git) Affected: 5de1540b7bc4c23470f86add1e517be41e7fefe2 , < 4f1807fddd9bf175ee5e14fffc6b6106e4b297ef (git) Affected: 5de1540b7bc4c23470f86add1e517be41e7fefe2 , < 81ff633a88be2482c163d3acd2801d501261ce6a (git) Affected: 5de1540b7bc4c23470f86add1e517be41e7fefe2 , < 206fadb7278ceac7593dd0b945a77b9df856a674 (git) Affected: 5de1540b7bc4c23470f86add1e517be41e7fefe2 , < 8b60a706166de5de82314494704c2419e7657bf8 (git) Affected: 5de1540b7bc4c23470f86add1e517be41e7fefe2 , < e312cbdc11305568554a9e18a2ea5c2492c183f3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/amba/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "94e398df32e850f26828690ee62f7441979583cc",
"status": "affected",
"version": "5de1540b7bc4c23470f86add1e517be41e7fefe2",
"versionType": "git"
},
{
"lessThan": "9062ce0ccbd82fbe81cc839a512c0ad90847e01c",
"status": "affected",
"version": "5de1540b7bc4c23470f86add1e517be41e7fefe2",
"versionType": "git"
},
{
"lessThan": "03db4fe7917bb160eeccf3968835475fa32b7e10",
"status": "affected",
"version": "5de1540b7bc4c23470f86add1e517be41e7fefe2",
"versionType": "git"
},
{
"lessThan": "9baf2278b3eed2c50112169121257d8a6ee0606c",
"status": "affected",
"version": "5de1540b7bc4c23470f86add1e517be41e7fefe2",
"versionType": "git"
},
{
"lessThan": "4f1807fddd9bf175ee5e14fffc6b6106e4b297ef",
"status": "affected",
"version": "5de1540b7bc4c23470f86add1e517be41e7fefe2",
"versionType": "git"
},
{
"lessThan": "81ff633a88be2482c163d3acd2801d501261ce6a",
"status": "affected",
"version": "5de1540b7bc4c23470f86add1e517be41e7fefe2",
"versionType": "git"
},
{
"lessThan": "206fadb7278ceac7593dd0b945a77b9df856a674",
"status": "affected",
"version": "5de1540b7bc4c23470f86add1e517be41e7fefe2",
"versionType": "git"
},
{
"lessThan": "8b60a706166de5de82314494704c2419e7657bf8",
"status": "affected",
"version": "5de1540b7bc4c23470f86add1e517be41e7fefe2",
"versionType": "git"
},
{
"lessThan": "e312cbdc11305568554a9e18a2ea5c2492c183f3",
"status": "affected",
"version": "5de1540b7bc4c23470f86add1e517be41e7fefe2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/amba/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\namba: bus: fix refcount leak\n\ncommit 5de1540b7bc4 (\"drivers/amba: create devices from device tree\")\nincreases the refcount of of_node, but not releases it in\namba_device_release, so there is refcount leak. By using of_node_put\nto avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:22.230Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/94e398df32e850f26828690ee62f7441979583cc"
},
{
"url": "https://git.kernel.org/stable/c/9062ce0ccbd82fbe81cc839a512c0ad90847e01c"
},
{
"url": "https://git.kernel.org/stable/c/03db4fe7917bb160eeccf3968835475fa32b7e10"
},
{
"url": "https://git.kernel.org/stable/c/9baf2278b3eed2c50112169121257d8a6ee0606c"
},
{
"url": "https://git.kernel.org/stable/c/4f1807fddd9bf175ee5e14fffc6b6106e4b297ef"
},
{
"url": "https://git.kernel.org/stable/c/81ff633a88be2482c163d3acd2801d501261ce6a"
},
{
"url": "https://git.kernel.org/stable/c/206fadb7278ceac7593dd0b945a77b9df856a674"
},
{
"url": "https://git.kernel.org/stable/c/8b60a706166de5de82314494704c2419e7657bf8"
},
{
"url": "https://git.kernel.org/stable/c/e312cbdc11305568554a9e18a2ea5c2492c183f3"
}
],
"title": "amba: bus: fix refcount leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54230",
"datePublished": "2025-12-30T12:11:22.230Z",
"dateReserved": "2025-12-30T12:06:44.502Z",
"dateUpdated": "2025-12-30T12:11:22.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50848 (GCVE-0-2022-50848)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
drivers: dio: fix possible memory leak in dio_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drivers: dio: fix possible memory leak in dio_init()
If device_register() returns error, the 'dev' and name needs be
freed. Add a release function, and then call put_device() in the
error path, so the name is freed in kobject_cleanup() and to the
'dev' is freed in release function.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2e4c77bea3d8b17d94f8ee382411f359b708560f , < affe3cea6b3148fa66796a48640664822ceccd48
(git)
Affected: 2e4c77bea3d8b17d94f8ee382411f359b708560f , < 4b68caa95064ac464f1b261d08ac677e753d1088 (git) Affected: 2e4c77bea3d8b17d94f8ee382411f359b708560f , < a524e7fed696a4dfef671e0fda3511bfd2dca0cf (git) Affected: 2e4c77bea3d8b17d94f8ee382411f359b708560f , < da64e01da40c6b71a54144126da53cc3b27201ac (git) Affected: 2e4c77bea3d8b17d94f8ee382411f359b708560f , < fce9890e1be4c0460dad850cc8c00414a9d25f0f (git) Affected: 2e4c77bea3d8b17d94f8ee382411f359b708560f , < a0ead7e8da84f4c3759417b8e928b65e0207c646 (git) Affected: 2e4c77bea3d8b17d94f8ee382411f359b708560f , < 8e002b9fe831b27d4506df6fa60cb33ba0730ac3 (git) Affected: 2e4c77bea3d8b17d94f8ee382411f359b708560f , < 78fddc0ff971f9874d53c854818cc4aafa144114 (git) Affected: 2e4c77bea3d8b17d94f8ee382411f359b708560f , < e63e99397b2613d50a5f4f02ed07307e67a190f1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dio/dio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "affe3cea6b3148fa66796a48640664822ceccd48",
"status": "affected",
"version": "2e4c77bea3d8b17d94f8ee382411f359b708560f",
"versionType": "git"
},
{
"lessThan": "4b68caa95064ac464f1b261d08ac677e753d1088",
"status": "affected",
"version": "2e4c77bea3d8b17d94f8ee382411f359b708560f",
"versionType": "git"
},
{
"lessThan": "a524e7fed696a4dfef671e0fda3511bfd2dca0cf",
"status": "affected",
"version": "2e4c77bea3d8b17d94f8ee382411f359b708560f",
"versionType": "git"
},
{
"lessThan": "da64e01da40c6b71a54144126da53cc3b27201ac",
"status": "affected",
"version": "2e4c77bea3d8b17d94f8ee382411f359b708560f",
"versionType": "git"
},
{
"lessThan": "fce9890e1be4c0460dad850cc8c00414a9d25f0f",
"status": "affected",
"version": "2e4c77bea3d8b17d94f8ee382411f359b708560f",
"versionType": "git"
},
{
"lessThan": "a0ead7e8da84f4c3759417b8e928b65e0207c646",
"status": "affected",
"version": "2e4c77bea3d8b17d94f8ee382411f359b708560f",
"versionType": "git"
},
{
"lessThan": "8e002b9fe831b27d4506df6fa60cb33ba0730ac3",
"status": "affected",
"version": "2e4c77bea3d8b17d94f8ee382411f359b708560f",
"versionType": "git"
},
{
"lessThan": "78fddc0ff971f9874d53c854818cc4aafa144114",
"status": "affected",
"version": "2e4c77bea3d8b17d94f8ee382411f359b708560f",
"versionType": "git"
},
{
"lessThan": "e63e99397b2613d50a5f4f02ed07307e67a190f1",
"status": "affected",
"version": "2e4c77bea3d8b17d94f8ee382411f359b708560f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dio/dio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: dio: fix possible memory leak in dio_init()\n\nIf device_register() returns error, the \u0027dev\u0027 and name needs be\nfreed. Add a release function, and then call put_device() in the\nerror path, so the name is freed in kobject_cleanup() and to the\n\u0027dev\u0027 is freed in release function."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:25.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/affe3cea6b3148fa66796a48640664822ceccd48"
},
{
"url": "https://git.kernel.org/stable/c/4b68caa95064ac464f1b261d08ac677e753d1088"
},
{
"url": "https://git.kernel.org/stable/c/a524e7fed696a4dfef671e0fda3511bfd2dca0cf"
},
{
"url": "https://git.kernel.org/stable/c/da64e01da40c6b71a54144126da53cc3b27201ac"
},
{
"url": "https://git.kernel.org/stable/c/fce9890e1be4c0460dad850cc8c00414a9d25f0f"
},
{
"url": "https://git.kernel.org/stable/c/a0ead7e8da84f4c3759417b8e928b65e0207c646"
},
{
"url": "https://git.kernel.org/stable/c/8e002b9fe831b27d4506df6fa60cb33ba0730ac3"
},
{
"url": "https://git.kernel.org/stable/c/78fddc0ff971f9874d53c854818cc4aafa144114"
},
{
"url": "https://git.kernel.org/stable/c/e63e99397b2613d50a5f4f02ed07307e67a190f1"
}
],
"title": "drivers: dio: fix possible memory leak in dio_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50848",
"datePublished": "2025-12-30T12:15:25.776Z",
"dateReserved": "2025-12-30T12:06:07.134Z",
"dateUpdated": "2025-12-30T12:15:25.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68239 (GCVE-0-2025-68239)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2025-12-16 14:21
VLAI?
EPSS
Title
binfmt_misc: restore write access before closing files opened by open_exec()
Summary
In the Linux kernel, the following vulnerability has been resolved:
binfmt_misc: restore write access before closing files opened by open_exec()
bm_register_write() opens an executable file using open_exec(), which
internally calls do_open_execat() and denies write access on the file to
avoid modification while it is being executed.
However, when an error occurs, bm_register_write() closes the file using
filp_close() directly. This does not restore the write permission, which
may cause subsequent write operations on the same file to fail.
Fix this by calling exe_file_allow_write_access() before filp_close() to
restore the write permission properly.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e7850f4d844e0acfac7e570af611d89deade3146 , < e785f552ab04dbca01d31f0334f4561240b04459
(git)
Affected: e7850f4d844e0acfac7e570af611d89deade3146 , < 90f601b497d76f40fa66795c3ecf625b6aced9fd (git) Affected: 467a50d5db7deaf656e18a1f633be9ecd94b393a (git) Affected: 4a8b4124ea4156ca52918b66c750a69c6d932aa5 (git) Affected: 3fe116e33a855bbfdd32dc207e9be2a41e3ed3a6 (git) Affected: c0e0ab60d0b15469e69db93215dad009999f5a5b (git) Affected: 5ab9464a2a3c538eedbb438f1802f2fd98d0953f (git) Affected: d28492be82e19fc69cc69975fc2052b37ef0c821 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/binfmt_misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e785f552ab04dbca01d31f0334f4561240b04459",
"status": "affected",
"version": "e7850f4d844e0acfac7e570af611d89deade3146",
"versionType": "git"
},
{
"lessThan": "90f601b497d76f40fa66795c3ecf625b6aced9fd",
"status": "affected",
"version": "e7850f4d844e0acfac7e570af611d89deade3146",
"versionType": "git"
},
{
"status": "affected",
"version": "467a50d5db7deaf656e18a1f633be9ecd94b393a",
"versionType": "git"
},
{
"status": "affected",
"version": "4a8b4124ea4156ca52918b66c750a69c6d932aa5",
"versionType": "git"
},
{
"status": "affected",
"version": "3fe116e33a855bbfdd32dc207e9be2a41e3ed3a6",
"versionType": "git"
},
{
"status": "affected",
"version": "c0e0ab60d0b15469e69db93215dad009999f5a5b",
"versionType": "git"
},
{
"status": "affected",
"version": "5ab9464a2a3c538eedbb438f1802f2fd98d0953f",
"versionType": "git"
},
{
"status": "affected",
"version": "d28492be82e19fc69cc69975fc2052b37ef0c821",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/binfmt_misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.226",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_misc: restore write access before closing files opened by open_exec()\n\nbm_register_write() opens an executable file using open_exec(), which\ninternally calls do_open_execat() and denies write access on the file to\navoid modification while it is being executed.\n\nHowever, when an error occurs, bm_register_write() closes the file using\nfilp_close() directly. This does not restore the write permission, which\nmay cause subsequent write operations on the same file to fail.\n\nFix this by calling exe_file_allow_write_access() before filp_close() to\nrestore the write permission properly."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:21:16.889Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e785f552ab04dbca01d31f0334f4561240b04459"
},
{
"url": "https://git.kernel.org/stable/c/90f601b497d76f40fa66795c3ecf625b6aced9fd"
}
],
"title": "binfmt_misc: restore write access before closing files opened by open_exec()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68239",
"datePublished": "2025-12-16T14:21:16.889Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2025-12-16T14:21:16.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54014 (GCVE-0-2023-54014)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
Klocwork reported warning of rport maybe NULL and will be dereferenced.
rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.
Check valid rport returned by fc_bsg_to_rport().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < f35bd94b4e11c41de90cd0fa72c9062e8196822f
(git)
Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < ccd3bc595bda67db5a347b9050c2df28f292d3fb (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < 1b7e5bdf2be22ae8c61bdca5a5f96ec2746e9639 (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < 921d6844625527a92d1178262a633cc88a8e61bd (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < 1ccd52b790a66b8b5f75c87eab8c3a37f941a2bf (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < e466930717ef18c112585a39fc6174d8eb441df5 (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < ced5460eae772e847debbc0b65ef93aedab92d3f (git) Affected: 75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709 , < af73f23a27206ffb3c477cac75b5fcf03410556e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f35bd94b4e11c41de90cd0fa72c9062e8196822f",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "ccd3bc595bda67db5a347b9050c2df28f292d3fb",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "1b7e5bdf2be22ae8c61bdca5a5f96ec2746e9639",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "921d6844625527a92d1178262a633cc88a8e61bd",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "1ccd52b790a66b8b5f75c87eab8c3a37f941a2bf",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "e466930717ef18c112585a39fc6174d8eb441df5",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "ced5460eae772e847debbc0b65ef93aedab92d3f",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
},
{
"lessThan": "af73f23a27206ffb3c477cac75b5fcf03410556e",
"status": "affected",
"version": "75cc8cfc6e13d42d50c2bf4307d0a68c2a70f709",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()\n\nKlocwork reported warning of rport maybe NULL and will be dereferenced.\nrport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.\n\nCheck valid rport returned by fc_bsg_to_rport()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:27.355Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f35bd94b4e11c41de90cd0fa72c9062e8196822f"
},
{
"url": "https://git.kernel.org/stable/c/ccd3bc595bda67db5a347b9050c2df28f292d3fb"
},
{
"url": "https://git.kernel.org/stable/c/1b7e5bdf2be22ae8c61bdca5a5f96ec2746e9639"
},
{
"url": "https://git.kernel.org/stable/c/921d6844625527a92d1178262a633cc88a8e61bd"
},
{
"url": "https://git.kernel.org/stable/c/1ccd52b790a66b8b5f75c87eab8c3a37f941a2bf"
},
{
"url": "https://git.kernel.org/stable/c/e466930717ef18c112585a39fc6174d8eb441df5"
},
{
"url": "https://git.kernel.org/stable/c/ced5460eae772e847debbc0b65ef93aedab92d3f"
},
{
"url": "https://git.kernel.org/stable/c/af73f23a27206ffb3c477cac75b5fcf03410556e"
}
],
"title": "scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54014",
"datePublished": "2025-12-24T10:55:46.255Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2026-01-05T10:33:27.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40213 (GCVE-0-2025-40213)
Vulnerability from cvelistv5 – Published: 2025-11-24 15:59 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete
There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to
memcpy from badly declared on-stack flexible array.
Another crash is in set_mesh_complete() due to double list_del via
mgmt_pending_valid + mgmt_pending_remove.
Use DEFINE_FLEX to declare the flexible array right, and don't memcpy
outside bounds.
As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,
and also report status on error.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d71b98f253b079cbadc83266383f26fe7e9e103b , < 5c19daa93d9af29f1f46251b47e1ea66bcc8d679
(git)
Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < 1c9aca1787e8395a2c59fef20e914467958969c5 (git) Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < e8785404de06a69d89dcdd1e9a0b6ea42dc6d327 (git) Affected: 87a1f16f07c6c43771754075e08f45b41d237421 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/mgmt.h",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c19daa93d9af29f1f46251b47e1ea66bcc8d679",
"status": "affected",
"version": "d71b98f253b079cbadc83266383f26fe7e9e103b",
"versionType": "git"
},
{
"lessThan": "1c9aca1787e8395a2c59fef20e914467958969c5",
"status": "affected",
"version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"versionType": "git"
},
{
"lessThan": "e8785404de06a69d89dcdd1e9a0b6ea42dc6d327",
"status": "affected",
"version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
"versionType": "git"
},
{
"status": "affected",
"version": "87a1f16f07c6c43771754075e08f45b41d237421",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/mgmt.h",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete\n\nThere is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to\nmemcpy from badly declared on-stack flexible array.\n\nAnother crash is in set_mesh_complete() due to double list_del via\nmgmt_pending_valid + mgmt_pending_remove.\n\nUse DEFINE_FLEX to declare the flexible array right, and don\u0027t memcpy\noutside bounds.\n\nAs mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,\nand also report status on error."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:19.302Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c19daa93d9af29f1f46251b47e1ea66bcc8d679"
},
{
"url": "https://git.kernel.org/stable/c/1c9aca1787e8395a2c59fef20e914467958969c5"
},
{
"url": "https://git.kernel.org/stable/c/e8785404de06a69d89dcdd1e9a0b6ea42dc6d327"
}
],
"title": "Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40213",
"datePublished": "2025-11-24T15:59:44.000Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:19.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50698 (GCVE-0-2022-50698)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
ASoC: da7219: Fix an error handling path in da7219_register_dai_clks()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: da7219: Fix an error handling path in da7219_register_dai_clks()
If clk_hw_register() fails, the corresponding clk should not be
unregistered.
To handle errors from loops, clean up partial iterations before doing the
goto. So add a clk_hw_unregister().
Then use a while (--i >= 0) loop in the unwind section.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
78013a1cf2971684775f6956d5666237ac53a1aa , < 4993c1511d66326f1037bc5156b024a6a96d23ef
(git)
Affected: 78013a1cf2971684775f6956d5666237ac53a1aa , < f5f1f5ee5048cfa7bd07f496b33bd2cfc198a176 (git) Affected: 78013a1cf2971684775f6956d5666237ac53a1aa , < ec692f0b51006de1138cd1f82cae625f0d2888d1 (git) Affected: 78013a1cf2971684775f6956d5666237ac53a1aa , < cefce8bee0e988f9a005fe40705b98a25cfb7f9d (git) Affected: 78013a1cf2971684775f6956d5666237ac53a1aa , < abb4e4349afe7eecdb0499582f1c777031e3a7c8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/da7219.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4993c1511d66326f1037bc5156b024a6a96d23ef",
"status": "affected",
"version": "78013a1cf2971684775f6956d5666237ac53a1aa",
"versionType": "git"
},
{
"lessThan": "f5f1f5ee5048cfa7bd07f496b33bd2cfc198a176",
"status": "affected",
"version": "78013a1cf2971684775f6956d5666237ac53a1aa",
"versionType": "git"
},
{
"lessThan": "ec692f0b51006de1138cd1f82cae625f0d2888d1",
"status": "affected",
"version": "78013a1cf2971684775f6956d5666237ac53a1aa",
"versionType": "git"
},
{
"lessThan": "cefce8bee0e988f9a005fe40705b98a25cfb7f9d",
"status": "affected",
"version": "78013a1cf2971684775f6956d5666237ac53a1aa",
"versionType": "git"
},
{
"lessThan": "abb4e4349afe7eecdb0499582f1c777031e3a7c8",
"status": "affected",
"version": "78013a1cf2971684775f6956d5666237ac53a1aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/da7219.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: da7219: Fix an error handling path in da7219_register_dai_clks()\n\nIf clk_hw_register() fails, the corresponding clk should not be\nunregistered.\n\nTo handle errors from loops, clean up partial iterations before doing the\ngoto. So add a clk_hw_unregister().\nThen use a while (--i \u003e= 0) loop in the unwind section."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:14.740Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4993c1511d66326f1037bc5156b024a6a96d23ef"
},
{
"url": "https://git.kernel.org/stable/c/f5f1f5ee5048cfa7bd07f496b33bd2cfc198a176"
},
{
"url": "https://git.kernel.org/stable/c/ec692f0b51006de1138cd1f82cae625f0d2888d1"
},
{
"url": "https://git.kernel.org/stable/c/cefce8bee0e988f9a005fe40705b98a25cfb7f9d"
},
{
"url": "https://git.kernel.org/stable/c/abb4e4349afe7eecdb0499582f1c777031e3a7c8"
}
],
"title": "ASoC: da7219: Fix an error handling path in da7219_register_dai_clks()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50698",
"datePublished": "2025-12-24T10:55:14.740Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2025-12-24T10:55:14.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50643 (GCVE-0-2022-50643)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
cifs: Fix xid leak in cifs_copy_file_range()
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix xid leak in cifs_copy_file_range()
If the file is used by swap, before return -EOPNOTSUPP, should
free the xid, otherwise, the xid will be leaked.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4e8aea30f7751ce7c4b158aa0c04e7744d281cc3 , < bf49d4fe4ab7b8d812927a2c7b514864d5fc1bb2
(git)
Affected: 4e8aea30f7751ce7c4b158aa0c04e7744d281cc3 , < 27cfd3afaab000a455194338db3b7f2031fde9d0 (git) Affected: 4e8aea30f7751ce7c4b158aa0c04e7744d281cc3 , < dc283313d1ca378d787cb55c1e580dc3de852680 (git) Affected: 4e8aea30f7751ce7c4b158aa0c04e7744d281cc3 , < 9a97df404a402fe1174d2d1119f87ff2a0ca2fe9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bf49d4fe4ab7b8d812927a2c7b514864d5fc1bb2",
"status": "affected",
"version": "4e8aea30f7751ce7c4b158aa0c04e7744d281cc3",
"versionType": "git"
},
{
"lessThan": "27cfd3afaab000a455194338db3b7f2031fde9d0",
"status": "affected",
"version": "4e8aea30f7751ce7c4b158aa0c04e7744d281cc3",
"versionType": "git"
},
{
"lessThan": "dc283313d1ca378d787cb55c1e580dc3de852680",
"status": "affected",
"version": "4e8aea30f7751ce7c4b158aa0c04e7744d281cc3",
"versionType": "git"
},
{
"lessThan": "9a97df404a402fe1174d2d1119f87ff2a0ca2fe9",
"status": "affected",
"version": "4e8aea30f7751ce7c4b158aa0c04e7744d281cc3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix xid leak in cifs_copy_file_range()\n\nIf the file is used by swap, before return -EOPNOTSUPP, should\nfree the xid, otherwise, the xid will be leaked."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:17.684Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bf49d4fe4ab7b8d812927a2c7b514864d5fc1bb2"
},
{
"url": "https://git.kernel.org/stable/c/27cfd3afaab000a455194338db3b7f2031fde9d0"
},
{
"url": "https://git.kernel.org/stable/c/dc283313d1ca378d787cb55c1e580dc3de852680"
},
{
"url": "https://git.kernel.org/stable/c/9a97df404a402fe1174d2d1119f87ff2a0ca2fe9"
}
],
"title": "cifs: Fix xid leak in cifs_copy_file_range()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50643",
"datePublished": "2025-12-09T00:00:17.684Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-09T00:00:17.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54150 (GCVE-0-2023-54150)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:07 – Updated: 2026-01-05 10:34
VLAI?
EPSS
Title
drm/amd: Fix an out of bounds error in BIOS parser
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd: Fix an out of bounds error in BIOS parser
The array is hardcoded to 8 in atomfirmware.h, but firmware provides
a bigger one sometimes. Deferencing the larger array causes an out
of bounds error.
commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error
in bios parser") fixed some of this, but there are two other cases
not covered by it. Fix those as well.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ae79c310b1a6f97429a5784b65f125d9cc9c95b1 , < b8e7589f50b709b647b642531599e70707faf70c
(git)
Affected: ae79c310b1a6f97429a5784b65f125d9cc9c95b1 , < 66acfe798cd08b36cfbb65a30fab3159811304a7 (git) Affected: ae79c310b1a6f97429a5784b65f125d9cc9c95b1 , < 5675ecd2e0b00a4318ba1db1a1234e7d45b13d6b (git) Affected: ae79c310b1a6f97429a5784b65f125d9cc9c95b1 , < dea2dbec716c38a0b73b6ad01d91e2b120cc5f1e (git) Affected: ae79c310b1a6f97429a5784b65f125d9cc9c95b1 , < d116db180decec1b21bba31d2ff495ac4d8e1b83 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8e7589f50b709b647b642531599e70707faf70c",
"status": "affected",
"version": "ae79c310b1a6f97429a5784b65f125d9cc9c95b1",
"versionType": "git"
},
{
"lessThan": "66acfe798cd08b36cfbb65a30fab3159811304a7",
"status": "affected",
"version": "ae79c310b1a6f97429a5784b65f125d9cc9c95b1",
"versionType": "git"
},
{
"lessThan": "5675ecd2e0b00a4318ba1db1a1234e7d45b13d6b",
"status": "affected",
"version": "ae79c310b1a6f97429a5784b65f125d9cc9c95b1",
"versionType": "git"
},
{
"lessThan": "dea2dbec716c38a0b73b6ad01d91e2b120cc5f1e",
"status": "affected",
"version": "ae79c310b1a6f97429a5784b65f125d9cc9c95b1",
"versionType": "git"
},
{
"lessThan": "d116db180decec1b21bba31d2ff495ac4d8e1b83",
"status": "affected",
"version": "ae79c310b1a6f97429a5784b65f125d9cc9c95b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix an out of bounds error in BIOS parser\n\nThe array is hardcoded to 8 in atomfirmware.h, but firmware provides\na bigger one sometimes. Deferencing the larger array causes an out\nof bounds error.\n\ncommit 4fc1ba4aa589 (\"drm/amd/display: fix array index out of bound error\nin bios parser\") fixed some of this, but there are two other cases\nnot covered by it. Fix those as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:34:02.635Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8e7589f50b709b647b642531599e70707faf70c"
},
{
"url": "https://git.kernel.org/stable/c/66acfe798cd08b36cfbb65a30fab3159811304a7"
},
{
"url": "https://git.kernel.org/stable/c/5675ecd2e0b00a4318ba1db1a1234e7d45b13d6b"
},
{
"url": "https://git.kernel.org/stable/c/dea2dbec716c38a0b73b6ad01d91e2b120cc5f1e"
},
{
"url": "https://git.kernel.org/stable/c/d116db180decec1b21bba31d2ff495ac4d8e1b83"
}
],
"title": "drm/amd: Fix an out of bounds error in BIOS parser",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54150",
"datePublished": "2025-12-24T13:07:01.754Z",
"dateReserved": "2025-12-24T13:02:52.528Z",
"dateUpdated": "2026-01-05T10:34:02.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40315 (GCVE-0-2025-40315)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
A race condition occurs when ffs_func_eps_enable() runs concurrently
with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()
sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading
to a NULL pointer dereference when accessing epfile->ep in
ffs_func_eps_enable() after successful usb_ep_enable().
The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and
ffs_data_close() functions, and its modification is protected by the
spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function
is also protected by ffs->eps_lock.
Thus, add NULL pointer handling for ffs->epfiles in the
ffs_func_eps_enable() function to fix issues
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c9fc422c9a43e3d58d246334a71f3390401781dc , < b00d2572c16e8e59e979960d3383c2ae9cebd195
(git)
Affected: 0042178a69eb77a979e36a50dcce9794a3140ef8 , < 1c0dbd240be3f87cac321b14e17979b7e9cb6a8f (git) Affected: 72a8aee863af099d4434314c4536d6c9a61dcf3c , < 9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272 (git) Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < c53e90563bc148e4e0ad09fe130ba2246d426ea6 (git) Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < fc1141a530dfc91f0ee19b7f422a2d24829584bc (git) Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < d62b808d5c68a931ad0849a00a5e3be3dd7e0019 (git) Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < 30880e9df27332403dd638a82c27921134b3630b (git) Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 (git) Affected: 32048f4be071f9a6966744243f1786f45bb22dc2 (git) Affected: cfe5f6fd335d882bcc829a1c8a7d462a455c626e (git) Affected: 3e078b18753669615301d946297bafd69294ad2c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b00d2572c16e8e59e979960d3383c2ae9cebd195",
"status": "affected",
"version": "c9fc422c9a43e3d58d246334a71f3390401781dc",
"versionType": "git"
},
{
"lessThan": "1c0dbd240be3f87cac321b14e17979b7e9cb6a8f",
"status": "affected",
"version": "0042178a69eb77a979e36a50dcce9794a3140ef8",
"versionType": "git"
},
{
"lessThan": "9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272",
"status": "affected",
"version": "72a8aee863af099d4434314c4536d6c9a61dcf3c",
"versionType": "git"
},
{
"lessThan": "c53e90563bc148e4e0ad09fe130ba2246d426ea6",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "fc1141a530dfc91f0ee19b7f422a2d24829584bc",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "d62b808d5c68a931ad0849a00a5e3be3dd7e0019",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "30880e9df27332403dd638a82c27921134b3630b",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"lessThan": "cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4",
"status": "affected",
"version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
"versionType": "git"
},
{
"status": "affected",
"version": "32048f4be071f9a6966744243f1786f45bb22dc2",
"versionType": "git"
},
{
"status": "affected",
"version": "cfe5f6fd335d882bcc829a1c8a7d462a455c626e",
"versionType": "git"
},
{
"status": "affected",
"version": "3e078b18753669615301d946297bafd69294ad2c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.267",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.230",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix epfile null pointer access after ep enable.\n\nA race condition occurs when ffs_func_eps_enable() runs concurrently\nwith ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()\nsets ffs-\u003eepfiles to NULL before resetting ffs-\u003eeps_count to 0, leading\nto a NULL pointer dereference when accessing epfile-\u003eep in\nffs_func_eps_enable() after successful usb_ep_enable().\n\nThe ffs-\u003eepfiles pointer is set to NULL in both ffs_data_clear() and\nffs_data_close() functions, and its modification is protected by the\nspinlock ffs-\u003eeps_lock. And the whole ffs_func_eps_enable() function\nis also protected by ffs-\u003eeps_lock.\n\nThus, add NULL pointer handling for ffs-\u003eepfiles in the\nffs_func_eps_enable() function to fix issues"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:33.404Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b00d2572c16e8e59e979960d3383c2ae9cebd195"
},
{
"url": "https://git.kernel.org/stable/c/1c0dbd240be3f87cac321b14e17979b7e9cb6a8f"
},
{
"url": "https://git.kernel.org/stable/c/9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272"
},
{
"url": "https://git.kernel.org/stable/c/c53e90563bc148e4e0ad09fe130ba2246d426ea6"
},
{
"url": "https://git.kernel.org/stable/c/fc1141a530dfc91f0ee19b7f422a2d24829584bc"
},
{
"url": "https://git.kernel.org/stable/c/d62b808d5c68a931ad0849a00a5e3be3dd7e0019"
},
{
"url": "https://git.kernel.org/stable/c/30880e9df27332403dd638a82c27921134b3630b"
},
{
"url": "https://git.kernel.org/stable/c/cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4"
}
],
"title": "usb: gadget: f_fs: Fix epfile null pointer access after ep enable.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40315",
"datePublished": "2025-12-08T00:46:41.896Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:33.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40204 (GCVE-0-2025-40204)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
sctp: Fix MAC comparison to be constant-time
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: Fix MAC comparison to be constant-time
To prevent timing attacks, MACs need to be compared in constant time.
Use the appropriate helper function for this.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b93fa8dc521d00d2d44bf034fb90e0d79b036617
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0e8b8c326c2a6de4d837b1bb034ea704f4690d77 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9c05d44ec24126fc283835b68f82dba3ae985209 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed3044b9c810c5c24eb2830053fbfe5fd134c5d4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8019b3699289fce3f10b63f98601db97b8d105b0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0b32ff285ff6f6f1ac1d9495787ccce8837d6405 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dd91c79e4f58fbe2898dac84858033700e0e99fb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_make_chunk.c",
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b93fa8dc521d00d2d44bf034fb90e0d79b036617",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0e8b8c326c2a6de4d837b1bb034ea704f4690d77",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9c05d44ec24126fc283835b68f82dba3ae985209",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed3044b9c810c5c24eb2830053fbfe5fd134c5d4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8019b3699289fce3f10b63f98601db97b8d105b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0b32ff285ff6f6f1ac1d9495787ccce8837d6405",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dd91c79e4f58fbe2898dac84858033700e0e99fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_make_chunk.c",
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:07.600Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b93fa8dc521d00d2d44bf034fb90e0d79b036617"
},
{
"url": "https://git.kernel.org/stable/c/0e8b8c326c2a6de4d837b1bb034ea704f4690d77"
},
{
"url": "https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c"
},
{
"url": "https://git.kernel.org/stable/c/9c05d44ec24126fc283835b68f82dba3ae985209"
},
{
"url": "https://git.kernel.org/stable/c/ed3044b9c810c5c24eb2830053fbfe5fd134c5d4"
},
{
"url": "https://git.kernel.org/stable/c/8019b3699289fce3f10b63f98601db97b8d105b0"
},
{
"url": "https://git.kernel.org/stable/c/0b32ff285ff6f6f1ac1d9495787ccce8837d6405"
},
{
"url": "https://git.kernel.org/stable/c/dd91c79e4f58fbe2898dac84858033700e0e99fb"
}
],
"title": "sctp: Fix MAC comparison to be constant-time",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40204",
"datePublished": "2025-11-12T21:56:35.110Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:07.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40035 (GCVE-0-2025-40035)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
Struct ff_effect_compat is embedded twice inside
uinput_ff_upload_compat, contains internal padding. In particular, there
is a hole after struct ff_replay to satisfy alignment requirements for
the following union member. Without clearing the structure,
copy_to_user() may leak stack data to userspace.
Initialize ff_up_compat to zero before filling valid fields.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2d56f3a32c0e62f99c043d2579840f9731fe5855 , < 1b317796013f666ae5040edbf0f230ec61496d42
(git)
Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < 877172b97786ed1678640dff0b2d35abb328844c (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < e63aade22a33e77b93c98c9f02db504d897a76b4 (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < 933b87c4590b42500299f00ff55f555903056803 (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < fd8a23ecbc602d00e47b27f20b07350867d0ebe5 (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < 48c96b7e9e03516936d6deba54b5553097eae817 (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < f5e1f3b85aadce74268c46676772c3e9fa79897e (git) Affected: 2d56f3a32c0e62f99c043d2579840f9731fe5855 , < d3366a04770eea807f2826cbdb96934dd8c9bf79 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b317796013f666ae5040edbf0f230ec61496d42",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "877172b97786ed1678640dff0b2d35abb328844c",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "e63aade22a33e77b93c98c9f02db504d897a76b4",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "933b87c4590b42500299f00ff55f555903056803",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "fd8a23ecbc602d00e47b27f20b07350867d0ebe5",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "48c96b7e9e03516936d6deba54b5553097eae817",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "f5e1f3b85aadce74268c46676772c3e9fa79897e",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
},
{
"lessThan": "d3366a04770eea807f2826cbdb96934dd8c9bf79",
"status": "affected",
"version": "2d56f3a32c0e62f99c043d2579840f9731fe5855",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/misc/uinput.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak\n\nStruct ff_effect_compat is embedded twice inside\nuinput_ff_upload_compat, contains internal padding. In particular, there\nis a hole after struct ff_replay to satisfy alignment requirements for\nthe following union member. Without clearing the structure,\ncopy_to_user() may leak stack data to userspace.\n\nInitialize ff_up_compat to zero before filling valid fields."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:38.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b317796013f666ae5040edbf0f230ec61496d42"
},
{
"url": "https://git.kernel.org/stable/c/877172b97786ed1678640dff0b2d35abb328844c"
},
{
"url": "https://git.kernel.org/stable/c/e63aade22a33e77b93c98c9f02db504d897a76b4"
},
{
"url": "https://git.kernel.org/stable/c/933b87c4590b42500299f00ff55f555903056803"
},
{
"url": "https://git.kernel.org/stable/c/fd8a23ecbc602d00e47b27f20b07350867d0ebe5"
},
{
"url": "https://git.kernel.org/stable/c/48c96b7e9e03516936d6deba54b5553097eae817"
},
{
"url": "https://git.kernel.org/stable/c/f5e1f3b85aadce74268c46676772c3e9fa79897e"
},
{
"url": "https://git.kernel.org/stable/c/d3366a04770eea807f2826cbdb96934dd8c9bf79"
}
],
"title": "Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40035",
"datePublished": "2025-10-28T11:48:17.030Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:38.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53994 (GCVE-0-2023-53994)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
ionic: remove WARN_ON to prevent panic_on_warn
Summary
In the Linux kernel, the following vulnerability has been resolved:
ionic: remove WARN_ON to prevent panic_on_warn
Remove unnecessary early code development check and the WARN_ON
that it uses. The irq alloc and free paths have long been
cleaned up and this check shouldn't have stuck around so long.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < 4c7276a6daf7e13a6dd30b0347b3f2c7df4d40bb
(git)
Affected: 77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < f8cc4fd99a325505e15c3da95d6de266efd3d9b5 (git) Affected: 77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < 1417dd787a5e55b410a00a28231b0dcb19172457 (git) Affected: 77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < dc470466753ad0dd3a8c48aaefa05a992c119b9c (git) Affected: 77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < daeaad114cb163ec51bcf14326cb7fe37d368459 (git) Affected: 77ceb68e29ccd25d923b6af59e74ecaf736cc4b7 , < abfb2a58a5377ebab717d4362d6180f901b6e5c1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/pensando/ionic/ionic_lif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c7276a6daf7e13a6dd30b0347b3f2c7df4d40bb",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
},
{
"lessThan": "f8cc4fd99a325505e15c3da95d6de266efd3d9b5",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
},
{
"lessThan": "1417dd787a5e55b410a00a28231b0dcb19172457",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
},
{
"lessThan": "dc470466753ad0dd3a8c48aaefa05a992c119b9c",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
},
{
"lessThan": "daeaad114cb163ec51bcf14326cb7fe37d368459",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
},
{
"lessThan": "abfb2a58a5377ebab717d4362d6180f901b6e5c1",
"status": "affected",
"version": "77ceb68e29ccd25d923b6af59e74ecaf736cc4b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/pensando/ionic/ionic_lif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nionic: remove WARN_ON to prevent panic_on_warn\n\nRemove unnecessary early code development check and the WARN_ON\nthat it uses. The irq alloc and free paths have long been\ncleaned up and this check shouldn\u0027t have stuck around so long."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:32.024Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c7276a6daf7e13a6dd30b0347b3f2c7df4d40bb"
},
{
"url": "https://git.kernel.org/stable/c/f8cc4fd99a325505e15c3da95d6de266efd3d9b5"
},
{
"url": "https://git.kernel.org/stable/c/1417dd787a5e55b410a00a28231b0dcb19172457"
},
{
"url": "https://git.kernel.org/stable/c/dc470466753ad0dd3a8c48aaefa05a992c119b9c"
},
{
"url": "https://git.kernel.org/stable/c/daeaad114cb163ec51bcf14326cb7fe37d368459"
},
{
"url": "https://git.kernel.org/stable/c/abfb2a58a5377ebab717d4362d6180f901b6e5c1"
}
],
"title": "ionic: remove WARN_ON to prevent panic_on_warn",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53994",
"datePublished": "2025-12-24T10:55:32.024Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:32.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38588 (GCVE-0-2025-38588)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2025-11-03 17:40
VLAI?
EPSS
Title
ipv6: prevent infinite loop in rt6_nlmsg_size()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: prevent infinite loop in rt6_nlmsg_size()
While testing prior patch, I was able to trigger
an infinite loop in rt6_nlmsg_size() in the following place:
list_for_each_entry_rcu(sibling, &f6i->fib6_siblings,
fib6_siblings) {
rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len);
}
This is because fib6_del_route() and fib6_add_rt2node()
uses list_del_rcu(), which can confuse rcu readers,
because they might no longer see the head of the list.
Restart the loop if f6i->fib6_nsiblings is zero.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2 , < 6d345136c9b875f065d226908a29c25cdf9343f8
(git)
Affected: 52da02521ede55fb86546c3fffd9377b3261b91f , < e1b7932af47f92432be8303d2439d1bf77b0be23 (git) Affected: 34a949e7a0869dfa31a40416d2a56973fae1807b , < cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38 (git) Affected: d9ccb18f83ea2bb654289b6ecf014fd267cc988b , < 3c13db3e47e170bab19e574404e7b6be45ea873d (git) Affected: d9ccb18f83ea2bb654289b6ecf014fd267cc988b , < 46aeb66e9e54ed0d56c18615e1c3dbd502b327ab (git) Affected: d9ccb18f83ea2bb654289b6ecf014fd267cc988b , < 54e6fe9dd3b0e7c481c2228782c9494d653546da (git) Affected: 11edcd026012ac18acee0f1514db3ed1b160fc6f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:13.723Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c",
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d345136c9b875f065d226908a29c25cdf9343f8",
"status": "affected",
"version": "d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2",
"versionType": "git"
},
{
"lessThan": "e1b7932af47f92432be8303d2439d1bf77b0be23",
"status": "affected",
"version": "52da02521ede55fb86546c3fffd9377b3261b91f",
"versionType": "git"
},
{
"lessThan": "cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38",
"status": "affected",
"version": "34a949e7a0869dfa31a40416d2a56973fae1807b",
"versionType": "git"
},
{
"lessThan": "3c13db3e47e170bab19e574404e7b6be45ea873d",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"lessThan": "46aeb66e9e54ed0d56c18615e1c3dbd502b327ab",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"lessThan": "54e6fe9dd3b0e7c481c2228782c9494d653546da",
"status": "affected",
"version": "d9ccb18f83ea2bb654289b6ecf014fd267cc988b",
"versionType": "git"
},
{
"status": "affected",
"version": "11edcd026012ac18acee0f1514db3ed1b160fc6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c",
"net/ipv6/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "6.1.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.6.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: prevent infinite loop in rt6_nlmsg_size()\n\nWhile testing prior patch, I was able to trigger\nan infinite loop in rt6_nlmsg_size() in the following place:\n\nlist_for_each_entry_rcu(sibling, \u0026f6i-\u003efib6_siblings,\n\t\t\tfib6_siblings) {\n\trt6_nh_nlmsg_size(sibling-\u003efib6_nh, \u0026nexthop_len);\n}\n\nThis is because fib6_del_route() and fib6_add_rt2node()\nuses list_del_rcu(), which can confuse rcu readers,\nbecause they might no longer see the head of the list.\n\nRestart the loop if f6i-\u003efib6_nsiblings is zero."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:20.550Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d345136c9b875f065d226908a29c25cdf9343f8"
},
{
"url": "https://git.kernel.org/stable/c/e1b7932af47f92432be8303d2439d1bf77b0be23"
},
{
"url": "https://git.kernel.org/stable/c/cd8d8bbd9ced4cc5d06d858f67d4aa87745e8f38"
},
{
"url": "https://git.kernel.org/stable/c/3c13db3e47e170bab19e574404e7b6be45ea873d"
},
{
"url": "https://git.kernel.org/stable/c/46aeb66e9e54ed0d56c18615e1c3dbd502b327ab"
},
{
"url": "https://git.kernel.org/stable/c/54e6fe9dd3b0e7c481c2228782c9494d653546da"
}
],
"title": "ipv6: prevent infinite loop in rt6_nlmsg_size()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38588",
"datePublished": "2025-08-19T17:03:09.856Z",
"dateReserved": "2025-04-16T04:51:24.026Z",
"dateUpdated": "2025-11-03T17:40:13.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54120 (GCVE-0-2023-54120)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
Bluetooth: Fix race condition in hidp_session_thread
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix race condition in hidp_session_thread
There is a potential race condition in hidp_session_thread that may
lead to use-after-free. For instance, the timer is active while
hidp_del_timer is called in hidp_session_thread(). After hidp_session_put,
then 'session' will be freed, causing kernel panic when hidp_idle_timeout
is running.
The solution is to use del_timer_sync instead of del_timer.
Here is the call trace:
? hidp_session_probe+0x780/0x780
call_timer_fn+0x2d/0x1e0
__run_timers.part.0+0x569/0x940
hidp_session_probe+0x780/0x780
call_timer_fn+0x1e0/0x1e0
ktime_get+0x5c/0xf0
lapic_next_deadline+0x2c/0x40
clockevents_program_event+0x205/0x320
run_timer_softirq+0xa9/0x1b0
__do_softirq+0x1b9/0x641
__irq_exit_rcu+0xdc/0x190
irq_exit_rcu+0xe/0x20
sysvec_apic_timer_interrupt+0xa1/0xc0
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 152f47bd6b995e0e98c85672f6d19894bc287ef2
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5f3d214d19899183d4e0cce7552998262112e4ab (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8a99e6200c38b78a45dcd12a6bdc43fdf4dc36be (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f7ec5ca433ceead8d9d78fd2febff094f289441d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0efb276d5848a3accc37c6f41b85e442c4768169 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f6719fd8f409fa1da8dc956e93822d25e1e8b360 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 248af9feca062a4ca9c3f2ccf67056c8a5eb817f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c95930abd687fcd1aa040dc4fe90dff947916460 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hidp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "152f47bd6b995e0e98c85672f6d19894bc287ef2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5f3d214d19899183d4e0cce7552998262112e4ab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8a99e6200c38b78a45dcd12a6bdc43fdf4dc36be",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f7ec5ca433ceead8d9d78fd2febff094f289441d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0efb276d5848a3accc37c6f41b85e442c4768169",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f6719fd8f409fa1da8dc956e93822d25e1e8b360",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "248af9feca062a4ca9c3f2ccf67056c8a5eb817f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c95930abd687fcd1aa040dc4fe90dff947916460",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hidp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.281",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.313",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.281",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix race condition in hidp_session_thread\n\nThere is a potential race condition in hidp_session_thread that may\nlead to use-after-free. For instance, the timer is active while\nhidp_del_timer is called in hidp_session_thread(). After hidp_session_put,\nthen \u0027session\u0027 will be freed, causing kernel panic when hidp_idle_timeout\nis running.\n\nThe solution is to use del_timer_sync instead of del_timer.\n\nHere is the call trace:\n\n? hidp_session_probe+0x780/0x780\ncall_timer_fn+0x2d/0x1e0\n__run_timers.part.0+0x569/0x940\nhidp_session_probe+0x780/0x780\ncall_timer_fn+0x1e0/0x1e0\nktime_get+0x5c/0xf0\nlapic_next_deadline+0x2c/0x40\nclockevents_program_event+0x205/0x320\nrun_timer_softirq+0xa9/0x1b0\n__do_softirq+0x1b9/0x641\n__irq_exit_rcu+0xdc/0x190\nirq_exit_rcu+0xe/0x20\nsysvec_apic_timer_interrupt+0xa1/0xc0"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:52.998Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/152f47bd6b995e0e98c85672f6d19894bc287ef2"
},
{
"url": "https://git.kernel.org/stable/c/5f3d214d19899183d4e0cce7552998262112e4ab"
},
{
"url": "https://git.kernel.org/stable/c/8a99e6200c38b78a45dcd12a6bdc43fdf4dc36be"
},
{
"url": "https://git.kernel.org/stable/c/f7ec5ca433ceead8d9d78fd2febff094f289441d"
},
{
"url": "https://git.kernel.org/stable/c/0efb276d5848a3accc37c6f41b85e442c4768169"
},
{
"url": "https://git.kernel.org/stable/c/f6719fd8f409fa1da8dc956e93822d25e1e8b360"
},
{
"url": "https://git.kernel.org/stable/c/248af9feca062a4ca9c3f2ccf67056c8a5eb817f"
},
{
"url": "https://git.kernel.org/stable/c/c95930abd687fcd1aa040dc4fe90dff947916460"
}
],
"title": "Bluetooth: Fix race condition in hidp_session_thread",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54120",
"datePublished": "2025-12-24T13:06:40.420Z",
"dateReserved": "2025-12-24T13:02:52.520Z",
"dateUpdated": "2026-01-05T10:33:52.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54030 (GCVE-0-2023-54030)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
io_uring/net: don't overflow multishot recv
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/net: don't overflow multishot recv
Don't allow overflowing multishot recv CQEs, it might get out of
hand, hurt performance, and in the worst case scenario OOM the task.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1e2db9837be7d24a2a74eb3f3906d0872bee8907",
"status": "affected",
"version": "b3fdea6ecb55c3ceea866ff66486927e51a982b3",
"versionType": "git"
},
{
"lessThan": "b2e74db55dd93d6db22a813c9a775b5dbf87c560",
"status": "affected",
"version": "b3fdea6ecb55c3ceea866ff66486927e51a982b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: don\u0027t overflow multishot recv\n\nDon\u0027t allow overflowing multishot recv CQEs, it might get out of\nhand, hurt performance, and in the worst case scenario OOM the task."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:58.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e2db9837be7d24a2a74eb3f3906d0872bee8907"
},
{
"url": "https://git.kernel.org/stable/c/b2e74db55dd93d6db22a813c9a775b5dbf87c560"
}
],
"title": "io_uring/net: don\u0027t overflow multishot recv",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54030",
"datePublished": "2025-12-24T10:55:58.124Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:55:58.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40342 (GCVE-0-2025-40342)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
nvme-fc: use lock accessing port_state and rport state
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-fc: use lock accessing port_state and rport state
nvme_fc_unregister_remote removes the remote port on a lport object at
any point in time when there is no active association. This races with
with the reconnect logic, because nvme_fc_create_association is not
taking a lock to check the port_state and atomically increase the
active count on the rport.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e399441de9115cd472b8ace6c517708273ca7997 , < de3d91af47bc015031e7721b100a29989f6498a5
(git)
Affected: e399441de9115cd472b8ace6c517708273ca7997 , < e8cde03de8674b05f2c5e0870729049eba517800 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 4253e0a4546138a2bf9cb6acf66b32fee677fc7c (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 25f4bf1f7979a7871974fd36c79d69ff1cf4b446 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 9950af4303942081dc8c7a5fdc3688c17c7eb6c0 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < a2f7fa75c4a2a07328fa22ccbef461db76790b55 (git) Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 891cdbb162ccdb079cd5228ae43bdeebce8597ad (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "de3d91af47bc015031e7721b100a29989f6498a5",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "e8cde03de8674b05f2c5e0870729049eba517800",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "4253e0a4546138a2bf9cb6acf66b32fee677fc7c",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "25f4bf1f7979a7871974fd36c79d69ff1cf4b446",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "9950af4303942081dc8c7a5fdc3688c17c7eb6c0",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "a2f7fa75c4a2a07328fa22ccbef461db76790b55",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
},
{
"lessThan": "891cdbb162ccdb079cd5228ae43bdeebce8597ad",
"status": "affected",
"version": "e399441de9115cd472b8ace6c517708273ca7997",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: use lock accessing port_state and rport state\n\nnvme_fc_unregister_remote removes the remote port on a lport object at\nany point in time when there is no active association. This races with\nwith the reconnect logic, because nvme_fc_create_association is not\ntaking a lock to check the port_state and atomically increase the\nactive count on the rport."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:12.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/de3d91af47bc015031e7721b100a29989f6498a5"
},
{
"url": "https://git.kernel.org/stable/c/e8cde03de8674b05f2c5e0870729049eba517800"
},
{
"url": "https://git.kernel.org/stable/c/4253e0a4546138a2bf9cb6acf66b32fee677fc7c"
},
{
"url": "https://git.kernel.org/stable/c/25f4bf1f7979a7871974fd36c79d69ff1cf4b446"
},
{
"url": "https://git.kernel.org/stable/c/9950af4303942081dc8c7a5fdc3688c17c7eb6c0"
},
{
"url": "https://git.kernel.org/stable/c/a2f7fa75c4a2a07328fa22ccbef461db76790b55"
},
{
"url": "https://git.kernel.org/stable/c/891cdbb162ccdb079cd5228ae43bdeebce8597ad"
}
],
"title": "nvme-fc: use lock accessing port_state and rport state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40342",
"datePublished": "2025-12-09T04:09:59.673Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:12.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50712 (GCVE-0-2022-50712)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
devlink: hold region lock when flushing snapshots
Summary
In the Linux kernel, the following vulnerability has been resolved:
devlink: hold region lock when flushing snapshots
Netdevsim triggers a splat on reload, when it destroys regions
with snapshots pending:
WARNING: CPU: 1 PID: 787 at net/core/devlink.c:6291 devlink_region_snapshot_del+0x12e/0x140
CPU: 1 PID: 787 Comm: devlink Not tainted 6.1.0-07460-g7ae9888d6e1c #580
RIP: 0010:devlink_region_snapshot_del+0x12e/0x140
Call Trace:
<TASK>
devl_region_destroy+0x70/0x140
nsim_dev_reload_down+0x2f/0x60 [netdevsim]
devlink_reload+0x1f7/0x360
devlink_nl_cmd_reload+0x6ce/0x860
genl_family_rcv_msg_doit.isra.0+0x145/0x1c0
This is the locking assert in devlink_region_snapshot_del(),
we're supposed to be holding the region->snapshot_lock here.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2dec18ad826f52658f7781ee995d236cc449b678 , < 49383d4e59bb704341aaa1d51440ccce58270e61
(git)
Affected: 2dec18ad826f52658f7781ee995d236cc449b678 , < 6298cab4d80bfdb6fe01fe31fd9f0ba26317fdae (git) Affected: 2dec18ad826f52658f7781ee995d236cc449b678 , < b4cafb3d2c740f8d1b1234b43ac4a60e5291c960 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49383d4e59bb704341aaa1d51440ccce58270e61",
"status": "affected",
"version": "2dec18ad826f52658f7781ee995d236cc449b678",
"versionType": "git"
},
{
"lessThan": "6298cab4d80bfdb6fe01fe31fd9f0ba26317fdae",
"status": "affected",
"version": "2dec18ad826f52658f7781ee995d236cc449b678",
"versionType": "git"
},
{
"lessThan": "b4cafb3d2c740f8d1b1234b43ac4a60e5291c960",
"status": "affected",
"version": "2dec18ad826f52658f7781ee995d236cc449b678",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/devlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: hold region lock when flushing snapshots\n\nNetdevsim triggers a splat on reload, when it destroys regions\nwith snapshots pending:\n\n WARNING: CPU: 1 PID: 787 at net/core/devlink.c:6291 devlink_region_snapshot_del+0x12e/0x140\n CPU: 1 PID: 787 Comm: devlink Not tainted 6.1.0-07460-g7ae9888d6e1c #580\n RIP: 0010:devlink_region_snapshot_del+0x12e/0x140\n Call Trace:\n \u003cTASK\u003e\n devl_region_destroy+0x70/0x140\n nsim_dev_reload_down+0x2f/0x60 [netdevsim]\n devlink_reload+0x1f7/0x360\n devlink_nl_cmd_reload+0x6ce/0x860\n genl_family_rcv_msg_doit.isra.0+0x145/0x1c0\n\nThis is the locking assert in devlink_region_snapshot_del(),\nwe\u0027re supposed to be holding the region-\u003esnapshot_lock here."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:37.676Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49383d4e59bb704341aaa1d51440ccce58270e61"
},
{
"url": "https://git.kernel.org/stable/c/6298cab4d80bfdb6fe01fe31fd9f0ba26317fdae"
},
{
"url": "https://git.kernel.org/stable/c/b4cafb3d2c740f8d1b1234b43ac4a60e5291c960"
}
],
"title": "devlink: hold region lock when flushing snapshots",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50712",
"datePublished": "2025-12-24T12:22:37.676Z",
"dateReserved": "2025-12-24T12:20:40.328Z",
"dateUpdated": "2025-12-24T12:22:37.676Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54116 (GCVE-0-2023-54116)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
drm/fbdev-generic: prohibit potential out-of-bounds access
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/fbdev-generic: prohibit potential out-of-bounds access
The fbdev test of IGT may write after EOF, which lead to out-of-bound
access for drm drivers with fbdev-generic. For example, run fbdev test
on a x86+ast2400 platform, with 1680x1050 resolution, will cause the
linux kernel hang with the following call trace:
Oops: 0000 [#1] PREEMPT SMP PTI
[IGT] fbdev: starting subtest eof
Workqueue: events drm_fb_helper_damage_work [drm_kms_helper]
[IGT] fbdev: starting subtest nullptr
RIP: 0010:memcpy_erms+0xa/0x20
RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246
RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0
RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000
RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0
R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80
R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30
FS: 0000000000000000(0000) GS:ffff895257380000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0
Call Trace:
<TASK>
? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper]
drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper]
process_one_work+0x21f/0x430
worker_thread+0x4e/0x3c0
? __pfx_worker_thread+0x10/0x10
kthread+0xf4/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2c/0x50
</TASK>
CR2: ffffa17d40e0b000
---[ end trace 0000000000000000 ]---
The is because damage rectangles computed by
drm_fb_helper_memory_range_to_clip() function is not guaranteed to be
bound in the screen's active display area. Possible reasons are:
1) Buffers are allocated in the granularity of page size, for mmap system
call support. The shadow screen buffer consumed by fbdev emulation may
also choosed be page size aligned.
2) The DIV_ROUND_UP() used in drm_fb_helper_memory_range_to_clip()
will introduce off-by-one error.
For example, on a 16KB page size system, in order to store a 1920x1080
XRGB framebuffer, we need allocate 507 pages. Unfortunately, the size
1920*1080*4 can not be divided exactly by 16KB.
1920 * 1080 * 4 = 8294400 bytes
506 * 16 * 1024 = 8290304 bytes
507 * 16 * 1024 = 8306688 bytes
line_length = 1920*4 = 7680 bytes
507 * 16 * 1024 / 7680 = 1081.6
off / line_length = 507 * 16 * 1024 / 7680 = 1081
DIV_ROUND_UP(507 * 16 * 1024, 7680) will yeild 1082
memcpy_toio() typically issue the copy line by line, when copy the last
line, out-of-bound access will be happen. Because:
1082 * line_length = 1082 * 7680 = 8309760, and 8309760 > 8306688
Note that userspace may still write to the invisiable area if a larger
buffer than width x stride is exposed. But it is not a big issue as
long as there still have memory resolve the access if not drafting so
far.
- Also limit the y1 (Daniel)
- keep fix patch it to minimal (Daniel)
- screen_size is page size aligned because of it need mmap (Thomas)
- Adding fixes tag (Thomas)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
aa15c677cc34e626789cb65b8e7375180851c03b , < efd2821b8abeccb6b51423002e2a62921481a26e
(git)
Affected: aa15c677cc34e626789cb65b8e7375180851c03b , < 251653fa974ea551a15d16cacfed7cde68cc7f87 (git) Affected: aa15c677cc34e626789cb65b8e7375180851c03b , < c8687694bb1f5c48134f152f8c5c2e53483eb99d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_fb_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "efd2821b8abeccb6b51423002e2a62921481a26e",
"status": "affected",
"version": "aa15c677cc34e626789cb65b8e7375180851c03b",
"versionType": "git"
},
{
"lessThan": "251653fa974ea551a15d16cacfed7cde68cc7f87",
"status": "affected",
"version": "aa15c677cc34e626789cb65b8e7375180851c03b",
"versionType": "git"
},
{
"lessThan": "c8687694bb1f5c48134f152f8c5c2e53483eb99d",
"status": "affected",
"version": "aa15c677cc34e626789cb65b8e7375180851c03b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_fb_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fbdev-generic: prohibit potential out-of-bounds access\n\nThe fbdev test of IGT may write after EOF, which lead to out-of-bound\naccess for drm drivers with fbdev-generic. For example, run fbdev test\non a x86+ast2400 platform, with 1680x1050 resolution, will cause the\nlinux kernel hang with the following call trace:\n\n Oops: 0000 [#1] PREEMPT SMP PTI\n [IGT] fbdev: starting subtest eof\n Workqueue: events drm_fb_helper_damage_work [drm_kms_helper]\n [IGT] fbdev: starting subtest nullptr\n\n RIP: 0010:memcpy_erms+0xa/0x20\n RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246\n RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0\n RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000\n RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0\n R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80\n R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30\n FS: 0000000000000000(0000) GS:ffff895257380000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0\n Call Trace:\n \u003cTASK\u003e\n ? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper]\n drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper]\n process_one_work+0x21f/0x430\n worker_thread+0x4e/0x3c0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xf4/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n \u003c/TASK\u003e\n CR2: ffffa17d40e0b000\n ---[ end trace 0000000000000000 ]---\n\nThe is because damage rectangles computed by\ndrm_fb_helper_memory_range_to_clip() function is not guaranteed to be\nbound in the screen\u0027s active display area. Possible reasons are:\n\n1) Buffers are allocated in the granularity of page size, for mmap system\n call support. The shadow screen buffer consumed by fbdev emulation may\n also choosed be page size aligned.\n\n2) The DIV_ROUND_UP() used in drm_fb_helper_memory_range_to_clip()\n will introduce off-by-one error.\n\nFor example, on a 16KB page size system, in order to store a 1920x1080\nXRGB framebuffer, we need allocate 507 pages. Unfortunately, the size\n1920*1080*4 can not be divided exactly by 16KB.\n\n 1920 * 1080 * 4 = 8294400 bytes\n 506 * 16 * 1024 = 8290304 bytes\n 507 * 16 * 1024 = 8306688 bytes\n\n line_length = 1920*4 = 7680 bytes\n\n 507 * 16 * 1024 / 7680 = 1081.6\n\n off / line_length = 507 * 16 * 1024 / 7680 = 1081\n DIV_ROUND_UP(507 * 16 * 1024, 7680) will yeild 1082\n\nmemcpy_toio() typically issue the copy line by line, when copy the last\nline, out-of-bound access will be happen. Because:\n\n 1082 * line_length = 1082 * 7680 = 8309760, and 8309760 \u003e 8306688\n\nNote that userspace may still write to the invisiable area if a larger\nbuffer than width x stride is exposed. But it is not a big issue as\nlong as there still have memory resolve the access if not drafting so\nfar.\n\n - Also limit the y1 (Daniel)\n - keep fix patch it to minimal (Daniel)\n - screen_size is page size aligned because of it need mmap (Thomas)\n - Adding fixes tag (Thomas)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:37.591Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/efd2821b8abeccb6b51423002e2a62921481a26e"
},
{
"url": "https://git.kernel.org/stable/c/251653fa974ea551a15d16cacfed7cde68cc7f87"
},
{
"url": "https://git.kernel.org/stable/c/c8687694bb1f5c48134f152f8c5c2e53483eb99d"
}
],
"title": "drm/fbdev-generic: prohibit potential out-of-bounds access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54116",
"datePublished": "2025-12-24T13:06:37.591Z",
"dateReserved": "2025-12-24T13:02:52.519Z",
"dateUpdated": "2025-12-24T13:06:37.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53020 (GCVE-0-2023-53020)
Vulnerability from cvelistv5 – Published: 2025-03-27 16:43 – Updated: 2025-10-01 17:19
VLAI?
EPSS
Title
l2tp: close all race conditions in l2tp_tunnel_register()
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: close all race conditions in l2tp_tunnel_register()
The code in l2tp_tunnel_register() is racy in several ways:
1. It modifies the tunnel socket _after_ publishing it.
2. It calls setup_udp_tunnel_sock() on an existing socket without
locking.
3. It changes sock lock class on fly, which triggers many syzbot
reports.
This patch amends all of them by moving socket initialization code
before publishing and under sock lock. As suggested by Jakub, the
l2tp lockdep class is not necessary as we can just switch to
bh_lock_sock_nested().
Severity ?
4.7 (Medium)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
37159ef2c1ae1e696b24b260b241209a19f92c60 , < 2d77e5c0ad79004b5ef901895437e9cce6dfcc7e
(git)
Affected: 37159ef2c1ae1e696b24b260b241209a19f92c60 , < 77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce (git) Affected: 37159ef2c1ae1e696b24b260b241209a19f92c60 , < cef0845b6dcfa2f6c2c832e7f9622551456c741d (git) Affected: 37159ef2c1ae1e696b24b260b241209a19f92c60 , < 0b2c59720e65885a394a017d0cf9cab118914682 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T17:19:17.910133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T17:19:20.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d77e5c0ad79004b5ef901895437e9cce6dfcc7e",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
},
{
"lessThan": "77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
},
{
"lessThan": "cef0845b6dcfa2f6c2c832e7f9622551456c741d",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
},
{
"lessThan": "0b2c59720e65885a394a017d0cf9cab118914682",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: close all race conditions in l2tp_tunnel_register()\n\nThe code in l2tp_tunnel_register() is racy in several ways:\n\n1. It modifies the tunnel socket _after_ publishing it.\n\n2. It calls setup_udp_tunnel_sock() on an existing socket without\n locking.\n\n3. It changes sock lock class on fly, which triggers many syzbot\n reports.\n\nThis patch amends all of them by moving socket initialization code\nbefore publishing and under sock lock. As suggested by Jakub, the\nl2tp lockdep class is not necessary as we can just switch to\nbh_lock_sock_nested()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:49.986Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d77e5c0ad79004b5ef901895437e9cce6dfcc7e"
},
{
"url": "https://git.kernel.org/stable/c/77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce"
},
{
"url": "https://git.kernel.org/stable/c/cef0845b6dcfa2f6c2c832e7f9622551456c741d"
},
{
"url": "https://git.kernel.org/stable/c/0b2c59720e65885a394a017d0cf9cab118914682"
}
],
"title": "l2tp: close all race conditions in l2tp_tunnel_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53020",
"datePublished": "2025-03-27T16:43:47.151Z",
"dateReserved": "2025-03-27T16:40:15.752Z",
"dateUpdated": "2025-10-01T17:19:20.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40269 (GCVE-0-2025-40269)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
The PCM stream data in USB-audio driver is transferred over USB URB
packet buffers, and each packet size is determined dynamically. The
packet sizes are limited by some factors such as wMaxPacketSize USB
descriptor. OTOH, in the current code, the actually used packet sizes
are determined only by the rate and the PPS, which may be bigger than
the size limit above. This results in a buffer overflow, as reported
by syzbot.
Basically when the limit is smaller than the calculated packet size,
it implies that something is wrong, most likely a weird USB
descriptor. So the best option would be just to return an error at
the parameter setup time before doing any further operations.
This patch introduces such a sanity check, and returns -EINVAL when
the packet size is greater than maxpacksize. The comparison with
ep->packsize[1] alone should suffice since it's always equal or
greater than ep->packsize[0].
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
02c56650f3c118d3752122996d96173d26bb13aa , < 480a1490c595a242f27493a4544b3efb21b29f6a
(git)
Affected: 5ef30e443e6d3654cccecec99cf481a69a0a6d3b , < ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41 (git) Affected: 99703c921864a318e3e8aae74fde071b1ff35bea , < 282aba56713bbc58155716b55ca7222b2d9cf3c8 (git) Affected: 2d50acd7dbd0682a56968ad9551341d7fc5b6eaf , < c4dc012b027c9eb101583011089dea14d744e314 (git) Affected: aba41867dd66939d336fdf604e4d73b805d8039f , < e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360 (git) Affected: d288dc74f8cf95cb7ae0aaf245b7128627a49bf3 , < d67dde02049e632ba58d3c44a164a74b6a737154 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 6a5da3fa80affc948923f20a4e086177f505e86e (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 217d47255a2ec8b246f2725f5db9ac3f1d4109d7 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < ef592bf2232a2daa9fffa8881881fc9957ea56e9 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < ece3b981bb6620e47fac826a2156c090b1a936a0 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 98e9d5e33bda8db875cc1a4fe99c192658e45ab6 (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < d2c04f20ccc6c0d219e6d3038bab45bc66a178ad (git) Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "480a1490c595a242f27493a4544b3efb21b29f6a",
"status": "affected",
"version": "02c56650f3c118d3752122996d96173d26bb13aa",
"versionType": "git"
},
{
"lessThan": "ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41",
"status": "affected",
"version": "5ef30e443e6d3654cccecec99cf481a69a0a6d3b",
"versionType": "git"
},
{
"lessThan": "282aba56713bbc58155716b55ca7222b2d9cf3c8",
"status": "affected",
"version": "99703c921864a318e3e8aae74fde071b1ff35bea",
"versionType": "git"
},
{
"lessThan": "c4dc012b027c9eb101583011089dea14d744e314",
"status": "affected",
"version": "2d50acd7dbd0682a56968ad9551341d7fc5b6eaf",
"versionType": "git"
},
{
"lessThan": "e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360",
"status": "affected",
"version": "aba41867dd66939d336fdf604e4d73b805d8039f",
"versionType": "git"
},
{
"lessThan": "d67dde02049e632ba58d3c44a164a74b6a737154",
"status": "affected",
"version": "d288dc74f8cf95cb7ae0aaf245b7128627a49bf3",
"versionType": "git"
},
{
"lessThan": "6a5da3fa80affc948923f20a4e086177f505e86e",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "217d47255a2ec8b246f2725f5db9ac3f1d4109d7",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "ef592bf2232a2daa9fffa8881881fc9957ea56e9",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "ece3b981bb6620e47fac826a2156c090b1a936a0",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "98e9d5e33bda8db875cc1a4fe99c192658e45ab6",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "d2c04f20ccc6c0d219e6d3038bab45bc66a178ad",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
},
{
"lessThan": "05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf",
"status": "affected",
"version": "f0bd62b64016508938df9babe47f65c2c727d25c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.*",
"status": "unaffected",
"version": "4.4.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.7.*",
"status": "unaffected",
"version": "5.7.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.4.230",
"versionStartIncluding": "4.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.230",
"versionStartIncluding": "4.9.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.188",
"versionStartIncluding": "4.14.186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.132",
"versionStartIncluding": "4.19.130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.51",
"versionStartIncluding": "5.4.49",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.7.8",
"versionStartIncluding": "5.7.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential overflow of PCM transfer buffer\n\nThe PCM stream data in USB-audio driver is transferred over USB URB\npacket buffers, and each packet size is determined dynamically. The\npacket sizes are limited by some factors such as wMaxPacketSize USB\ndescriptor. OTOH, in the current code, the actually used packet sizes\nare determined only by the rate and the PPS, which may be bigger than\nthe size limit above. This results in a buffer overflow, as reported\nby syzbot.\n\nBasically when the limit is smaller than the calculated packet size,\nit implies that something is wrong, most likely a weird USB\ndescriptor. So the best option would be just to return an error at\nthe parameter setup time before doing any further operations.\n\nThis patch introduces such a sanity check, and returns -EINVAL when\nthe packet size is greater than maxpacksize. The comparison with\nep-\u003epacksize[1] alone should suffice since it\u0027s always equal or\ngreater than ep-\u003epacksize[0]."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:20.414Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/480a1490c595a242f27493a4544b3efb21b29f6a"
},
{
"url": "https://git.kernel.org/stable/c/ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41"
},
{
"url": "https://git.kernel.org/stable/c/282aba56713bbc58155716b55ca7222b2d9cf3c8"
},
{
"url": "https://git.kernel.org/stable/c/c4dc012b027c9eb101583011089dea14d744e314"
},
{
"url": "https://git.kernel.org/stable/c/e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360"
},
{
"url": "https://git.kernel.org/stable/c/d67dde02049e632ba58d3c44a164a74b6a737154"
},
{
"url": "https://git.kernel.org/stable/c/6a5da3fa80affc948923f20a4e086177f505e86e"
},
{
"url": "https://git.kernel.org/stable/c/217d47255a2ec8b246f2725f5db9ac3f1d4109d7"
},
{
"url": "https://git.kernel.org/stable/c/ef592bf2232a2daa9fffa8881881fc9957ea56e9"
},
{
"url": "https://git.kernel.org/stable/c/ece3b981bb6620e47fac826a2156c090b1a936a0"
},
{
"url": "https://git.kernel.org/stable/c/98e9d5e33bda8db875cc1a4fe99c192658e45ab6"
},
{
"url": "https://git.kernel.org/stable/c/d2c04f20ccc6c0d219e6d3038bab45bc66a178ad"
},
{
"url": "https://git.kernel.org/stable/c/05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf"
}
],
"title": "ALSA: usb-audio: Fix potential overflow of PCM transfer buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40269",
"datePublished": "2025-12-06T21:50:50.229Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2026-01-02T15:33:20.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40308 (GCVE-0-2025-40308)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
Bluetooth: bcsp: receive data only if registered
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: bcsp: receive data only if registered
Currently, bcsp_recv() can be called even when the BCSP protocol has not
been registered. This leads to a NULL pointer dereference, as shown in
the following stack trace:
KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]
RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590
Call Trace:
<TASK>
hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627
tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290
tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
To prevent this, ensure that the HCI_UART_REGISTERED flag is set before
processing received data. If the protocol is not registered, return
-EUNATCH.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
48effdb7a798232db945503cf3f51e0be8070cea , < 39a7d40314b6288cfa2d13269275e9247a7a055a
(git)
Affected: 45fa7bd82c6178f4fec0ab94891144a043ec5fe8 , < 164586725b47f9d61912e6bf17dbaffeff11710b (git) Affected: d71a57a34ab6bbc95dc461158403c02e8ff3f912 , < b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9 (git) Affected: 9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf , < 8b892dbef3887dbe9afdc7176d1a5fd90e1636aa (git) Affected: 806464634e7fc6b523160defeeddb1ade2a72f81 , < 799cd62cbcc3f12ee04b33ef390ff7d41c37d671 (git) Affected: 6b7a32fa9bacdebd98c18b2a56994116995ee643 , < b420a4c7f915fc1c94ad1f6ca740acc046d94334 (git) Affected: 366ceff495f902182d42b6f41525c2474caf3f9a , < 55c1519fca830f59a10bbf9aa8209c87b06cf7bc (git) Affected: 366ceff495f902182d42b6f41525c2474caf3f9a , < ca94b2b036c22556c3a66f1b80f490882deef7a6 (git) Affected: 15543b7bbe7b5f744fdbb44f75b14f81a0117813 (git) Affected: a4b89a45b12b69bc82c8137346b150a118e02c26 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_bcsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39a7d40314b6288cfa2d13269275e9247a7a055a",
"status": "affected",
"version": "48effdb7a798232db945503cf3f51e0be8070cea",
"versionType": "git"
},
{
"lessThan": "164586725b47f9d61912e6bf17dbaffeff11710b",
"status": "affected",
"version": "45fa7bd82c6178f4fec0ab94891144a043ec5fe8",
"versionType": "git"
},
{
"lessThan": "b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9",
"status": "affected",
"version": "d71a57a34ab6bbc95dc461158403c02e8ff3f912",
"versionType": "git"
},
{
"lessThan": "8b892dbef3887dbe9afdc7176d1a5fd90e1636aa",
"status": "affected",
"version": "9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf",
"versionType": "git"
},
{
"lessThan": "799cd62cbcc3f12ee04b33ef390ff7d41c37d671",
"status": "affected",
"version": "806464634e7fc6b523160defeeddb1ade2a72f81",
"versionType": "git"
},
{
"lessThan": "b420a4c7f915fc1c94ad1f6ca740acc046d94334",
"status": "affected",
"version": "6b7a32fa9bacdebd98c18b2a56994116995ee643",
"versionType": "git"
},
{
"lessThan": "55c1519fca830f59a10bbf9aa8209c87b06cf7bc",
"status": "affected",
"version": "366ceff495f902182d42b6f41525c2474caf3f9a",
"versionType": "git"
},
{
"lessThan": "ca94b2b036c22556c3a66f1b80f490882deef7a6",
"status": "affected",
"version": "366ceff495f902182d42b6f41525c2474caf3f9a",
"versionType": "git"
},
{
"status": "affected",
"version": "15543b7bbe7b5f744fdbb44f75b14f81a0117813",
"versionType": "git"
},
{
"status": "affected",
"version": "a4b89a45b12b69bc82c8137346b150a118e02c26",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/hci_bcsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.237",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: bcsp: receive data only if registered\n\nCurrently, bcsp_recv() can be called even when the BCSP protocol has not\nbeen registered. This leads to a NULL pointer dereference, as shown in\nthe following stack trace:\n\n KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]\n RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590\n Call Trace:\n \u003cTASK\u003e\n hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627\n tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290\n tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nTo prevent this, ensure that the HCI_UART_REGISTERED flag is set before\nprocessing received data. If the protocol is not registered, return\n-EUNATCH."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:29.429Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a"
},
{
"url": "https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b"
},
{
"url": "https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9"
},
{
"url": "https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa"
},
{
"url": "https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671"
},
{
"url": "https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334"
},
{
"url": "https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc"
},
{
"url": "https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6"
}
],
"title": "Bluetooth: bcsp: receive data only if registered",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40308",
"datePublished": "2025-12-08T00:46:33.729Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:29.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50636 (GCVE-0-2022-50636)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-23 13:30
VLAI?
EPSS
Title
PCI: Fix pci_device_is_present() for VFs by checking PF
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: Fix pci_device_is_present() for VFs by checking PF
pci_device_is_present() previously didn't work for VFs because it reads the
Vendor and Device ID, which are 0xffff for VFs, which looks like they
aren't present. Check the PF instead.
Wei Gong reported that if virtio I/O is in progress when the driver is
unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O
operation hangs, which may result in output like this:
task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002
Call Trace:
schedule+0x4f/0xc0
blk_mq_freeze_queue_wait+0x69/0xa0
blk_mq_freeze_queue+0x1b/0x20
blk_cleanup_queue+0x3d/0xd0
virtblk_remove+0x3c/0xb0 [virtio_blk]
virtio_dev_remove+0x4b/0x80
...
device_unregister+0x1b/0x60
unregister_virtio_device+0x18/0x30
virtio_pci_remove+0x41/0x80
pci_device_remove+0x3e/0xb0
This happened because pci_device_is_present(VF) returned "false" in
virtio_pci_remove(), so it called virtio_break_device(). The broken vq
meant that vring_interrupt() skipped the vq.callback() that would have
completed the virtio I/O operation via virtblk_done().
[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8496e85c20e7836b3dec97780e40f420a3ae2801 , < f4b44c7766dae2b8681f621941cabe9f14066d59
(git)
Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801 , < 643d77fda08d06f863af35e80a7e517ea61d9629 (git) Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801 , < 65bd0962992abd42e77a05e68c7b40e7c73726d1 (git) Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801 , < 99ef6cc791584495987dd11b14769b450dfa5820 (git) Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801 , < 67fd41bbb0f51aa648a47f728b99e6f1fa2ccc34 (git) Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801 , < 81565e51ccaf6fff8910e997ee22e16b5e1dabc3 (git) Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801 , < 518573988a2f14f517403db2ece5ddaefba21e94 (git) Affected: 8496e85c20e7836b3dec97780e40f420a3ae2801 , < 98b04dd0b4577894520493d96bc4623387767445 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4b44c7766dae2b8681f621941cabe9f14066d59",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "643d77fda08d06f863af35e80a7e517ea61d9629",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "65bd0962992abd42e77a05e68c7b40e7c73726d1",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "99ef6cc791584495987dd11b14769b450dfa5820",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "67fd41bbb0f51aa648a47f728b99e6f1fa2ccc34",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "81565e51ccaf6fff8910e997ee22e16b5e1dabc3",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "518573988a2f14f517403db2ece5ddaefba21e94",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
},
{
"lessThan": "98b04dd0b4577894520493d96bc4623387767445",
"status": "affected",
"version": "8496e85c20e7836b3dec97780e40f420a3ae2801",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix pci_device_is_present() for VFs by checking PF\n\npci_device_is_present() previously didn\u0027t work for VFs because it reads the\nVendor and Device ID, which are 0xffff for VFs, which looks like they\naren\u0027t present. Check the PF instead.\n\nWei Gong reported that if virtio I/O is in progress when the driver is\nunbound or \"0\" is written to /sys/.../sriov_numvfs, the virtio I/O\noperation hangs, which may result in output like this:\n\n task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002\n Call Trace:\n schedule+0x4f/0xc0\n blk_mq_freeze_queue_wait+0x69/0xa0\n blk_mq_freeze_queue+0x1b/0x20\n blk_cleanup_queue+0x3d/0xd0\n virtblk_remove+0x3c/0xb0 [virtio_blk]\n virtio_dev_remove+0x4b/0x80\n ...\n device_unregister+0x1b/0x60\n unregister_virtio_device+0x18/0x30\n virtio_pci_remove+0x41/0x80\n pci_device_remove+0x3e/0xb0\n\nThis happened because pci_device_is_present(VF) returned \"false\" in\nvirtio_pci_remove(), so it called virtio_break_device(). The broken vq\nmeant that vring_interrupt() skipped the vq.callback() that would have\ncompleted the virtio I/O operation via virtblk_done().\n\n[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:23.226Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4b44c7766dae2b8681f621941cabe9f14066d59"
},
{
"url": "https://git.kernel.org/stable/c/643d77fda08d06f863af35e80a7e517ea61d9629"
},
{
"url": "https://git.kernel.org/stable/c/65bd0962992abd42e77a05e68c7b40e7c73726d1"
},
{
"url": "https://git.kernel.org/stable/c/99ef6cc791584495987dd11b14769b450dfa5820"
},
{
"url": "https://git.kernel.org/stable/c/67fd41bbb0f51aa648a47f728b99e6f1fa2ccc34"
},
{
"url": "https://git.kernel.org/stable/c/81565e51ccaf6fff8910e997ee22e16b5e1dabc3"
},
{
"url": "https://git.kernel.org/stable/c/518573988a2f14f517403db2ece5ddaefba21e94"
},
{
"url": "https://git.kernel.org/stable/c/98b04dd0b4577894520493d96bc4623387767445"
}
],
"title": "PCI: Fix pci_device_is_present() for VFs by checking PF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50636",
"datePublished": "2025-12-09T00:00:09.737Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-23T13:30:23.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50862 (GCVE-0-2022-50862)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
bpf: prevent decl_tag from being referenced in func_proto
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: prevent decl_tag from being referenced in func_proto
Syzkaller was able to hit the following issue:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3609 at kernel/bpf/btf.c:1946
btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946
Modules linked in:
CPU: 0 PID: 3609 Comm: syz-executor361 Not tainted
6.0.0-syzkaller-02734-g0326074ff465 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 09/22/2022
RIP: 0010:btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946
Code: ef e8 7f 8e e4 ff 41 83 ff 0b 77 28 f6 44 24 10 18 75 3f e8 6d 91
e4 ff 44 89 fe bf 0e 00 00 00 e8 20 8e e4 ff e8 5b 91 e4 ff <0f> 0b 45
31 f6 e9 98 02 00 00 41 83 ff 12 74 18 e8 46 91 e4 ff 44
RSP: 0018:ffffc90003cefb40 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff8880259c0000 RSI: ffffffff81968415 RDI: 0000000000000005
RBP: ffff88801270ca00 R08: 0000000000000005 R09: 000000000000000e
R10: 0000000000000011 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000011 R14: ffff888026ee6424 R15: 0000000000000011
FS: 000055555641b300(0000) GS:ffff8880b9a00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000f2e258 CR3: 000000007110e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
btf_func_proto_check kernel/bpf/btf.c:4447 [inline]
btf_check_all_types kernel/bpf/btf.c:4723 [inline]
btf_parse_type_sec kernel/bpf/btf.c:4752 [inline]
btf_parse kernel/bpf/btf.c:5026 [inline]
btf_new_fd+0x1926/0x1e70 kernel/bpf/btf.c:6892
bpf_btf_load kernel/bpf/syscall.c:4324 [inline]
__sys_bpf+0xb7d/0x4cf0 kernel/bpf/syscall.c:5010
__do_sys_bpf kernel/bpf/syscall.c:5069 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5067 [inline]
__x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:5067
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0fbae41c69
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc8aeb6228 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0fbae41c69
RDX: 0000000000000020 RSI: 0000000020000140 RDI: 0000000000000012
RBP: 00007f0fbae05e10 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007f0fbae05ea0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Looks like it tries to create a func_proto which return type is
decl_tag. For the details, see Martin's spot on analysis in [0].
0: https://lore.kernel.org/bpf/CAKH8qBuQDLva_hHxxBuZzyAcYNO4ejhovz6TQeVSk8HY-2SO6g@mail.gmail.com/T/#mea6524b3fcd6298347432226e81b1e6155efc62c
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e9dbb4c539d058852b76937dcd7347d3f38054f2",
"status": "affected",
"version": "bd16dee66ae4de3f1726c69ac901d2b7a53b0c86",
"versionType": "git"
},
{
"lessThan": "ea68376c8bed5cd156900852aada20c3a0874d17",
"status": "affected",
"version": "bd16dee66ae4de3f1726c69ac901d2b7a53b0c86",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: prevent decl_tag from being referenced in func_proto\n\nSyzkaller was able to hit the following issue:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 3609 at kernel/bpf/btf.c:1946\nbtf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946\nModules linked in:\nCPU: 0 PID: 3609 Comm: syz-executor361 Not tainted\n6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 09/22/2022\nRIP: 0010:btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946\nCode: ef e8 7f 8e e4 ff 41 83 ff 0b 77 28 f6 44 24 10 18 75 3f e8 6d 91\ne4 ff 44 89 fe bf 0e 00 00 00 e8 20 8e e4 ff e8 5b 91 e4 ff \u003c0f\u003e 0b 45\n31 f6 e9 98 02 00 00 41 83 ff 12 74 18 e8 46 91 e4 ff 44\nRSP: 0018:ffffc90003cefb40 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000\nRDX: ffff8880259c0000 RSI: ffffffff81968415 RDI: 0000000000000005\nRBP: ffff88801270ca00 R08: 0000000000000005 R09: 000000000000000e\nR10: 0000000000000011 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000011 R14: ffff888026ee6424 R15: 0000000000000011\nFS: 000055555641b300(0000) GS:ffff8880b9a00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000f2e258 CR3: 000000007110e000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n btf_func_proto_check kernel/bpf/btf.c:4447 [inline]\n btf_check_all_types kernel/bpf/btf.c:4723 [inline]\n btf_parse_type_sec kernel/bpf/btf.c:4752 [inline]\n btf_parse kernel/bpf/btf.c:5026 [inline]\n btf_new_fd+0x1926/0x1e70 kernel/bpf/btf.c:6892\n bpf_btf_load kernel/bpf/syscall.c:4324 [inline]\n __sys_bpf+0xb7d/0x4cf0 kernel/bpf/syscall.c:5010\n __do_sys_bpf kernel/bpf/syscall.c:5069 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5067 [inline]\n __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:5067\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f0fbae41c69\nCode: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89\nf7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01\nf0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffc8aeb6228 EFLAGS: 00000246 ORIG_RAX: 0000000000000141\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0fbae41c69\nRDX: 0000000000000020 RSI: 0000000020000140 RDI: 0000000000000012\nRBP: 00007f0fbae05e10 R08: 0000000000000000 R09: 0000000000000000\nR10: 00000000ffffffff R11: 0000000000000246 R12: 00007f0fbae05ea0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nLooks like it tries to create a func_proto which return type is\ndecl_tag. For the details, see Martin\u0027s spot on analysis in [0].\n\n0: https://lore.kernel.org/bpf/CAKH8qBuQDLva_hHxxBuZzyAcYNO4ejhovz6TQeVSk8HY-2SO6g@mail.gmail.com/T/#mea6524b3fcd6298347432226e81b1e6155efc62c"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:35.177Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e9dbb4c539d058852b76937dcd7347d3f38054f2"
},
{
"url": "https://git.kernel.org/stable/c/ea68376c8bed5cd156900852aada20c3a0874d17"
}
],
"title": "bpf: prevent decl_tag from being referenced in func_proto",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50862",
"datePublished": "2025-12-30T12:15:35.177Z",
"dateReserved": "2025-12-30T12:06:07.135Z",
"dateUpdated": "2025-12-30T12:15:35.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68765 (GCVE-0-2025-68765)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the
subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function
returns an error without freeing sskb, leading to a memory leak.
Fix this by calling dev_kfree_skb() on sskb in the error handling path
to ensure it is properly released.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
99c457d902cf90bdc0df5d57e6156ec108711068 , < d6c91fc732698642f70c688324c98551b97b412c
(git)
Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 594ff8bb69e239678a8baa461827ce4bb90eff8f (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 1c3c234af9407256ed670c8752923a672eea4225 (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 278bfed4529a0c9c9119f5a52ddafe69db61a75c (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < fb905e69941b44e03fe1a24e95328d45442b6d6d (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49 (git) Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 53d1548612670aa8b5d89745116cc33d9d172863 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6c91fc732698642f70c688324c98551b97b412c",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "594ff8bb69e239678a8baa461827ce4bb90eff8f",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "1c3c234af9407256ed670c8752923a672eea4225",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "278bfed4529a0c9c9119f5a52ddafe69db61a75c",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "fb905e69941b44e03fe1a24e95328d45442b6d6d",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
},
{
"lessThan": "53d1548612670aa8b5d89745116cc33d9d172863",
"status": "affected",
"version": "99c457d902cf90bdc0df5d57e6156ec108711068",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()\n\nIn mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the\nsubsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function\nreturns an error without freeing sskb, leading to a memory leak.\n\nFix this by calling dev_kfree_skb() on sskb in the error handling path\nto ensure it is properly released."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:48.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6c91fc732698642f70c688324c98551b97b412c"
},
{
"url": "https://git.kernel.org/stable/c/594ff8bb69e239678a8baa461827ce4bb90eff8f"
},
{
"url": "https://git.kernel.org/stable/c/1c3c234af9407256ed670c8752923a672eea4225"
},
{
"url": "https://git.kernel.org/stable/c/278bfed4529a0c9c9119f5a52ddafe69db61a75c"
},
{
"url": "https://git.kernel.org/stable/c/fb905e69941b44e03fe1a24e95328d45442b6d6d"
},
{
"url": "https://git.kernel.org/stable/c/4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49"
},
{
"url": "https://git.kernel.org/stable/c/53d1548612670aa8b5d89745116cc33d9d172863"
}
],
"title": "mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68765",
"datePublished": "2026-01-05T09:44:13.242Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-01-19T12:18:48.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54283 (GCVE-0-2023-54283)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
bpf: Address KCSAN report on bpf_lru_list
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Address KCSAN report on bpf_lru_list
KCSAN reported a data-race when accessing node->ref.
Although node->ref does not have to be accurate,
take this chance to use a more common READ_ONCE() and WRITE_ONCE()
pattern instead of data_race().
There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref().
This patch also adds bpf_lru_node_clear_ref() to do the
WRITE_ONCE(node->ref, 0) also.
==================================================================
BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem
write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1:
__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline]
__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline]
__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240
bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline]
bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline]
bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499
prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline]
__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316
bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313
bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200
generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687
bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534
__sys_bpf+0x338/0x810
__do_sys_bpf kernel/bpf/syscall.c:5096 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5094 [inline]
__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0:
bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline]
__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332
bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313
bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200
generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687
bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534
__sys_bpf+0x338/0x810
__do_sys_bpf kernel/bpf/syscall.c:5096 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5094 [inline]
__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x01 -> 0x00
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
==================================================================
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3a08c2fd763450a927d1130de078d6f9e74944fb , < 6eaef1b1d8720053eb1b6e7a3ff8b2ff0716bb90
(git)
Affected: 3a08c2fd763450a927d1130de078d6f9e74944fb , < a89d14410ea0352420f03cddc67e0002dcc8f9a5 (git) Affected: 3a08c2fd763450a927d1130de078d6f9e74944fb , < e09a285ea1e859d4cc6cb689d8d5d7c1f7c7c0d5 (git) Affected: 3a08c2fd763450a927d1130de078d6f9e74944fb , < b6d9a4062c944ad095b34dc112bf646a84156f60 (git) Affected: 3a08c2fd763450a927d1130de078d6f9e74944fb , < 819ca25444b377935faa2dbb0aa3547519b5c80f (git) Affected: 3a08c2fd763450a927d1130de078d6f9e74944fb , < c006fe361cfd947f51a56793deddf891e5cbfef8 (git) Affected: 3a08c2fd763450a927d1130de078d6f9e74944fb , < 6e5e83b56f50fbd1c8f7dca7df7d72c67be25571 (git) Affected: 3a08c2fd763450a927d1130de078d6f9e74944fb , < ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/bpf_lru_list.c",
"kernel/bpf/bpf_lru_list.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6eaef1b1d8720053eb1b6e7a3ff8b2ff0716bb90",
"status": "affected",
"version": "3a08c2fd763450a927d1130de078d6f9e74944fb",
"versionType": "git"
},
{
"lessThan": "a89d14410ea0352420f03cddc67e0002dcc8f9a5",
"status": "affected",
"version": "3a08c2fd763450a927d1130de078d6f9e74944fb",
"versionType": "git"
},
{
"lessThan": "e09a285ea1e859d4cc6cb689d8d5d7c1f7c7c0d5",
"status": "affected",
"version": "3a08c2fd763450a927d1130de078d6f9e74944fb",
"versionType": "git"
},
{
"lessThan": "b6d9a4062c944ad095b34dc112bf646a84156f60",
"status": "affected",
"version": "3a08c2fd763450a927d1130de078d6f9e74944fb",
"versionType": "git"
},
{
"lessThan": "819ca25444b377935faa2dbb0aa3547519b5c80f",
"status": "affected",
"version": "3a08c2fd763450a927d1130de078d6f9e74944fb",
"versionType": "git"
},
{
"lessThan": "c006fe361cfd947f51a56793deddf891e5cbfef8",
"status": "affected",
"version": "3a08c2fd763450a927d1130de078d6f9e74944fb",
"versionType": "git"
},
{
"lessThan": "6e5e83b56f50fbd1c8f7dca7df7d72c67be25571",
"status": "affected",
"version": "3a08c2fd763450a927d1130de078d6f9e74944fb",
"versionType": "git"
},
{
"lessThan": "ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4",
"status": "affected",
"version": "3a08c2fd763450a927d1130de078d6f9e74944fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/bpf_lru_list.c",
"kernel/bpf/bpf_lru_list.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Address KCSAN report on bpf_lru_list\n\nKCSAN reported a data-race when accessing node-\u003eref.\nAlthough node-\u003eref does not have to be accurate,\ntake this chance to use a more common READ_ONCE() and WRITE_ONCE()\npattern instead of data_race().\n\nThere is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref().\nThis patch also adds bpf_lru_node_clear_ref() to do the\nWRITE_ONCE(node-\u003eref, 0) also.\n\n==================================================================\nBUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem\n\nwrite to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1:\n__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline]\n__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline]\n__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240\nbpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline]\nbpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline]\nbpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499\nprealloc_lru_pop kernel/bpf/hashtab.c:290 [inline]\n__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316\nbpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313\nbpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200\ngeneric_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687\nbpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534\n__sys_bpf+0x338/0x810\n__do_sys_bpf kernel/bpf/syscall.c:5096 [inline]\n__se_sys_bpf kernel/bpf/syscall.c:5094 [inline]\n__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nread to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0:\nbpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline]\n__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332\nbpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313\nbpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200\ngeneric_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687\nbpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534\n__sys_bpf+0x338/0x810\n__do_sys_bpf kernel/bpf/syscall.c:5096 [inline]\n__se_sys_bpf kernel/bpf/syscall.c:5094 [inline]\n__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nvalue changed: 0x01 -\u003e 0x00\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023\n=================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:16.295Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6eaef1b1d8720053eb1b6e7a3ff8b2ff0716bb90"
},
{
"url": "https://git.kernel.org/stable/c/a89d14410ea0352420f03cddc67e0002dcc8f9a5"
},
{
"url": "https://git.kernel.org/stable/c/e09a285ea1e859d4cc6cb689d8d5d7c1f7c7c0d5"
},
{
"url": "https://git.kernel.org/stable/c/b6d9a4062c944ad095b34dc112bf646a84156f60"
},
{
"url": "https://git.kernel.org/stable/c/819ca25444b377935faa2dbb0aa3547519b5c80f"
},
{
"url": "https://git.kernel.org/stable/c/c006fe361cfd947f51a56793deddf891e5cbfef8"
},
{
"url": "https://git.kernel.org/stable/c/6e5e83b56f50fbd1c8f7dca7df7d72c67be25571"
},
{
"url": "https://git.kernel.org/stable/c/ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4"
}
],
"title": "bpf: Address KCSAN report on bpf_lru_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54283",
"datePublished": "2025-12-30T12:23:24.460Z",
"dateReserved": "2025-12-30T12:06:44.525Z",
"dateUpdated": "2026-01-05T11:37:16.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38476 (GCVE-0-2025-38476)
Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-11-03 17:38
VLAI?
EPSS
Title
rpl: Fix use-after-free in rpl_do_srh_inline().
Summary
In the Linux kernel, the following vulnerability has been resolved:
rpl: Fix use-after-free in rpl_do_srh_inline().
Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers
the splat below [0].
rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after
skb_cow_head(), which is illegal as the header could be freed then.
Let's fix it by making oldhdr to a local struct instead of a pointer.
[0]:
[root@fedora net]# ./lwt_dst_cache_ref_loop.sh
...
TEST: rpl (input)
[ 57.631529] ==================================================================
BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)
Read of size 40 at addr ffff888122bf96d8 by task ping6/1543
CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)
kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)
kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))
__asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))
rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)
rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)
lwtunnel_input (net/core/lwtunnel.c:459)
ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))
__netif_receive_skb_one_core (net/core/dev.c:5967)
process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)
__napi_poll.constprop.0 (net/core/dev.c:7452)
net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)
handle_softirqs (kernel/softirq.c:579)
do_softirq (kernel/softirq.c:480 (discriminator 20))
</IRQ>
<TASK>
__local_bh_enable_ip (kernel/softirq.c:407)
__dev_queue_xmit (net/core/dev.c:4740)
ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)
ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)
ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)
ip6_send_skb (net/ipv6/ip6_output.c:1983)
rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)
__sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))
__x64_sys_sendto (net/socket.c:2231)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f68cffb2a06
Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08
RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06
RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003
RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4
R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0
</TASK>
Allocated by task 1543:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)
kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)
kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))
__alloc_skb (net/core/skbuff.c:669)
__ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))
ip6_
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a7a29f9c361f8542604ef959ae6627f423b7a412 , < c09e21dfc08d8afb92d9ea3bee3457adbe3ef297
(git)
Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < 8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc (git) Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < e8101506ab86dd78f823b7028f2036a380f3a12a (git) Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < 62dcd9d6e61c39122d2f251a26829e2e55b0a11d (git) Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < 06ec83b6c792fde1f710c1de3e836da6e257c4c4 (git) Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < 034b428aa3583373a5a20b1c5931bb2b3cae1f36 (git) Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < b640daa2822a39ff76e70200cb2b7b892b896dce (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:38:42.878Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/rpl_iptunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c09e21dfc08d8afb92d9ea3bee3457adbe3ef297",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "e8101506ab86dd78f823b7028f2036a380f3a12a",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "62dcd9d6e61c39122d2f251a26829e2e55b0a11d",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "06ec83b6c792fde1f710c1de3e836da6e257c4c4",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "034b428aa3583373a5a20b1c5931bb2b3cae1f36",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
},
{
"lessThan": "b640daa2822a39ff76e70200cb2b7b892b896dce",
"status": "affected",
"version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/rpl_iptunnel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpl: Fix use-after-free in rpl_do_srh_inline().\n\nRunning lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers\nthe splat below [0].\n\nrpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after\nskb_cow_head(), which is illegal as the header could be freed then.\n\nLet\u0027s fix it by making oldhdr to a local struct instead of a pointer.\n\n[0]:\n[root@fedora net]# ./lwt_dst_cache_ref_loop.sh\n...\nTEST: rpl (input)\n[ 57.631529] ==================================================================\nBUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\nRead of size 40 at addr ffff888122bf96d8 by task ping6/1543\n\nCPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))\n __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))\n rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\n rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)\n lwtunnel_input (net/core/lwtunnel.c:459)\n ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))\n __netif_receive_skb_one_core (net/core/dev.c:5967)\n process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)\n __napi_poll.constprop.0 (net/core/dev.c:7452)\n net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480 (discriminator 20))\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip (kernel/softirq.c:407)\n __dev_queue_xmit (net/core/dev.c:4740)\n ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)\n ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)\n ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)\n ip6_send_skb (net/ipv6/ip6_output.c:1983)\n rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)\n __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2231)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f68cffb2a06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 \u003c48\u003e 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06\nRDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003\nRBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4\nR13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0\n \u003c/TASK\u003e\n\nAllocated by task 1543:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\n kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)\n kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))\n __alloc_skb (net/core/skbuff.c:669)\n __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))\n ip6_\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:43:12.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c09e21dfc08d8afb92d9ea3bee3457adbe3ef297"
},
{
"url": "https://git.kernel.org/stable/c/8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc"
},
{
"url": "https://git.kernel.org/stable/c/e8101506ab86dd78f823b7028f2036a380f3a12a"
},
{
"url": "https://git.kernel.org/stable/c/62dcd9d6e61c39122d2f251a26829e2e55b0a11d"
},
{
"url": "https://git.kernel.org/stable/c/06ec83b6c792fde1f710c1de3e836da6e257c4c4"
},
{
"url": "https://git.kernel.org/stable/c/034b428aa3583373a5a20b1c5931bb2b3cae1f36"
},
{
"url": "https://git.kernel.org/stable/c/b640daa2822a39ff76e70200cb2b7b892b896dce"
}
],
"title": "rpl: Fix use-after-free in rpl_do_srh_inline().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38476",
"datePublished": "2025-07-28T11:21:37.175Z",
"dateReserved": "2025-04-16T04:51:24.021Z",
"dateUpdated": "2025-11-03T17:38:42.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50709 (GCVE-0-2022-50709)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03
VLAI?
EPSS
Title
wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for
ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb
with uninitialized memory and ath9k_htc_rx_msg() is reading from
uninitialized memory.
Since bytes accessed by ath9k_htc_rx_msg() is not known until
ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid
pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in
ath9k_hif_usb_rx_stream().
We have two choices. One is to workaround by adding __GFP_ZERO so that
ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose
the latter.
Note that I'm not sure threshold condition is correct, for I can't find
details on possible packet length used by this protocol.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fb9987d0f748c983bb795a86f47522313f701a08 , < f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a
(git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 84242f15f911f34aec9b22f99d1e9bff19723dbe (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 2c485f4f2a64258acc5228e78ffb828c68d9e770 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 9661724f6206bd606ecf13acada676a9975d230b (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < b1b4144508adfc585e43856b31baaf9008a3beb4 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 0d2649b288b7b9484e3d4380c0d6c4720a17e473 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 4891a50f5ed8bfcb8f2a4b816b0676f398687783 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < b383e8abed41cc6ff1a3b34de75df9397fa4878c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "84242f15f911f34aec9b22f99d1e9bff19723dbe",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "2c485f4f2a64258acc5228e78ffb828c68d9e770",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "9661724f6206bd606ecf13acada676a9975d230b",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "b1b4144508adfc585e43856b31baaf9008a3beb4",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "0d2649b288b7b9484e3d4380c0d6c4720a17e473",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "4891a50f5ed8bfcb8f2a4b816b0676f398687783",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "b383e8abed41cc6ff1a3b34de75df9397fa4878c",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()\n\nsyzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for\nioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with\npkt_len = 0 but ath9k_hif_usb_rx_stream() uses\n__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that\npkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb\nwith uninitialized memory and ath9k_htc_rx_msg() is reading from\nuninitialized memory.\n\nSince bytes accessed by ath9k_htc_rx_msg() is not known until\nath9k_htc_rx_msg() is called, it would be difficult to check minimal valid\npkt_len at \"if (pkt_len \u003e 2 * MAX_RX_BUF_SIZE) {\" line in\nath9k_hif_usb_rx_stream().\n\nWe have two choices. One is to workaround by adding __GFP_ZERO so that\nath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let\nath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose\nthe latter.\n\nNote that I\u0027m not sure threshold condition is correct, for I can\u0027t find\ndetails on possible packet length used by this protocol."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:03:58.202Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a"
},
{
"url": "https://git.kernel.org/stable/c/84242f15f911f34aec9b22f99d1e9bff19723dbe"
},
{
"url": "https://git.kernel.org/stable/c/2c485f4f2a64258acc5228e78ffb828c68d9e770"
},
{
"url": "https://git.kernel.org/stable/c/9661724f6206bd606ecf13acada676a9975d230b"
},
{
"url": "https://git.kernel.org/stable/c/b1b4144508adfc585e43856b31baaf9008a3beb4"
},
{
"url": "https://git.kernel.org/stable/c/0d2649b288b7b9484e3d4380c0d6c4720a17e473"
},
{
"url": "https://git.kernel.org/stable/c/4891a50f5ed8bfcb8f2a4b816b0676f398687783"
},
{
"url": "https://git.kernel.org/stable/c/b383e8abed41cc6ff1a3b34de75df9397fa4878c"
}
],
"title": "wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50709",
"datePublished": "2025-12-24T10:55:23.194Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2026-01-02T15:03:58.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68746 (GCVE-0-2025-68746)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
spi: tegra210-quad: Fix timeout handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra210-quad: Fix timeout handling
When the CPU that the QSPI interrupt handler runs on (typically CPU 0)
is excessively busy, it can lead to rare cases of the IRQ thread not
running before the transfer timeout is reached.
While handling the timeouts, any pending transfers are cleaned up and
the message that they correspond to is marked as failed, which leaves
the curr_xfer field pointing at stale memory.
To avoid this, clear curr_xfer to NULL upon timeout and check for this
condition when the IRQ thread is finally run.
While at it, also make sure to clear interrupts on failure so that new
interrupts can be run.
A better, more involved, fix would move the interrupt clearing into a
hard IRQ handler. Ideally we would also want to signal that the IRQ
thread no longer needs to be run after the timeout is hit to avoid the
extra check for a valid transfer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 88db8bb7ed1bb474618acdf05ebd4f0758d244e2
(git)
Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 83309dd551cfd60a5a1a98d9cab19f435b44d46d (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < c934e40246da2c5726d14e94719c514e30840df8 (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 551060efb156c50fe33799038ba8145418cfdeef (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < bb0c58be84f907285af45657c1d4847b960a12bf (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 01bbf25c767219b14c3235bfa85906b8d2cb8fbc (git) Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < b4e002d8a7cee3b1d70efad0e222567f92a73000 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "83309dd551cfd60a5a1a98d9cab19f435b44d46d",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "c934e40246da2c5726d14e94719c514e30840df8",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "551060efb156c50fe33799038ba8145418cfdeef",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "bb0c58be84f907285af45657c1d4847b960a12bf",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
},
{
"lessThan": "b4e002d8a7cee3b1d70efad0e222567f92a73000",
"status": "affected",
"version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-tegra210-quad.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Fix timeout handling\n\nWhen the CPU that the QSPI interrupt handler runs on (typically CPU 0)\nis excessively busy, it can lead to rare cases of the IRQ thread not\nrunning before the transfer timeout is reached.\n\nWhile handling the timeouts, any pending transfers are cleaned up and\nthe message that they correspond to is marked as failed, which leaves\nthe curr_xfer field pointing at stale memory.\n\nTo avoid this, clear curr_xfer to NULL upon timeout and check for this\ncondition when the IRQ thread is finally run.\n\nWhile at it, also make sure to clear interrupts on failure so that new\ninterrupts can be run.\n\nA better, more involved, fix would move the interrupt clearing into a\nhard IRQ handler. Ideally we would also want to signal that the IRQ\nthread no longer needs to be run after the timeout is hit to avoid the\nextra check for a valid transfer."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:42.720Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/88db8bb7ed1bb474618acdf05ebd4f0758d244e2"
},
{
"url": "https://git.kernel.org/stable/c/83309dd551cfd60a5a1a98d9cab19f435b44d46d"
},
{
"url": "https://git.kernel.org/stable/c/c934e40246da2c5726d14e94719c514e30840df8"
},
{
"url": "https://git.kernel.org/stable/c/551060efb156c50fe33799038ba8145418cfdeef"
},
{
"url": "https://git.kernel.org/stable/c/bb0c58be84f907285af45657c1d4847b960a12bf"
},
{
"url": "https://git.kernel.org/stable/c/01bbf25c767219b14c3235bfa85906b8d2cb8fbc"
},
{
"url": "https://git.kernel.org/stable/c/b4e002d8a7cee3b1d70efad0e222567f92a73000"
}
],
"title": "spi: tegra210-quad: Fix timeout handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68746",
"datePublished": "2025-12-24T12:09:42.213Z",
"dateReserved": "2025-12-24T10:30:51.031Z",
"dateUpdated": "2026-01-19T12:18:42.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54146 (GCVE-0-2023-54146)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
x86/kexec: Fix double-free of elf header buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/kexec: Fix double-free of elf header buffer
After
b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer"),
freeing image->elf_headers in the error path of crash_load_segments()
is not needed because kimage_file_post_load_cleanup() will take
care of that later. And not clearing it could result in a double-free.
Drop the superfluous vfree() call at the error path of
crash_load_segments().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
23cf39dccf7653650701a6f39b119e9116a27f1a , < 4c71a552b97fb4f46eb300224434fe56fcf4f254
(git)
Affected: 8765a423a87d74ef24ea02b43b2728fe4039f248 , < 554a880a1fff46dd5a355dec21cd77d542a0ddf2 (git) Affected: b3e34a47f98974d0844444c5121aaff123004e57 , < fbdbf8ac333d3d47c0d9ea81d7d445654431d100 (git) Affected: b3e34a47f98974d0844444c5121aaff123004e57 , < 5bd3c7abeb69fb4133418b846a1c6dc11313d6f0 (git) Affected: b3e34a47f98974d0844444c5121aaff123004e57 , < d00dd2f2645dca04cf399d8fc692f3f69b6dd996 (git) Affected: 115ee42a4c2f26ba2b4ace2668a3f004621f6833 (git) Affected: f675e3a9189d84a9324ab45b0cb19906c2bc8fcb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/crash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c71a552b97fb4f46eb300224434fe56fcf4f254",
"status": "affected",
"version": "23cf39dccf7653650701a6f39b119e9116a27f1a",
"versionType": "git"
},
{
"lessThan": "554a880a1fff46dd5a355dec21cd77d542a0ddf2",
"status": "affected",
"version": "8765a423a87d74ef24ea02b43b2728fe4039f248",
"versionType": "git"
},
{
"lessThan": "fbdbf8ac333d3d47c0d9ea81d7d445654431d100",
"status": "affected",
"version": "b3e34a47f98974d0844444c5121aaff123004e57",
"versionType": "git"
},
{
"lessThan": "5bd3c7abeb69fb4133418b846a1c6dc11313d6f0",
"status": "affected",
"version": "b3e34a47f98974d0844444c5121aaff123004e57",
"versionType": "git"
},
{
"lessThan": "d00dd2f2645dca04cf399d8fc692f3f69b6dd996",
"status": "affected",
"version": "b3e34a47f98974d0844444c5121aaff123004e57",
"versionType": "git"
},
{
"status": "affected",
"version": "115ee42a4c2f26ba2b4ace2668a3f004621f6833",
"versionType": "git"
},
{
"status": "affected",
"version": "f675e3a9189d84a9324ab45b0cb19906c2bc8fcb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/crash.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.15.46",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: Fix double-free of elf header buffer\n\nAfter\n\n b3e34a47f989 (\"x86/kexec: fix memory leak of elf header buffer\"),\n\nfreeing image-\u003eelf_headers in the error path of crash_load_segments()\nis not needed because kimage_file_post_load_cleanup() will take\ncare of that later. And not clearing it could result in a double-free.\n\nDrop the superfluous vfree() call at the error path of\ncrash_load_segments()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:58.904Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c71a552b97fb4f46eb300224434fe56fcf4f254"
},
{
"url": "https://git.kernel.org/stable/c/554a880a1fff46dd5a355dec21cd77d542a0ddf2"
},
{
"url": "https://git.kernel.org/stable/c/fbdbf8ac333d3d47c0d9ea81d7d445654431d100"
},
{
"url": "https://git.kernel.org/stable/c/5bd3c7abeb69fb4133418b846a1c6dc11313d6f0"
},
{
"url": "https://git.kernel.org/stable/c/d00dd2f2645dca04cf399d8fc692f3f69b6dd996"
}
],
"title": "x86/kexec: Fix double-free of elf header buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54146",
"datePublished": "2025-12-24T13:06:58.904Z",
"dateReserved": "2025-12-24T13:02:52.523Z",
"dateUpdated": "2025-12-24T13:06:58.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40225 (GCVE-0-2025-40225)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
drm/panthor: Fix kernel panic on partial unmap of a GPU VA region
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: Fix kernel panic on partial unmap of a GPU VA region
This commit address a kernel panic issue that can happen if Userspace
tries to partially unmap a GPU virtual region (aka drm_gpuva).
The VM_BIND interface allows partial unmapping of a BO.
Panthor driver pre-allocates memory for the new drm_gpuva structures
that would be needed for the map/unmap operation, done using drm_gpuvm
layer. It expected that only one new drm_gpuva would be needed on umap
but a partial unmap can require 2 new drm_gpuva and that's why it
ended up doing a NULL pointer dereference causing a kernel panic.
Following dump was seen when partial unmap was exercised.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078
Mem abort info:
ESR = 0x0000000096000046
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
CM = 0, WnR = 1, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000
[000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000
Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP
<snip>
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]
lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]
sp : ffff800085d43970
x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000
x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000
x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010
x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c
x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58
x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c
x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7
x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001
x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078
Call trace:
panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]
op_remap_cb.isra.22+0x50/0x80
__drm_gpuvm_sm_unmap+0x10c/0x1c8
drm_gpuvm_sm_unmap+0x40/0x60
panthor_vm_exec_op+0xb4/0x3d0 [panthor]
panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]
panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]
drm_ioctl_kernel+0xbc/0x138
drm_ioctl+0x240/0x500
__arm64_sys_ioctl+0xb0/0xf8
invoke_syscall+0x4c/0x110
el0_svc_common.constprop.1+0x98/0xf8
do_el0_svc+0x24/0x38
el0_svc+0x40/0xf8
el0t_64_sync_handler+0xa0/0xc8
el0t_64_sync+0x174/0x178
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
647810ec247641eb5aec8caef818919a4518a0b1 , < efe6dced3512066ebee2cf7c4c38d1c99625814e
(git)
Affected: 647810ec247641eb5aec8caef818919a4518a0b1 , < e9c19d19dd7e08db89cead5b0337c18590dc6645 (git) Affected: 647810ec247641eb5aec8caef818919a4518a0b1 , < 4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "efe6dced3512066ebee2cf7c4c38d1c99625814e",
"status": "affected",
"version": "647810ec247641eb5aec8caef818919a4518a0b1",
"versionType": "git"
},
{
"lessThan": "e9c19d19dd7e08db89cead5b0337c18590dc6645",
"status": "affected",
"version": "647810ec247641eb5aec8caef818919a4518a0b1",
"versionType": "git"
},
{
"lessThan": "4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f",
"status": "affected",
"version": "647810ec247641eb5aec8caef818919a4518a0b1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix kernel panic on partial unmap of a GPU VA region\n\nThis commit address a kernel panic issue that can happen if Userspace\ntries to partially unmap a GPU virtual region (aka drm_gpuva).\nThe VM_BIND interface allows partial unmapping of a BO.\n\nPanthor driver pre-allocates memory for the new drm_gpuva structures\nthat would be needed for the map/unmap operation, done using drm_gpuvm\nlayer. It expected that only one new drm_gpuva would be needed on umap\nbut a partial unmap can require 2 new drm_gpuva and that\u0027s why it\nended up doing a NULL pointer dereference causing a kernel panic.\n\nFollowing dump was seen when partial unmap was exercised.\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078\n Mem abort info:\n ESR = 0x0000000096000046\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000\n [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000\n Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP\n \u003csnip\u003e\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]\n lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]\n sp : ffff800085d43970\n x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000\n x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000\n x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180\n x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010\n x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c\n x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58\n x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c\n x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7\n x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001\n x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078\n Call trace:\n panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]\n op_remap_cb.isra.22+0x50/0x80\n __drm_gpuvm_sm_unmap+0x10c/0x1c8\n drm_gpuvm_sm_unmap+0x40/0x60\n panthor_vm_exec_op+0xb4/0x3d0 [panthor]\n panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]\n panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]\n drm_ioctl_kernel+0xbc/0x138\n drm_ioctl+0x240/0x500\n __arm64_sys_ioctl+0xb0/0xf8\n invoke_syscall+0x4c/0x110\n el0_svc_common.constprop.1+0x98/0xf8\n do_el0_svc+0x24/0x38\n el0_svc+0x40/0xf8\n el0t_64_sync_handler+0xa0/0xc8\n el0t_64_sync+0x174/0x178"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:17.057Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/efe6dced3512066ebee2cf7c4c38d1c99625814e"
},
{
"url": "https://git.kernel.org/stable/c/e9c19d19dd7e08db89cead5b0337c18590dc6645"
},
{
"url": "https://git.kernel.org/stable/c/4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f"
}
],
"title": "drm/panthor: Fix kernel panic on partial unmap of a GPU VA region",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40225",
"datePublished": "2025-12-04T15:31:17.057Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:17.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40258 (GCVE-0-2025-40258)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
mptcp: fix race condition in mptcp_schedule_work()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix race condition in mptcp_schedule_work()
syzbot reported use-after-free in mptcp_schedule_work() [1]
Issue here is that mptcp_schedule_work() schedules a work,
then gets a refcount on sk->sk_refcnt if the work was scheduled.
This refcount will be released by mptcp_worker().
[A] if (schedule_work(...)) {
[B] sock_hold(sk);
return true;
}
Problem is that mptcp_worker() can run immediately and complete before [B]
We need instead :
sock_hold(sk);
if (schedule_work(...))
return true;
sock_put(sk);
[1]
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:-1 [inline]
__refcount_inc include/linux/refcount.h:366 [inline]
refcount_inc include/linux/refcount.h:383 [inline]
sock_hold include/net/sock.h:816 [inline]
mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943
mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x648/0x970 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
handle_softirqs+0x22f/0x710 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
run_ktimerd+0xcf/0x190 kernel/softirq.c:1138
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3b1d6210a9577369103330b0d802b0bf74b65e7f , < f865e6595acf33083168db76921e66ace8bf0e5b
(git)
Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 99908e2d601236842d705d5fd04fb349577316f5 (git) Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < db4f7968a75250ca6c4ed70d0a78beabb2dcee18 (git) Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 8f9ba1a99a89feef9b5867c15a0141a97e893309 (git) Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < ac28dfddedf6f209190950fc71bcff65ec4ab47b (git) Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 3fc7723ed01d1130d4bf7063c50e0af60ecccbb4 (git) Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 035bca3f017ee9dea3a5a756e77a6f7138cc6eea (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f865e6595acf33083168db76921e66ace8bf0e5b",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "99908e2d601236842d705d5fd04fb349577316f5",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "db4f7968a75250ca6c4ed70d0a78beabb2dcee18",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "8f9ba1a99a89feef9b5867c15a0141a97e893309",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "ac28dfddedf6f209190950fc71bcff65ec4ab47b",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "3fc7723ed01d1130d4bf7063c50e0af60ecccbb4",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
},
{
"lessThan": "035bca3f017ee9dea3a5a756e77a6f7138cc6eea",
"status": "affected",
"version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix race condition in mptcp_schedule_work()\n\nsyzbot reported use-after-free in mptcp_schedule_work() [1]\n\nIssue here is that mptcp_schedule_work() schedules a work,\nthen gets a refcount on sk-\u003esk_refcnt if the work was scheduled.\nThis refcount will be released by mptcp_worker().\n\n[A] if (schedule_work(...)) {\n[B] sock_hold(sk);\n return true;\n }\n\nProblem is that mptcp_worker() can run immediately and complete before [B]\n\nWe need instead :\n\n sock_hold(sk);\n if (schedule_work(...))\n return true;\n sock_put(sk);\n\n[1]\nrefcount_t: addition on 0; use-after-free.\n WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25\nCall Trace:\n \u003cTASK\u003e\n __refcount_add include/linux/refcount.h:-1 [inline]\n __refcount_inc include/linux/refcount.h:366 [inline]\n refcount_inc include/linux/refcount.h:383 [inline]\n sock_hold include/net/sock.h:816 [inline]\n mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943\n mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316\n call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\n expire_timers kernel/time/timer.c:1798 [inline]\n __run_timers kernel/time/timer.c:2372 [inline]\n __run_timer_base+0x648/0x970 kernel/time/timer.c:2384\n run_timer_base kernel/time/timer.c:2393 [inline]\n run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\n handle_softirqs+0x22f/0x710 kernel/softirq.c:622\n __do_softirq kernel/softirq.c:656 [inline]\n run_ktimerd+0xcf/0x190 kernel/softirq.c:1138\n smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160\n kthread+0x711/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:56.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f865e6595acf33083168db76921e66ace8bf0e5b"
},
{
"url": "https://git.kernel.org/stable/c/99908e2d601236842d705d5fd04fb349577316f5"
},
{
"url": "https://git.kernel.org/stable/c/db4f7968a75250ca6c4ed70d0a78beabb2dcee18"
},
{
"url": "https://git.kernel.org/stable/c/8f9ba1a99a89feef9b5867c15a0141a97e893309"
},
{
"url": "https://git.kernel.org/stable/c/ac28dfddedf6f209190950fc71bcff65ec4ab47b"
},
{
"url": "https://git.kernel.org/stable/c/3fc7723ed01d1130d4bf7063c50e0af60ecccbb4"
},
{
"url": "https://git.kernel.org/stable/c/035bca3f017ee9dea3a5a756e77a6f7138cc6eea"
}
],
"title": "mptcp: fix race condition in mptcp_schedule_work()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40258",
"datePublished": "2025-12-04T16:08:19.176Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:38:56.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50821 (GCVE-0-2022-50821)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < 76f2497a2faa6a4e91efb94a7f55705b403273fd
(git)
Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < aa91afe597401b78baa7d751c71eedb92c80bd4d (git) Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < 2cd6026e257362f030c8be57abaf7fc0049df60a (git) Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < d01fa993eb7fbc305f0a9c3e8bfac6513efc13b6 (git) Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < 67eb848161c2799f2007968ea3bc87adb15c9567 (git) Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < c9ded831e2552b9c3cab7e2591a190e94f9d29c0 (git) Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "76f2497a2faa6a4e91efb94a7f55705b403273fd",
"status": "affected",
"version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
"versionType": "git"
},
{
"lessThan": "aa91afe597401b78baa7d751c71eedb92c80bd4d",
"status": "affected",
"version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
"versionType": "git"
},
{
"lessThan": "2cd6026e257362f030c8be57abaf7fc0049df60a",
"status": "affected",
"version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
"versionType": "git"
},
{
"lessThan": "d01fa993eb7fbc305f0a9c3e8bfac6513efc13b6",
"status": "affected",
"version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
"versionType": "git"
},
{
"lessThan": "67eb848161c2799f2007968ea3bc87adb15c9567",
"status": "affected",
"version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
"versionType": "git"
},
{
"lessThan": "c9ded831e2552b9c3cab7e2591a190e94f9d29c0",
"status": "affected",
"version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
"versionType": "git"
},
{
"lessThan": "da522b5fe1a5f8b7c20a0023e87b52a150e53bf5",
"status": "affected",
"version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/auth_gss/svcauth_gss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Don\u0027t leak netobj memory when gss_read_proxy_verf() fails"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:35.564Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/76f2497a2faa6a4e91efb94a7f55705b403273fd"
},
{
"url": "https://git.kernel.org/stable/c/aa91afe597401b78baa7d751c71eedb92c80bd4d"
},
{
"url": "https://git.kernel.org/stable/c/2cd6026e257362f030c8be57abaf7fc0049df60a"
},
{
"url": "https://git.kernel.org/stable/c/d01fa993eb7fbc305f0a9c3e8bfac6513efc13b6"
},
{
"url": "https://git.kernel.org/stable/c/67eb848161c2799f2007968ea3bc87adb15c9567"
},
{
"url": "https://git.kernel.org/stable/c/c9ded831e2552b9c3cab7e2591a190e94f9d29c0"
},
{
"url": "https://git.kernel.org/stable/c/da522b5fe1a5f8b7c20a0023e87b52a150e53bf5"
}
],
"title": "SUNRPC: Don\u0027t leak netobj memory when gss_read_proxy_verf() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50821",
"datePublished": "2025-12-30T12:08:35.564Z",
"dateReserved": "2025-12-30T12:06:07.131Z",
"dateUpdated": "2025-12-30T12:08:35.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53861 (GCVE-0-2023-53861)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
ext4: correct grp validation in ext4_mb_good_group
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: correct grp validation in ext4_mb_good_group
Group corruption check will access memory of grp and will trigger kernel
crash if grp is NULL. So do NULL check before corruption check.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
100c0ad6c04597fefeaaba2bb1827cc015d95067 , < 245759d987b617d183061db6ab8886ebb5cc78e9
(git)
Affected: 620a3c28221bb219b81bc0bffd065cc187494302 , < 3e24082f16825279054a2b8a5e668d65070bbf07 (git) Affected: b4319e457d6e3fb33e443efeaf4634fc36e8a9ed , < 772ca4bc1d0d21320ef2ecc0f9e4f90ea85a035d (git) Affected: 5354b2af34064a4579be8bc0e2f15a7b70f14b5f , < 83a9d5f5ec7e75640b1ba0bbd77a4888df798bb4 (git) Affected: 5354b2af34064a4579be8bc0e2f15a7b70f14b5f , < e69d665987db0e37896adf78a7e718f9a0a75d3f (git) Affected: 5354b2af34064a4579be8bc0e2f15a7b70f14b5f , < a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93 (git) Affected: 31668cebf45adfb6283e465e641c4f5a21b07afa (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "245759d987b617d183061db6ab8886ebb5cc78e9",
"status": "affected",
"version": "100c0ad6c04597fefeaaba2bb1827cc015d95067",
"versionType": "git"
},
{
"lessThan": "3e24082f16825279054a2b8a5e668d65070bbf07",
"status": "affected",
"version": "620a3c28221bb219b81bc0bffd065cc187494302",
"versionType": "git"
},
{
"lessThan": "772ca4bc1d0d21320ef2ecc0f9e4f90ea85a035d",
"status": "affected",
"version": "b4319e457d6e3fb33e443efeaf4634fc36e8a9ed",
"versionType": "git"
},
{
"lessThan": "83a9d5f5ec7e75640b1ba0bbd77a4888df798bb4",
"status": "affected",
"version": "5354b2af34064a4579be8bc0e2f15a7b70f14b5f",
"versionType": "git"
},
{
"lessThan": "e69d665987db0e37896adf78a7e718f9a0a75d3f",
"status": "affected",
"version": "5354b2af34064a4579be8bc0e2f15a7b70f14b5f",
"versionType": "git"
},
{
"lessThan": "a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93",
"status": "affected",
"version": "5354b2af34064a4579be8bc0e2f15a7b70f14b5f",
"versionType": "git"
},
{
"status": "affected",
"version": "31668cebf45adfb6283e465e641c4f5a21b07afa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.15.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "6.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: correct grp validation in ext4_mb_good_group\n\nGroup corruption check will access memory of grp and will trigger kernel\ncrash if grp is NULL. So do NULL check before corruption check."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:29.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/245759d987b617d183061db6ab8886ebb5cc78e9"
},
{
"url": "https://git.kernel.org/stable/c/3e24082f16825279054a2b8a5e668d65070bbf07"
},
{
"url": "https://git.kernel.org/stable/c/772ca4bc1d0d21320ef2ecc0f9e4f90ea85a035d"
},
{
"url": "https://git.kernel.org/stable/c/83a9d5f5ec7e75640b1ba0bbd77a4888df798bb4"
},
{
"url": "https://git.kernel.org/stable/c/e69d665987db0e37896adf78a7e718f9a0a75d3f"
},
{
"url": "https://git.kernel.org/stable/c/a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93"
}
],
"title": "ext4: correct grp validation in ext4_mb_good_group",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53861",
"datePublished": "2025-12-09T01:30:29.423Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2025-12-09T01:30:29.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53744 (GCVE-0-2023-53744)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe
wkup_m3_ipc_get() takes refcount, which should be freed by
wkup_m3_ipc_put(). Add missing refcount release in the error paths.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32 , < 08310f810975c8c9e17c6ffb99fdb76a84e8adb7
(git)
Affected: 5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32 , < 6a50350033e0e0854acf59a8413913b4de04bd7d (git) Affected: 5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32 , < 6dbcc493a18dd60947c2168a39df0ec2fe7b5110 (git) Affected: 5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32 , < e6c6b40c9bf49ce9b5493b146bfeb96359937cfa (git) Affected: 5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32 , < 65305e8c0009a1933679dad5c8196060a10f3c8b (git) Affected: 5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32 , < 8f3c307b580a4a6425896007325bddefc36e8d91 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/ti/pm33xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08310f810975c8c9e17c6ffb99fdb76a84e8adb7",
"status": "affected",
"version": "5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32",
"versionType": "git"
},
{
"lessThan": "6a50350033e0e0854acf59a8413913b4de04bd7d",
"status": "affected",
"version": "5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32",
"versionType": "git"
},
{
"lessThan": "6dbcc493a18dd60947c2168a39df0ec2fe7b5110",
"status": "affected",
"version": "5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32",
"versionType": "git"
},
{
"lessThan": "e6c6b40c9bf49ce9b5493b146bfeb96359937cfa",
"status": "affected",
"version": "5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32",
"versionType": "git"
},
{
"lessThan": "65305e8c0009a1933679dad5c8196060a10f3c8b",
"status": "affected",
"version": "5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32",
"versionType": "git"
},
{
"lessThan": "8f3c307b580a4a6425896007325bddefc36e8d91",
"status": "affected",
"version": "5a99ae0092fe24fd581fdb6b9c2b48f94f92cf32",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/ti/pm33xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe\n\nwkup_m3_ipc_get() takes refcount, which should be freed by\nwkup_m3_ipc_put(). Add missing refcount release in the error paths."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:02.965Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08310f810975c8c9e17c6ffb99fdb76a84e8adb7"
},
{
"url": "https://git.kernel.org/stable/c/6a50350033e0e0854acf59a8413913b4de04bd7d"
},
{
"url": "https://git.kernel.org/stable/c/6dbcc493a18dd60947c2168a39df0ec2fe7b5110"
},
{
"url": "https://git.kernel.org/stable/c/e6c6b40c9bf49ce9b5493b146bfeb96359937cfa"
},
{
"url": "https://git.kernel.org/stable/c/65305e8c0009a1933679dad5c8196060a10f3c8b"
},
{
"url": "https://git.kernel.org/stable/c/8f3c307b580a4a6425896007325bddefc36e8d91"
}
],
"title": "soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53744",
"datePublished": "2025-12-08T01:19:02.965Z",
"dateReserved": "2025-12-08T01:18:04.278Z",
"dateUpdated": "2025-12-08T01:19:02.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54296 (GCVE-0-2023-54296)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration
Fix a goof where KVM tries to grab source vCPUs from the destination VM
when doing intrahost migration. Grabbing the wrong vCPU not only hoses
the guest, it also crashes the host due to the VMSA pointer being left
NULL.
BUG: unable to handle page fault for address: ffffe38687000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: GO 6.5.0-smp--fff2e47e6c3b-next #151
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023
RIP: 0010:__free_pages+0x15/0xd0
RSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000
RBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000
R13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
<TASK>
sev_free_vcpu+0xcb/0x110 [kvm_amd]
svm_vcpu_free+0x75/0xf0 [kvm_amd]
kvm_arch_vcpu_destroy+0x36/0x140 [kvm]
kvm_destroy_vcpus+0x67/0x100 [kvm]
kvm_arch_destroy_vm+0x161/0x1d0 [kvm]
kvm_put_kvm+0x276/0x560 [kvm]
kvm_vm_release+0x25/0x30 [kvm]
__fput+0x106/0x280
____fput+0x12/0x20
task_work_run+0x86/0xb0
do_exit+0x2e3/0x9c0
do_group_exit+0xb1/0xc0
__x64_sys_exit_group+0x1b/0x20
do_syscall_64+0x41/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
CR2: ffffe38687000000
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6defa24d3b12bbd418bc8526dea1cbc605265c06 , < 5c18ace750e4d4d58d7da02d1c669bf21c824158
(git)
Affected: 6defa24d3b12bbd418bc8526dea1cbc605265c06 , < 2ee4b180d51b12a45bdd3264629719ef6a572a73 (git) Affected: 6defa24d3b12bbd418bc8526dea1cbc605265c06 , < f1187ef24eb8f36e8ad8106d22615ceddeea6097 (git) Affected: 229334a8b1d0d5e60d3bdd091bbc4552d5321c97 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c18ace750e4d4d58d7da02d1c669bf21c824158",
"status": "affected",
"version": "6defa24d3b12bbd418bc8526dea1cbc605265c06",
"versionType": "git"
},
{
"lessThan": "2ee4b180d51b12a45bdd3264629719ef6a572a73",
"status": "affected",
"version": "6defa24d3b12bbd418bc8526dea1cbc605265c06",
"versionType": "git"
},
{
"lessThan": "f1187ef24eb8f36e8ad8106d22615ceddeea6097",
"status": "affected",
"version": "6defa24d3b12bbd418bc8526dea1cbc605265c06",
"versionType": "git"
},
{
"status": "affected",
"version": "229334a8b1d0d5e60d3bdd091bbc4552d5321c97",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/sev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration\n\nFix a goof where KVM tries to grab source vCPUs from the destination VM\nwhen doing intrahost migration. Grabbing the wrong vCPU not only hoses\nthe guest, it also crashes the host due to the VMSA pointer being left\nNULL.\n\n BUG: unable to handle page fault for address: ffffe38687000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: GO 6.5.0-smp--fff2e47e6c3b-next #151\n Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023\n RIP: 0010:__free_pages+0x15/0xd0\n RSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100\n RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000\n RBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000\n R10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000\n R13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n sev_free_vcpu+0xcb/0x110 [kvm_amd]\n svm_vcpu_free+0x75/0xf0 [kvm_amd]\n kvm_arch_vcpu_destroy+0x36/0x140 [kvm]\n kvm_destroy_vcpus+0x67/0x100 [kvm]\n kvm_arch_destroy_vm+0x161/0x1d0 [kvm]\n kvm_put_kvm+0x276/0x560 [kvm]\n kvm_vm_release+0x25/0x30 [kvm]\n __fput+0x106/0x280\n ____fput+0x12/0x20\n task_work_run+0x86/0xb0\n do_exit+0x2e3/0x9c0\n do_group_exit+0xb1/0xc0\n __x64_sys_exit_group+0x1b/0x20\n do_syscall_64+0x41/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e\n CR2: ffffe38687000000"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:33.141Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c18ace750e4d4d58d7da02d1c669bf21c824158"
},
{
"url": "https://git.kernel.org/stable/c/2ee4b180d51b12a45bdd3264629719ef6a572a73"
},
{
"url": "https://git.kernel.org/stable/c/f1187ef24eb8f36e8ad8106d22615ceddeea6097"
}
],
"title": "KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54296",
"datePublished": "2025-12-30T12:23:33.141Z",
"dateReserved": "2025-12-30T12:06:44.528Z",
"dateUpdated": "2025-12-30T12:23:33.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40262 (GCVE-0-2025-40262)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:39
VLAI?
EPSS
Title
Input: imx_sc_key - fix memory corruption on unload
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: imx_sc_key - fix memory corruption on unload
This is supposed to be "priv" but we accidentally pass "&priv" which is
an address in the stack and so it will lead to memory corruption when
the imx_sc_key_action() function is called. Remove the &.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
768062fd1284529212daffd360314e9aa93abb62 , < 3e96803b169dc948847f0fc2bae729a80914eb7b
(git)
Affected: 768062fd1284529212daffd360314e9aa93abb62 , < 4ce5218b101205b3425099fe3df88a61b58f9cc2 (git) Affected: 768062fd1284529212daffd360314e9aa93abb62 , < a155292c3ce722036014da5477ee0e4c87b5e6b3 (git) Affected: 768062fd1284529212daffd360314e9aa93abb62 , < ca9a08de9b294422376f47ade323d69590dbc6f2 (git) Affected: 768062fd1284529212daffd360314e9aa93abb62 , < 56881294915a6e866d31a46f9bcb5e19167cfbaa (git) Affected: 768062fd1284529212daffd360314e9aa93abb62 , < 6524a15d33951b18ac408ebbcb9c16e14e21c336 (git) Affected: 768062fd1284529212daffd360314e9aa93abb62 , < d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/imx_sc_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e96803b169dc948847f0fc2bae729a80914eb7b",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "4ce5218b101205b3425099fe3df88a61b58f9cc2",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "a155292c3ce722036014da5477ee0e4c87b5e6b3",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "ca9a08de9b294422376f47ade323d69590dbc6f2",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "56881294915a6e866d31a46f9bcb5e19167cfbaa",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "6524a15d33951b18ac408ebbcb9c16e14e21c336",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
},
{
"lessThan": "d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4",
"status": "affected",
"version": "768062fd1284529212daffd360314e9aa93abb62",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/imx_sc_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: imx_sc_key - fix memory corruption on unload\n\nThis is supposed to be \"priv\" but we accidentally pass \"\u0026priv\" which is\nan address in the stack and so it will lead to memory corruption when\nthe imx_sc_key_action() function is called. Remove the \u0026."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:39:03.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e96803b169dc948847f0fc2bae729a80914eb7b"
},
{
"url": "https://git.kernel.org/stable/c/4ce5218b101205b3425099fe3df88a61b58f9cc2"
},
{
"url": "https://git.kernel.org/stable/c/a155292c3ce722036014da5477ee0e4c87b5e6b3"
},
{
"url": "https://git.kernel.org/stable/c/ca9a08de9b294422376f47ade323d69590dbc6f2"
},
{
"url": "https://git.kernel.org/stable/c/56881294915a6e866d31a46f9bcb5e19167cfbaa"
},
{
"url": "https://git.kernel.org/stable/c/6524a15d33951b18ac408ebbcb9c16e14e21c336"
},
{
"url": "https://git.kernel.org/stable/c/d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4"
}
],
"title": "Input: imx_sc_key - fix memory corruption on unload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40262",
"datePublished": "2025-12-04T16:08:22.043Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2025-12-06T21:39:03.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38336 (GCVE-0-2025-38336)
Vulnerability from cvelistv5 – Published: 2025-07-10 08:15 – Updated: 2026-01-02 15:30
VLAI?
EPSS
Title
ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330
Summary
In the Linux kernel, the following vulnerability has been resolved:
ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330
The controller has a hardware bug that can hard hang the system when
doing ATAPI DMAs without any trace of what happened. Depending on the
device attached, it can also prevent the system from booting.
In this case, the system hangs when reading the ATIP from optical media
with cdrecord -vvv -atip on an _NEC DVD_RW ND-4571A 1-01 and an
Optiarc DVD RW AD-7200A 1.06 attached to an ASRock 990FX Extreme 4,
running at UDMA/33.
The issue can be reproduced by running the same command with a cygwin
build of cdrecord on WinXP, although it requires more attempts to cause
it. The hang in that case is also resolved by forcing PIO. It doesn't
appear that VIA has produced any drivers for that OS, thus no known
workaround exists.
HDDs attached to the controller do not suffer from any DMA issues.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5955c7a2cfb6a35429adea5dc480002b15ca8cfc , < 67d66a5e4583fd3bcf13d6f747e571df13cbad51
(git)
Affected: 5955c7a2cfb6a35429adea5dc480002b15ca8cfc , < 0d9a48dfa934f43ac839211ae4aeba34f666a9a5 (git) Affected: 5955c7a2cfb6a35429adea5dc480002b15ca8cfc , < 7fc89c218fc96a296a2840b1e37f4e0975f7a108 (git) Affected: 5955c7a2cfb6a35429adea5dc480002b15ca8cfc , < 8212cd92fe40aae6fe5a073bc70e758c42bb4bfc (git) Affected: 5955c7a2cfb6a35429adea5dc480002b15ca8cfc , < 8edfed4439b107d62151ff6c075958d169da3e71 (git) Affected: 5955c7a2cfb6a35429adea5dc480002b15ca8cfc , < 947f9304d3c876c6672b947b80c0ef51161c6d2f (git) Affected: 5955c7a2cfb6a35429adea5dc480002b15ca8cfc , < bb7212ee4ff086628a2c1c22336d082a87cb893d (git) Affected: 5955c7a2cfb6a35429adea5dc480002b15ca8cfc , < d29fc02caad7f94b62d56ee1b01c954f9c961ba7 (git) Affected: 466909ba06d0bfd5423cd5ca9bea22e43384377e (git) Affected: 95cfc84fd09cb77669da9ae6e9ad5ced027ca483 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:36:45.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ata/pata_via.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "67d66a5e4583fd3bcf13d6f747e571df13cbad51",
"status": "affected",
"version": "5955c7a2cfb6a35429adea5dc480002b15ca8cfc",
"versionType": "git"
},
{
"lessThan": "0d9a48dfa934f43ac839211ae4aeba34f666a9a5",
"status": "affected",
"version": "5955c7a2cfb6a35429adea5dc480002b15ca8cfc",
"versionType": "git"
},
{
"lessThan": "7fc89c218fc96a296a2840b1e37f4e0975f7a108",
"status": "affected",
"version": "5955c7a2cfb6a35429adea5dc480002b15ca8cfc",
"versionType": "git"
},
{
"lessThan": "8212cd92fe40aae6fe5a073bc70e758c42bb4bfc",
"status": "affected",
"version": "5955c7a2cfb6a35429adea5dc480002b15ca8cfc",
"versionType": "git"
},
{
"lessThan": "8edfed4439b107d62151ff6c075958d169da3e71",
"status": "affected",
"version": "5955c7a2cfb6a35429adea5dc480002b15ca8cfc",
"versionType": "git"
},
{
"lessThan": "947f9304d3c876c6672b947b80c0ef51161c6d2f",
"status": "affected",
"version": "5955c7a2cfb6a35429adea5dc480002b15ca8cfc",
"versionType": "git"
},
{
"lessThan": "bb7212ee4ff086628a2c1c22336d082a87cb893d",
"status": "affected",
"version": "5955c7a2cfb6a35429adea5dc480002b15ca8cfc",
"versionType": "git"
},
{
"lessThan": "d29fc02caad7f94b62d56ee1b01c954f9c961ba7",
"status": "affected",
"version": "5955c7a2cfb6a35429adea5dc480002b15ca8cfc",
"versionType": "git"
},
{
"status": "affected",
"version": "466909ba06d0bfd5423cd5ca9bea22e43384377e",
"versionType": "git"
},
{
"status": "affected",
"version": "95cfc84fd09cb77669da9ae6e9ad5ced027ca483",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ata/pata_via.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.27.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.28.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330\n\nThe controller has a hardware bug that can hard hang the system when\ndoing ATAPI DMAs without any trace of what happened. Depending on the\ndevice attached, it can also prevent the system from booting.\n\nIn this case, the system hangs when reading the ATIP from optical media\nwith cdrecord -vvv -atip on an _NEC DVD_RW ND-4571A 1-01 and an\nOptiarc DVD RW AD-7200A 1.06 attached to an ASRock 990FX Extreme 4,\nrunning at UDMA/33.\n\nThe issue can be reproduced by running the same command with a cygwin\nbuild of cdrecord on WinXP, although it requires more attempts to cause\nit. The hang in that case is also resolved by forcing PIO. It doesn\u0027t\nappear that VIA has produced any drivers for that OS, thus no known\nworkaround exists.\n\nHDDs attached to the controller do not suffer from any DMA issues."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:30:24.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/67d66a5e4583fd3bcf13d6f747e571df13cbad51"
},
{
"url": "https://git.kernel.org/stable/c/0d9a48dfa934f43ac839211ae4aeba34f666a9a5"
},
{
"url": "https://git.kernel.org/stable/c/7fc89c218fc96a296a2840b1e37f4e0975f7a108"
},
{
"url": "https://git.kernel.org/stable/c/8212cd92fe40aae6fe5a073bc70e758c42bb4bfc"
},
{
"url": "https://git.kernel.org/stable/c/8edfed4439b107d62151ff6c075958d169da3e71"
},
{
"url": "https://git.kernel.org/stable/c/947f9304d3c876c6672b947b80c0ef51161c6d2f"
},
{
"url": "https://git.kernel.org/stable/c/bb7212ee4ff086628a2c1c22336d082a87cb893d"
},
{
"url": "https://git.kernel.org/stable/c/d29fc02caad7f94b62d56ee1b01c954f9c961ba7"
}
],
"title": "ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38336",
"datePublished": "2025-07-10T08:15:07.700Z",
"dateReserved": "2025-04-16T04:51:24.005Z",
"dateUpdated": "2026-01-02T15:30:24.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53813 (GCVE-0-2023-53813)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
VLAI?
EPSS
Title
ext4: fix rbtree traversal bug in ext4_mb_use_preallocated
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix rbtree traversal bug in ext4_mb_use_preallocated
During allocations, while looking for preallocations(PA) in the per
inode rbtree, we can't do a direct traversal of the tree because
ext4_mb_discard_group_preallocation() can paralelly mark the pa deleted
and that can cause direct traversal to skip some entries. This was
leading to a BUG_ON() being hit [1] when we missed a PA that could satisfy
our request and ultimately tried to create a new PA that would overlap
with the missed one.
To makes sure we handle that case while still keeping the performance of
the rbtree, we make use of the fact that the only pa that could possibly
overlap the original goal start is the one that satisfies the below
conditions:
1. It must have it's logical start immediately to the left of
(ie less than) original logical start.
2. It must not be deleted
To find this pa we use the following traversal method:
1. Descend into the rbtree normally to find the immediate neighboring
PA. Here we keep descending irrespective of if the PA is deleted or if
it overlaps with our request etc. The goal is to find an immediately
adjacent PA.
2. If the found PA is on right of original goal, use rb_prev() to find
the left adjacent PA.
3. Check if this PA is deleted and keep moving left with rb_prev() until
a non deleted PA is found.
4. This is the PA we are looking for. Now we can check if it can satisfy
the original request and proceed accordingly.
This approach also takes care of having deleted PAs in the tree.
(While we are at it, also fix a possible overflow bug in calculating the
end of a PA)
[1] https://lore.kernel.org/linux-ext4/CA+G9fYv2FRpLqBZf34ZinR8bU2_ZRAUOjKAD3+tKRFaEQHtt8Q@mail.gmail.com/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "339fee69a1daa71d6f97e47a867e2c32419a2406",
"status": "affected",
"version": "3872778664e36528caf8b27f355e75482f6d562d",
"versionType": "git"
},
{
"lessThan": "9d3de7ee192a6a253f475197fe4d2e2af10a731f",
"status": "affected",
"version": "3872778664e36528caf8b27f355e75482f6d562d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix rbtree traversal bug in ext4_mb_use_preallocated\n\nDuring allocations, while looking for preallocations(PA) in the per\ninode rbtree, we can\u0027t do a direct traversal of the tree because\next4_mb_discard_group_preallocation() can paralelly mark the pa deleted\nand that can cause direct traversal to skip some entries. This was\nleading to a BUG_ON() being hit [1] when we missed a PA that could satisfy\nour request and ultimately tried to create a new PA that would overlap\nwith the missed one.\n\nTo makes sure we handle that case while still keeping the performance of\nthe rbtree, we make use of the fact that the only pa that could possibly\noverlap the original goal start is the one that satisfies the below\nconditions:\n\n 1. It must have it\u0027s logical start immediately to the left of\n (ie less than) original logical start.\n\n 2. It must not be deleted\n\nTo find this pa we use the following traversal method:\n\n1. Descend into the rbtree normally to find the immediate neighboring\nPA. Here we keep descending irrespective of if the PA is deleted or if\nit overlaps with our request etc. The goal is to find an immediately\nadjacent PA.\n\n2. If the found PA is on right of original goal, use rb_prev() to find\nthe left adjacent PA.\n\n3. Check if this PA is deleted and keep moving left with rb_prev() until\na non deleted PA is found.\n\n4. This is the PA we are looking for. Now we can check if it can satisfy\nthe original request and proceed accordingly.\n\nThis approach also takes care of having deleted PAs in the tree.\n\n(While we are at it, also fix a possible overflow bug in calculating the\nend of a PA)\n\n[1] https://lore.kernel.org/linux-ext4/CA+G9fYv2FRpLqBZf34ZinR8bU2_ZRAUOjKAD3+tKRFaEQHtt8Q@mail.gmail.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:10.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/339fee69a1daa71d6f97e47a867e2c32419a2406"
},
{
"url": "https://git.kernel.org/stable/c/9d3de7ee192a6a253f475197fe4d2e2af10a731f"
}
],
"title": "ext4: fix rbtree traversal bug in ext4_mb_use_preallocated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53813",
"datePublished": "2025-12-09T00:01:10.886Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:10.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40330 (GCVE-0-2025-40330)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
VLAI?
EPSS
Title
bnxt_en: Shutdown FW DMA in bnxt_shutdown()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Shutdown FW DMA in bnxt_shutdown()
The netif_close() call in bnxt_shutdown() only stops packet DMA. There
may be FW DMA for trace logging (recently added) that will continue. If
we kexec to a new kernel, the DMA will corrupt memory in the new kernel.
Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW.
This will stop the FW DMA. In case the call fails, call pcie_flr() to
reset the function and stop the DMA.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1a8a15c3f71d1199d510ccba4bc201cbd2204048",
"status": "affected",
"version": "24d694aec139e9e0a31c60993db79bd8ad575afe",
"versionType": "git"
},
{
"lessThan": "bc7208ca805ae6062f353a4753467d913d963bc6",
"status": "affected",
"version": "24d694aec139e9e0a31c60993db79bd8ad575afe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Shutdown FW DMA in bnxt_shutdown()\n\nThe netif_close() call in bnxt_shutdown() only stops packet DMA. There\nmay be FW DMA for trace logging (recently added) that will continue. If\nwe kexec to a new kernel, the DMA will corrupt memory in the new kernel.\n\nAdd bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW.\nThis will stop the FW DMA. In case the call fails, call pcie_flr() to\nreset the function and stop the DMA."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:47.251Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1a8a15c3f71d1199d510ccba4bc201cbd2204048"
},
{
"url": "https://git.kernel.org/stable/c/bc7208ca805ae6062f353a4753467d913d963bc6"
}
],
"title": "bnxt_en: Shutdown FW DMA in bnxt_shutdown()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40330",
"datePublished": "2025-12-09T04:09:47.251Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:47.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54224 (GCVE-0-2023-54224)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2026-01-05 11:36
VLAI?
EPSS
Title
btrfs: fix lockdep splat and potential deadlock after failure running delayed items
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix lockdep splat and potential deadlock after failure running delayed items
When running delayed items we are holding a delayed node's mutex and then
we will attempt to modify a subvolume btree to insert/update/delete the
delayed items. However if have an error during the insertions for example,
btrfs_insert_delayed_items() may return with a path that has locked extent
buffers (a leaf at the very least), and then we attempt to release the
delayed node at __btrfs_run_delayed_items(), which requires taking the
delayed node's mutex, causing an ABBA type of deadlock. This was reported
by syzbot and the lockdep splat is the following:
WARNING: possible circular locking dependency detected
6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted
------------------------------------------------------
syz-executor.2/13257 is trying to acquire lock:
ffff88801835c0c0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256
but task is already holding lock:
ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (btrfs-tree-00){++++}-{3:3}:
__lock_release kernel/locking/lockdep.c:5475 [inline]
lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781
up_write+0x79/0x580 kernel/locking/rwsem.c:1625
btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]
btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239
search_leaf fs/btrfs/ctree.c:1986 [inline]
btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230
btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376
btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]
btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]
__btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111
__btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153
flush_space+0x269/0xe70 fs/btrfs/space-info.c:723
btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078
process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600
worker_thread+0xa63/0x1210 kernel/workqueue.c:2751
kthread+0x2b8/0x350 kernel/kthread.c:389
ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
-> #0 (&delayed_node->mutex){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3142 [inline]
check_prevs_add kernel/locking/lockdep.c:3261 [inline]
validate_chain kernel/locking/lockdep.c:3876 [inline]
__lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144
lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761
__mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603
__mutex_lock kernel/locking/mutex.c:747 [inline]
mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799
__btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256
btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]
__btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156
btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276
btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988
vfs_fsync_range fs/sync.c:188 [inline]
vfs_fsync fs/sync.c:202 [inline]
do_fsync fs/sync.c:212 [inline]
__do_sys_fsync fs/sync.c:220 [inline]
__se_sys_fsync fs/sync.c:218 [inline]
__x64_sys_fsync+0x196/0x1e0 fs/sync.c:218
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
other info that
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
506650dcb3a716ad98681f7091ba2f8e748c04b8 , < 779c3cf2749c7a7bad6f839cb2954a25ba92f4d6
(git)
Affected: 506650dcb3a716ad98681f7091ba2f8e748c04b8 , < 32247b9526bfdaeef85f7339d9b4f913c7370f92 (git) Affected: 506650dcb3a716ad98681f7091ba2f8e748c04b8 , < 36d918da3f1bf749178c7daf471a3be1730ed3ca (git) Affected: 506650dcb3a716ad98681f7091ba2f8e748c04b8 , < e110f8911ddb93e6f55da14ccbbe705397b30d0b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/delayed-inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "779c3cf2749c7a7bad6f839cb2954a25ba92f4d6",
"status": "affected",
"version": "506650dcb3a716ad98681f7091ba2f8e748c04b8",
"versionType": "git"
},
{
"lessThan": "32247b9526bfdaeef85f7339d9b4f913c7370f92",
"status": "affected",
"version": "506650dcb3a716ad98681f7091ba2f8e748c04b8",
"versionType": "git"
},
{
"lessThan": "36d918da3f1bf749178c7daf471a3be1730ed3ca",
"status": "affected",
"version": "506650dcb3a716ad98681f7091ba2f8e748c04b8",
"versionType": "git"
},
{
"lessThan": "e110f8911ddb93e6f55da14ccbbe705397b30d0b",
"status": "affected",
"version": "506650dcb3a716ad98681f7091ba2f8e748c04b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/delayed-inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix lockdep splat and potential deadlock after failure running delayed items\n\nWhen running delayed items we are holding a delayed node\u0027s mutex and then\nwe will attempt to modify a subvolume btree to insert/update/delete the\ndelayed items. However if have an error during the insertions for example,\nbtrfs_insert_delayed_items() may return with a path that has locked extent\nbuffers (a leaf at the very least), and then we attempt to release the\ndelayed node at __btrfs_run_delayed_items(), which requires taking the\ndelayed node\u0027s mutex, causing an ABBA type of deadlock. This was reported\nby syzbot and the lockdep splat is the following:\n\n WARNING: possible circular locking dependency detected\n 6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted\n ------------------------------------------------------\n syz-executor.2/13257 is trying to acquire lock:\n ffff88801835c0c0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n\n but task is already holding lock:\n ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\n __lock_release kernel/locking/lockdep.c:5475 [inline]\n lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781\n up_write+0x79/0x580 kernel/locking/rwsem.c:1625\n btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline]\n btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239\n search_leaf fs/btrfs/ctree.c:1986 [inline]\n btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230\n btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376\n btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline]\n btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline]\n __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111\n __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153\n flush_space+0x269/0xe70 fs/btrfs/space-info.c:723\n btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078\n process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600\n worker_thread+0xa63/0x1210 kernel/workqueue.c:2751\n kthread+0x2b8/0x350 kernel/kthread.c:389\n ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\n -\u003e #0 (\u0026delayed_node-\u003emutex){+.+.}-{3:3}:\n check_prev_add kernel/locking/lockdep.c:3142 [inline]\n check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n validate_chain kernel/locking/lockdep.c:3876 [inline]\n __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603\n __mutex_lock kernel/locking/mutex.c:747 [inline]\n mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799\n __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256\n btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline]\n __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156\n btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276\n btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988\n vfs_fsync_range fs/sync.c:188 [inline]\n vfs_fsync fs/sync.c:202 [inline]\n do_fsync fs/sync.c:212 [inline]\n __do_sys_fsync fs/sync.c:220 [inline]\n __se_sys_fsync fs/sync.c:218 [inline]\n __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n other info that\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:36:52.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6"
},
{
"url": "https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92"
},
{
"url": "https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca"
},
{
"url": "https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b"
}
],
"title": "btrfs: fix lockdep splat and potential deadlock after failure running delayed items",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54224",
"datePublished": "2025-12-30T12:11:18.076Z",
"dateReserved": "2025-12-30T12:06:44.501Z",
"dateUpdated": "2026-01-05T11:36:52.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40293 (GCVE-0-2025-40293)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
iommufd: Don't overflow during division for dirty tracking
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Don't overflow during division for dirty tracking
If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow
to 0 and this triggers divide by 0.
In this case the index should just be 0, so reorganize things to divide
by shift and avoid hitting any overflows.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < 07105e61882ff4a7d58db63cc5f9e90c6c60506c
(git)
Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < 4c8a4f1d34eced168cc0b3a3dfe7b6dcc2090f69 (git) Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < de7f2c67ceb1941b05b04ac35458a03e93cc57b1 (git) Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < dbf316fc90aa954dcd5440817f4b944627ed63e0 (git) Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < cb30dfa75d55eced379a42fd67bd5fb7ec38555e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/iova_bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07105e61882ff4a7d58db63cc5f9e90c6c60506c",
"status": "affected",
"version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
"versionType": "git"
},
{
"lessThan": "4c8a4f1d34eced168cc0b3a3dfe7b6dcc2090f69",
"status": "affected",
"version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
"versionType": "git"
},
{
"lessThan": "de7f2c67ceb1941b05b04ac35458a03e93cc57b1",
"status": "affected",
"version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
"versionType": "git"
},
{
"lessThan": "dbf316fc90aa954dcd5440817f4b944627ed63e0",
"status": "affected",
"version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
"versionType": "git"
},
{
"lessThan": "cb30dfa75d55eced379a42fd67bd5fb7ec38555e",
"status": "affected",
"version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/iova_bitmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Don\u0027t overflow during division for dirty tracking\n\nIf pgshift is 63 then BITS_PER_TYPE(*bitmap-\u003ebitmap) * pgsize will overflow\nto 0 and this triggers divide by 0.\n\nIn this case the index should just be 0, so reorganize things to divide\nby shift and avoid hitting any overflows."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:16.850Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07105e61882ff4a7d58db63cc5f9e90c6c60506c"
},
{
"url": "https://git.kernel.org/stable/c/4c8a4f1d34eced168cc0b3a3dfe7b6dcc2090f69"
},
{
"url": "https://git.kernel.org/stable/c/de7f2c67ceb1941b05b04ac35458a03e93cc57b1"
},
{
"url": "https://git.kernel.org/stable/c/dbf316fc90aa954dcd5440817f4b944627ed63e0"
},
{
"url": "https://git.kernel.org/stable/c/cb30dfa75d55eced379a42fd67bd5fb7ec38555e"
}
],
"title": "iommufd: Don\u0027t overflow during division for dirty tracking",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40293",
"datePublished": "2025-12-08T00:46:16.850Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-08T00:46:16.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50662 (GCVE-0-2022-50662)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
RDMA/hns: fix memory leak in hns_roce_alloc_mr()
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hns: fix memory leak in hns_roce_alloc_mr()
When hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not
released. Compiled test only.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87 , < 164fa80330a81db67c26d10d071083941d29a510
(git)
Affected: 9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87 , < 35f9cd060e68ff910e49bf37b1b0d336a311849a (git) Affected: 9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87 , < fd32e378bc1dea0d48767adf2bbb478581bb0a95 (git) Affected: 9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87 , < fc2c43bf41c89e7451fe750025ae55eb2e2a741d (git) Affected: 9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87 , < a115aa00b18f7b8982b8f458149632caf64a862a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hns/hns_roce_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "164fa80330a81db67c26d10d071083941d29a510",
"status": "affected",
"version": "9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87",
"versionType": "git"
},
{
"lessThan": "35f9cd060e68ff910e49bf37b1b0d336a311849a",
"status": "affected",
"version": "9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87",
"versionType": "git"
},
{
"lessThan": "fd32e378bc1dea0d48767adf2bbb478581bb0a95",
"status": "affected",
"version": "9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87",
"versionType": "git"
},
{
"lessThan": "fc2c43bf41c89e7451fe750025ae55eb2e2a741d",
"status": "affected",
"version": "9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87",
"versionType": "git"
},
{
"lessThan": "a115aa00b18f7b8982b8f458149632caf64a862a",
"status": "affected",
"version": "9b2cf76c9f052987ae5c4ad450ebebdc7c5d7b87",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hns/hns_roce_mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: fix memory leak in hns_roce_alloc_mr()\n\nWhen hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not\nreleased. Compiled test only."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:10.614Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/164fa80330a81db67c26d10d071083941d29a510"
},
{
"url": "https://git.kernel.org/stable/c/35f9cd060e68ff910e49bf37b1b0d336a311849a"
},
{
"url": "https://git.kernel.org/stable/c/fd32e378bc1dea0d48767adf2bbb478581bb0a95"
},
{
"url": "https://git.kernel.org/stable/c/fc2c43bf41c89e7451fe750025ae55eb2e2a741d"
},
{
"url": "https://git.kernel.org/stable/c/a115aa00b18f7b8982b8f458149632caf64a862a"
}
],
"title": "RDMA/hns: fix memory leak in hns_roce_alloc_mr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50662",
"datePublished": "2025-12-09T01:29:10.614Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:10.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54321 (GCVE-0-2023-54321)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2025-12-30 12:34
VLAI?
EPSS
Title
driver core: fix potential null-ptr-deref in device_add()
Summary
In the Linux kernel, the following vulnerability has been resolved:
driver core: fix potential null-ptr-deref in device_add()
I got the following null-ptr-deref report while doing fault injection test:
BUG: kernel NULL pointer dereference, address: 0000000000000058
CPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+
RIP: 0010:klist_put+0x2d/0xd0
Call Trace:
<TASK>
klist_remove+0xf1/0x1c0
device_release_driver_internal+0x196/0x210
bus_remove_device+0x1bd/0x240
device_add+0xd3d/0x1100
w1_add_master_device+0x476/0x490 [wire]
ds2482_probe+0x303/0x3e0 [ds2482]
This is how it happened:
w1_alloc_dev()
// The dev->driver is set to w1_master_driver.
memcpy(&dev->dev, device, sizeof(struct device));
device_add()
bus_add_device()
dpm_sysfs_add() // It fails, calls bus_remove_device.
// error path
bus_remove_device()
// The dev->driver is not null, but driver is not bound.
__device_release_driver()
klist_remove(&dev->p->knode_driver) <-- It causes null-ptr-deref.
// normal path
bus_probe_device() // It's not called yet.
device_bind_driver()
If dev->driver is set, in the error path after calling bus_add_device()
in device_add(), bus_remove_device() is called, then the device will be
detached from driver. But device_bind_driver() is not called yet, so it
causes null-ptr-deref while access the 'knode_driver'. To fix this, set
dev->driver to null in the error path before calling bus_remove_device().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
57eee3d23e8833ca18708b374c648235691942ba , < 2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3
(git)
Affected: 57eee3d23e8833ca18708b374c648235691942ba , < 7cf515bf9e8c2908dc170ecf2df117162a16c9c5 (git) Affected: 57eee3d23e8833ca18708b374c648235691942ba , < 17982304806c5c10924e73f7ca5556e0d7378452 (git) Affected: 57eee3d23e8833ca18708b374c648235691942ba , < f6837f34a34973ef6600c08195ed300e24e97317 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3",
"status": "affected",
"version": "57eee3d23e8833ca18708b374c648235691942ba",
"versionType": "git"
},
{
"lessThan": "7cf515bf9e8c2908dc170ecf2df117162a16c9c5",
"status": "affected",
"version": "57eee3d23e8833ca18708b374c648235691942ba",
"versionType": "git"
},
{
"lessThan": "17982304806c5c10924e73f7ca5556e0d7378452",
"status": "affected",
"version": "57eee3d23e8833ca18708b374c648235691942ba",
"versionType": "git"
},
{
"lessThan": "f6837f34a34973ef6600c08195ed300e24e97317",
"status": "affected",
"version": "57eee3d23e8833ca18708b374c648235691942ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix potential null-ptr-deref in device_add()\n\nI got the following null-ptr-deref report while doing fault injection test:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000058\nCPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+\nRIP: 0010:klist_put+0x2d/0xd0\nCall Trace:\n \u003cTASK\u003e\n klist_remove+0xf1/0x1c0\n device_release_driver_internal+0x196/0x210\n bus_remove_device+0x1bd/0x240\n device_add+0xd3d/0x1100\n w1_add_master_device+0x476/0x490 [wire]\n ds2482_probe+0x303/0x3e0 [ds2482]\n\nThis is how it happened:\n\nw1_alloc_dev()\n // The dev-\u003edriver is set to w1_master_driver.\n memcpy(\u0026dev-\u003edev, device, sizeof(struct device));\n device_add()\n bus_add_device()\n dpm_sysfs_add() // It fails, calls bus_remove_device.\n\n // error path\n bus_remove_device()\n // The dev-\u003edriver is not null, but driver is not bound.\n __device_release_driver()\n klist_remove(\u0026dev-\u003ep-\u003eknode_driver) \u003c-- It causes null-ptr-deref.\n\n // normal path\n bus_probe_device() // It\u0027s not called yet.\n device_bind_driver()\n\nIf dev-\u003edriver is set, in the error path after calling bus_add_device()\nin device_add(), bus_remove_device() is called, then the device will be\ndetached from driver. But device_bind_driver() is not called yet, so it\ncauses null-ptr-deref while access the \u0027knode_driver\u0027. To fix this, set\ndev-\u003edriver to null in the error path before calling bus_remove_device()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:34:14.793Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3"
},
{
"url": "https://git.kernel.org/stable/c/7cf515bf9e8c2908dc170ecf2df117162a16c9c5"
},
{
"url": "https://git.kernel.org/stable/c/17982304806c5c10924e73f7ca5556e0d7378452"
},
{
"url": "https://git.kernel.org/stable/c/f6837f34a34973ef6600c08195ed300e24e97317"
}
],
"title": "driver core: fix potential null-ptr-deref in device_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54321",
"datePublished": "2025-12-30T12:34:14.793Z",
"dateReserved": "2025-12-30T12:28:53.860Z",
"dateUpdated": "2025-12-30T12:34:14.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53851 (GCVE-0-2023-53851)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
drm/msm/dp: Drop aux devices together with DP controller
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: Drop aux devices together with DP controller
Using devres to depopulate the aux bus made sure that upon a probe
deferral the EDP panel device would be destroyed and recreated upon next
attempt.
But the struct device which the devres is tied to is the DPUs
(drm_dev->dev), which may be happen after the DP controller is torn
down.
Indications of this can be seen in the commonly seen EDID-hexdump full
of zeros in the log, or the occasional/rare KASAN fault where the
panel's attempt to read the EDID information causes a use after free on
DP resources.
It's tempting to move the devres to the DP controller's struct device,
but the resources used by the device(s) on the aux bus are explicitly
torn down in the error path. The KASAN-reported use-after-free also
remains, as the DP aux "module" explicitly frees its devres-allocated
memory in this code path.
As such, explicitly depopulate the aux bus in the error path, and in the
component unbind path, to avoid these issues.
Patchwork: https://patchwork.freedesktop.org/patch/542163/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2b57f726611e294dc4297dd48eb8c98ef1938e82 , < e09ed06938807cb113cddd0708ed74bd8cdaff33
(git)
Affected: 2b57f726611e294dc4297dd48eb8c98ef1938e82 , < 2fde37445807e6e6d7981402d0bf1be0e5d81291 (git) Affected: 2b57f726611e294dc4297dd48eb8c98ef1938e82 , < a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d (git) Affected: 8768663188e4169333f66583e4d2432e65c421df (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e09ed06938807cb113cddd0708ed74bd8cdaff33",
"status": "affected",
"version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
"versionType": "git"
},
{
"lessThan": "2fde37445807e6e6d7981402d0bf1be0e5d81291",
"status": "affected",
"version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
"versionType": "git"
},
{
"lessThan": "a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d",
"status": "affected",
"version": "2b57f726611e294dc4297dd48eb8c98ef1938e82",
"versionType": "git"
},
{
"status": "affected",
"version": "8768663188e4169333f66583e4d2432e65c421df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/dp/dp_display.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: Drop aux devices together with DP controller\n\nUsing devres to depopulate the aux bus made sure that upon a probe\ndeferral the EDP panel device would be destroyed and recreated upon next\nattempt.\n\nBut the struct device which the devres is tied to is the DPUs\n(drm_dev-\u003edev), which may be happen after the DP controller is torn\ndown.\n\nIndications of this can be seen in the commonly seen EDID-hexdump full\nof zeros in the log, or the occasional/rare KASAN fault where the\npanel\u0027s attempt to read the EDID information causes a use after free on\nDP resources.\n\nIt\u0027s tempting to move the devres to the DP controller\u0027s struct device,\nbut the resources used by the device(s) on the aux bus are explicitly\ntorn down in the error path. The KASAN-reported use-after-free also\nremains, as the DP aux \"module\" explicitly frees its devres-allocated\nmemory in this code path.\n\nAs such, explicitly depopulate the aux bus in the error path, and in the\ncomponent unbind path, to avoid these issues.\n\nPatchwork: https://patchwork.freedesktop.org/patch/542163/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:16.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e09ed06938807cb113cddd0708ed74bd8cdaff33"
},
{
"url": "https://git.kernel.org/stable/c/2fde37445807e6e6d7981402d0bf1be0e5d81291"
},
{
"url": "https://git.kernel.org/stable/c/a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d"
}
],
"title": "drm/msm/dp: Drop aux devices together with DP controller",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53851",
"datePublished": "2025-12-09T01:30:16.081Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:16.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54314 (GCVE-0-2023-54314)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
In af9005_i2c_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach af9005_i2c_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.
Similar commit:
commit 0ed554fd769a
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
af4e067e1dcf926d9523dff11e46c45fd9fa9da2 , < 98c12abb275b75a98ff62de9466d21e4daa98536
(git)
Affected: af4e067e1dcf926d9523dff11e46c45fd9fa9da2 , < 63d962ac7a52c0ff4cd09af2e284dce5e5955dfe (git) Affected: af4e067e1dcf926d9523dff11e46c45fd9fa9da2 , < 0c02eb70b1dd4ae9bb304ce6cdadbc6faba2b2e9 (git) Affected: af4e067e1dcf926d9523dff11e46c45fd9fa9da2 , < c7e5ac737db25d7387fe517cb5207706782b6cf8 (git) Affected: af4e067e1dcf926d9523dff11e46c45fd9fa9da2 , < 033b0c0780adee32dde218179e9bc51d2525108f (git) Affected: af4e067e1dcf926d9523dff11e46c45fd9fa9da2 , < abb6fd93e05e80668d2317fe1110bc99b05034c3 (git) Affected: af4e067e1dcf926d9523dff11e46c45fd9fa9da2 , < e595ff350b2fd600823ee8491df7df693ae4b7c5 (git) Affected: af4e067e1dcf926d9523dff11e46c45fd9fa9da2 , < f4ee84f27625ce1fdf41e8483fa0561a1b837d10 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/af9005.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98c12abb275b75a98ff62de9466d21e4daa98536",
"status": "affected",
"version": "af4e067e1dcf926d9523dff11e46c45fd9fa9da2",
"versionType": "git"
},
{
"lessThan": "63d962ac7a52c0ff4cd09af2e284dce5e5955dfe",
"status": "affected",
"version": "af4e067e1dcf926d9523dff11e46c45fd9fa9da2",
"versionType": "git"
},
{
"lessThan": "0c02eb70b1dd4ae9bb304ce6cdadbc6faba2b2e9",
"status": "affected",
"version": "af4e067e1dcf926d9523dff11e46c45fd9fa9da2",
"versionType": "git"
},
{
"lessThan": "c7e5ac737db25d7387fe517cb5207706782b6cf8",
"status": "affected",
"version": "af4e067e1dcf926d9523dff11e46c45fd9fa9da2",
"versionType": "git"
},
{
"lessThan": "033b0c0780adee32dde218179e9bc51d2525108f",
"status": "affected",
"version": "af4e067e1dcf926d9523dff11e46c45fd9fa9da2",
"versionType": "git"
},
{
"lessThan": "abb6fd93e05e80668d2317fe1110bc99b05034c3",
"status": "affected",
"version": "af4e067e1dcf926d9523dff11e46c45fd9fa9da2",
"versionType": "git"
},
{
"lessThan": "e595ff350b2fd600823ee8491df7df693ae4b7c5",
"status": "affected",
"version": "af4e067e1dcf926d9523dff11e46c45fd9fa9da2",
"versionType": "git"
},
{
"lessThan": "f4ee84f27625ce1fdf41e8483fa0561a1b837d10",
"status": "affected",
"version": "af4e067e1dcf926d9523dff11e46c45fd9fa9da2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/af9005.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.23"
},
{
"lessThan": "2.6.23",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "2.6.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.23",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: af9005: Fix null-ptr-deref in af9005_i2c_xfer\n\nIn af9005_i2c_xfer, msg is controlled by user. When msg[i].buf\nis null and msg[i].len is zero, former checks on msg[i].buf would be\npassed. Malicious data finally reach af9005_i2c_xfer. If accessing\nmsg[i].buf[0] without sanity check, null ptr deref would happen.\nWe add check on msg[i].len to prevent crash.\n\nSimilar commit:\ncommit 0ed554fd769a\n(\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:23.698Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98c12abb275b75a98ff62de9466d21e4daa98536"
},
{
"url": "https://git.kernel.org/stable/c/63d962ac7a52c0ff4cd09af2e284dce5e5955dfe"
},
{
"url": "https://git.kernel.org/stable/c/0c02eb70b1dd4ae9bb304ce6cdadbc6faba2b2e9"
},
{
"url": "https://git.kernel.org/stable/c/c7e5ac737db25d7387fe517cb5207706782b6cf8"
},
{
"url": "https://git.kernel.org/stable/c/033b0c0780adee32dde218179e9bc51d2525108f"
},
{
"url": "https://git.kernel.org/stable/c/abb6fd93e05e80668d2317fe1110bc99b05034c3"
},
{
"url": "https://git.kernel.org/stable/c/e595ff350b2fd600823ee8491df7df693ae4b7c5"
},
{
"url": "https://git.kernel.org/stable/c/f4ee84f27625ce1fdf41e8483fa0561a1b837d10"
}
],
"title": "media: af9005: Fix null-ptr-deref in af9005_i2c_xfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54314",
"datePublished": "2025-12-30T12:23:45.179Z",
"dateReserved": "2025-12-30T12:06:44.531Z",
"dateUpdated": "2026-01-05T11:37:23.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50824 (GCVE-0-2022-50824)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak
In check_acpi_tpm2(), we get the TPM2 table just to make
sure the table is there, not used after the init, so the
acpi_put_table() should be added to release the ACPI memory.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4cb586a188d468e05649575f0689dd2bf8c122e6 , < 8bc6c10d3f389693410adb14b4e9deec01ff6334
(git)
Affected: 4cb586a188d468e05649575f0689dd2bf8c122e6 , < de667a2704ae799f697fd45cf4317623d8c79fb7 (git) Affected: 4cb586a188d468e05649575f0689dd2bf8c122e6 , < e027f3b9fabd2b410a4e6a7651e7a45b87019f23 (git) Affected: 4cb586a188d468e05649575f0689dd2bf8c122e6 , < 3b6c822238da9ee8984803355601bcc603d49cb5 (git) Affected: 4cb586a188d468e05649575f0689dd2bf8c122e6 , < 43135fb098126ef2cd6ed584900fd7bfa25f95ce (git) Affected: 4cb586a188d468e05649575f0689dd2bf8c122e6 , < e0d1cf8ef84bb14a673215699fb8acc187aa2c4a (git) Affected: 4cb586a188d468e05649575f0689dd2bf8c122e6 , < e60fa800a32a693d672b1a091424d780278c4587 (git) Affected: 4cb586a188d468e05649575f0689dd2bf8c122e6 , < db9622f762104459ff87ecdf885cc42c18053fd9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm_tis.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8bc6c10d3f389693410adb14b4e9deec01ff6334",
"status": "affected",
"version": "4cb586a188d468e05649575f0689dd2bf8c122e6",
"versionType": "git"
},
{
"lessThan": "de667a2704ae799f697fd45cf4317623d8c79fb7",
"status": "affected",
"version": "4cb586a188d468e05649575f0689dd2bf8c122e6",
"versionType": "git"
},
{
"lessThan": "e027f3b9fabd2b410a4e6a7651e7a45b87019f23",
"status": "affected",
"version": "4cb586a188d468e05649575f0689dd2bf8c122e6",
"versionType": "git"
},
{
"lessThan": "3b6c822238da9ee8984803355601bcc603d49cb5",
"status": "affected",
"version": "4cb586a188d468e05649575f0689dd2bf8c122e6",
"versionType": "git"
},
{
"lessThan": "43135fb098126ef2cd6ed584900fd7bfa25f95ce",
"status": "affected",
"version": "4cb586a188d468e05649575f0689dd2bf8c122e6",
"versionType": "git"
},
{
"lessThan": "e0d1cf8ef84bb14a673215699fb8acc187aa2c4a",
"status": "affected",
"version": "4cb586a188d468e05649575f0689dd2bf8c122e6",
"versionType": "git"
},
{
"lessThan": "e60fa800a32a693d672b1a091424d780278c4587",
"status": "affected",
"version": "4cb586a188d468e05649575f0689dd2bf8c122e6",
"versionType": "git"
},
{
"lessThan": "db9622f762104459ff87ecdf885cc42c18053fd9",
"status": "affected",
"version": "4cb586a188d468e05649575f0689dd2bf8c122e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/tpm/tpm_tis.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak\n\nIn check_acpi_tpm2(), we get the TPM2 table just to make\nsure the table is there, not used after the init, so the\nacpi_put_table() should be added to release the ACPI memory."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:37.580Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8bc6c10d3f389693410adb14b4e9deec01ff6334"
},
{
"url": "https://git.kernel.org/stable/c/de667a2704ae799f697fd45cf4317623d8c79fb7"
},
{
"url": "https://git.kernel.org/stable/c/e027f3b9fabd2b410a4e6a7651e7a45b87019f23"
},
{
"url": "https://git.kernel.org/stable/c/3b6c822238da9ee8984803355601bcc603d49cb5"
},
{
"url": "https://git.kernel.org/stable/c/43135fb098126ef2cd6ed584900fd7bfa25f95ce"
},
{
"url": "https://git.kernel.org/stable/c/e0d1cf8ef84bb14a673215699fb8acc187aa2c4a"
},
{
"url": "https://git.kernel.org/stable/c/e60fa800a32a693d672b1a091424d780278c4587"
},
{
"url": "https://git.kernel.org/stable/c/db9622f762104459ff87ecdf885cc42c18053fd9"
}
],
"title": "tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50824",
"datePublished": "2025-12-30T12:08:37.580Z",
"dateReserved": "2025-12-30T12:06:07.131Z",
"dateUpdated": "2025-12-30T12:08:37.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68347 (GCVE-0-2025-68347)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
The DSP event handling code in hwdep_read() could write more bytes to
the user buffer than requested, when a user provides a buffer smaller
than the event header size (8 bytes).
Fix by using min_t() to clamp the copy size, This ensures we never copy
more than the user requested.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
634ec0b2906efd46f6f57977e172aa3470aca432 , < 16620f0617400746984362c3d6ac547eeae1d35f
(git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 6275fd726d53a8ec724f20201cf3bd862711e17b (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 161291bac551821bba98eb4ea84c82338578d1b0 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < cdda0d06f8650e33255f79839f188bbece44117c (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 210d77cca3d0494ed30a5c628b20c1d95fa04fb1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16620f0617400746984362c3d6ac547eeae1d35f",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "6275fd726d53a8ec724f20201cf3bd862711e17b",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "161291bac551821bba98eb4ea84c82338578d1b0",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "cdda0d06f8650e33255f79839f188bbece44117c",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "210d77cca3d0494ed30a5c628b20c1d95fa04fb1",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events\n\nThe DSP event handling code in hwdep_read() could write more bytes to\nthe user buffer than requested, when a user provides a buffer smaller\nthan the event header size (8 bytes).\n\nFix by using min_t() to clamp the copy size, This ensures we never copy\nmore than the user requested."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:52.270Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16620f0617400746984362c3d6ac547eeae1d35f"
},
{
"url": "https://git.kernel.org/stable/c/ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe"
},
{
"url": "https://git.kernel.org/stable/c/6275fd726d53a8ec724f20201cf3bd862711e17b"
},
{
"url": "https://git.kernel.org/stable/c/161291bac551821bba98eb4ea84c82338578d1b0"
},
{
"url": "https://git.kernel.org/stable/c/cdda0d06f8650e33255f79839f188bbece44117c"
},
{
"url": "https://git.kernel.org/stable/c/210d77cca3d0494ed30a5c628b20c1d95fa04fb1"
}
],
"title": "ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68347",
"datePublished": "2025-12-24T10:32:39.804Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-01-11T16:29:52.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53844 (GCVE-0-2023-53844)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
drm/ttm: Don't leak a resource on swapout move error
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Don't leak a resource on swapout move error
If moving the bo to system for swapout failed, we were leaking
a resource. Fix.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < af4e0ce2af8a8f0ff3b89702a1e18d8ec2c4a834
(git)
Affected: bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < f037f6038736bd038ddb9c72de979a08cc1ee3b5 (git) Affected: bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < 4a5b37ea6797d7a53e6dd004aa37e149f40199ce (git) Affected: bfa3357ef9abc9d56a2910222d2deeb9f15c91ff , < a590f03d8de7c4cb7ce4916dc7f2fd10711faabe (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af4e0ce2af8a8f0ff3b89702a1e18d8ec2c4a834",
"status": "affected",
"version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
"versionType": "git"
},
{
"lessThan": "f037f6038736bd038ddb9c72de979a08cc1ee3b5",
"status": "affected",
"version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
"versionType": "git"
},
{
"lessThan": "4a5b37ea6797d7a53e6dd004aa37e149f40199ce",
"status": "affected",
"version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
"versionType": "git"
},
{
"lessThan": "a590f03d8de7c4cb7ce4916dc7f2fd10711faabe",
"status": "affected",
"version": "bfa3357ef9abc9d56a2910222d2deeb9f15c91ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Don\u0027t leak a resource on swapout move error\n\nIf moving the bo to system for swapout failed, we were leaking\na resource. Fix."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:06.863Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af4e0ce2af8a8f0ff3b89702a1e18d8ec2c4a834"
},
{
"url": "https://git.kernel.org/stable/c/f037f6038736bd038ddb9c72de979a08cc1ee3b5"
},
{
"url": "https://git.kernel.org/stable/c/4a5b37ea6797d7a53e6dd004aa37e149f40199ce"
},
{
"url": "https://git.kernel.org/stable/c/a590f03d8de7c4cb7ce4916dc7f2fd10711faabe"
}
],
"title": "drm/ttm: Don\u0027t leak a resource on swapout move error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53844",
"datePublished": "2025-12-09T01:30:06.863Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:06.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50629 (GCVE-0-2022-50629)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16
VLAI?
EPSS
Title
wifi: rsi: Fix memory leak in rsi_coex_attach()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rsi: Fix memory leak in rsi_coex_attach()
The coex_cb needs to be freed when rsi_create_kthread() failed in
rsi_coex_attach().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2108df3c4b1856588ca2e7f641900c2bbf38467e , < 98259e0b6cf7f021da9fe4e11fbcce6ad6705ffe
(git)
Affected: 2108df3c4b1856588ca2e7f641900c2bbf38467e , < fe4d7280cf4ddbea6536b596297c07662c7856fc (git) Affected: 2108df3c4b1856588ca2e7f641900c2bbf38467e , < efc8df970561ff708379b89b348e16d3b410cc7b (git) Affected: 2108df3c4b1856588ca2e7f641900c2bbf38467e , < b56e60b3b158a93bc713437e8e466f401ff8cc9f (git) Affected: 2108df3c4b1856588ca2e7f641900c2bbf38467e , < c4f1ded67a90fb3b2e679e2c90b78921d9246044 (git) Affected: 2108df3c4b1856588ca2e7f641900c2bbf38467e , < ace789b1d465fae104cd37e49f6e1bcd1c8ff417 (git) Affected: 2108df3c4b1856588ca2e7f641900c2bbf38467e , < 956fb851a6e19da5ab491e19c1bc323bb2c2cf6f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/rsi/rsi_91x_coex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98259e0b6cf7f021da9fe4e11fbcce6ad6705ffe",
"status": "affected",
"version": "2108df3c4b1856588ca2e7f641900c2bbf38467e",
"versionType": "git"
},
{
"lessThan": "fe4d7280cf4ddbea6536b596297c07662c7856fc",
"status": "affected",
"version": "2108df3c4b1856588ca2e7f641900c2bbf38467e",
"versionType": "git"
},
{
"lessThan": "efc8df970561ff708379b89b348e16d3b410cc7b",
"status": "affected",
"version": "2108df3c4b1856588ca2e7f641900c2bbf38467e",
"versionType": "git"
},
{
"lessThan": "b56e60b3b158a93bc713437e8e466f401ff8cc9f",
"status": "affected",
"version": "2108df3c4b1856588ca2e7f641900c2bbf38467e",
"versionType": "git"
},
{
"lessThan": "c4f1ded67a90fb3b2e679e2c90b78921d9246044",
"status": "affected",
"version": "2108df3c4b1856588ca2e7f641900c2bbf38467e",
"versionType": "git"
},
{
"lessThan": "ace789b1d465fae104cd37e49f6e1bcd1c8ff417",
"status": "affected",
"version": "2108df3c4b1856588ca2e7f641900c2bbf38467e",
"versionType": "git"
},
{
"lessThan": "956fb851a6e19da5ab491e19c1bc323bb2c2cf6f",
"status": "affected",
"version": "2108df3c4b1856588ca2e7f641900c2bbf38467e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/rsi/rsi_91x_coex.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rsi: Fix memory leak in rsi_coex_attach()\n\nThe coex_cb needs to be freed when rsi_create_kthread() failed in\nrsi_coex_attach()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:16:44.466Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98259e0b6cf7f021da9fe4e11fbcce6ad6705ffe"
},
{
"url": "https://git.kernel.org/stable/c/fe4d7280cf4ddbea6536b596297c07662c7856fc"
},
{
"url": "https://git.kernel.org/stable/c/efc8df970561ff708379b89b348e16d3b410cc7b"
},
{
"url": "https://git.kernel.org/stable/c/b56e60b3b158a93bc713437e8e466f401ff8cc9f"
},
{
"url": "https://git.kernel.org/stable/c/c4f1ded67a90fb3b2e679e2c90b78921d9246044"
},
{
"url": "https://git.kernel.org/stable/c/ace789b1d465fae104cd37e49f6e1bcd1c8ff417"
},
{
"url": "https://git.kernel.org/stable/c/956fb851a6e19da5ab491e19c1bc323bb2c2cf6f"
}
],
"title": "wifi: rsi: Fix memory leak in rsi_coex_attach()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50629",
"datePublished": "2025-12-08T01:16:44.466Z",
"dateReserved": "2025-12-08T01:14:55.192Z",
"dateUpdated": "2025-12-08T01:16:44.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53785 (GCVE-0-2023-53785)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
mt76: mt7921: don't assume adequate headroom for SDIO headers
Summary
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7921: don't assume adequate headroom for SDIO headers
mt7921_usb_sdio_tx_prepare_skb() calls mt7921_usb_sdio_write_txwi() and
mt7921_skb_add_usb_sdio_hdr(), both of which blindly assume that
adequate headroom will be available in the passed skb. This assumption
typically is satisfied when the skb was allocated in the net core for
transmission via the mt7921 netdev (although even that is only an
optimization and is not strictly guaranteed), but the assumption is
sometimes not satisfied when the skb originated in the receive path of
another netdev and was passed through to the mt7921, such as by the
bridge layer. Blindly prepending bytes to an skb is always wrong.
This commit introduces a call to skb_cow_head() before the call to
mt7921_usb_sdio_write_txwi() in mt7921_usb_sdio_tx_prepare_skb() to
ensure that at least MT_SDIO_TXD_SIZE + MT_SDIO_HDR_SIZE bytes can be
pushed onto the skb.
Without this fix, I can trivially cause kernel panics by bridging an
MT7921AU-based USB 802.11ax interface with an Ethernet interface on an
Intel Atom-based x86 system using its onboard RTL8169 PCI Ethernet
adapter and also on an ARM-based Raspberry Pi 1 using its onboard
SMSC9512 USB Ethernet adapter. Note that the panics do not occur in
every system configuration, as they occur only if the receiving netdev
leaves less headroom in its received skbs than the mt7921 needs for its
SDIO headers.
Here is an example stack trace of this panic on Raspberry Pi OS Lite
2023-02-21 running kernel 6.1.24+ [1]:
skb_panic from skb_push+0x44/0x48
skb_push from mt7921_usb_sdio_tx_prepare_skb+0xd4/0x190 [mt7921_common]
mt7921_usb_sdio_tx_prepare_skb [mt7921_common] from mt76u_tx_queue_skb+0x94/0x1d0 [mt76_usb]
mt76u_tx_queue_skb [mt76_usb] from __mt76_tx_queue_skb+0x4c/0xc8 [mt76]
__mt76_tx_queue_skb [mt76] from mt76_txq_schedule.part.0+0x13c/0x398 [mt76]
mt76_txq_schedule.part.0 [mt76] from mt76_txq_schedule_all+0x24/0x30 [mt76]
mt76_txq_schedule_all [mt76] from mt7921_tx_worker+0x58/0xf4 [mt7921_common]
mt7921_tx_worker [mt7921_common] from __mt76_worker_fn+0x9c/0xec [mt76]
__mt76_worker_fn [mt76] from kthread+0xbc/0xe0
kthread from ret_from_fork+0x14/0x34
After this fix, bridging the mt7921 interface works fine on both of my
previously problematic systems.
[1] https://github.com/raspberrypi/firmware/tree/5c276f55a4b21345cd4d6200a504ee991851ff7a
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e0f9fdda81bd32371ddac9222487e612027d8de2 , < 5c8bbb79c7cbca65534badf360f3b1145759c7bc
(git)
Affected: e0f9fdda81bd32371ddac9222487e612027d8de2 , < 414c0c04703423b78bc9dea1aa6493334dc61f6e (git) Affected: e0f9fdda81bd32371ddac9222487e612027d8de2 , < 98c4d0abf5c478db1ad126ff0c187dbb84c0803c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c8bbb79c7cbca65534badf360f3b1145759c7bc",
"status": "affected",
"version": "e0f9fdda81bd32371ddac9222487e612027d8de2",
"versionType": "git"
},
{
"lessThan": "414c0c04703423b78bc9dea1aa6493334dc61f6e",
"status": "affected",
"version": "e0f9fdda81bd32371ddac9222487e612027d8de2",
"versionType": "git"
},
{
"lessThan": "98c4d0abf5c478db1ad126ff0c187dbb84c0803c",
"status": "affected",
"version": "e0f9fdda81bd32371ddac9222487e612027d8de2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7921: don\u0027t assume adequate headroom for SDIO headers\n\nmt7921_usb_sdio_tx_prepare_skb() calls mt7921_usb_sdio_write_txwi() and\nmt7921_skb_add_usb_sdio_hdr(), both of which blindly assume that\nadequate headroom will be available in the passed skb. This assumption\ntypically is satisfied when the skb was allocated in the net core for\ntransmission via the mt7921 netdev (although even that is only an\noptimization and is not strictly guaranteed), but the assumption is\nsometimes not satisfied when the skb originated in the receive path of\nanother netdev and was passed through to the mt7921, such as by the\nbridge layer. Blindly prepending bytes to an skb is always wrong.\n\nThis commit introduces a call to skb_cow_head() before the call to\nmt7921_usb_sdio_write_txwi() in mt7921_usb_sdio_tx_prepare_skb() to\nensure that at least MT_SDIO_TXD_SIZE + MT_SDIO_HDR_SIZE bytes can be\npushed onto the skb.\n\nWithout this fix, I can trivially cause kernel panics by bridging an\nMT7921AU-based USB 802.11ax interface with an Ethernet interface on an\nIntel Atom-based x86 system using its onboard RTL8169 PCI Ethernet\nadapter and also on an ARM-based Raspberry Pi 1 using its onboard\nSMSC9512 USB Ethernet adapter. Note that the panics do not occur in\nevery system configuration, as they occur only if the receiving netdev\nleaves less headroom in its received skbs than the mt7921 needs for its\nSDIO headers.\n\nHere is an example stack trace of this panic on Raspberry Pi OS Lite\n2023-02-21 running kernel 6.1.24+ [1]:\n\n skb_panic from skb_push+0x44/0x48\n skb_push from mt7921_usb_sdio_tx_prepare_skb+0xd4/0x190 [mt7921_common]\n mt7921_usb_sdio_tx_prepare_skb [mt7921_common] from mt76u_tx_queue_skb+0x94/0x1d0 [mt76_usb]\n mt76u_tx_queue_skb [mt76_usb] from __mt76_tx_queue_skb+0x4c/0xc8 [mt76]\n __mt76_tx_queue_skb [mt76] from mt76_txq_schedule.part.0+0x13c/0x398 [mt76]\n mt76_txq_schedule.part.0 [mt76] from mt76_txq_schedule_all+0x24/0x30 [mt76]\n mt76_txq_schedule_all [mt76] from mt7921_tx_worker+0x58/0xf4 [mt7921_common]\n mt7921_tx_worker [mt7921_common] from __mt76_worker_fn+0x9c/0xec [mt76]\n __mt76_worker_fn [mt76] from kthread+0xbc/0xe0\n kthread from ret_from_fork+0x14/0x34\n\nAfter this fix, bridging the mt7921 interface works fine on both of my\npreviously problematic systems.\n\n[1] https://github.com/raspberrypi/firmware/tree/5c276f55a4b21345cd4d6200a504ee991851ff7a"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:21.529Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c8bbb79c7cbca65534badf360f3b1145759c7bc"
},
{
"url": "https://git.kernel.org/stable/c/414c0c04703423b78bc9dea1aa6493334dc61f6e"
},
{
"url": "https://git.kernel.org/stable/c/98c4d0abf5c478db1ad126ff0c187dbb84c0803c"
}
],
"title": "mt76: mt7921: don\u0027t assume adequate headroom for SDIO headers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53785",
"datePublished": "2025-12-09T00:00:40.505Z",
"dateReserved": "2025-12-08T23:58:35.273Z",
"dateUpdated": "2025-12-20T08:51:21.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50774 (GCVE-0-2022-50774)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
crypto: qat - fix DMA transfer direction
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - fix DMA transfer direction
When CONFIG_DMA_API_DEBUG is selected, while running the crypto self
test on the QAT crypto algorithms, the function add_dma_entry() reports
a warning similar to the one below, saying that overlapping mappings
are not supported. This occurs in tests where the input and the output
scatter list point to the same buffers (i.e. two different scatter lists
which point to the same chunks of memory).
The logic that implements the mapping uses the flag DMA_BIDIRECTIONAL
for both the input and the output scatter lists which leads to
overlapped write mappings. These are not supported by the DMA layer.
Fix by specifying the correct DMA transfer directions when mapping
buffers. For in-place operations where the input scatter list
matches the output scatter list, buffers are mapped once with
DMA_BIDIRECTIONAL, otherwise input buffers are mapped using the flag
DMA_TO_DEVICE and output buffers are mapped with DMA_FROM_DEVICE.
Overlapping a read mapping with a write mapping is a valid case in
dma-coherent devices like QAT.
The function that frees and unmaps the buffers, qat_alg_free_bufl()
has been changed accordingly to the changes to the mapping function.
DMA-API: 4xxx 0000:06:00.0: cacheline tracking EEXIST, overlapping mappings aren't supported
WARNING: CPU: 53 PID: 4362 at kernel/dma/debug.c:570 add_dma_entry+0x1e9/0x270
...
Call Trace:
dma_map_page_attrs+0x82/0x2d0
? preempt_count_add+0x6a/0xa0
qat_alg_sgl_to_bufl+0x45b/0x990 [intel_qat]
qat_alg_aead_dec+0x71/0x250 [intel_qat]
crypto_aead_decrypt+0x3d/0x70
test_aead_vec_cfg+0x649/0x810
? number+0x310/0x3a0
? vsnprintf+0x2a3/0x550
? scnprintf+0x42/0x70
? valid_sg_divisions.constprop.0+0x86/0xa0
? test_aead_vec+0xdf/0x120
test_aead_vec+0xdf/0x120
alg_test_aead+0x185/0x400
alg_test+0x3d8/0x500
? crypto_acomp_scomp_free_ctx+0x30/0x30
? __schedule+0x32a/0x12a0
? ttwu_queue_wakelist+0xbf/0x110
? _raw_spin_unlock_irqrestore+0x23/0x40
? try_to_wake_up+0x83/0x570
? _raw_spin_unlock_irqrestore+0x23/0x40
? __set_cpus_allowed_ptr_locked+0xea/0x1b0
? crypto_acomp_scomp_free_ctx+0x30/0x30
cryptomgr_test+0x27/0x50
kthread+0xe6/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x1f/0x30
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d370cec3219490656d72f5ae6e5df32c113c5a44 , < 426d5bc089e7731e36b514d1beca19e777a2d653
(git)
Affected: d370cec3219490656d72f5ae6e5df32c113c5a44 , < 1f1ab76e251521bd2fa5244473efcf663792745d (git) Affected: d370cec3219490656d72f5ae6e5df32c113c5a44 , < 429348d4f675e9eb418d0829064c4d7d06bd66a3 (git) Affected: d370cec3219490656d72f5ae6e5df32c113c5a44 , < c4c9d9edf4848aed89516b23b88950b194beff6a (git) Affected: d370cec3219490656d72f5ae6e5df32c113c5a44 , < cf5bb835b7c8a5fee7f26455099cca7feb57f5e9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "426d5bc089e7731e36b514d1beca19e777a2d653",
"status": "affected",
"version": "d370cec3219490656d72f5ae6e5df32c113c5a44",
"versionType": "git"
},
{
"lessThan": "1f1ab76e251521bd2fa5244473efcf663792745d",
"status": "affected",
"version": "d370cec3219490656d72f5ae6e5df32c113c5a44",
"versionType": "git"
},
{
"lessThan": "429348d4f675e9eb418d0829064c4d7d06bd66a3",
"status": "affected",
"version": "d370cec3219490656d72f5ae6e5df32c113c5a44",
"versionType": "git"
},
{
"lessThan": "c4c9d9edf4848aed89516b23b88950b194beff6a",
"status": "affected",
"version": "d370cec3219490656d72f5ae6e5df32c113c5a44",
"versionType": "git"
},
{
"lessThan": "cf5bb835b7c8a5fee7f26455099cca7feb57f5e9",
"status": "affected",
"version": "d370cec3219490656d72f5ae6e5df32c113c5a44",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - fix DMA transfer direction\n\nWhen CONFIG_DMA_API_DEBUG is selected, while running the crypto self\ntest on the QAT crypto algorithms, the function add_dma_entry() reports\na warning similar to the one below, saying that overlapping mappings\nare not supported. This occurs in tests where the input and the output\nscatter list point to the same buffers (i.e. two different scatter lists\nwhich point to the same chunks of memory).\n\nThe logic that implements the mapping uses the flag DMA_BIDIRECTIONAL\nfor both the input and the output scatter lists which leads to\noverlapped write mappings. These are not supported by the DMA layer.\n\nFix by specifying the correct DMA transfer directions when mapping\nbuffers. For in-place operations where the input scatter list\nmatches the output scatter list, buffers are mapped once with\nDMA_BIDIRECTIONAL, otherwise input buffers are mapped using the flag\nDMA_TO_DEVICE and output buffers are mapped with DMA_FROM_DEVICE.\nOverlapping a read mapping with a write mapping is a valid case in\ndma-coherent devices like QAT.\nThe function that frees and unmaps the buffers, qat_alg_free_bufl()\nhas been changed accordingly to the changes to the mapping function.\n\n DMA-API: 4xxx 0000:06:00.0: cacheline tracking EEXIST, overlapping mappings aren\u0027t supported\n WARNING: CPU: 53 PID: 4362 at kernel/dma/debug.c:570 add_dma_entry+0x1e9/0x270\n ...\n Call Trace:\n dma_map_page_attrs+0x82/0x2d0\n ? preempt_count_add+0x6a/0xa0\n qat_alg_sgl_to_bufl+0x45b/0x990 [intel_qat]\n qat_alg_aead_dec+0x71/0x250 [intel_qat]\n crypto_aead_decrypt+0x3d/0x70\n test_aead_vec_cfg+0x649/0x810\n ? number+0x310/0x3a0\n ? vsnprintf+0x2a3/0x550\n ? scnprintf+0x42/0x70\n ? valid_sg_divisions.constprop.0+0x86/0xa0\n ? test_aead_vec+0xdf/0x120\n test_aead_vec+0xdf/0x120\n alg_test_aead+0x185/0x400\n alg_test+0x3d8/0x500\n ? crypto_acomp_scomp_free_ctx+0x30/0x30\n ? __schedule+0x32a/0x12a0\n ? ttwu_queue_wakelist+0xbf/0x110\n ? _raw_spin_unlock_irqrestore+0x23/0x40\n ? try_to_wake_up+0x83/0x570\n ? _raw_spin_unlock_irqrestore+0x23/0x40\n ? __set_cpus_allowed_ptr_locked+0xea/0x1b0\n ? crypto_acomp_scomp_free_ctx+0x30/0x30\n cryptomgr_test+0x27/0x50\n kthread+0xe6/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:04.391Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/426d5bc089e7731e36b514d1beca19e777a2d653"
},
{
"url": "https://git.kernel.org/stable/c/1f1ab76e251521bd2fa5244473efcf663792745d"
},
{
"url": "https://git.kernel.org/stable/c/429348d4f675e9eb418d0829064c4d7d06bd66a3"
},
{
"url": "https://git.kernel.org/stable/c/c4c9d9edf4848aed89516b23b88950b194beff6a"
},
{
"url": "https://git.kernel.org/stable/c/cf5bb835b7c8a5fee7f26455099cca7feb57f5e9"
}
],
"title": "crypto: qat - fix DMA transfer direction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50774",
"datePublished": "2025-12-24T13:06:04.391Z",
"dateReserved": "2025-12-24T13:02:21.547Z",
"dateUpdated": "2025-12-24T13:06:04.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50638 (GCVE-0-2022-50638)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-23 13:30
VLAI?
EPSS
Title
ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
We got a issue as fllows:
==================================================================
kernel BUG at fs/ext4/extents_status.c:203!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349
RIP: 0010:ext4_es_end.isra.0+0x34/0x42
RSP: 0018:ffffc9000143b768 EFLAGS: 00010203
RAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff
RBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0
R13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000
FS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__es_tree_search.isra.0+0x6d/0xf5
ext4_es_cache_extent+0xfa/0x230
ext4_cache_extents+0xd2/0x110
ext4_find_extent+0x5d5/0x8c0
ext4_ext_map_blocks+0x9c/0x1d30
ext4_map_blocks+0x431/0xa50
ext4_mpage_readpages+0x48e/0xe40
ext4_readahead+0x47/0x50
read_pages+0x82/0x530
page_cache_ra_unbounded+0x199/0x2a0
do_page_cache_ra+0x47/0x70
page_cache_ra_order+0x242/0x400
ondemand_readahead+0x1e8/0x4b0
page_cache_sync_ra+0xf4/0x110
filemap_get_pages+0x131/0xb20
filemap_read+0xda/0x4b0
generic_file_read_iter+0x13a/0x250
ext4_file_read_iter+0x59/0x1d0
vfs_read+0x28f/0x460
ksys_read+0x73/0x160
__x64_sys_read+0x1e/0x30
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
==================================================================
In the above issue, ioctl invokes the swap_inode_boot_loader function to
swap inode<5> and inode<12>. However, inode<5> contain incorrect imode and
disordered extents, and i_nlink is set to 1. The extents check for inode in
the ext4_iget function can be bypassed bacause 5 is EXT4_BOOT_LOADER_INO.
While links_count is set to 1, the extents are not initialized in
swap_inode_boot_loader. After the ioctl command is executed successfully,
the extents are swapped to inode<12>, in this case, run the `cat` command
to view inode<12>. And Bug_ON is triggered due to the incorrect extents.
When the boot loader inode is not initialized, its imode can be one of the
following:
1) the imode is a bad type, which is marked as bad_inode in ext4_iget and
set to S_IFREG.
2) the imode is good type but not S_IFREG.
3) the imode is S_IFREG.
The BUG_ON may be triggered by bypassing the check in cases 1 and 2.
Therefore, when the boot loader inode is bad_inode or its imode is not
S_IFREG, initialize the inode to avoid triggering the BUG.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
393d1d1d76933886d5e1ce603214c9987589c6d5 , < e76ede9d2c9e0af4573342b56d7cdbf757c18084
(git)
Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < a95ba369255ddcdc5e43d38bc5203537bdf3a518 (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < 5f8d36abd2059bf1bd016b17d1fe78d8613deddd (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < 78e335fb573e6a85718c4c24d5a052718a99a9ed (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < 71e99ec1315fe98d322b17b9a28f204aaf15ffee (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < d480a49c15c465cb9a16db1379f4996e9b5bb9cc (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < feec0ea94c5ef4aa118750284c8a921698733ef2 (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < a125c8806b7d3c3815b6f9f59d395b9d7527b0ef (git) Affected: 393d1d1d76933886d5e1ce603214c9987589c6d5 , < 991ed014de0840c5dc405b679168924afb2952ac (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e76ede9d2c9e0af4573342b56d7cdbf757c18084",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "a95ba369255ddcdc5e43d38bc5203537bdf3a518",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "5f8d36abd2059bf1bd016b17d1fe78d8613deddd",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "78e335fb573e6a85718c4c24d5a052718a99a9ed",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "71e99ec1315fe98d322b17b9a28f204aaf15ffee",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "d480a49c15c465cb9a16db1379f4996e9b5bb9cc",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "feec0ea94c5ef4aa118750284c8a921698733ef2",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "a125c8806b7d3c3815b6f9f59d395b9d7527b0ef",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
},
{
"lessThan": "991ed014de0840c5dc405b679168924afb2952ac",
"status": "affected",
"version": "393d1d1d76933886d5e1ce603214c9987589c6d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search caused by bad boot loader inode\n\nWe got a issue as fllows:\n==================================================================\n kernel BUG at fs/ext4/extents_status.c:203!\n invalid opcode: 0000 [#1] PREEMPT SMP\n CPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349\n RIP: 0010:ext4_es_end.isra.0+0x34/0x42\n RSP: 0018:ffffc9000143b768 EFLAGS: 00010203\n RAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff\n RBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8\n R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0\n R13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000\n FS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n __es_tree_search.isra.0+0x6d/0xf5\n ext4_es_cache_extent+0xfa/0x230\n ext4_cache_extents+0xd2/0x110\n ext4_find_extent+0x5d5/0x8c0\n ext4_ext_map_blocks+0x9c/0x1d30\n ext4_map_blocks+0x431/0xa50\n ext4_mpage_readpages+0x48e/0xe40\n ext4_readahead+0x47/0x50\n read_pages+0x82/0x530\n page_cache_ra_unbounded+0x199/0x2a0\n do_page_cache_ra+0x47/0x70\n page_cache_ra_order+0x242/0x400\n ondemand_readahead+0x1e8/0x4b0\n page_cache_sync_ra+0xf4/0x110\n filemap_get_pages+0x131/0xb20\n filemap_read+0xda/0x4b0\n generic_file_read_iter+0x13a/0x250\n ext4_file_read_iter+0x59/0x1d0\n vfs_read+0x28f/0x460\n ksys_read+0x73/0x160\n __x64_sys_read+0x1e/0x30\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e\n==================================================================\n\nIn the above issue, ioctl invokes the swap_inode_boot_loader function to\nswap inode\u003c5\u003e and inode\u003c12\u003e. However, inode\u003c5\u003e contain incorrect imode and\ndisordered extents, and i_nlink is set to 1. The extents check for inode in\nthe ext4_iget function can be bypassed bacause 5 is EXT4_BOOT_LOADER_INO.\nWhile links_count is set to 1, the extents are not initialized in\nswap_inode_boot_loader. After the ioctl command is executed successfully,\nthe extents are swapped to inode\u003c12\u003e, in this case, run the `cat` command\nto view inode\u003c12\u003e. And Bug_ON is triggered due to the incorrect extents.\n\nWhen the boot loader inode is not initialized, its imode can be one of the\nfollowing:\n1) the imode is a bad type, which is marked as bad_inode in ext4_iget and\n set to S_IFREG.\n2) the imode is good type but not S_IFREG.\n3) the imode is S_IFREG.\n\nThe BUG_ON may be triggered by bypassing the check in cases 1 and 2.\nTherefore, when the boot loader inode is bad_inode or its imode is not\nS_IFREG, initialize the inode to avoid triggering the BUG."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:24.717Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e76ede9d2c9e0af4573342b56d7cdbf757c18084"
},
{
"url": "https://git.kernel.org/stable/c/a95ba369255ddcdc5e43d38bc5203537bdf3a518"
},
{
"url": "https://git.kernel.org/stable/c/5f8d36abd2059bf1bd016b17d1fe78d8613deddd"
},
{
"url": "https://git.kernel.org/stable/c/78e335fb573e6a85718c4c24d5a052718a99a9ed"
},
{
"url": "https://git.kernel.org/stable/c/71e99ec1315fe98d322b17b9a28f204aaf15ffee"
},
{
"url": "https://git.kernel.org/stable/c/d480a49c15c465cb9a16db1379f4996e9b5bb9cc"
},
{
"url": "https://git.kernel.org/stable/c/feec0ea94c5ef4aa118750284c8a921698733ef2"
},
{
"url": "https://git.kernel.org/stable/c/a125c8806b7d3c3815b6f9f59d395b9d7527b0ef"
},
{
"url": "https://git.kernel.org/stable/c/991ed014de0840c5dc405b679168924afb2952ac"
}
],
"title": "ext4: fix bug_on in __es_tree_search caused by bad boot loader inode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50638",
"datePublished": "2025-12-09T00:00:11.665Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-23T13:30:24.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54181 (GCVE-0-2023-54181)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2026-01-05 10:51
VLAI?
EPSS
Title
bpf: Fix issue in verifying allow_ptr_leaks
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix issue in verifying allow_ptr_leaks
After we converted the capabilities of our networking-bpf program from
cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program
failed to start. Because it failed the bpf verifier, and the error log
is "R3 pointer comparison prohibited".
A simple reproducer as follows,
SEC("cls-ingress")
int ingress(struct __sk_buff *skb)
{
struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
if ((long)(iph + 1) > (long)skb->data_end)
return TC_ACT_STOLEN;
return TC_ACT_OK;
}
Per discussion with Yonghong and Alexei [1], comparison of two packet
pointers is not a pointer leak. This patch fixes it.
Our local kernel is 6.1.y and we expect this fix to be backported to
6.1.y, so stable is CCed.
[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366 , < c96c67991aac6401b4c6996093bccb704bb2ea4b
(git)
Affected: 2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366 , < 5927f0172d2809d8fc09c1ba667280b0387e9f73 (git) Affected: 2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366 , < acfdc8b77016c8e648aadc283177546c88083dd3 (git) Affected: 2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366 , < d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c96c67991aac6401b4c6996093bccb704bb2ea4b",
"status": "affected",
"version": "2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366",
"versionType": "git"
},
{
"lessThan": "5927f0172d2809d8fc09c1ba667280b0387e9f73",
"status": "affected",
"version": "2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366",
"versionType": "git"
},
{
"lessThan": "acfdc8b77016c8e648aadc283177546c88083dd3",
"status": "affected",
"version": "2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366",
"versionType": "git"
},
{
"lessThan": "d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2",
"status": "affected",
"version": "2c78ee898d8f10ae6fb2fa23a3fbaec96b1b7366",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix issue in verifying allow_ptr_leaks\n\nAfter we converted the capabilities of our networking-bpf program from\ncap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program\nfailed to start. Because it failed the bpf verifier, and the error log\nis \"R3 pointer comparison prohibited\".\n\nA simple reproducer as follows,\n\nSEC(\"cls-ingress\")\nint ingress(struct __sk_buff *skb)\n{\n\tstruct iphdr *iph = (void *)(long)skb-\u003edata + sizeof(struct ethhdr);\n\n\tif ((long)(iph + 1) \u003e (long)skb-\u003edata_end)\n\t\treturn TC_ACT_STOLEN;\n\treturn TC_ACT_OK;\n}\n\nPer discussion with Yonghong and Alexei [1], comparison of two packet\npointers is not a pointer leak. This patch fixes it.\n\nOur local kernel is 6.1.y and we expect this fix to be backported to\n6.1.y, so stable is CCed.\n\n[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:51:18.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c96c67991aac6401b4c6996093bccb704bb2ea4b"
},
{
"url": "https://git.kernel.org/stable/c/5927f0172d2809d8fc09c1ba667280b0387e9f73"
},
{
"url": "https://git.kernel.org/stable/c/acfdc8b77016c8e648aadc283177546c88083dd3"
},
{
"url": "https://git.kernel.org/stable/c/d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2"
}
],
"title": "bpf: Fix issue in verifying allow_ptr_leaks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54181",
"datePublished": "2025-12-30T12:08:52.376Z",
"dateReserved": "2025-12-30T12:06:44.497Z",
"dateUpdated": "2026-01-05T10:51:18.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54289 (GCVE-0-2023-54289)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
scsi: qedf: Fix NULL dereference in error handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qedf: Fix NULL dereference in error handling
Smatch reported:
drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues()
warn: missing unwind goto?
At this point in the function, nothing has been allocated so we can return
directly. In particular the "qedf->global_queues" have not been allocated
so calling qedf_free_global_queues() will lead to a NULL dereference when
we check if (!gl[i]) and "gl" is NULL.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
61d8658b4a435eac729966cc94cdda077a8df5cd , < 961c8370c5f7e80a267680476e1bcff34bffe71a
(git)
Affected: 61d8658b4a435eac729966cc94cdda077a8df5cd , < ac64019e4d4b08c23edb117e0b2590985e33de1d (git) Affected: 61d8658b4a435eac729966cc94cdda077a8df5cd , < b1de5105d29b145b727b797e2d5de071ab3a7ca1 (git) Affected: 61d8658b4a435eac729966cc94cdda077a8df5cd , < c316bde418af4c2a9df51149ed01d1bd8ca5bebf (git) Affected: 61d8658b4a435eac729966cc94cdda077a8df5cd , < 08c001c1e9444a3046c79a99aa93ac48073b18cc (git) Affected: 61d8658b4a435eac729966cc94cdda077a8df5cd , < 271c9b2eb60149afbeab28cb39e52f73bde9900c (git) Affected: 61d8658b4a435eac729966cc94cdda077a8df5cd , < f025312b089474a54e4859f3453771314d9e3d4f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qedf/qedf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "961c8370c5f7e80a267680476e1bcff34bffe71a",
"status": "affected",
"version": "61d8658b4a435eac729966cc94cdda077a8df5cd",
"versionType": "git"
},
{
"lessThan": "ac64019e4d4b08c23edb117e0b2590985e33de1d",
"status": "affected",
"version": "61d8658b4a435eac729966cc94cdda077a8df5cd",
"versionType": "git"
},
{
"lessThan": "b1de5105d29b145b727b797e2d5de071ab3a7ca1",
"status": "affected",
"version": "61d8658b4a435eac729966cc94cdda077a8df5cd",
"versionType": "git"
},
{
"lessThan": "c316bde418af4c2a9df51149ed01d1bd8ca5bebf",
"status": "affected",
"version": "61d8658b4a435eac729966cc94cdda077a8df5cd",
"versionType": "git"
},
{
"lessThan": "08c001c1e9444a3046c79a99aa93ac48073b18cc",
"status": "affected",
"version": "61d8658b4a435eac729966cc94cdda077a8df5cd",
"versionType": "git"
},
{
"lessThan": "271c9b2eb60149afbeab28cb39e52f73bde9900c",
"status": "affected",
"version": "61d8658b4a435eac729966cc94cdda077a8df5cd",
"versionType": "git"
},
{
"lessThan": "f025312b089474a54e4859f3453771314d9e3d4f",
"status": "affected",
"version": "61d8658b4a435eac729966cc94cdda077a8df5cd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qedf/qedf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedf: Fix NULL dereference in error handling\n\nSmatch reported:\n\ndrivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues()\nwarn: missing unwind goto?\n\nAt this point in the function, nothing has been allocated so we can return\ndirectly. In particular the \"qedf-\u003eglobal_queues\" have not been allocated\nso calling qedf_free_global_queues() will lead to a NULL dereference when\nwe check if (!gl[i]) and \"gl\" is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:28.430Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/961c8370c5f7e80a267680476e1bcff34bffe71a"
},
{
"url": "https://git.kernel.org/stable/c/ac64019e4d4b08c23edb117e0b2590985e33de1d"
},
{
"url": "https://git.kernel.org/stable/c/b1de5105d29b145b727b797e2d5de071ab3a7ca1"
},
{
"url": "https://git.kernel.org/stable/c/c316bde418af4c2a9df51149ed01d1bd8ca5bebf"
},
{
"url": "https://git.kernel.org/stable/c/08c001c1e9444a3046c79a99aa93ac48073b18cc"
},
{
"url": "https://git.kernel.org/stable/c/271c9b2eb60149afbeab28cb39e52f73bde9900c"
},
{
"url": "https://git.kernel.org/stable/c/f025312b089474a54e4859f3453771314d9e3d4f"
}
],
"title": "scsi: qedf: Fix NULL dereference in error handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54289",
"datePublished": "2025-12-30T12:23:28.430Z",
"dateReserved": "2025-12-30T12:06:44.526Z",
"dateUpdated": "2025-12-30T12:23:28.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54253 (GCVE-0-2023-54253)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
btrfs: set page extent mapped after read_folio in relocate_one_page
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: set page extent mapped after read_folio in relocate_one_page
One of the CI runs triggered the following panic
assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229
------------[ cut here ]------------
kernel BUG at fs/btrfs/subpage.c:229!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
CPU: 0 PID: 923660 Comm: btrfs Not tainted 6.5.0-rc3+ #1
pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : btrfs_subpage_assert+0xbc/0xf0
lr : btrfs_subpage_assert+0xbc/0xf0
sp : ffff800093213720
x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000
x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff
x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880
x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff
x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028
x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000
x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c
x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8
x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f
Call trace:
btrfs_subpage_assert+0xbc/0xf0
btrfs_subpage_set_dirty+0x38/0xa0
btrfs_page_set_dirty+0x58/0x88
relocate_one_page+0x204/0x5f0
relocate_file_extent_cluster+0x11c/0x180
relocate_data_extent+0xd0/0xf8
relocate_block_group+0x3d0/0x4e8
btrfs_relocate_block_group+0x2d8/0x490
btrfs_relocate_chunk+0x54/0x1a8
btrfs_balance+0x7f4/0x1150
btrfs_ioctl+0x10f0/0x20b8
__arm64_sys_ioctl+0x120/0x11d8
invoke_syscall.constprop.0+0x80/0xd8
do_el0_svc+0x6c/0x158
el0_svc+0x50/0x1b0
el0t_64_sync_handler+0x120/0x130
el0t_64_sync+0x194/0x198
Code: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000)
This is the same problem outlined in 17b17fcd6d44 ("btrfs:
set_page_extent_mapped after read_folio in btrfs_cont_expand") , and the
fix is the same. I originally looked for the same pattern elsewhere in
our code, but mistakenly skipped over this code because I saw the page
cache readahead before we set_page_extent_mapped, not realizing that
this was only in the !page case, that we can still end up with a
!uptodate page and then do the btrfs_read_folio further down.
The fix here is the same as the above mentioned patch, move the
set_page_extent_mapped call to after the btrfs_read_folio() block to
make sure that we have the subpage blocksize stuff setup properly before
using the page.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
32443de3382be98c0a8b8f6f50d23da2e10c4117 , < 08daa38ca212d87f77beae839bc9be71079c7abf
(git)
Affected: 32443de3382be98c0a8b8f6f50d23da2e10c4117 , < 9d1e020ed9649cf140fcfafd052cfdcce9e9d67d (git) Affected: 32443de3382be98c0a8b8f6f50d23da2e10c4117 , < e7f1326cc24e22b38afc3acd328480a1183f9e79 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/relocation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08daa38ca212d87f77beae839bc9be71079c7abf",
"status": "affected",
"version": "32443de3382be98c0a8b8f6f50d23da2e10c4117",
"versionType": "git"
},
{
"lessThan": "9d1e020ed9649cf140fcfafd052cfdcce9e9d67d",
"status": "affected",
"version": "32443de3382be98c0a8b8f6f50d23da2e10c4117",
"versionType": "git"
},
{
"lessThan": "e7f1326cc24e22b38afc3acd328480a1183f9e79",
"status": "affected",
"version": "32443de3382be98c0a8b8f6f50d23da2e10c4117",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/relocation.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: set page extent mapped after read_folio in relocate_one_page\n\nOne of the CI runs triggered the following panic\n\n assertion failed: PagePrivate(page) \u0026\u0026 page-\u003eprivate, in fs/btrfs/subpage.c:229\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/subpage.c:229!\n Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n CPU: 0 PID: 923660 Comm: btrfs Not tainted 6.5.0-rc3+ #1\n pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n pc : btrfs_subpage_assert+0xbc/0xf0\n lr : btrfs_subpage_assert+0xbc/0xf0\n sp : ffff800093213720\n x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000\n x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff\n x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880\n x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff\n x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028\n x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000\n x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c\n x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8\n x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f\n Call trace:\n btrfs_subpage_assert+0xbc/0xf0\n btrfs_subpage_set_dirty+0x38/0xa0\n btrfs_page_set_dirty+0x58/0x88\n relocate_one_page+0x204/0x5f0\n relocate_file_extent_cluster+0x11c/0x180\n relocate_data_extent+0xd0/0xf8\n relocate_block_group+0x3d0/0x4e8\n btrfs_relocate_block_group+0x2d8/0x490\n btrfs_relocate_chunk+0x54/0x1a8\n btrfs_balance+0x7f4/0x1150\n btrfs_ioctl+0x10f0/0x20b8\n __arm64_sys_ioctl+0x120/0x11d8\n invoke_syscall.constprop.0+0x80/0xd8\n do_el0_svc+0x6c/0x158\n el0_svc+0x50/0x1b0\n el0t_64_sync_handler+0x120/0x130\n el0t_64_sync+0x194/0x198\n Code: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000)\n\nThis is the same problem outlined in 17b17fcd6d44 (\"btrfs:\nset_page_extent_mapped after read_folio in btrfs_cont_expand\") , and the\nfix is the same. I originally looked for the same pattern elsewhere in\nour code, but mistakenly skipped over this code because I saw the page\ncache readahead before we set_page_extent_mapped, not realizing that\nthis was only in the !page case, that we can still end up with a\n!uptodate page and then do the btrfs_read_folio further down.\n\nThe fix here is the same as the above mentioned patch, move the\nset_page_extent_mapped call to after the btrfs_read_folio() block to\nmake sure that we have the subpage blocksize stuff setup properly before\nusing the page."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:05.809Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08daa38ca212d87f77beae839bc9be71079c7abf"
},
{
"url": "https://git.kernel.org/stable/c/9d1e020ed9649cf140fcfafd052cfdcce9e9d67d"
},
{
"url": "https://git.kernel.org/stable/c/e7f1326cc24e22b38afc3acd328480a1183f9e79"
}
],
"title": "btrfs: set page extent mapped after read_folio in relocate_one_page",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54253",
"datePublished": "2025-12-30T12:15:49.460Z",
"dateReserved": "2025-12-30T12:06:44.515Z",
"dateUpdated": "2026-01-05T11:37:05.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54270 (GCVE-0-2023-54270)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:16 – Updated: 2025-12-30 12:16
VLAI?
EPSS
Title
media: usb: siano: Fix use after free bugs caused by do_submit_urb
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: usb: siano: Fix use after free bugs caused by do_submit_urb
There are UAF bugs caused by do_submit_urb(). One of the KASan reports
is shown below:
[ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890
[ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49
[ 36.408316]
[ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8
[ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584
[ 36.416157] Workqueue: 0x0 (events)
[ 36.417654] Call Trace:
[ 36.418546] <TASK>
[ 36.419320] dump_stack_lvl+0x96/0xd0
[ 36.420522] print_address_description+0x75/0x350
[ 36.421992] print_report+0x11b/0x250
[ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0
[ 36.424806] ? __virt_addr_valid+0xcf/0x170
[ 36.426069] ? worker_thread+0x4a2/0x890
[ 36.427355] kasan_report+0x131/0x160
[ 36.428556] ? worker_thread+0x4a2/0x890
[ 36.430053] worker_thread+0x4a2/0x890
[ 36.431297] ? worker_clr_flags+0x90/0x90
[ 36.432479] kthread+0x166/0x190
[ 36.433493] ? kthread_blkcg+0x50/0x50
[ 36.434669] ret_from_fork+0x22/0x30
[ 36.435923] </TASK>
[ 36.436684]
[ 36.437215] Allocated by task 24:
[ 36.438289] kasan_set_track+0x50/0x80
[ 36.439436] __kasan_kmalloc+0x89/0xa0
[ 36.440566] smsusb_probe+0x374/0xc90
[ 36.441920] usb_probe_interface+0x2d1/0x4c0
[ 36.443253] really_probe+0x1d5/0x580
[ 36.444539] __driver_probe_device+0xe3/0x130
[ 36.446085] driver_probe_device+0x49/0x220
[ 36.447423] __device_attach_driver+0x19e/0x1b0
[ 36.448931] bus_for_each_drv+0xcb/0x110
[ 36.450217] __device_attach+0x132/0x1f0
[ 36.451470] bus_probe_device+0x59/0xf0
[ 36.452563] device_add+0x4ec/0x7b0
[ 36.453830] usb_set_configuration+0xc63/0xe10
[ 36.455230] usb_generic_driver_probe+0x3b/0x80
[ 36.456166] printk: console [ttyGS0] disabled
[ 36.456569] usb_probe_device+0x90/0x110
[ 36.459523] really_probe+0x1d5/0x580
[ 36.461027] __driver_probe_device+0xe3/0x130
[ 36.462465] driver_probe_device+0x49/0x220
[ 36.463847] __device_attach_driver+0x19e/0x1b0
[ 36.465229] bus_for_each_drv+0xcb/0x110
[ 36.466466] __device_attach+0x132/0x1f0
[ 36.467799] bus_probe_device+0x59/0xf0
[ 36.469010] device_add+0x4ec/0x7b0
[ 36.470125] usb_new_device+0x863/0xa00
[ 36.471374] hub_event+0x18c7/0x2220
[ 36.472746] process_one_work+0x34c/0x5b0
[ 36.474041] worker_thread+0x4b7/0x890
[ 36.475216] kthread+0x166/0x190
[ 36.476267] ret_from_fork+0x22/0x30
[ 36.477447]
[ 36.478160] Freed by task 24:
[ 36.479239] kasan_set_track+0x50/0x80
[ 36.480512] kasan_save_free_info+0x2b/0x40
[ 36.481808] ____kasan_slab_free+0x122/0x1a0
[ 36.483173] __kmem_cache_free+0xc4/0x200
[ 36.484563] smsusb_term_device+0xcd/0xf0
[ 36.485896] smsusb_probe+0xc85/0xc90
[ 36.486976] usb_probe_interface+0x2d1/0x4c0
[ 36.488303] really_probe+0x1d5/0x580
[ 36.489498] __driver_probe_device+0xe3/0x130
[ 36.491140] driver_probe_device+0x49/0x220
[ 36.492475] __device_attach_driver+0x19e/0x1b0
[ 36.493988] bus_for_each_drv+0xcb/0x110
[ 36.495171] __device_attach+0x132/0x1f0
[ 36.496617] bus_probe_device+0x59/0xf0
[ 36.497875] device_add+0x4ec/0x7b0
[ 36.498972] usb_set_configuration+0xc63/0xe10
[ 36.500264] usb_generic_driver_probe+0x3b/0x80
[ 36.501740] usb_probe_device+0x90/0x110
[ 36.503084] really_probe+0x1d5/0x580
[ 36.504241] __driver_probe_device+0xe3/0x130
[ 36.505548] driver_probe_device+0x49/0x220
[ 36.506766] __device_attach_driver+0x19e/0x1b0
[ 36.508368] bus_for_each_drv+0xcb/0x110
[ 36.509646] __device_attach+0x132/0x1f0
[ 36.510911] bus_probe_device+0x59/0xf0
[ 36.512103] device_add+0x4ec/0x7b0
[ 36.513215] usb_new_device+0x863/0xa00
[ 36.514736] hub_event+0x18c7/0x2220
[ 36.516130] process_one_work+
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < c379272ea9c2ee36f0a1327b0fb8889c975093f7
(git)
Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < 1477b00ff582970df110fc9e15a5e2021acb9222 (git) Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < a41bb59eff7a58a6772f84a5b70ad7ec26dad074 (git) Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < 42f8ba8355682f6c4125b75503cac0cef4ac91d3 (git) Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < 114f768e7314ca9e1fdbebe11267c4403e89e7f2 (git) Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < 479796534a450fd44189080d51bebefa3b42c6fc (git) Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < 19aadf0eb70edae7180285dbb9bfa237d1ddb34d (git) Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < ebad8e731c1c06adf04621d6fd327b860c0861b5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/siano/smsusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c379272ea9c2ee36f0a1327b0fb8889c975093f7",
"status": "affected",
"version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
"versionType": "git"
},
{
"lessThan": "1477b00ff582970df110fc9e15a5e2021acb9222",
"status": "affected",
"version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
"versionType": "git"
},
{
"lessThan": "a41bb59eff7a58a6772f84a5b70ad7ec26dad074",
"status": "affected",
"version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
"versionType": "git"
},
{
"lessThan": "42f8ba8355682f6c4125b75503cac0cef4ac91d3",
"status": "affected",
"version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
"versionType": "git"
},
{
"lessThan": "114f768e7314ca9e1fdbebe11267c4403e89e7f2",
"status": "affected",
"version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
"versionType": "git"
},
{
"lessThan": "479796534a450fd44189080d51bebefa3b42c6fc",
"status": "affected",
"version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
"versionType": "git"
},
{
"lessThan": "19aadf0eb70edae7180285dbb9bfa237d1ddb34d",
"status": "affected",
"version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
"versionType": "git"
},
{
"lessThan": "ebad8e731c1c06adf04621d6fd327b860c0861b5",
"status": "affected",
"version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/siano/smsusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usb: siano: Fix use after free bugs caused by do_submit_urb\n\nThere are UAF bugs caused by do_submit_urb(). One of the KASan reports\nis shown below:\n\n[ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890\n[ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49\n[ 36.408316]\n[ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8\n[ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584\n[ 36.416157] Workqueue: 0x0 (events)\n[ 36.417654] Call Trace:\n[ 36.418546] \u003cTASK\u003e\n[ 36.419320] dump_stack_lvl+0x96/0xd0\n[ 36.420522] print_address_description+0x75/0x350\n[ 36.421992] print_report+0x11b/0x250\n[ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0\n[ 36.424806] ? __virt_addr_valid+0xcf/0x170\n[ 36.426069] ? worker_thread+0x4a2/0x890\n[ 36.427355] kasan_report+0x131/0x160\n[ 36.428556] ? worker_thread+0x4a2/0x890\n[ 36.430053] worker_thread+0x4a2/0x890\n[ 36.431297] ? worker_clr_flags+0x90/0x90\n[ 36.432479] kthread+0x166/0x190\n[ 36.433493] ? kthread_blkcg+0x50/0x50\n[ 36.434669] ret_from_fork+0x22/0x30\n[ 36.435923] \u003c/TASK\u003e\n[ 36.436684]\n[ 36.437215] Allocated by task 24:\n[ 36.438289] kasan_set_track+0x50/0x80\n[ 36.439436] __kasan_kmalloc+0x89/0xa0\n[ 36.440566] smsusb_probe+0x374/0xc90\n[ 36.441920] usb_probe_interface+0x2d1/0x4c0\n[ 36.443253] really_probe+0x1d5/0x580\n[ 36.444539] __driver_probe_device+0xe3/0x130\n[ 36.446085] driver_probe_device+0x49/0x220\n[ 36.447423] __device_attach_driver+0x19e/0x1b0\n[ 36.448931] bus_for_each_drv+0xcb/0x110\n[ 36.450217] __device_attach+0x132/0x1f0\n[ 36.451470] bus_probe_device+0x59/0xf0\n[ 36.452563] device_add+0x4ec/0x7b0\n[ 36.453830] usb_set_configuration+0xc63/0xe10\n[ 36.455230] usb_generic_driver_probe+0x3b/0x80\n[ 36.456166] printk: console [ttyGS0] disabled\n[ 36.456569] usb_probe_device+0x90/0x110\n[ 36.459523] really_probe+0x1d5/0x580\n[ 36.461027] __driver_probe_device+0xe3/0x130\n[ 36.462465] driver_probe_device+0x49/0x220\n[ 36.463847] __device_attach_driver+0x19e/0x1b0\n[ 36.465229] bus_for_each_drv+0xcb/0x110\n[ 36.466466] __device_attach+0x132/0x1f0\n[ 36.467799] bus_probe_device+0x59/0xf0\n[ 36.469010] device_add+0x4ec/0x7b0\n[ 36.470125] usb_new_device+0x863/0xa00\n[ 36.471374] hub_event+0x18c7/0x2220\n[ 36.472746] process_one_work+0x34c/0x5b0\n[ 36.474041] worker_thread+0x4b7/0x890\n[ 36.475216] kthread+0x166/0x190\n[ 36.476267] ret_from_fork+0x22/0x30\n[ 36.477447]\n[ 36.478160] Freed by task 24:\n[ 36.479239] kasan_set_track+0x50/0x80\n[ 36.480512] kasan_save_free_info+0x2b/0x40\n[ 36.481808] ____kasan_slab_free+0x122/0x1a0\n[ 36.483173] __kmem_cache_free+0xc4/0x200\n[ 36.484563] smsusb_term_device+0xcd/0xf0\n[ 36.485896] smsusb_probe+0xc85/0xc90\n[ 36.486976] usb_probe_interface+0x2d1/0x4c0\n[ 36.488303] really_probe+0x1d5/0x580\n[ 36.489498] __driver_probe_device+0xe3/0x130\n[ 36.491140] driver_probe_device+0x49/0x220\n[ 36.492475] __device_attach_driver+0x19e/0x1b0\n[ 36.493988] bus_for_each_drv+0xcb/0x110\n[ 36.495171] __device_attach+0x132/0x1f0\n[ 36.496617] bus_probe_device+0x59/0xf0\n[ 36.497875] device_add+0x4ec/0x7b0\n[ 36.498972] usb_set_configuration+0xc63/0xe10\n[ 36.500264] usb_generic_driver_probe+0x3b/0x80\n[ 36.501740] usb_probe_device+0x90/0x110\n[ 36.503084] really_probe+0x1d5/0x580\n[ 36.504241] __driver_probe_device+0xe3/0x130\n[ 36.505548] driver_probe_device+0x49/0x220\n[ 36.506766] __device_attach_driver+0x19e/0x1b0\n[ 36.508368] bus_for_each_drv+0xcb/0x110\n[ 36.509646] __device_attach+0x132/0x1f0\n[ 36.510911] bus_probe_device+0x59/0xf0\n[ 36.512103] device_add+0x4ec/0x7b0\n[ 36.513215] usb_new_device+0x863/0xa00\n[ 36.514736] hub_event+0x18c7/0x2220\n[ 36.516130] process_one_work+\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:16:00.990Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c379272ea9c2ee36f0a1327b0fb8889c975093f7"
},
{
"url": "https://git.kernel.org/stable/c/1477b00ff582970df110fc9e15a5e2021acb9222"
},
{
"url": "https://git.kernel.org/stable/c/a41bb59eff7a58a6772f84a5b70ad7ec26dad074"
},
{
"url": "https://git.kernel.org/stable/c/42f8ba8355682f6c4125b75503cac0cef4ac91d3"
},
{
"url": "https://git.kernel.org/stable/c/114f768e7314ca9e1fdbebe11267c4403e89e7f2"
},
{
"url": "https://git.kernel.org/stable/c/479796534a450fd44189080d51bebefa3b42c6fc"
},
{
"url": "https://git.kernel.org/stable/c/19aadf0eb70edae7180285dbb9bfa237d1ddb34d"
},
{
"url": "https://git.kernel.org/stable/c/ebad8e731c1c06adf04621d6fd327b860c0861b5"
}
],
"title": "media: usb: siano: Fix use after free bugs caused by do_submit_urb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54270",
"datePublished": "2025-12-30T12:16:00.990Z",
"dateReserved": "2025-12-30T12:06:44.519Z",
"dateUpdated": "2025-12-30T12:16:00.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40328 (GCVE-0-2025-40328)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
VLAI?
EPSS
Title
smb: client: fix potential UAF in smb2_close_cached_fid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix potential UAF in smb2_close_cached_fid()
find_or_create_cached_dir() could grab a new reference after kref_put()
had seen the refcount drop to zero but before cfid_list_lock is acquired
in smb2_close_cached_fid(), leading to use-after-free.
Switch to kref_put_lock() so cfid_release() is called with
cfid_list_lock held, closing that gap.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < cb52d9c86d70298de0ab7c7953653898cbc0efd6
(git)
Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < 065bd62412271a2d734810dd50336cae88c54427 (git) Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < bdb596ceb4b7c3f28786a33840263728217fbcf5 (git) Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < 734e99623c5b65bf2c03e35978a0b980ebc3c2f8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb52d9c86d70298de0ab7c7953653898cbc0efd6",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "065bd62412271a2d734810dd50336cae88c54427",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "bdb596ceb4b7c3f28786a33840263728217fbcf5",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
},
{
"lessThan": "734e99623c5b65bf2c03e35978a0b980ebc3c2f8",
"status": "affected",
"version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_close_cached_fid()\n\nfind_or_create_cached_dir() could grab a new reference after kref_put()\nhad seen the refcount drop to zero but before cfid_list_lock is acquired\nin smb2_close_cached_fid(), leading to use-after-free.\n\nSwitch to kref_put_lock() so cfid_release() is called with\ncfid_list_lock held, closing that gap."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:44.876Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb52d9c86d70298de0ab7c7953653898cbc0efd6"
},
{
"url": "https://git.kernel.org/stable/c/065bd62412271a2d734810dd50336cae88c54427"
},
{
"url": "https://git.kernel.org/stable/c/bdb596ceb4b7c3f28786a33840263728217fbcf5"
},
{
"url": "https://git.kernel.org/stable/c/734e99623c5b65bf2c03e35978a0b980ebc3c2f8"
}
],
"title": "smb: client: fix potential UAF in smb2_close_cached_fid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40328",
"datePublished": "2025-12-09T04:09:44.876Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:44.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54027 (GCVE-0-2023-54027)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
iio: core: Prevent invalid memory access when there is no parent
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: core: Prevent invalid memory access when there is no parent
Commit 813665564b3d ("iio: core: Convert to use firmware node handle
instead of OF node") switched the kind of nodes to use for label
retrieval in device registration. Probably an unwanted change in that
commit was that if the device has no parent then NULL pointer is
accessed. This is what happens in the stock IIO dummy driver when a
new entry is created in configfs:
# mkdir /sys/kernel/config/iio/devices/dummy/foo
BUG: kernel NULL pointer dereference, address: ...
...
Call Trace:
__iio_device_register
iio_dummy_probe
Since there seems to be no reason to make a parent device of an IIO
dummy device mandatory, let’s prevent the invalid memory access in
__iio_device_register when the parent device is NULL. With this
change, the IIO dummy driver works fine with configfs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
813665564b3d7c74412fe2877520f1d254ce948a , < 312f04ede209f0a186799fe8e64a19b49700d5dc
(git)
Affected: 813665564b3d7c74412fe2877520f1d254ce948a , < a4b34cccff14ce74bb7d77fbfd56e7c9d7c28a97 (git) Affected: 813665564b3d7c74412fe2877520f1d254ce948a , < b2a69969908fcaf68596dfc04369af0fe2e1d2f7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/industrialio-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "312f04ede209f0a186799fe8e64a19b49700d5dc",
"status": "affected",
"version": "813665564b3d7c74412fe2877520f1d254ce948a",
"versionType": "git"
},
{
"lessThan": "a4b34cccff14ce74bb7d77fbfd56e7c9d7c28a97",
"status": "affected",
"version": "813665564b3d7c74412fe2877520f1d254ce948a",
"versionType": "git"
},
{
"lessThan": "b2a69969908fcaf68596dfc04369af0fe2e1d2f7",
"status": "affected",
"version": "813665564b3d7c74412fe2877520f1d254ce948a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/industrialio-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: core: Prevent invalid memory access when there is no parent\n\nCommit 813665564b3d (\"iio: core: Convert to use firmware node handle\ninstead of OF node\") switched the kind of nodes to use for label\nretrieval in device registration. Probably an unwanted change in that\ncommit was that if the device has no parent then NULL pointer is\naccessed. This is what happens in the stock IIO dummy driver when a\nnew entry is created in configfs:\n\n # mkdir /sys/kernel/config/iio/devices/dummy/foo\n BUG: kernel NULL pointer dereference, address: ...\n ...\n Call Trace:\n __iio_device_register\n iio_dummy_probe\n\nSince there seems to be no reason to make a parent device of an IIO\ndummy device mandatory, let\u2019s prevent the invalid memory access in\n__iio_device_register when the parent device is NULL. With this\nchange, the IIO dummy driver works fine with configfs."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:55.890Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/312f04ede209f0a186799fe8e64a19b49700d5dc"
},
{
"url": "https://git.kernel.org/stable/c/a4b34cccff14ce74bb7d77fbfd56e7c9d7c28a97"
},
{
"url": "https://git.kernel.org/stable/c/b2a69969908fcaf68596dfc04369af0fe2e1d2f7"
}
],
"title": "iio: core: Prevent invalid memory access when there is no parent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54027",
"datePublished": "2025-12-24T10:55:55.890Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:55:55.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40179 (GCVE-0-2025-40179)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
ext4: verify orphan file size is not too big
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: verify orphan file size is not too big
In principle orphan file can be arbitrarily large. However orphan replay
needs to traverse it all and we also pin all its buffers in memory. Thus
filesystems with absurdly large orphan files can lead to big amounts of
memory consumed. Limit orphan file size to a sane value and also use
kvmalloc() for allocating array of block descriptor structures to avoid
large order allocations for sane but large orphan files.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 95a21611b14ae0a401720645245a8db16f040995
(git)
Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 566a1d6084563bd07433025aa23bcea4427de107 (git) Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 304fc34ff6fc8261138fd81f119e024ac3a129e9 (git) Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < a2d803fab8a6c6a874277cb80156dc114db91921 (git) Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 2b9da798ff0f4d026c5f0f815047393ebe7d8859 (git) Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 0a6ce20c156442a4ce2a404747bb0fb05d54eeb3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/orphan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95a21611b14ae0a401720645245a8db16f040995",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "566a1d6084563bd07433025aa23bcea4427de107",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "304fc34ff6fc8261138fd81f119e024ac3a129e9",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "a2d803fab8a6c6a874277cb80156dc114db91921",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "2b9da798ff0f4d026c5f0f815047393ebe7d8859",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
},
{
"lessThan": "0a6ce20c156442a4ce2a404747bb0fb05d54eeb3",
"status": "affected",
"version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/orphan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: verify orphan file size is not too big\n\nIn principle orphan file can be arbitrarily large. However orphan replay\nneeds to traverse it all and we also pin all its buffers in memory. Thus\nfilesystems with absurdly large orphan files can lead to big amounts of\nmemory consumed. Limit orphan file size to a sane value and also use\nkvmalloc() for allocating array of block descriptor structures to avoid\nlarge order allocations for sane but large orphan files."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:35.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95a21611b14ae0a401720645245a8db16f040995"
},
{
"url": "https://git.kernel.org/stable/c/566a1d6084563bd07433025aa23bcea4427de107"
},
{
"url": "https://git.kernel.org/stable/c/304fc34ff6fc8261138fd81f119e024ac3a129e9"
},
{
"url": "https://git.kernel.org/stable/c/a2d803fab8a6c6a874277cb80156dc114db91921"
},
{
"url": "https://git.kernel.org/stable/c/2b9da798ff0f4d026c5f0f815047393ebe7d8859"
},
{
"url": "https://git.kernel.org/stable/c/0a6ce20c156442a4ce2a404747bb0fb05d54eeb3"
}
],
"title": "ext4: verify orphan file size is not too big",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40179",
"datePublished": "2025-11-12T21:56:24.882Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:35.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-53093 (GCVE-0-2024-53093)
Vulnerability from cvelistv5 – Published: 2024-11-21 18:17 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
nvme-multipath: defer partition scanning
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-multipath: defer partition scanning
We need to suppress the partition scan from occuring within the
controller's scan_work context. If a path error occurs here, the IO will
wait until a path becomes available or all paths are torn down, but that
action also occurs within scan_work, so it would deadlock. Defer the
partion scan to a different context that does not block scan_work.
Severity ?
5.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
32acab3181c7053c775ca128c3a5c6ce50197d7f , < 60de2e03f984cfbcdc12fa552f95087c35a05a98
(git)
Affected: 32acab3181c7053c775ca128c3a5c6ce50197d7f , < 4a57f42e5ed42cb8f1beb262c4f6d3e698939e4e (git) Affected: 32acab3181c7053c775ca128c3a5c6ce50197d7f , < a91b7eddf45afeeb9c5ece11dddff5de0921b00f (git) Affected: 32acab3181c7053c775ca128c3a5c6ce50197d7f , < 1f021341eef41e77a633186e9be5223de2ce5d48 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T20:11:24.276538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T20:17:13.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T22:29:08.209Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/multipath.c",
"drivers/nvme/host/nvme.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60de2e03f984cfbcdc12fa552f95087c35a05a98",
"status": "affected",
"version": "32acab3181c7053c775ca128c3a5c6ce50197d7f",
"versionType": "git"
},
{
"lessThan": "4a57f42e5ed42cb8f1beb262c4f6d3e698939e4e",
"status": "affected",
"version": "32acab3181c7053c775ca128c3a5c6ce50197d7f",
"versionType": "git"
},
{
"lessThan": "a91b7eddf45afeeb9c5ece11dddff5de0921b00f",
"status": "affected",
"version": "32acab3181c7053c775ca128c3a5c6ce50197d7f",
"versionType": "git"
},
{
"lessThan": "1f021341eef41e77a633186e9be5223de2ce5d48",
"status": "affected",
"version": "32acab3181c7053c775ca128c3a5c6ce50197d7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/multipath.c",
"drivers/nvme/host/nvme.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.11.*",
"status": "unaffected",
"version": "6.11.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.12",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.118",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.62",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.11.9",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-multipath: defer partition scanning\n\nWe need to suppress the partition scan from occuring within the\ncontroller\u0027s scan_work context. If a path error occurs here, the IO will\nwait until a path becomes available or all paths are torn down, but that\naction also occurs within scan_work, so it would deadlock. Defer the\npartion scan to a different context that does not block scan_work."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:40.234Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60de2e03f984cfbcdc12fa552f95087c35a05a98"
},
{
"url": "https://git.kernel.org/stable/c/4a57f42e5ed42cb8f1beb262c4f6d3e698939e4e"
},
{
"url": "https://git.kernel.org/stable/c/a91b7eddf45afeeb9c5ece11dddff5de0921b00f"
},
{
"url": "https://git.kernel.org/stable/c/1f021341eef41e77a633186e9be5223de2ce5d48"
}
],
"title": "nvme-multipath: defer partition scanning",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-53093",
"datePublished": "2024-11-21T18:17:09.807Z",
"dateReserved": "2024-11-19T17:17:24.982Z",
"dateUpdated": "2025-12-20T08:51:40.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50744 (GCVE-0-2022-50744)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs
During I/O and simultaneous cat of /sys/kernel/debug/lpfc/fnX/rx_monitor, a
hard lockup similar to the call trace below may occur.
The spin_lock_bh in lpfc_rx_monitor_report is not protecting from timer
interrupts as expected, so change the strength of the spin lock to _irq.
Kernel panic - not syncing: Hard LOCKUP
CPU: 3 PID: 110402 Comm: cat Kdump: loaded
exception RIP: native_queued_spin_lock_slowpath+91
[IRQ stack]
native_queued_spin_lock_slowpath at ffffffffb814e30b
_raw_spin_lock at ffffffffb89a667a
lpfc_rx_monitor_record at ffffffffc0a73a36 [lpfc]
lpfc_cmf_timer at ffffffffc0abbc67 [lpfc]
__hrtimer_run_queues at ffffffffb8184250
hrtimer_interrupt at ffffffffb8184ab0
smp_apic_timer_interrupt at ffffffffb8a026ba
apic_timer_interrupt at ffffffffb8a01c4f
[End of IRQ stack]
apic_timer_interrupt at ffffffffb8a01c4f
lpfc_rx_monitor_report at ffffffffc0a73c80 [lpfc]
lpfc_rx_monitor_read at ffffffffc0addde1 [lpfc]
full_proxy_read at ffffffffb83e7fc3
vfs_read at ffffffffb833fe71
ksys_read at ffffffffb83402af
do_syscall_64 at ffffffffb800430b
entry_SYSCALL_64_after_hwframe at ffffffffb8a000ad
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
21d65b35169112af9b6f873c8eeab972e60107c2 , < 2cf66428a2545bb33beb9624124a2377468bb478
(git)
Affected: 2c9b5b8326b953f2f48338a7c889e6af457d146f , < cd542900ee5147028bbe603b238efcab8d720838 (git) Affected: bd269188ea94e40ab002cad7b0df8f12b8f0de54 , < 39761417ea7b654217d6d9085afbf7c87ba3675d (git) Affected: bd269188ea94e40ab002cad7b0df8f12b8f0de54 , < c44e50f4a0ec00c2298f31f91bc2c3e9bbd81c7e (git) Affected: 147d397e08a406f5997f8a1c7f747fe546bf8395 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_sli.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2cf66428a2545bb33beb9624124a2377468bb478",
"status": "affected",
"version": "21d65b35169112af9b6f873c8eeab972e60107c2",
"versionType": "git"
},
{
"lessThan": "cd542900ee5147028bbe603b238efcab8d720838",
"status": "affected",
"version": "2c9b5b8326b953f2f48338a7c889e6af457d146f",
"versionType": "git"
},
{
"lessThan": "39761417ea7b654217d6d9085afbf7c87ba3675d",
"status": "affected",
"version": "bd269188ea94e40ab002cad7b0df8f12b8f0de54",
"versionType": "git"
},
{
"lessThan": "c44e50f4a0ec00c2298f31f91bc2c3e9bbd81c7e",
"status": "affected",
"version": "bd269188ea94e40ab002cad7b0df8f12b8f0de54",
"versionType": "git"
},
{
"status": "affected",
"version": "147d397e08a406f5997f8a1c7f747fe546bf8395",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_sli.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.15.78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs\n\nDuring I/O and simultaneous cat of /sys/kernel/debug/lpfc/fnX/rx_monitor, a\nhard lockup similar to the call trace below may occur.\n\nThe spin_lock_bh in lpfc_rx_monitor_report is not protecting from timer\ninterrupts as expected, so change the strength of the spin lock to _irq.\n\nKernel panic - not syncing: Hard LOCKUP\nCPU: 3 PID: 110402 Comm: cat Kdump: loaded\n\nexception RIP: native_queued_spin_lock_slowpath+91\n\n[IRQ stack]\n native_queued_spin_lock_slowpath at ffffffffb814e30b\n _raw_spin_lock at ffffffffb89a667a\n lpfc_rx_monitor_record at ffffffffc0a73a36 [lpfc]\n lpfc_cmf_timer at ffffffffc0abbc67 [lpfc]\n __hrtimer_run_queues at ffffffffb8184250\n hrtimer_interrupt at ffffffffb8184ab0\n smp_apic_timer_interrupt at ffffffffb8a026ba\n apic_timer_interrupt at ffffffffb8a01c4f\n[End of IRQ stack]\n\n apic_timer_interrupt at ffffffffb8a01c4f\n lpfc_rx_monitor_report at ffffffffc0a73c80 [lpfc]\n lpfc_rx_monitor_read at ffffffffc0addde1 [lpfc]\n full_proxy_read at ffffffffb83e7fc3\n vfs_read at ffffffffb833fe71\n ksys_read at ffffffffb83402af\n do_syscall_64 at ffffffffb800430b\n entry_SYSCALL_64_after_hwframe at ffffffffb8a000ad"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:22.034Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2cf66428a2545bb33beb9624124a2377468bb478"
},
{
"url": "https://git.kernel.org/stable/c/cd542900ee5147028bbe603b238efcab8d720838"
},
{
"url": "https://git.kernel.org/stable/c/39761417ea7b654217d6d9085afbf7c87ba3675d"
},
{
"url": "https://git.kernel.org/stable/c/c44e50f4a0ec00c2298f31f91bc2c3e9bbd81c7e"
}
],
"title": "scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50744",
"datePublished": "2025-12-24T13:05:41.138Z",
"dateReserved": "2025-12-24T13:02:21.543Z",
"dateUpdated": "2026-01-02T15:04:22.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40316 (GCVE-0-2025-40316)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
drm/mediatek: Fix device use-after-free on unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: Fix device use-after-free on unbind
A recent change fixed device reference leaks when looking up drm
platform device driver data during bind() but failed to remove a partial
fix which had been added by commit 80805b62ea5b ("drm/mediatek: Fix
kobject put for component sub-drivers").
This results in a reference imbalance on component bind() failures and
on unbind() which could lead to a user-after-free.
Make sure to only drop the references after retrieving the driver data
by effectively reverting the previous partial fix.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7d98166183d627c0b9daca7672b2191fae0f8a03 , < a5a896f8315de358a2932e2c23c42d550256046a
(git)
Affected: 31ce7c089b50c3d3056c37e0e25e7535e4428ae1 , < 0142fe895986addf35885b43440718e567121155 (git) Affected: 1f403699c40f0806a707a9a6eed3b8904224021a , < 8ba827e09eb586e952d10e39406fa02d10bb591e (git) Affected: 1f403699c40f0806a707a9a6eed3b8904224021a , < 926d002e6d7e2f1fd5c1b53cf6208153ee7d380d (git) Affected: fae58d0155a979a8c414bbc12db09dd4b2f910d0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_drm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5a896f8315de358a2932e2c23c42d550256046a",
"status": "affected",
"version": "7d98166183d627c0b9daca7672b2191fae0f8a03",
"versionType": "git"
},
{
"lessThan": "0142fe895986addf35885b43440718e567121155",
"status": "affected",
"version": "31ce7c089b50c3d3056c37e0e25e7535e4428ae1",
"versionType": "git"
},
{
"lessThan": "8ba827e09eb586e952d10e39406fa02d10bb591e",
"status": "affected",
"version": "1f403699c40f0806a707a9a6eed3b8904224021a",
"versionType": "git"
},
{
"lessThan": "926d002e6d7e2f1fd5c1b53cf6208153ee7d380d",
"status": "affected",
"version": "1f403699c40f0806a707a9a6eed3b8904224021a",
"versionType": "git"
},
{
"status": "affected",
"version": "fae58d0155a979a8c414bbc12db09dd4b2f910d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_drm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.12.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix device use-after-free on unbind\n\nA recent change fixed device reference leaks when looking up drm\nplatform device driver data during bind() but failed to remove a partial\nfix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix\nkobject put for component sub-drivers\").\n\nThis results in a reference imbalance on component bind() failures and\non unbind() which could lead to a user-after-free.\n\nMake sure to only drop the references after retrieving the driver data\nby effectively reverting the previous partial fix.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:43.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5a896f8315de358a2932e2c23c42d550256046a"
},
{
"url": "https://git.kernel.org/stable/c/0142fe895986addf35885b43440718e567121155"
},
{
"url": "https://git.kernel.org/stable/c/8ba827e09eb586e952d10e39406fa02d10bb591e"
},
{
"url": "https://git.kernel.org/stable/c/926d002e6d7e2f1fd5c1b53cf6208153ee7d380d"
}
],
"title": "drm/mediatek: Fix device use-after-free on unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40316",
"datePublished": "2025-12-08T00:46:43.210Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:43.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50640 (GCVE-0-2022-50640)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
mmc: core: Fix kernel panic when remove non-standard SDIO card
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: core: Fix kernel panic when remove non-standard SDIO card
SDIO tuple is only allocated for standard SDIO card, especially it causes
memory corruption issues when the non-standard SDIO card has removed, which
is because the card device's reference counter does not increase for it at
sdio_init_func(), but all SDIO card device reference counter gets decreased
at sdio_release_func().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < b8b2965932e702b21e335ff30e1bb550f5a23b6f
(git)
Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < b3275dde570b6420106a715bb58a0af041b94d95 (git) Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 1fb79478695d92bab1c120ad3dad05252b02a29d (git) Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 7a09c64b7da0abdec3919812e3d93ecc44069ed0 (git) Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 8bf037279b5869ae9331c42bb1527d2680ebba96 (git) Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 1e8cd93ae536581562bab4e1d8c5315bbc2548bf (git) Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 66d461a92f32b6995b630625d350259b6b1f961b (git) Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 9972e6b404884adae9eec7463e30d9b3c9a70b18 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/core/sdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8b2965932e702b21e335ff30e1bb550f5a23b6f",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "b3275dde570b6420106a715bb58a0af041b94d95",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "1fb79478695d92bab1c120ad3dad05252b02a29d",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "7a09c64b7da0abdec3919812e3d93ecc44069ed0",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "8bf037279b5869ae9331c42bb1527d2680ebba96",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "1e8cd93ae536581562bab4e1d8c5315bbc2548bf",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "66d461a92f32b6995b630625d350259b6b1f961b",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
},
{
"lessThan": "9972e6b404884adae9eec7463e30d9b3c9a70b18",
"status": "affected",
"version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/core/sdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.332",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.332",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.298",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Fix kernel panic when remove non-standard SDIO card\n\nSDIO tuple is only allocated for standard SDIO card, especially it causes\nmemory corruption issues when the non-standard SDIO card has removed, which\nis because the card device\u0027s reference counter does not increase for it at\nsdio_init_func(), but all SDIO card device reference counter gets decreased\nat sdio_release_func()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:13.871Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8b2965932e702b21e335ff30e1bb550f5a23b6f"
},
{
"url": "https://git.kernel.org/stable/c/b3275dde570b6420106a715bb58a0af041b94d95"
},
{
"url": "https://git.kernel.org/stable/c/1fb79478695d92bab1c120ad3dad05252b02a29d"
},
{
"url": "https://git.kernel.org/stable/c/7a09c64b7da0abdec3919812e3d93ecc44069ed0"
},
{
"url": "https://git.kernel.org/stable/c/8bf037279b5869ae9331c42bb1527d2680ebba96"
},
{
"url": "https://git.kernel.org/stable/c/1e8cd93ae536581562bab4e1d8c5315bbc2548bf"
},
{
"url": "https://git.kernel.org/stable/c/66d461a92f32b6995b630625d350259b6b1f961b"
},
{
"url": "https://git.kernel.org/stable/c/9972e6b404884adae9eec7463e30d9b3c9a70b18"
}
],
"title": "mmc: core: Fix kernel panic when remove non-standard SDIO card",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50640",
"datePublished": "2025-12-09T00:00:13.871Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-09T00:00:13.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50876 (GCVE-0-2022-50876)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-02 15:05
VLAI?
EPSS
Title
usb: musb: Fix musb_gadget.c rxstate overflow bug
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: musb: Fix musb_gadget.c rxstate overflow bug
The usb function device call musb_gadget_queue() adds the passed
request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz)
and (is_buffer_mapped(req) return false),the rxstate() will copy all data
in fifo to request->buf which may cause request->buf out of bounds.
Fix it by add the length check :
fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < 826f84ab04a5cafe484ea9c2c85a3930068e5cb7
(git)
Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < a1008c8b9f357691ce6a8fdb8f157aecb2d79167 (git) Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < 7c80f3a918ba9aa26fb699ee887064ec3af0396a (git) Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < d6afcab1b48f4051211c50145b9e91be3b1b42c9 (git) Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < acf0006f2b2b2ca672988875fd154429aafb2a9b (git) Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < 3c84c7f592c4ba38f54ddaddd0115acc443025db (git) Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < a9ccd2ab1becf5dcb6d57e9fcd981f5eaa606c96 (git) Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < 523313881f0aa5cbbdb548ce575b6e58b202bd76 (git) Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < eea4c860c3b366369eff0489d94ee4f0571d467d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/musb/musb_gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "826f84ab04a5cafe484ea9c2c85a3930068e5cb7",
"status": "affected",
"version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
"versionType": "git"
},
{
"lessThan": "a1008c8b9f357691ce6a8fdb8f157aecb2d79167",
"status": "affected",
"version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
"versionType": "git"
},
{
"lessThan": "7c80f3a918ba9aa26fb699ee887064ec3af0396a",
"status": "affected",
"version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
"versionType": "git"
},
{
"lessThan": "d6afcab1b48f4051211c50145b9e91be3b1b42c9",
"status": "affected",
"version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
"versionType": "git"
},
{
"lessThan": "acf0006f2b2b2ca672988875fd154429aafb2a9b",
"status": "affected",
"version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
"versionType": "git"
},
{
"lessThan": "3c84c7f592c4ba38f54ddaddd0115acc443025db",
"status": "affected",
"version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
"versionType": "git"
},
{
"lessThan": "a9ccd2ab1becf5dcb6d57e9fcd981f5eaa606c96",
"status": "affected",
"version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
"versionType": "git"
},
{
"lessThan": "523313881f0aa5cbbdb548ce575b6e58b202bd76",
"status": "affected",
"version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
"versionType": "git"
},
{
"lessThan": "eea4c860c3b366369eff0489d94ee4f0571d467d",
"status": "affected",
"version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/musb/musb_gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: Fix musb_gadget.c rxstate overflow bug\n\nThe usb function device call musb_gadget_queue() adds the passed\nrequest to musb_ep::req_list,If the (request-\u003elength \u003e musb_ep-\u003epacket_sz)\nand (is_buffer_mapped(req) return false),the rxstate() will copy all data\nin fifo to request-\u003ebuf which may cause request-\u003ebuf out of bounds.\n\nFix it by add the length check :\nfifocnt = min_t(unsigned, request-\u003elength - request-\u003eactual, fifocnt);"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:05:10.481Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/826f84ab04a5cafe484ea9c2c85a3930068e5cb7"
},
{
"url": "https://git.kernel.org/stable/c/a1008c8b9f357691ce6a8fdb8f157aecb2d79167"
},
{
"url": "https://git.kernel.org/stable/c/7c80f3a918ba9aa26fb699ee887064ec3af0396a"
},
{
"url": "https://git.kernel.org/stable/c/d6afcab1b48f4051211c50145b9e91be3b1b42c9"
},
{
"url": "https://git.kernel.org/stable/c/acf0006f2b2b2ca672988875fd154429aafb2a9b"
},
{
"url": "https://git.kernel.org/stable/c/3c84c7f592c4ba38f54ddaddd0115acc443025db"
},
{
"url": "https://git.kernel.org/stable/c/a9ccd2ab1becf5dcb6d57e9fcd981f5eaa606c96"
},
{
"url": "https://git.kernel.org/stable/c/523313881f0aa5cbbdb548ce575b6e58b202bd76"
},
{
"url": "https://git.kernel.org/stable/c/eea4c860c3b366369eff0489d94ee4f0571d467d"
}
],
"title": "usb: musb: Fix musb_gadget.c rxstate overflow bug",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50876",
"datePublished": "2025-12-30T12:23:16.790Z",
"dateReserved": "2025-12-30T12:06:07.137Z",
"dateUpdated": "2026-01-02T15:05:10.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53843 (GCVE-0-2023-53843)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
net: openvswitch: reject negative ifindex
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: reject negative ifindex
Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs
in an xarray")) refactored the handling of pre-assigned ifindexes
and let syzbot surface a latent problem in ovs. ovs does not validate
ifindex, making it possible to create netdev ports with negative
ifindex values. It's easy to repro with YNL:
$ ./cli.py --spec netlink/specs/ovs_datapath.yaml \
--do new \
--json '{"upcall-pid": 1, "name":"my-dp"}'
$ ./cli.py --spec netlink/specs/ovs_vport.yaml \
--do new \
--json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}'
$ ip link show
-65536: some-port0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff
...
Validate the inputs. Now the second command correctly returns:
$ ./cli.py --spec netlink/specs/ovs_vport.yaml \
--do new \
--json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}'
lib.ynl.NlError: Netlink error: Numerical result out of range
nl_len = 108 (92) nl_flags = 0x300 nl_type = 2
error: -34 extack: {'msg': 'integer out of range', 'unknown': [[type:4 len:36] b'\x0c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x03\x00\xff\xff\xff\x7f\x00\x00\x00\x00\x08\x00\x01\x00\x08\x00\x00\x00'], 'bad-attr': '.ifindex'}
Accept 0 since it used to be silently ignored.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
54c4ef34c4b6f9720fded620e2893894f9f2c554 , < c965a58376146dcfdda186819462e8eb3aadef3a
(git)
Affected: 54c4ef34c4b6f9720fded620e2893894f9f2c554 , < 881faff9e548a7ddfb11595be7c1c649217d27db (git) Affected: 54c4ef34c4b6f9720fded620e2893894f9f2c554 , < a552bfa16bab4ce901ee721346a28c4e483f4066 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c965a58376146dcfdda186819462e8eb3aadef3a",
"status": "affected",
"version": "54c4ef34c4b6f9720fded620e2893894f9f2c554",
"versionType": "git"
},
{
"lessThan": "881faff9e548a7ddfb11595be7c1c649217d27db",
"status": "affected",
"version": "54c4ef34c4b6f9720fded620e2893894f9f2c554",
"versionType": "git"
},
{
"lessThan": "a552bfa16bab4ce901ee721346a28c4e483f4066",
"status": "affected",
"version": "54c4ef34c4b6f9720fded620e2893894f9f2c554",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: reject negative ifindex\n\nRecent changes in net-next (commit 759ab1edb56c (\"net: store netdevs\nin an xarray\")) refactored the handling of pre-assigned ifindexes\nand let syzbot surface a latent problem in ovs. ovs does not validate\nifindex, making it possible to create netdev ports with negative\nifindex values. It\u0027s easy to repro with YNL:\n\n$ ./cli.py --spec netlink/specs/ovs_datapath.yaml \\\n --do new \\\n\t --json \u0027{\"upcall-pid\": 1, \"name\":\"my-dp\"}\u0027\n$ ./cli.py --spec netlink/specs/ovs_vport.yaml \\\n\t --do new \\\n\t --json \u0027{\"upcall-pid\": \"00000001\", \"name\": \"some-port0\", \"dp-ifindex\":3,\"ifindex\":4294901760,\"type\":2}\u0027\n\n$ ip link show\n-65536: some-port0: \u003cBROADCAST,MULTICAST\u003e mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\n link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff\n...\n\nValidate the inputs. Now the second command correctly returns:\n\n$ ./cli.py --spec netlink/specs/ovs_vport.yaml \\\n\t --do new \\\n\t --json \u0027{\"upcall-pid\": \"00000001\", \"name\": \"some-port0\", \"dp-ifindex\":3,\"ifindex\":4294901760,\"type\":2}\u0027\n\nlib.ynl.NlError: Netlink error: Numerical result out of range\nnl_len = 108 (92) nl_flags = 0x300 nl_type = 2\n\terror: -34\textack: {\u0027msg\u0027: \u0027integer out of range\u0027, \u0027unknown\u0027: [[type:4 len:36] b\u0027\\x0c\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x03\\x00\\xff\\xff\\xff\\x7f\\x00\\x00\\x00\\x00\\x08\\x00\\x01\\x00\\x08\\x00\\x00\\x00\u0027], \u0027bad-attr\u0027: \u0027.ifindex\u0027}\n\nAccept 0 since it used to be silently ignored."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:05.698Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c965a58376146dcfdda186819462e8eb3aadef3a"
},
{
"url": "https://git.kernel.org/stable/c/881faff9e548a7ddfb11595be7c1c649217d27db"
},
{
"url": "https://git.kernel.org/stable/c/a552bfa16bab4ce901ee721346a28c4e483f4066"
}
],
"title": "net: openvswitch: reject negative ifindex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53843",
"datePublished": "2025-12-09T01:30:05.698Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:30:05.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53850 (GCVE-0-2023-53850)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
iavf: use internal state to free traffic IRQs
Summary
In the Linux kernel, the following vulnerability has been resolved:
iavf: use internal state to free traffic IRQs
If the system tries to close the netdev while iavf_reset_task() is
running, __LINK_STATE_START will be cleared and netif_running() will
return false in iavf_reinit_interrupt_scheme(). This will result in
iavf_free_traffic_irqs() not being called and a leak as follows:
[7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0'
[7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0
is shown when pci_disable_msix() is later called. Fix by using the
internal adapter state. The traffic IRQs will always exist if
state == __IAVF_RUNNING.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5b36e8d04b4439c9ceb814bfdfe1284737f9c632 , < 6d9d01689b82ff5cb8f8d2a82717d7997bc0bfff
(git)
Affected: 5b36e8d04b4439c9ceb814bfdfe1284737f9c632 , < 5e9db32eec628481f5da97a5b1aedb84a5240d18 (git) Affected: 5b36e8d04b4439c9ceb814bfdfe1284737f9c632 , < a77ed5c5b768e9649be240a2d864e5cd9c6a2015 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6d9d01689b82ff5cb8f8d2a82717d7997bc0bfff",
"status": "affected",
"version": "5b36e8d04b4439c9ceb814bfdfe1284737f9c632",
"versionType": "git"
},
{
"lessThan": "5e9db32eec628481f5da97a5b1aedb84a5240d18",
"status": "affected",
"version": "5b36e8d04b4439c9ceb814bfdfe1284737f9c632",
"versionType": "git"
},
{
"lessThan": "a77ed5c5b768e9649be240a2d864e5cd9c6a2015",
"status": "affected",
"version": "5b36e8d04b4439c9ceb814bfdfe1284737f9c632",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/iavf/iavf_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: use internal state to free traffic IRQs\n\nIf the system tries to close the netdev while iavf_reset_task() is\nrunning, __LINK_STATE_START will be cleared and netif_running() will\nreturn false in iavf_reinit_interrupt_scheme(). This will result in\niavf_free_traffic_irqs() not being called and a leak as follows:\n\n [7632.489326] remove_proc_entry: removing non-empty directory \u0027irq/999\u0027, leaking at least \u0027iavf-enp24s0f0v0-TxRx-0\u0027\n [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0\n\nis shown when pci_disable_msix() is later called. Fix by using the\ninternal adapter state. The traffic IRQs will always exist if\nstate == __IAVF_RUNNING."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:14.740Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6d9d01689b82ff5cb8f8d2a82717d7997bc0bfff"
},
{
"url": "https://git.kernel.org/stable/c/5e9db32eec628481f5da97a5b1aedb84a5240d18"
},
{
"url": "https://git.kernel.org/stable/c/a77ed5c5b768e9649be240a2d864e5cd9c6a2015"
}
],
"title": "iavf: use internal state to free traffic IRQs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53850",
"datePublished": "2025-12-09T01:30:14.740Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:14.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40242 (GCVE-0-2025-40242)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
gfs2: Fix unlikely race in gdlm_put_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Fix unlikely race in gdlm_put_lock
In gdlm_put_lock(), there is a small window of time in which the
DFL_UNMOUNT flag has been set but the lockspace hasn't been released,
yet. In that window, dlm may still call gdlm_ast() and gdlm_bast().
To prevent it from dereferencing freed glock objects, only free the
glock if the lockspace has actually been released.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d1340f80f0b8066321b499a376780da00560e857 , < 279bde3bbb0ac0bad5c729dfa85983d75a5d7641
(git)
Affected: d1340f80f0b8066321b499a376780da00560e857 , < 64c61b4ac645222fa7b724cef616c1f862a72a40 (git) Affected: d1340f80f0b8066321b499a376780da00560e857 , < 28c4d9bc0708956c1a736a9e49fee71b65deee81 (git) Affected: 6aa628c45875e7b8cca81ed9447a12a0e8f3504a (git) Affected: a97e75203733be0a4263a78fb7b29352be150c1c (git) Affected: 3554b46204e67333e1fb8be0e93936fb08267c80 (git) Affected: 5cff77b9827a956d076168b56775aad23bce87e4 (git) Affected: 8deedce385d220f90e435f534d71d27526273515 (git) Affected: 2225a5cd2fbc2ef0e0f78e585db3844f60416a39 (git) Affected: 02e838963fdaa6ce8570b5389aecdc6cf1fb40b0 (git) Affected: 01eb3106f43335fdc02111358dae80a5c3fd324d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/lock_dlm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "279bde3bbb0ac0bad5c729dfa85983d75a5d7641",
"status": "affected",
"version": "d1340f80f0b8066321b499a376780da00560e857",
"versionType": "git"
},
{
"lessThan": "64c61b4ac645222fa7b724cef616c1f862a72a40",
"status": "affected",
"version": "d1340f80f0b8066321b499a376780da00560e857",
"versionType": "git"
},
{
"lessThan": "28c4d9bc0708956c1a736a9e49fee71b65deee81",
"status": "affected",
"version": "d1340f80f0b8066321b499a376780da00560e857",
"versionType": "git"
},
{
"status": "affected",
"version": "6aa628c45875e7b8cca81ed9447a12a0e8f3504a",
"versionType": "git"
},
{
"status": "affected",
"version": "a97e75203733be0a4263a78fb7b29352be150c1c",
"versionType": "git"
},
{
"status": "affected",
"version": "3554b46204e67333e1fb8be0e93936fb08267c80",
"versionType": "git"
},
{
"status": "affected",
"version": "5cff77b9827a956d076168b56775aad23bce87e4",
"versionType": "git"
},
{
"status": "affected",
"version": "8deedce385d220f90e435f534d71d27526273515",
"versionType": "git"
},
{
"status": "affected",
"version": "2225a5cd2fbc2ef0e0f78e585db3844f60416a39",
"versionType": "git"
},
{
"status": "affected",
"version": "02e838963fdaa6ce8570b5389aecdc6cf1fb40b0",
"versionType": "git"
},
{
"status": "affected",
"version": "01eb3106f43335fdc02111358dae80a5c3fd324d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/lock_dlm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.247",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix unlikely race in gdlm_put_lock\n\nIn gdlm_put_lock(), there is a small window of time in which the\nDFL_UNMOUNT flag has been set but the lockspace hasn\u0027t been released,\nyet. In that window, dlm may still call gdlm_ast() and gdlm_bast().\nTo prevent it from dereferencing freed glock objects, only free the\nglock if the lockspace has actually been released."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:11.131Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/279bde3bbb0ac0bad5c729dfa85983d75a5d7641"
},
{
"url": "https://git.kernel.org/stable/c/64c61b4ac645222fa7b724cef616c1f862a72a40"
},
{
"url": "https://git.kernel.org/stable/c/28c4d9bc0708956c1a736a9e49fee71b65deee81"
}
],
"title": "gfs2: Fix unlikely race in gdlm_put_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40242",
"datePublished": "2025-12-04T15:31:31.497Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-01-02T15:33:11.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54122 (GCVE-0-2023-54122)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
drm/msm/dpu: Add check for cstate
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dpu: Add check for cstate
As kzalloc may fail and return NULL pointer,
it should be better to check cstate
in order to avoid the NULL pointer dereference
in __drm_atomic_helper_crtc_reset.
Patchwork: https://patchwork.freedesktop.org/patch/514163/
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1cff7440a86e04a613665803b42034c467f035fa , < a6afb8293ec0932f4ed0b7aecfc0ccc00f44dc2b
(git)
Affected: 1cff7440a86e04a613665803b42034c467f035fa , < 31f2f8de0ea7387cde18a24f94ba5e0b886b9842 (git) Affected: 1cff7440a86e04a613665803b42034c467f035fa , < d4ba50614cb3f0686bbdb505af685d78e75861dc (git) Affected: 1cff7440a86e04a613665803b42034c467f035fa , < 42442d42c57b9fbc35cb5ef72c7e5347c5f7d082 (git) Affected: 1cff7440a86e04a613665803b42034c467f035fa , < a52e5a002d18bffabff66f6f59a74f8e9aac5afe (git) Affected: 1cff7440a86e04a613665803b42034c467f035fa , < c96988b7d99327bb08bd9efd29a203b22cd88ace (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6afb8293ec0932f4ed0b7aecfc0ccc00f44dc2b",
"status": "affected",
"version": "1cff7440a86e04a613665803b42034c467f035fa",
"versionType": "git"
},
{
"lessThan": "31f2f8de0ea7387cde18a24f94ba5e0b886b9842",
"status": "affected",
"version": "1cff7440a86e04a613665803b42034c467f035fa",
"versionType": "git"
},
{
"lessThan": "d4ba50614cb3f0686bbdb505af685d78e75861dc",
"status": "affected",
"version": "1cff7440a86e04a613665803b42034c467f035fa",
"versionType": "git"
},
{
"lessThan": "42442d42c57b9fbc35cb5ef72c7e5347c5f7d082",
"status": "affected",
"version": "1cff7440a86e04a613665803b42034c467f035fa",
"versionType": "git"
},
{
"lessThan": "a52e5a002d18bffabff66f6f59a74f8e9aac5afe",
"status": "affected",
"version": "1cff7440a86e04a613665803b42034c467f035fa",
"versionType": "git"
},
{
"lessThan": "c96988b7d99327bb08bd9efd29a203b22cd88ace",
"status": "affected",
"version": "1cff7440a86e04a613665803b42034c467f035fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add check for cstate\n\nAs kzalloc may fail and return NULL pointer,\nit should be better to check cstate\nin order to avoid the NULL pointer dereference\nin __drm_atomic_helper_crtc_reset.\n\nPatchwork: https://patchwork.freedesktop.org/patch/514163/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:41.900Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6afb8293ec0932f4ed0b7aecfc0ccc00f44dc2b"
},
{
"url": "https://git.kernel.org/stable/c/31f2f8de0ea7387cde18a24f94ba5e0b886b9842"
},
{
"url": "https://git.kernel.org/stable/c/d4ba50614cb3f0686bbdb505af685d78e75861dc"
},
{
"url": "https://git.kernel.org/stable/c/42442d42c57b9fbc35cb5ef72c7e5347c5f7d082"
},
{
"url": "https://git.kernel.org/stable/c/a52e5a002d18bffabff66f6f59a74f8e9aac5afe"
},
{
"url": "https://git.kernel.org/stable/c/c96988b7d99327bb08bd9efd29a203b22cd88ace"
}
],
"title": "drm/msm/dpu: Add check for cstate",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54122",
"datePublished": "2025-12-24T13:06:41.900Z",
"dateReserved": "2025-12-24T13:02:52.521Z",
"dateUpdated": "2025-12-24T13:06:41.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40347 (GCVE-0-2025-40347)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-16 13:30
VLAI?
EPSS
Title
net: enetc: fix the deadlock of enetc_mdio_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: enetc: fix the deadlock of enetc_mdio_lock
After applying the workaround for err050089, the LS1028A platform
experiences RCU stalls on RT kernel. This issue is caused by the
recursive acquisition of the read lock enetc_mdio_lock. Here list some
of the call stacks identified under the enetc_poll path that may lead to
a deadlock:
enetc_poll
-> enetc_lock_mdio
-> enetc_clean_rx_ring OR napi_complete_done
-> napi_gro_receive
-> enetc_start_xmit
-> enetc_lock_mdio
-> enetc_map_tx_buffs
-> enetc_unlock_mdio
-> enetc_unlock_mdio
After enetc_poll acquires the read lock, a higher-priority writer attempts
to acquire the lock, causing preemption. The writer detects that a
read lock is already held and is scheduled out. However, readers under
enetc_poll cannot acquire the read lock again because a writer is already
waiting, leading to a thread hang.
Currently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent
recursive lock acquisition.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 2781ca82ce8cad263d80b617addb727e6a84c9e5
(git)
Affected: 6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 1f92f5bd057a4fad9dab6af17963cdd21e5da6ed (git) Affected: 6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa (git) Affected: 6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 50bd33f6b3922a6b760aa30d409cae891cec8fb5 (git) Affected: bf9c564716a13dde6a990d3b02c27cd6e39608bf (git) Affected: ff966263f5f9fdf9740f03fed0762ce73c230a6a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/enetc/enetc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2781ca82ce8cad263d80b617addb727e6a84c9e5",
"status": "affected",
"version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
"versionType": "git"
},
{
"lessThan": "1f92f5bd057a4fad9dab6af17963cdd21e5da6ed",
"status": "affected",
"version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
"versionType": "git"
},
{
"lessThan": "2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa",
"status": "affected",
"version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
"versionType": "git"
},
{
"lessThan": "50bd33f6b3922a6b760aa30d409cae891cec8fb5",
"status": "affected",
"version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
"versionType": "git"
},
{
"status": "affected",
"version": "bf9c564716a13dde6a990d3b02c27cd6e39608bf",
"versionType": "git"
},
{
"status": "affected",
"version": "ff966263f5f9fdf9740f03fed0762ce73c230a6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/enetc/enetc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: fix the deadlock of enetc_mdio_lock\n\nAfter applying the workaround for err050089, the LS1028A platform\nexperiences RCU stalls on RT kernel. This issue is caused by the\nrecursive acquisition of the read lock enetc_mdio_lock. Here list some\nof the call stacks identified under the enetc_poll path that may lead to\na deadlock:\n\nenetc_poll\n -\u003e enetc_lock_mdio\n -\u003e enetc_clean_rx_ring OR napi_complete_done\n -\u003e napi_gro_receive\n -\u003e enetc_start_xmit\n -\u003e enetc_lock_mdio\n -\u003e enetc_map_tx_buffs\n -\u003e enetc_unlock_mdio\n -\u003e enetc_unlock_mdio\n\nAfter enetc_poll acquires the read lock, a higher-priority writer attempts\nto acquire the lock, causing preemption. The writer detects that a\nread lock is already held and is scheduled out. However, readers under\nenetc_poll cannot acquire the read lock again because a writer is already\nwaiting, leading to a thread hang.\n\nCurrently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent\nrecursive lock acquisition."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:30:21.539Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2781ca82ce8cad263d80b617addb727e6a84c9e5"
},
{
"url": "https://git.kernel.org/stable/c/1f92f5bd057a4fad9dab6af17963cdd21e5da6ed"
},
{
"url": "https://git.kernel.org/stable/c/2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa"
},
{
"url": "https://git.kernel.org/stable/c/50bd33f6b3922a6b760aa30d409cae891cec8fb5"
}
],
"title": "net: enetc: fix the deadlock of enetc_mdio_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40347",
"datePublished": "2025-12-16T13:30:21.539Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:30:21.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54138 (GCVE-0-2023-54138)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
drm/msm: fix NULL-deref on irq uninstall
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: fix NULL-deref on irq uninstall
In case of early initialisation errors and on platforms that do not use
the DPU controller, the deinitilisation code can be called with the kms
pointer set to NULL.
Patchwork: https://patchwork.freedesktop.org/patch/525104/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f026e431cf861197dc03217d1920b38b80b31dd9 , < e2d1cc82ad509c07a9ab0ab4bf88b6613fbf784b
(git)
Affected: f026e431cf861197dc03217d1920b38b80b31dd9 , < dd8ce825b165acf997689c5ffa45d6a7a1fc0260 (git) Affected: f026e431cf861197dc03217d1920b38b80b31dd9 , < bafa985acff9b0ed53957beff33c18be08d6b9a6 (git) Affected: f026e431cf861197dc03217d1920b38b80b31dd9 , < 72092e34742e8b34accdadfa7bd9a13cf255a531 (git) Affected: f026e431cf861197dc03217d1920b38b80b31dd9 , < cd459c005de3e2b855a8cc7768e633ce9d018e9f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2d1cc82ad509c07a9ab0ab4bf88b6613fbf784b",
"status": "affected",
"version": "f026e431cf861197dc03217d1920b38b80b31dd9",
"versionType": "git"
},
{
"lessThan": "dd8ce825b165acf997689c5ffa45d6a7a1fc0260",
"status": "affected",
"version": "f026e431cf861197dc03217d1920b38b80b31dd9",
"versionType": "git"
},
{
"lessThan": "bafa985acff9b0ed53957beff33c18be08d6b9a6",
"status": "affected",
"version": "f026e431cf861197dc03217d1920b38b80b31dd9",
"versionType": "git"
},
{
"lessThan": "72092e34742e8b34accdadfa7bd9a13cf255a531",
"status": "affected",
"version": "f026e431cf861197dc03217d1920b38b80b31dd9",
"versionType": "git"
},
{
"lessThan": "cd459c005de3e2b855a8cc7768e633ce9d018e9f",
"status": "affected",
"version": "f026e431cf861197dc03217d1920b38b80b31dd9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.112",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix NULL-deref on irq uninstall\n\nIn case of early initialisation errors and on platforms that do not use\nthe DPU controller, the deinitilisation code can be called with the kms\npointer set to NULL.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525104/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:53.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2d1cc82ad509c07a9ab0ab4bf88b6613fbf784b"
},
{
"url": "https://git.kernel.org/stable/c/dd8ce825b165acf997689c5ffa45d6a7a1fc0260"
},
{
"url": "https://git.kernel.org/stable/c/bafa985acff9b0ed53957beff33c18be08d6b9a6"
},
{
"url": "https://git.kernel.org/stable/c/72092e34742e8b34accdadfa7bd9a13cf255a531"
},
{
"url": "https://git.kernel.org/stable/c/cd459c005de3e2b855a8cc7768e633ce9d018e9f"
}
],
"title": "drm/msm: fix NULL-deref on irq uninstall",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54138",
"datePublished": "2025-12-24T13:06:53.365Z",
"dateReserved": "2025-12-24T13:02:52.522Z",
"dateUpdated": "2025-12-24T13:06:53.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54058 (GCVE-0-2023-54058)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
firmware: arm_ffa: Check if ffa_driver remove is present before executing
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_ffa: Check if ffa_driver remove is present before executing
Currently ffa_drv->remove() is called unconditionally from
ffa_device_remove(). Since the driver registration doesn't check for it
and allows it to be registered without .remove callback, we need to check
for the presence of it before executing it from ffa_device_remove() to
above a NULL pointer dereference like the one below:
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
| Mem abort info:
| ESR = 0x0000000086000004
| EC = 0x21: IABT (current EL), IL = 32 bits
| SET = 0, FnV = 0
| EA = 0, S1PTW = 0
| FSC = 0x04: level 0 translation fault
| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000
| [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
| Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
| CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6
| Hardware name: FVP Base RevC (DT)
| pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c)
| pc : 0x0
| lr : ffa_device_remove+0x20/0x2c
| Call trace:
| 0x0
| device_release_driver_internal+0x16c/0x260
| driver_detach+0x90/0xd0
| bus_remove_driver+0xdc/0x11c
| driver_unregister+0x30/0x54
| ffa_driver_unregister+0x14/0x20
| cleanup_module+0x18/0xeec
| __arm64_sys_delete_module+0x234/0x378
| invoke_syscall+0x40/0x108
| el0_svc_common+0xb4/0xf0
| do_el0_svc+0x30/0xa4
| el0_svc+0x2c/0x7c
| el0t_64_sync_handler+0x84/0xf0
| el0t_64_sync+0x190/0x194
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
244f5d597e1ea519c2085fbd9819458688775e42 , < 6a26c62625c59b8dd7f52c518cb4f60a63470a0e
(git)
Affected: 244f5d597e1ea519c2085fbd9819458688775e42 , < ad73dc7263ea90302d6c7eeb7e9f7cbcfa0b0617 (git) Affected: 244f5d597e1ea519c2085fbd9819458688775e42 , < 48399c297c46b4c8e77ebcf071bb586a42d0ca4e (git) Affected: 244f5d597e1ea519c2085fbd9819458688775e42 , < b71b55248a580e9c9befc4ae060539f1f8e477da (git) Affected: 06560ba731e2775441c6dc9f0bf39f9f3606fbb7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/arm_ffa/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6a26c62625c59b8dd7f52c518cb4f60a63470a0e",
"status": "affected",
"version": "244f5d597e1ea519c2085fbd9819458688775e42",
"versionType": "git"
},
{
"lessThan": "ad73dc7263ea90302d6c7eeb7e9f7cbcfa0b0617",
"status": "affected",
"version": "244f5d597e1ea519c2085fbd9819458688775e42",
"versionType": "git"
},
{
"lessThan": "48399c297c46b4c8e77ebcf071bb586a42d0ca4e",
"status": "affected",
"version": "244f5d597e1ea519c2085fbd9819458688775e42",
"versionType": "git"
},
{
"lessThan": "b71b55248a580e9c9befc4ae060539f1f8e477da",
"status": "affected",
"version": "244f5d597e1ea519c2085fbd9819458688775e42",
"versionType": "git"
},
{
"status": "affected",
"version": "06560ba731e2775441c6dc9f0bf39f9f3606fbb7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/arm_ffa/bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_ffa: Check if ffa_driver remove is present before executing\n\nCurrently ffa_drv-\u003eremove() is called unconditionally from\nffa_device_remove(). Since the driver registration doesn\u0027t check for it\nand allows it to be registered without .remove callback, we need to check\nfor the presence of it before executing it from ffa_device_remove() to\nabove a NULL pointer dereference like the one below:\n\n | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n | Mem abort info:\n | ESR = 0x0000000086000004\n | EC = 0x21: IABT (current EL), IL = 32 bits\n | SET = 0, FnV = 0\n | EA = 0, S1PTW = 0\n | FSC = 0x04: level 0 translation fault\n | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000\n | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n | Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP\n | CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6\n | Hardware name: FVP Base RevC (DT)\n | pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c)\n | pc : 0x0\n | lr : ffa_device_remove+0x20/0x2c\n | Call trace:\n | 0x0\n | device_release_driver_internal+0x16c/0x260\n | driver_detach+0x90/0xd0\n | bus_remove_driver+0xdc/0x11c\n | driver_unregister+0x30/0x54\n | ffa_driver_unregister+0x14/0x20\n | cleanup_module+0x18/0xeec\n | __arm64_sys_delete_module+0x234/0x378\n | invoke_syscall+0x40/0x108\n | el0_svc_common+0xb4/0xf0\n | do_el0_svc+0x30/0xa4\n | el0_svc+0x2c/0x7c\n | el0t_64_sync_handler+0x84/0xf0\n | el0t_64_sync+0x190/0x194"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:05.899Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6a26c62625c59b8dd7f52c518cb4f60a63470a0e"
},
{
"url": "https://git.kernel.org/stable/c/ad73dc7263ea90302d6c7eeb7e9f7cbcfa0b0617"
},
{
"url": "https://git.kernel.org/stable/c/48399c297c46b4c8e77ebcf071bb586a42d0ca4e"
},
{
"url": "https://git.kernel.org/stable/c/b71b55248a580e9c9befc4ae060539f1f8e477da"
}
],
"title": "firmware: arm_ffa: Check if ffa_driver remove is present before executing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54058",
"datePublished": "2025-12-24T12:23:05.899Z",
"dateReserved": "2025-12-24T12:21:05.091Z",
"dateUpdated": "2025-12-24T12:23:05.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54044 (GCVE-0-2023-54044)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
spmi: Add a check for remove callback when removing a SPMI driver
Summary
In the Linux kernel, the following vulnerability has been resolved:
spmi: Add a check for remove callback when removing a SPMI driver
When removing a SPMI driver, there can be a crash due to NULL pointer
dereference if it does not have a remove callback defined. This is
one such call trace observed when removing the QCOM SPMI PMIC driver:
dump_backtrace.cfi_jt+0x0/0x8
dump_stack_lvl+0xd8/0x16c
panic+0x188/0x498
__cfi_slowpath+0x0/0x214
__cfi_slowpath+0x1dc/0x214
spmi_drv_remove+0x16c/0x1e0
device_release_driver_internal+0x468/0x79c
driver_detach+0x11c/0x1a0
bus_remove_driver+0xc4/0x124
driver_unregister+0x58/0x84
cleanup_module+0x1c/0xc24 [qcom_spmi_pmic]
__do_sys_delete_module+0x3ec/0x53c
__arm64_sys_delete_module+0x18/0x28
el0_svc_common+0xdc/0x294
el0_svc+0x38/0x9c
el0_sync_handler+0x8c/0xf0
el0_sync+0x1b4/0x1c0
If a driver has all its resources allocated through devm_() APIs and
does not need any other explicit cleanup, it would not require a
remove callback to be defined. Hence, add a check for remove callback
presence before calling it when removing a SPMI driver.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5a86bf343976b9c8ab2f240bc866451fa67e5573 , < b95a69214daea4aab1c8bad96571d988a62e2c97
(git)
Affected: 5a86bf343976b9c8ab2f240bc866451fa67e5573 , < 699949219e35fe29fd42ccf8cd92c989c3d15109 (git) Affected: 5a86bf343976b9c8ab2f240bc866451fa67e5573 , < 54dda732225555dc6d660e95793c54a0a44b612c (git) Affected: 5a86bf343976b9c8ab2f240bc866451fa67e5573 , < c45ab3ab9c371c9ac22bbe1217e5abb2e55a3d4b (git) Affected: 5a86bf343976b9c8ab2f240bc866451fa67e5573 , < ee0b6146317a98bfec848d7bde5586beb245a38f (git) Affected: 5a86bf343976b9c8ab2f240bc866451fa67e5573 , < 428cc252701d6864151f3a296ffc23e1e49a7408 (git) Affected: 5a86bf343976b9c8ab2f240bc866451fa67e5573 , < af763c29b9e7040fedd0077bca053b101438a3a4 (git) Affected: 5a86bf343976b9c8ab2f240bc866451fa67e5573 , < 0f3ef30c1c05502f5de3b73b3715d5994845c1b4 (git) Affected: 5a86bf343976b9c8ab2f240bc866451fa67e5573 , < b56eef3e16d888883fefab47425036de80dd38fc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spmi/spmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b95a69214daea4aab1c8bad96571d988a62e2c97",
"status": "affected",
"version": "5a86bf343976b9c8ab2f240bc866451fa67e5573",
"versionType": "git"
},
{
"lessThan": "699949219e35fe29fd42ccf8cd92c989c3d15109",
"status": "affected",
"version": "5a86bf343976b9c8ab2f240bc866451fa67e5573",
"versionType": "git"
},
{
"lessThan": "54dda732225555dc6d660e95793c54a0a44b612c",
"status": "affected",
"version": "5a86bf343976b9c8ab2f240bc866451fa67e5573",
"versionType": "git"
},
{
"lessThan": "c45ab3ab9c371c9ac22bbe1217e5abb2e55a3d4b",
"status": "affected",
"version": "5a86bf343976b9c8ab2f240bc866451fa67e5573",
"versionType": "git"
},
{
"lessThan": "ee0b6146317a98bfec848d7bde5586beb245a38f",
"status": "affected",
"version": "5a86bf343976b9c8ab2f240bc866451fa67e5573",
"versionType": "git"
},
{
"lessThan": "428cc252701d6864151f3a296ffc23e1e49a7408",
"status": "affected",
"version": "5a86bf343976b9c8ab2f240bc866451fa67e5573",
"versionType": "git"
},
{
"lessThan": "af763c29b9e7040fedd0077bca053b101438a3a4",
"status": "affected",
"version": "5a86bf343976b9c8ab2f240bc866451fa67e5573",
"versionType": "git"
},
{
"lessThan": "0f3ef30c1c05502f5de3b73b3715d5994845c1b4",
"status": "affected",
"version": "5a86bf343976b9c8ab2f240bc866451fa67e5573",
"versionType": "git"
},
{
"lessThan": "b56eef3e16d888883fefab47425036de80dd38fc",
"status": "affected",
"version": "5a86bf343976b9c8ab2f240bc866451fa67e5573",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spmi/spmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: Add a check for remove callback when removing a SPMI driver\n\nWhen removing a SPMI driver, there can be a crash due to NULL pointer\ndereference if it does not have a remove callback defined. This is\none such call trace observed when removing the QCOM SPMI PMIC driver:\n\n dump_backtrace.cfi_jt+0x0/0x8\n dump_stack_lvl+0xd8/0x16c\n panic+0x188/0x498\n __cfi_slowpath+0x0/0x214\n __cfi_slowpath+0x1dc/0x214\n spmi_drv_remove+0x16c/0x1e0\n device_release_driver_internal+0x468/0x79c\n driver_detach+0x11c/0x1a0\n bus_remove_driver+0xc4/0x124\n driver_unregister+0x58/0x84\n cleanup_module+0x1c/0xc24 [qcom_spmi_pmic]\n __do_sys_delete_module+0x3ec/0x53c\n __arm64_sys_delete_module+0x18/0x28\n el0_svc_common+0xdc/0x294\n el0_svc+0x38/0x9c\n el0_sync_handler+0x8c/0xf0\n el0_sync+0x1b4/0x1c0\n\nIf a driver has all its resources allocated through devm_() APIs and\ndoes not need any other explicit cleanup, it would not require a\nremove callback to be defined. Hence, add a check for remove callback\npresence before calling it when removing a SPMI driver."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:56.072Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b95a69214daea4aab1c8bad96571d988a62e2c97"
},
{
"url": "https://git.kernel.org/stable/c/699949219e35fe29fd42ccf8cd92c989c3d15109"
},
{
"url": "https://git.kernel.org/stable/c/54dda732225555dc6d660e95793c54a0a44b612c"
},
{
"url": "https://git.kernel.org/stable/c/c45ab3ab9c371c9ac22bbe1217e5abb2e55a3d4b"
},
{
"url": "https://git.kernel.org/stable/c/ee0b6146317a98bfec848d7bde5586beb245a38f"
},
{
"url": "https://git.kernel.org/stable/c/428cc252701d6864151f3a296ffc23e1e49a7408"
},
{
"url": "https://git.kernel.org/stable/c/af763c29b9e7040fedd0077bca053b101438a3a4"
},
{
"url": "https://git.kernel.org/stable/c/0f3ef30c1c05502f5de3b73b3715d5994845c1b4"
},
{
"url": "https://git.kernel.org/stable/c/b56eef3e16d888883fefab47425036de80dd38fc"
}
],
"title": "spmi: Add a check for remove callback when removing a SPMI driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54044",
"datePublished": "2025-12-24T12:22:56.072Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T12:22:56.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54098 (GCVE-0-2023-54098)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
drm/i915/gvt: fix gvt debugfs destroy
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gvt: fix gvt debugfs destroy
When gvt debug fs is destroyed, need to have a sane check if drm
minor's debugfs root is still available or not, otherwise in case like
device remove through unbinding, drm minor's debugfs directory has
already been removed, then intel_gvt_debugfs_clean() would act upon
dangling pointer like below oops.
i915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2
i915 0000:00:02.0: MDEV: Registered
Console: switching to colour dummy device 80x25
i915 0000:00:02.0: MDEV: Unregistering
BUG: kernel NULL pointer dereference, address: 00000000000000a0
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15
Hardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020
RIP: 0010:down_write+0x1f/0x90
Code: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01
RSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000
RDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8
RBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0
R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000
R13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0
FS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0
Call Trace:
<TASK>
simple_recursive_removal+0x9f/0x2a0
? start_creating.part.0+0x120/0x120
? _raw_spin_lock+0x13/0x40
debugfs_remove+0x40/0x60
intel_gvt_debugfs_clean+0x15/0x30 [kvmgt]
intel_gvt_clean_device+0x49/0xe0 [kvmgt]
intel_gvt_driver_remove+0x2f/0xb0
i915_driver_remove+0xa4/0xf0
i915_pci_remove+0x1a/0x30
pci_device_remove+0x33/0xa0
device_release_driver_internal+0x1b2/0x230
unbind_store+0xe0/0x110
kernfs_fop_write_iter+0x11b/0x1f0
vfs_write+0x203/0x3d0
ksys_write+0x63/0xe0
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6947cb5190
Code: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
RSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190
RDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001
RBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001
R13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0
</TASK>
Modules linked in: kvmgt
CR2: 00000000000000a0
---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bc7b0be316aebac42eb9e8e54c984609555944da , < bb7c7b2c89d2feb347b6f9bffc1c75987adb1048
(git)
Affected: bc7b0be316aebac42eb9e8e54c984609555944da , < ae9a61511736cc71a99f01e8b7b90f6fb6128ed8 (git) Affected: bc7b0be316aebac42eb9e8e54c984609555944da , < b85c8536fda3d1ed07c6d87a661ffe18d6eb214b (git) Affected: bc7b0be316aebac42eb9e8e54c984609555944da , < fe340500baf84b6531c9fc508b167525b9bf6446 (git) Affected: bc7b0be316aebac42eb9e8e54c984609555944da , < c4b850d1f448a901fbf4f7f36dec38c84009b489 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gvt/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb7c7b2c89d2feb347b6f9bffc1c75987adb1048",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "ae9a61511736cc71a99f01e8b7b90f6fb6128ed8",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "b85c8536fda3d1ed07c6d87a661ffe18d6eb214b",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "fe340500baf84b6531c9fc508b167525b9bf6446",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "c4b850d1f448a901fbf4f7f36dec38c84009b489",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gvt/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gvt: fix gvt debugfs destroy\n\nWhen gvt debug fs is destroyed, need to have a sane check if drm\nminor\u0027s debugfs root is still available or not, otherwise in case like\ndevice remove through unbinding, drm minor\u0027s debugfs directory has\nalready been removed, then intel_gvt_debugfs_clean() would act upon\ndangling pointer like below oops.\n\ni915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2\ni915 0000:00:02.0: MDEV: Registered\nConsole: switching to colour dummy device 80x25\ni915 0000:00:02.0: MDEV: Unregistering\nBUG: kernel NULL pointer dereference, address: 00000000000000a0\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15\nHardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020\nRIP: 0010:down_write+0x1f/0x90\nCode: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 \u003cf0\u003e 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01\nRSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000\nRDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8\nRBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0\nR10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0\nFS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0\nCall Trace:\n \u003cTASK\u003e\n simple_recursive_removal+0x9f/0x2a0\n ? start_creating.part.0+0x120/0x120\n ? _raw_spin_lock+0x13/0x40\n debugfs_remove+0x40/0x60\n intel_gvt_debugfs_clean+0x15/0x30 [kvmgt]\n intel_gvt_clean_device+0x49/0xe0 [kvmgt]\n intel_gvt_driver_remove+0x2f/0xb0\n i915_driver_remove+0xa4/0xf0\n i915_pci_remove+0x1a/0x30\n pci_device_remove+0x33/0xa0\n device_release_driver_internal+0x1b2/0x230\n unbind_store+0xe0/0x110\n kernfs_fop_write_iter+0x11b/0x1f0\n vfs_write+0x203/0x3d0\n ksys_write+0x63/0xe0\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f6947cb5190\nCode: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89\nRSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190\nRDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001\nRBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001\nR13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0\n \u003c/TASK\u003e\nModules linked in: kvmgt\nCR2: 00000000000000a0\n---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:25.197Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb7c7b2c89d2feb347b6f9bffc1c75987adb1048"
},
{
"url": "https://git.kernel.org/stable/c/ae9a61511736cc71a99f01e8b7b90f6fb6128ed8"
},
{
"url": "https://git.kernel.org/stable/c/b85c8536fda3d1ed07c6d87a661ffe18d6eb214b"
},
{
"url": "https://git.kernel.org/stable/c/fe340500baf84b6531c9fc508b167525b9bf6446"
},
{
"url": "https://git.kernel.org/stable/c/c4b850d1f448a901fbf4f7f36dec38c84009b489"
}
],
"title": "drm/i915/gvt: fix gvt debugfs destroy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54098",
"datePublished": "2025-12-24T13:06:25.197Z",
"dateReserved": "2025-12-24T13:02:52.516Z",
"dateUpdated": "2025-12-24T13:06:25.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40160 (GCVE-0-2025-40160)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:24 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
xen/events: Return -EEXIST for bound VIRQs
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/events: Return -EEXIST for bound VIRQs
Change find_virq() to return -EEXIST when a VIRQ is bound to a
different CPU than the one passed in. With that, remove the BUG_ON()
from bind_virq_to_irq() to propogate the error upwards.
Some VIRQs are per-cpu, but others are per-domain or global. Those must
be bound to CPU0 and can then migrate elsewhere. The lookup for
per-domain and global will probably fail when migrated off CPU 0,
especially when the current CPU is tracked. This now returns -EEXIST
instead of BUG_ON().
A second call to bind a per-domain or global VIRQ is not expected, but
make it non-fatal to avoid trying to look up the irq, since we don't
know which per_cpu(virq_to_irq) it will be in.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < 612ef6056855c0aacb9b25d1d853c435754483f7
(git)
Affected: 62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < a1e7f07ae6b594f1ba5be46c6125b43bc505c5aa (git) Affected: 62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < f81db055a793eca9d05f79658ff62adafb41d664 (git) Affected: 62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < 07ce121d93a5e5fb2440a24da3dbf408fcee978e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/events/events_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "612ef6056855c0aacb9b25d1d853c435754483f7",
"status": "affected",
"version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
"versionType": "git"
},
{
"lessThan": "a1e7f07ae6b594f1ba5be46c6125b43bc505c5aa",
"status": "affected",
"version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
"versionType": "git"
},
{
"lessThan": "f81db055a793eca9d05f79658ff62adafb41d664",
"status": "affected",
"version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
"versionType": "git"
},
{
"lessThan": "07ce121d93a5e5fb2440a24da3dbf408fcee978e",
"status": "affected",
"version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/events/events_base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: Return -EEXIST for bound VIRQs\n\nChange find_virq() to return -EEXIST when a VIRQ is bound to a\ndifferent CPU than the one passed in. With that, remove the BUG_ON()\nfrom bind_virq_to_irq() to propogate the error upwards.\n\nSome VIRQs are per-cpu, but others are per-domain or global. Those must\nbe bound to CPU0 and can then migrate elsewhere. The lookup for\nper-domain and global will probably fail when migrated off CPU 0,\nespecially when the current CPU is tracked. This now returns -EEXIST\ninstead of BUG_ON().\n\nA second call to bind a per-domain or global VIRQ is not expected, but\nmake it non-fatal to avoid trying to look up the irq, since we don\u0027t\nknow which per_cpu(virq_to_irq) it will be in."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:05.136Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/612ef6056855c0aacb9b25d1d853c435754483f7"
},
{
"url": "https://git.kernel.org/stable/c/a1e7f07ae6b594f1ba5be46c6125b43bc505c5aa"
},
{
"url": "https://git.kernel.org/stable/c/f81db055a793eca9d05f79658ff62adafb41d664"
},
{
"url": "https://git.kernel.org/stable/c/07ce121d93a5e5fb2440a24da3dbf408fcee978e"
}
],
"title": "xen/events: Return -EEXIST for bound VIRQs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40160",
"datePublished": "2025-11-12T10:24:36.429Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-01-02T15:33:05.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38617 (GCVE-0-2025-38617)
Vulnerability from cvelistv5 – Published: 2025-08-22 13:01 – Updated: 2025-11-03 17:40
VLAI?
EPSS
Title
net/packet: fix a race in packet_set_ring() and packet_notifier()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/packet: fix a race in packet_set_ring() and packet_notifier()
When packet_set_ring() releases po->bind_lock, another thread can
run packet_notifier() and process an NETDEV_UP event.
This race and the fix are both similar to that of commit 15fe076edea7
("net/packet: fix a race in packet_bind() and packet_notifier()").
There too the packet_notifier NETDEV_UP event managed to run while a
po->bind_lock critical section had to be temporarily released. And
the fix was similarly to temporarily set po->num to zero to keep
the socket unhooked until the lock is retaken.
The po->bind_lock in packet_set_ring and packet_notifier precede the
introduction of git history.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18f13f2a83eb81be349a9757ba2141ff1da9ad73
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7da733f117533e9b2ebbd530a22ae4028713955c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ba2257034755ae773722f15f4c3ad1dcdad15ca9 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7de07705007c7e34995a5599aaab1d23e762d7ca (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 88caf46db8239e6471413d28aabaa6b8bd552805 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f2e8fcfd2b1bc754920108b7f2cd75082c5a18df (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e50ccfaca9e3c671cae917dcb994831a859cf588 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f1791fd7b845bea0ce9674fcf2febee7bc87a893 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 01d3c8417b9c1b884a8a981a3b886da556512f36 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:28.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18f13f2a83eb81be349a9757ba2141ff1da9ad73",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7da733f117533e9b2ebbd530a22ae4028713955c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ba2257034755ae773722f15f4c3ad1dcdad15ca9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7de07705007c7e34995a5599aaab1d23e762d7ca",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "88caf46db8239e6471413d28aabaa6b8bd552805",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2e8fcfd2b1bc754920108b7f2cd75082c5a18df",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e50ccfaca9e3c671cae917dcb994831a859cf588",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f1791fd7b845bea0ce9674fcf2febee7bc87a893",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "01d3c8417b9c1b884a8a981a3b886da556512f36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/packet/af_packet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix a race in packet_set_ring() and packet_notifier()\n\nWhen packet_set_ring() releases po-\u003ebind_lock, another thread can\nrun packet_notifier() and process an NETDEV_UP event.\n\nThis race and the fix are both similar to that of commit 15fe076edea7\n(\"net/packet: fix a race in packet_bind() and packet_notifier()\").\n\nThere too the packet_notifier NETDEV_UP event managed to run while a\npo-\u003ebind_lock critical section had to be temporarily released. And\nthe fix was similarly to temporarily set po-\u003enum to zero to keep\nthe socket unhooked until the lock is retaken.\n\nThe po-\u003ebind_lock in packet_set_ring and packet_notifier precede the\nintroduction of git history."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:52.280Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18f13f2a83eb81be349a9757ba2141ff1da9ad73"
},
{
"url": "https://git.kernel.org/stable/c/7da733f117533e9b2ebbd530a22ae4028713955c"
},
{
"url": "https://git.kernel.org/stable/c/ba2257034755ae773722f15f4c3ad1dcdad15ca9"
},
{
"url": "https://git.kernel.org/stable/c/7de07705007c7e34995a5599aaab1d23e762d7ca"
},
{
"url": "https://git.kernel.org/stable/c/88caf46db8239e6471413d28aabaa6b8bd552805"
},
{
"url": "https://git.kernel.org/stable/c/f2e8fcfd2b1bc754920108b7f2cd75082c5a18df"
},
{
"url": "https://git.kernel.org/stable/c/e50ccfaca9e3c671cae917dcb994831a859cf588"
},
{
"url": "https://git.kernel.org/stable/c/f1791fd7b845bea0ce9674fcf2febee7bc87a893"
},
{
"url": "https://git.kernel.org/stable/c/01d3c8417b9c1b884a8a981a3b886da556512f36"
}
],
"title": "net/packet: fix a race in packet_set_ring() and packet_notifier()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38617",
"datePublished": "2025-08-22T13:01:23.963Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-11-03T17:40:28.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54311 (GCVE-0-2023-54311)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
ext4: fix deadlock when converting an inline directory in nojournal mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix deadlock when converting an inline directory in nojournal mode
In no journal mode, ext4_finish_convert_inline_dir() can self-deadlock
by calling ext4_handle_dirty_dirblock() when it already has taken the
directory lock. There is a similar self-deadlock in
ext4_incvert_inline_data_nolock() for data files which we'll fix at
the same time.
A simple reproducer demonstrating the problem:
mke2fs -Fq -t ext2 -O inline_data -b 4k /dev/vdc 64
mount -t ext4 -o dirsync /dev/vdc /vdc
cd /vdc
mkdir file0
cd file0
touch file0
touch file1
attr -s BurnSpaceInEA -V abcde .
touch supercalifragilisticexpialidocious
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3c47d54170b6a678875566b1b8d6dcf57904e49b , < b4fa4768c9acff77245d672d855d2c88294850b1
(git)
Affected: 3c47d54170b6a678875566b1b8d6dcf57904e49b , < 5f8b55136ad787aed2c184f7cb3e93772ae637a3 (git) Affected: 3c47d54170b6a678875566b1b8d6dcf57904e49b , < 640c8c365999c6f23447ac766437236ad88317c5 (git) Affected: 3c47d54170b6a678875566b1b8d6dcf57904e49b , < 665cc3ba50330049524c1d275bc840a8f28dde73 (git) Affected: 3c47d54170b6a678875566b1b8d6dcf57904e49b , < 0b1c4357bb21d9770451a1bdb8d419ea10bada88 (git) Affected: 3c47d54170b6a678875566b1b8d6dcf57904e49b , < 804de0c72cd473e186ca4e1f6287d45431b14e5a (git) Affected: 3c47d54170b6a678875566b1b8d6dcf57904e49b , < f4ce24f54d9cca4f09a395f3eecce20d6bec4663 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b4fa4768c9acff77245d672d855d2c88294850b1",
"status": "affected",
"version": "3c47d54170b6a678875566b1b8d6dcf57904e49b",
"versionType": "git"
},
{
"lessThan": "5f8b55136ad787aed2c184f7cb3e93772ae637a3",
"status": "affected",
"version": "3c47d54170b6a678875566b1b8d6dcf57904e49b",
"versionType": "git"
},
{
"lessThan": "640c8c365999c6f23447ac766437236ad88317c5",
"status": "affected",
"version": "3c47d54170b6a678875566b1b8d6dcf57904e49b",
"versionType": "git"
},
{
"lessThan": "665cc3ba50330049524c1d275bc840a8f28dde73",
"status": "affected",
"version": "3c47d54170b6a678875566b1b8d6dcf57904e49b",
"versionType": "git"
},
{
"lessThan": "0b1c4357bb21d9770451a1bdb8d419ea10bada88",
"status": "affected",
"version": "3c47d54170b6a678875566b1b8d6dcf57904e49b",
"versionType": "git"
},
{
"lessThan": "804de0c72cd473e186ca4e1f6287d45431b14e5a",
"status": "affected",
"version": "3c47d54170b6a678875566b1b8d6dcf57904e49b",
"versionType": "git"
},
{
"lessThan": "f4ce24f54d9cca4f09a395f3eecce20d6bec4663",
"status": "affected",
"version": "3c47d54170b6a678875566b1b8d6dcf57904e49b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.112",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix deadlock when converting an inline directory in nojournal mode\n\nIn no journal mode, ext4_finish_convert_inline_dir() can self-deadlock\nby calling ext4_handle_dirty_dirblock() when it already has taken the\ndirectory lock. There is a similar self-deadlock in\next4_incvert_inline_data_nolock() for data files which we\u0027ll fix at\nthe same time.\n\nA simple reproducer demonstrating the problem:\n\n mke2fs -Fq -t ext2 -O inline_data -b 4k /dev/vdc 64\n mount -t ext4 -o dirsync /dev/vdc /vdc\n cd /vdc\n mkdir file0\n cd file0\n touch file0\n touch file1\n attr -s BurnSpaceInEA -V abcde .\n touch supercalifragilisticexpialidocious"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:22.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b4fa4768c9acff77245d672d855d2c88294850b1"
},
{
"url": "https://git.kernel.org/stable/c/5f8b55136ad787aed2c184f7cb3e93772ae637a3"
},
{
"url": "https://git.kernel.org/stable/c/640c8c365999c6f23447ac766437236ad88317c5"
},
{
"url": "https://git.kernel.org/stable/c/665cc3ba50330049524c1d275bc840a8f28dde73"
},
{
"url": "https://git.kernel.org/stable/c/0b1c4357bb21d9770451a1bdb8d419ea10bada88"
},
{
"url": "https://git.kernel.org/stable/c/804de0c72cd473e186ca4e1f6287d45431b14e5a"
},
{
"url": "https://git.kernel.org/stable/c/f4ce24f54d9cca4f09a395f3eecce20d6bec4663"
}
],
"title": "ext4: fix deadlock when converting an inline directory in nojournal mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54311",
"datePublished": "2025-12-30T12:23:43.174Z",
"dateReserved": "2025-12-30T12:06:44.530Z",
"dateUpdated": "2026-01-05T11:37:22.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50703 (GCVE-0-2022-50703)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
There are two refcount leak bugs in qcom_smsm_probe():
(1) The 'local_node' is escaped out from for_each_child_of_node() as
the break of iteration, we should call of_node_put() for it in error
path or when it is not used anymore.
(2) The 'node' is escaped out from for_each_available_child_of_node()
as the 'goto', we should call of_node_put() for it in goto target.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c97c4090ff72297a878a37715bd301624b71c885 , < 1bbe75d466e5118b7d49ef4a346c3ce5742da4e8
(git)
Affected: c97c4090ff72297a878a37715bd301624b71c885 , < bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43 (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 42df28994eba7b56c762f7bbe7efd5611a1cd15b (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 1e3ed59370c712df436791efed120f0c082aa9bc (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 39781c98ad46b4e85053345dff797240c1ed7935 (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 96e0028debdd07a6d582f0dfadf9a3ec2b5fffff (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 8fb6112bd49c0e49f2cf51604231d85ff00284bb (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d (git) Affected: c97c4090ff72297a878a37715bd301624b71c885 , < af8f6f39b8afd772fda4f8e61823ef8c021bf382 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/smsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1bbe75d466e5118b7d49ef4a346c3ce5742da4e8",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "42df28994eba7b56c762f7bbe7efd5611a1cd15b",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "1e3ed59370c712df436791efed120f0c082aa9bc",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "39781c98ad46b4e85053345dff797240c1ed7935",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "96e0028debdd07a6d582f0dfadf9a3ec2b5fffff",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "8fb6112bd49c0e49f2cf51604231d85ff00284bb",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
},
{
"lessThan": "af8f6f39b8afd772fda4f8e61823ef8c021bf382",
"status": "affected",
"version": "c97c4090ff72297a878a37715bd301624b71c885",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/soc/qcom/smsm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()\n\nThere are two refcount leak bugs in qcom_smsm_probe():\n\n(1) The \u0027local_node\u0027 is escaped out from for_each_child_of_node() as\nthe break of iteration, we should call of_node_put() for it in error\npath or when it is not used anymore.\n(2) The \u0027node\u0027 is escaped out from for_each_available_child_of_node()\nas the \u0027goto\u0027, we should call of_node_put() for it in goto target."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:18.548Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1bbe75d466e5118b7d49ef4a346c3ce5742da4e8"
},
{
"url": "https://git.kernel.org/stable/c/bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43"
},
{
"url": "https://git.kernel.org/stable/c/42df28994eba7b56c762f7bbe7efd5611a1cd15b"
},
{
"url": "https://git.kernel.org/stable/c/1e3ed59370c712df436791efed120f0c082aa9bc"
},
{
"url": "https://git.kernel.org/stable/c/39781c98ad46b4e85053345dff797240c1ed7935"
},
{
"url": "https://git.kernel.org/stable/c/96e0028debdd07a6d582f0dfadf9a3ec2b5fffff"
},
{
"url": "https://git.kernel.org/stable/c/8fb6112bd49c0e49f2cf51604231d85ff00284bb"
},
{
"url": "https://git.kernel.org/stable/c/ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d"
},
{
"url": "https://git.kernel.org/stable/c/af8f6f39b8afd772fda4f8e61823ef8c021bf382"
}
],
"title": "soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50703",
"datePublished": "2025-12-24T10:55:18.548Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2025-12-24T10:55:18.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54083 (GCVE-0-2023-54083)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
phy: tegra: xusb: Clear the driver reference in usb-phy dev
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: tegra: xusb: Clear the driver reference in usb-phy dev
For the dual-role port, it will assign the phy dev to usb-phy dev and
use the port dev driver as the dev driver of usb-phy.
When we try to destroy the port dev, it will destroy its dev driver
as well. But we did not remove the reference from usb-phy dev. This
might cause the use-after-free issue in KASAN.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e8f7d2f409a15c519d5a6085777d85c1c4bab73a , < b6a107c52073496d2e5d2837915f59fb3103832f
(git)
Affected: e8f7d2f409a15c519d5a6085777d85c1c4bab73a , < b84998a407a882991916b1a61d987c400d8a0ce6 (git) Affected: e8f7d2f409a15c519d5a6085777d85c1c4bab73a , < 238edc04ddb9d272b38f5419bcd419ad3b92b91b (git) Affected: e8f7d2f409a15c519d5a6085777d85c1c4bab73a , < 82187460347ad58fd6b06d2883da73c3f2df9631 (git) Affected: e8f7d2f409a15c519d5a6085777d85c1c4bab73a , < c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/tegra/xusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6a107c52073496d2e5d2837915f59fb3103832f",
"status": "affected",
"version": "e8f7d2f409a15c519d5a6085777d85c1c4bab73a",
"versionType": "git"
},
{
"lessThan": "b84998a407a882991916b1a61d987c400d8a0ce6",
"status": "affected",
"version": "e8f7d2f409a15c519d5a6085777d85c1c4bab73a",
"versionType": "git"
},
{
"lessThan": "238edc04ddb9d272b38f5419bcd419ad3b92b91b",
"status": "affected",
"version": "e8f7d2f409a15c519d5a6085777d85c1c4bab73a",
"versionType": "git"
},
{
"lessThan": "82187460347ad58fd6b06d2883da73c3f2df9631",
"status": "affected",
"version": "e8f7d2f409a15c519d5a6085777d85c1c4bab73a",
"versionType": "git"
},
{
"lessThan": "c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d",
"status": "affected",
"version": "e8f7d2f409a15c519d5a6085777d85c1c4bab73a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/tegra/xusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: tegra: xusb: Clear the driver reference in usb-phy dev\n\nFor the dual-role port, it will assign the phy dev to usb-phy dev and\nuse the port dev driver as the dev driver of usb-phy.\n\nWhen we try to destroy the port dev, it will destroy its dev driver\nas well. But we did not remove the reference from usb-phy dev. This\nmight cause the use-after-free issue in KASAN."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:14.771Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6a107c52073496d2e5d2837915f59fb3103832f"
},
{
"url": "https://git.kernel.org/stable/c/b84998a407a882991916b1a61d987c400d8a0ce6"
},
{
"url": "https://git.kernel.org/stable/c/238edc04ddb9d272b38f5419bcd419ad3b92b91b"
},
{
"url": "https://git.kernel.org/stable/c/82187460347ad58fd6b06d2883da73c3f2df9631"
},
{
"url": "https://git.kernel.org/stable/c/c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d"
}
],
"title": "phy: tegra: xusb: Clear the driver reference in usb-phy dev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54083",
"datePublished": "2025-12-24T13:06:14.771Z",
"dateReserved": "2025-12-24T13:02:52.515Z",
"dateUpdated": "2025-12-24T13:06:14.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40289 (GCVE-0-2025-40289)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM
Otherwise accessing them can cause a crash.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 39a1c8c860e32d775f29917939e87b6a7c08ebb1
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < a67a9f99ce1306898d7129a199d42876bc06a0f0 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 33cc891b56b93cad1a83263eaf2e417436f70c82 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39a1c8c860e32d775f29917939e87b6a7c08ebb1",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "a67a9f99ce1306898d7129a199d42876bc06a0f0",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "33cc891b56b93cad1a83263eaf2e417436f70c82",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM\n\nOtherwise accessing them can cause a crash."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:56.224Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39a1c8c860e32d775f29917939e87b6a7c08ebb1"
},
{
"url": "https://git.kernel.org/stable/c/a67a9f99ce1306898d7129a199d42876bc06a0f0"
},
{
"url": "https://git.kernel.org/stable/c/33cc891b56b93cad1a83263eaf2e417436f70c82"
}
],
"title": "drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40289",
"datePublished": "2025-12-06T21:51:15.555Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-20T08:51:56.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50726 (GCVE-0-2022-50726)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
net/mlx5: Fix possible use-after-free in async command interface
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix possible use-after-free in async command interface
mlx5_cmd_cleanup_async_ctx should return only after all its callback
handlers were completed. Before this patch, the below race between
mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and
lead to a use-after-free:
1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e.
elevated by 1, a single inflight callback).
2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.
3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and
is about to call wake_up().
4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns
immediately as the condition (num_inflight == 0) holds.
5. mlx5_cmd_cleanup_async_ctx returns.
6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx
object.
7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed
object.
Fix it by syncing using a completion object. Mark it completed when
num_inflight reaches 0.
Trace:
BUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270
Read of size 4 at addr ffff888139cd12f4 by task swapper/5/0
CPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x57/0x7d
print_report.cold+0x2d5/0x684
? do_raw_spin_lock+0x23d/0x270
kasan_report+0xb1/0x1a0
? do_raw_spin_lock+0x23d/0x270
do_raw_spin_lock+0x23d/0x270
? rwlock_bug.part.0+0x90/0x90
? __delete_object+0xb8/0x100
? lock_downgrade+0x6e0/0x6e0
_raw_spin_lock_irqsave+0x43/0x60
? __wake_up_common_lock+0xb9/0x140
__wake_up_common_lock+0xb9/0x140
? __wake_up_common+0x650/0x650
? destroy_tis_callback+0x53/0x70 [mlx5_core]
? kasan_set_track+0x21/0x30
? destroy_tis_callback+0x53/0x70 [mlx5_core]
? kfree+0x1ba/0x520
? do_raw_spin_unlock+0x54/0x220
mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core]
? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]
? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]
mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core]
? dump_command+0xcc0/0xcc0 [mlx5_core]
? lockdep_hardirqs_on_prepare+0x400/0x400
? cmd_comp_notifier+0x7e/0xb0 [mlx5_core]
cmd_comp_notifier+0x7e/0xb0 [mlx5_core]
atomic_notifier_call_chain+0xd7/0x1d0
mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core]
atomic_notifier_call_chain+0xd7/0x1d0
? irq_release+0x140/0x140 [mlx5_core]
irq_int_handler+0x19/0x30 [mlx5_core]
__handle_irq_event_percpu+0x1f2/0x620
handle_irq_event+0xb2/0x1d0
handle_edge_irq+0x21e/0xb00
__common_interrupt+0x79/0x1a0
common_interrupt+0x78/0xa0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
RIP: 0010:default_idle+0x42/0x60
Code: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 <c3> 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00
RSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242
RAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110
RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc
RBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3
R10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005
R13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000
? default_idle_call+0xcc/0x450
default_idle_call+0xec/0x450
do_idle+0x394/0x450
? arch_cpu_idle_exit+0x40/0x40
? do_idle+0x17/0x450
cpu_startup_entry+0x19/0x20
start_secondary+0x221/0x2b0
? set_cpu_sibling_map+0x2070/0x2070
secondary_startup_64_no_verify+0xcd/0xdb
</TASK>
Allocated by task 49502:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
kvmalloc_node+0x48/0xe0
mlx5e_bulk_async_init+0x35/0x110 [mlx5_core]
mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core]
mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core]
mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core]
mlx5e_detach_netdev+0x1c
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e355477ed9e4f401e3931043df97325d38552d54 , < 69dd3ad406c49aa69ce4852c15231ac56af8caf9
(git)
Affected: e355477ed9e4f401e3931043df97325d38552d54 , < bbcc06933f35651294ea1e963757502312c2171f (git) Affected: e355477ed9e4f401e3931043df97325d38552d54 , < ab3de780c176bb91995c6166a576b370d9726e17 (git) Affected: e355477ed9e4f401e3931043df97325d38552d54 , < 0aa3ee1e4e5c9ed5dda11249450d609c3072c54e (git) Affected: e355477ed9e4f401e3931043df97325d38552d54 , < bacd22df95147ed673bec4692ab2d4d585935241 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/cmd.c",
"include/linux/mlx5/driver.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69dd3ad406c49aa69ce4852c15231ac56af8caf9",
"status": "affected",
"version": "e355477ed9e4f401e3931043df97325d38552d54",
"versionType": "git"
},
{
"lessThan": "bbcc06933f35651294ea1e963757502312c2171f",
"status": "affected",
"version": "e355477ed9e4f401e3931043df97325d38552d54",
"versionType": "git"
},
{
"lessThan": "ab3de780c176bb91995c6166a576b370d9726e17",
"status": "affected",
"version": "e355477ed9e4f401e3931043df97325d38552d54",
"versionType": "git"
},
{
"lessThan": "0aa3ee1e4e5c9ed5dda11249450d609c3072c54e",
"status": "affected",
"version": "e355477ed9e4f401e3931043df97325d38552d54",
"versionType": "git"
},
{
"lessThan": "bacd22df95147ed673bec4692ab2d4d585935241",
"status": "affected",
"version": "e355477ed9e4f401e3931043df97325d38552d54",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/cmd.c",
"include/linux/mlx5/driver.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix possible use-after-free in async command interface\n\nmlx5_cmd_cleanup_async_ctx should return only after all its callback\nhandlers were completed. Before this patch, the below race between\nmlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and\nlead to a use-after-free:\n\n1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e.\n elevated by 1, a single inflight callback).\n2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.\n3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and\n is about to call wake_up().\n4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns\n immediately as the condition (num_inflight == 0) holds.\n5. mlx5_cmd_cleanup_async_ctx returns.\n6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx\n object.\n7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed\n object.\n\nFix it by syncing using a completion object. Mark it completed when\nnum_inflight reaches 0.\n\nTrace:\n\nBUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270\nRead of size 4 at addr ffff888139cd12f4 by task swapper/5/0\n\nCPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x57/0x7d\n print_report.cold+0x2d5/0x684\n ? do_raw_spin_lock+0x23d/0x270\n kasan_report+0xb1/0x1a0\n ? do_raw_spin_lock+0x23d/0x270\n do_raw_spin_lock+0x23d/0x270\n ? rwlock_bug.part.0+0x90/0x90\n ? __delete_object+0xb8/0x100\n ? lock_downgrade+0x6e0/0x6e0\n _raw_spin_lock_irqsave+0x43/0x60\n ? __wake_up_common_lock+0xb9/0x140\n __wake_up_common_lock+0xb9/0x140\n ? __wake_up_common+0x650/0x650\n ? destroy_tis_callback+0x53/0x70 [mlx5_core]\n ? kasan_set_track+0x21/0x30\n ? destroy_tis_callback+0x53/0x70 [mlx5_core]\n ? kfree+0x1ba/0x520\n ? do_raw_spin_unlock+0x54/0x220\n mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core]\n ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\n ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\n mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core]\n ? dump_command+0xcc0/0xcc0 [mlx5_core]\n ? lockdep_hardirqs_on_prepare+0x400/0x400\n ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core]\n cmd_comp_notifier+0x7e/0xb0 [mlx5_core]\n atomic_notifier_call_chain+0xd7/0x1d0\n mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core]\n atomic_notifier_call_chain+0xd7/0x1d0\n ? irq_release+0x140/0x140 [mlx5_core]\n irq_int_handler+0x19/0x30 [mlx5_core]\n __handle_irq_event_percpu+0x1f2/0x620\n handle_irq_event+0xb2/0x1d0\n handle_edge_irq+0x21e/0xb00\n __common_interrupt+0x79/0x1a0\n common_interrupt+0x78/0xa0\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_common_interrupt+0x22/0x40\nRIP: 0010:default_idle+0x42/0x60\nCode: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 \u003cc3\u003e 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00\nRSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242\nRAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110\nRDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc\nRBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3\nR10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005\nR13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000\n ? default_idle_call+0xcc/0x450\n default_idle_call+0xec/0x450\n do_idle+0x394/0x450\n ? arch_cpu_idle_exit+0x40/0x40\n ? do_idle+0x17/0x450\n cpu_startup_entry+0x19/0x20\n start_secondary+0x221/0x2b0\n ? set_cpu_sibling_map+0x2070/0x2070\n secondary_startup_64_no_verify+0xcd/0xdb\n \u003c/TASK\u003e\n\nAllocated by task 49502:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n kvmalloc_node+0x48/0xe0\n mlx5e_bulk_async_init+0x35/0x110 [mlx5_core]\n mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core]\n mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core]\n mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core]\n mlx5e_detach_netdev+0x1c\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:47.625Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69dd3ad406c49aa69ce4852c15231ac56af8caf9"
},
{
"url": "https://git.kernel.org/stable/c/bbcc06933f35651294ea1e963757502312c2171f"
},
{
"url": "https://git.kernel.org/stable/c/ab3de780c176bb91995c6166a576b370d9726e17"
},
{
"url": "https://git.kernel.org/stable/c/0aa3ee1e4e5c9ed5dda11249450d609c3072c54e"
},
{
"url": "https://git.kernel.org/stable/c/bacd22df95147ed673bec4692ab2d4d585935241"
}
],
"title": "net/mlx5: Fix possible use-after-free in async command interface",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50726",
"datePublished": "2025-12-24T12:22:47.625Z",
"dateReserved": "2025-12-24T12:20:40.330Z",
"dateUpdated": "2025-12-24T12:22:47.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50809 (GCVE-0-2022-50809)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
xhci: dbc: Fix memory leak in xhci_alloc_dbc()
Summary
In the Linux kernel, the following vulnerability has been resolved:
xhci: dbc: Fix memory leak in xhci_alloc_dbc()
If DbC is already in use, then the allocated memory for the xhci_dbc struct
doesn't get freed before returning NULL, which leads to a memleak.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d7afb4a13f6c6ee7df7d0bfc67b4ef19ece6d802 , < 103b459590e1eb4d80b02761eb36c7cae1d9b58e
(git)
Affected: 534675942e901959b5d8dc11ea526c4e48817d8e , < 116d6a6964986ea7eb516daa36128d270f1f248d (git) Affected: 534675942e901959b5d8dc11ea526c4e48817d8e , < 69e67c804d09a6b1bcda1f4f242f151f813eeb4a (git) Affected: 534675942e901959b5d8dc11ea526c4e48817d8e , < d591b32e519603524a35b172156db71df9116902 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-dbgcap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "103b459590e1eb4d80b02761eb36c7cae1d9b58e",
"status": "affected",
"version": "d7afb4a13f6c6ee7df7d0bfc67b4ef19ece6d802",
"versionType": "git"
},
{
"lessThan": "116d6a6964986ea7eb516daa36128d270f1f248d",
"status": "affected",
"version": "534675942e901959b5d8dc11ea526c4e48817d8e",
"versionType": "git"
},
{
"lessThan": "69e67c804d09a6b1bcda1f4f242f151f813eeb4a",
"status": "affected",
"version": "534675942e901959b5d8dc11ea526c4e48817d8e",
"versionType": "git"
},
{
"lessThan": "d591b32e519603524a35b172156db71df9116902",
"status": "affected",
"version": "534675942e901959b5d8dc11ea526c4e48817d8e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci-dbgcap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.15.58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: dbc: Fix memory leak in xhci_alloc_dbc()\n\nIf DbC is already in use, then the allocated memory for the xhci_dbc struct\ndoesn\u0027t get freed before returning NULL, which leads to a memleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:27.242Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/103b459590e1eb4d80b02761eb36c7cae1d9b58e"
},
{
"url": "https://git.kernel.org/stable/c/116d6a6964986ea7eb516daa36128d270f1f248d"
},
{
"url": "https://git.kernel.org/stable/c/69e67c804d09a6b1bcda1f4f242f151f813eeb4a"
},
{
"url": "https://git.kernel.org/stable/c/d591b32e519603524a35b172156db71df9116902"
}
],
"title": "xhci: dbc: Fix memory leak in xhci_alloc_dbc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50809",
"datePublished": "2025-12-30T12:08:27.242Z",
"dateReserved": "2025-12-30T12:06:07.129Z",
"dateUpdated": "2025-12-30T12:08:27.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53823 (GCVE-0-2023-53823)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
block/rq_qos: protect rq_qos apis with a new lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
block/rq_qos: protect rq_qos apis with a new lock
commit 50e34d78815e ("block: disable the elevator int del_gendisk")
move rq_qos_exit() from disk_release() to del_gendisk(), this will
introduce some problems:
1) If rq_qos_add() is triggered by enabling iocost/iolatency through
cgroupfs, then it can concurrent with del_gendisk(), it's not safe to
write 'q->rq_qos' concurrently.
2) Activate cgroup policy that is relied on rq_qos will call
rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is
called in the middle, null-ptr-dereference will be triggered in
blkcg_activate_policy().
3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the
disk, then if rq_qos_exit() from del_gendisk() is done before
rq_qos_add(), then memory will be leaked.
This patch add a new disk level mutex 'rq_qos_mutex':
1) The lock will protect rq_qos_exit() directly.
2) For wbt that doesn't relied on blk-cgroup, rq_qos_add() can only be
called from disk initialization for now because wbt can't be
destructed until rq_qos_exit(), so it's safe not to protect wbt for
now. Hoever, in case that rq_qos dynamically destruction is supported
in the furture, this patch also protect rq_qos_add() from wbt_init()
directly, this is enough because blk-sysfs already synchronize
writers with disk removal.
3) For iocost and iolatency, in order to synchronize disk removal and
cgroup configuration, the lock is held after blkdev_get_no_open()
from blkg_conf_open_bdev(), and is released in blkg_conf_exit().
In order to fix the above memory leak, disk_live() is checked after
holding the new lock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c",
"block/blk-core.c",
"block/blk-rq-qos.c",
"block/blk-wbt.c",
"include/linux/blkdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "16398b4638b5cd8c1dc95fc940a1591a801d53ce",
"status": "affected",
"version": "50e34d78815e474d410f342fbe783b18192ca518",
"versionType": "git"
},
{
"lessThan": "a13bd91be22318768d55470cbc0b0f4488ef9edf",
"status": "affected",
"version": "50e34d78815e474d410f342fbe783b18192ca518",
"versionType": "git"
},
{
"status": "affected",
"version": "f28699fafc047ec33299da01e928c3a0073c5cc6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c",
"block/blk-core.c",
"block/blk-rq-qos.c",
"block/blk-wbt.c",
"include/linux/blkdev.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/rq_qos: protect rq_qos apis with a new lock\n\ncommit 50e34d78815e (\"block: disable the elevator int del_gendisk\")\nmove rq_qos_exit() from disk_release() to del_gendisk(), this will\nintroduce some problems:\n\n1) If rq_qos_add() is triggered by enabling iocost/iolatency through\n cgroupfs, then it can concurrent with del_gendisk(), it\u0027s not safe to\n write \u0027q-\u003erq_qos\u0027 concurrently.\n\n2) Activate cgroup policy that is relied on rq_qos will call\n rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is\n called in the middle, null-ptr-dereference will be triggered in\n blkcg_activate_policy().\n\n3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the\n disk, then if rq_qos_exit() from del_gendisk() is done before\n rq_qos_add(), then memory will be leaked.\n\nThis patch add a new disk level mutex \u0027rq_qos_mutex\u0027:\n\n1) The lock will protect rq_qos_exit() directly.\n\n2) For wbt that doesn\u0027t relied on blk-cgroup, rq_qos_add() can only be\n called from disk initialization for now because wbt can\u0027t be\n destructed until rq_qos_exit(), so it\u0027s safe not to protect wbt for\n now. Hoever, in case that rq_qos dynamically destruction is supported\n in the furture, this patch also protect rq_qos_add() from wbt_init()\n directly, this is enough because blk-sysfs already synchronize\n writers with disk removal.\n\n3) For iocost and iolatency, in order to synchronize disk removal and\n cgroup configuration, the lock is held after blkdev_get_no_open()\n from blkg_conf_open_bdev(), and is released in blkg_conf_exit().\n In order to fix the above memory leak, disk_live() is checked after\n holding the new lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:36.343Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/16398b4638b5cd8c1dc95fc940a1591a801d53ce"
},
{
"url": "https://git.kernel.org/stable/c/a13bd91be22318768d55470cbc0b0f4488ef9edf"
}
],
"title": "block/rq_qos: protect rq_qos apis with a new lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53823",
"datePublished": "2025-12-09T01:29:36.343Z",
"dateReserved": "2025-12-09T01:27:17.824Z",
"dateUpdated": "2025-12-09T01:29:36.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50719 (GCVE-0-2022-50719)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
ALSA: line6: fix stack overflow in line6_midi_transmit
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: line6: fix stack overflow in line6_midi_transmit
Correctly calculate available space including the size of the chunk
buffer. This fixes a buffer overflow when multiple MIDI sysex
messages are sent to a PODxt device.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2459201c72e8f8553644505eed19954d4c3a023 , < b026af92b2cea907c780f7168c730c816cd33311
(git)
Affected: f2459201c72e8f8553644505eed19954d4c3a023 , < 49cb7737e733013ec86aa77ed2e19b94a68eaa05 (git) Affected: f2459201c72e8f8553644505eed19954d4c3a023 , < 0c76087449ee4ed45a88b10017d02c6694caedb1 (git) Affected: f2459201c72e8f8553644505eed19954d4c3a023 , < 25e8c6ecb46843a955f254b8f0d77894e4a53dc4 (git) Affected: f2459201c72e8f8553644505eed19954d4c3a023 , < 66f359ad66d49f75d39ac729f9114dabf90b81bb (git) Affected: f2459201c72e8f8553644505eed19954d4c3a023 , < 0c9118e381ff538874e00fd4e66a768273c150fb (git) Affected: f2459201c72e8f8553644505eed19954d4c3a023 , < 61e4be4a60cc6de723f8c574ddbcb3025eb44cac (git) Affected: f2459201c72e8f8553644505eed19954d4c3a023 , < 389d34c2a8b52acc351fd932ed4bea41fee5a39b (git) Affected: f2459201c72e8f8553644505eed19954d4c3a023 , < b8800d324abb50160560c636bfafe2c81001b66c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/line6/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b026af92b2cea907c780f7168c730c816cd33311",
"status": "affected",
"version": "f2459201c72e8f8553644505eed19954d4c3a023",
"versionType": "git"
},
{
"lessThan": "49cb7737e733013ec86aa77ed2e19b94a68eaa05",
"status": "affected",
"version": "f2459201c72e8f8553644505eed19954d4c3a023",
"versionType": "git"
},
{
"lessThan": "0c76087449ee4ed45a88b10017d02c6694caedb1",
"status": "affected",
"version": "f2459201c72e8f8553644505eed19954d4c3a023",
"versionType": "git"
},
{
"lessThan": "25e8c6ecb46843a955f254b8f0d77894e4a53dc4",
"status": "affected",
"version": "f2459201c72e8f8553644505eed19954d4c3a023",
"versionType": "git"
},
{
"lessThan": "66f359ad66d49f75d39ac729f9114dabf90b81bb",
"status": "affected",
"version": "f2459201c72e8f8553644505eed19954d4c3a023",
"versionType": "git"
},
{
"lessThan": "0c9118e381ff538874e00fd4e66a768273c150fb",
"status": "affected",
"version": "f2459201c72e8f8553644505eed19954d4c3a023",
"versionType": "git"
},
{
"lessThan": "61e4be4a60cc6de723f8c574ddbcb3025eb44cac",
"status": "affected",
"version": "f2459201c72e8f8553644505eed19954d4c3a023",
"versionType": "git"
},
{
"lessThan": "389d34c2a8b52acc351fd932ed4bea41fee5a39b",
"status": "affected",
"version": "f2459201c72e8f8553644505eed19954d4c3a023",
"versionType": "git"
},
{
"lessThan": "b8800d324abb50160560c636bfafe2c81001b66c",
"status": "affected",
"version": "f2459201c72e8f8553644505eed19954d4c3a023",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/line6/midi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: line6: fix stack overflow in line6_midi_transmit\n\nCorrectly calculate available space including the size of the chunk\nbuffer. This fixes a buffer overflow when multiple MIDI sysex\nmessages are sent to a PODxt device."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:05.447Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b026af92b2cea907c780f7168c730c816cd33311"
},
{
"url": "https://git.kernel.org/stable/c/49cb7737e733013ec86aa77ed2e19b94a68eaa05"
},
{
"url": "https://git.kernel.org/stable/c/0c76087449ee4ed45a88b10017d02c6694caedb1"
},
{
"url": "https://git.kernel.org/stable/c/25e8c6ecb46843a955f254b8f0d77894e4a53dc4"
},
{
"url": "https://git.kernel.org/stable/c/66f359ad66d49f75d39ac729f9114dabf90b81bb"
},
{
"url": "https://git.kernel.org/stable/c/0c9118e381ff538874e00fd4e66a768273c150fb"
},
{
"url": "https://git.kernel.org/stable/c/61e4be4a60cc6de723f8c574ddbcb3025eb44cac"
},
{
"url": "https://git.kernel.org/stable/c/389d34c2a8b52acc351fd932ed4bea41fee5a39b"
},
{
"url": "https://git.kernel.org/stable/c/b8800d324abb50160560c636bfafe2c81001b66c"
}
],
"title": "ALSA: line6: fix stack overflow in line6_midi_transmit",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50719",
"datePublished": "2025-12-24T12:22:42.697Z",
"dateReserved": "2025-12-24T12:20:40.329Z",
"dateUpdated": "2026-01-02T15:04:05.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54142 (GCVE-0-2023-54142)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
gtp: Fix use-after-free in __gtp_encap_destroy().
Summary
In the Linux kernel, the following vulnerability has been resolved:
gtp: Fix use-after-free in __gtp_encap_destroy().
syzkaller reported use-after-free in __gtp_encap_destroy(). [0]
It shows the same process freed sk and touched it illegally.
Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock()
and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data,
but release_sock() is called after sock_put() releases the last refcnt.
[0]:
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]
BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401
CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:351 [inline]
print_report+0xcc/0x620 mm/kasan/report.c:462
kasan_report+0xb2/0xe0 mm/kasan/report.c:572
check_region_inline mm/kasan/generic.c:181 [inline]
kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
do_raw_spin_lock include/linux/spinlock.h:186 [inline]
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
_raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:355 [inline]
release_sock+0x1f/0x1a0 net/core/sock.c:3526
gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg+0x1b7/0x200 net/socket.c:747
____sys_sendmsg+0x75a/0x990 net/socket.c:2493
___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
__sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f1168b1fe5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d
RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003
RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000
</TASK>
Allocated by task 1483:
kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
01f3c64e405ab3d25887d080a103ad76f30661d2 , < d38039697184aacff1cf576e14ef583112fdefef
(git)
Affected: e117a04133c673cc54292e12086a8177cd9bd4a4 , < e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6 (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < 9c9662e2512b5e4ee7b03108802c5222e0fa77a4 (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < bccc7ace12e69dee4684a3bb4b69737972e570d6 (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < ebd6d2077a083329110695a996c00e8ca94bc640 (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < 17d6b6354f0025b7c10a56da783fd0cbb3819c5d (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < dae6095bdb24f537b4798ffd9201515b97bac94e (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < 58fa341327fdb4bdf92597fd8796a9abc8d20ea3 (git) Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < ce3aee7114c575fab32a5e9e939d4bbb3dcca79f (git) Affected: bf75202df8e473d4ee914894542f213158066d8b (git) Affected: 76357f65f18f180f44ccbbbf713461881d0ab219 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/gtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d38039697184aacff1cf576e14ef583112fdefef",
"status": "affected",
"version": "01f3c64e405ab3d25887d080a103ad76f30661d2",
"versionType": "git"
},
{
"lessThan": "e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6",
"status": "affected",
"version": "e117a04133c673cc54292e12086a8177cd9bd4a4",
"versionType": "git"
},
{
"lessThan": "9c9662e2512b5e4ee7b03108802c5222e0fa77a4",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "bccc7ace12e69dee4684a3bb4b69737972e570d6",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "ebd6d2077a083329110695a996c00e8ca94bc640",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "17d6b6354f0025b7c10a56da783fd0cbb3819c5d",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "dae6095bdb24f537b4798ffd9201515b97bac94e",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "58fa341327fdb4bdf92597fd8796a9abc8d20ea3",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"lessThan": "ce3aee7114c575fab32a5e9e939d4bbb3dcca79f",
"status": "affected",
"version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
"versionType": "git"
},
{
"status": "affected",
"version": "bf75202df8e473d4ee914894542f213158066d8b",
"versionType": "git"
},
{
"status": "affected",
"version": "76357f65f18f180f44ccbbbf713461881d0ab219",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/gtp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.14.135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.19.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.1.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Fix use-after-free in __gtp_encap_destroy().\n\nsyzkaller reported use-after-free in __gtp_encap_destroy(). [0]\n\nIt shows the same process freed sk and touched it illegally.\n\nCommit e198987e7dd7 (\"gtp: fix suspicious RCU usage\") added lock_sock()\nand release_sock() in __gtp_encap_destroy() to protect sk-\u003esk_user_data,\nbut release_sock() is called after sock_put() releases the last refcnt.\n\n[0]:\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\nBUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\nWrite of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401\n\nCPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:351 [inline]\n print_report+0xcc/0x620 mm/kasan/report.c:462\n kasan_report+0xb2/0xe0 mm/kasan/report.c:572\n check_region_inline mm/kasan/generic.c:181 [inline]\n kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\n queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\n do_raw_spin_lock include/linux/spinlock.h:186 [inline]\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\n _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:355 [inline]\n release_sock+0x1f/0x1a0 net/core/sock.c:3526\n gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]\n gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664\n gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728\n unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841\n rtnl_delete_link net/core/rtnetlink.c:3216 [inline]\n rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268\n rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423\n netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548\n netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\n netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365\n netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg+0x1b7/0x200 net/socket.c:747\n ____sys_sendmsg+0x75a/0x990 net/socket.c:2493\n ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547\n __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f1168b1fe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d\nRDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAllocated by task 1483:\n kasan_save_stack+0x22/0x50 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:56.204Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d38039697184aacff1cf576e14ef583112fdefef"
},
{
"url": "https://git.kernel.org/stable/c/e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6"
},
{
"url": "https://git.kernel.org/stable/c/9c9662e2512b5e4ee7b03108802c5222e0fa77a4"
},
{
"url": "https://git.kernel.org/stable/c/bccc7ace12e69dee4684a3bb4b69737972e570d6"
},
{
"url": "https://git.kernel.org/stable/c/ebd6d2077a083329110695a996c00e8ca94bc640"
},
{
"url": "https://git.kernel.org/stable/c/17d6b6354f0025b7c10a56da783fd0cbb3819c5d"
},
{
"url": "https://git.kernel.org/stable/c/dae6095bdb24f537b4798ffd9201515b97bac94e"
},
{
"url": "https://git.kernel.org/stable/c/58fa341327fdb4bdf92597fd8796a9abc8d20ea3"
},
{
"url": "https://git.kernel.org/stable/c/ce3aee7114c575fab32a5e9e939d4bbb3dcca79f"
}
],
"title": "gtp: Fix use-after-free in __gtp_encap_destroy().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54142",
"datePublished": "2025-12-24T13:06:56.204Z",
"dateReserved": "2025-12-24T13:02:52.523Z",
"dateUpdated": "2025-12-24T13:06:56.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54022 (GCVE-0-2023-54022)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
ALSA: usb-audio: Fix potential memory leaks at error path for UMP open
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix potential memory leaks at error path for UMP open
The allocation and initialization errors at alloc_midi_urbs() that is
called at MIDI 2.0 / UMP device are supposed to be handled at the
caller side by invoking free_midi_urbs(). However, free_midi_urbs()
loops only for ep->num_urbs entries, and since ep->num_entries wasn't
updated yet at the allocation / init error in alloc_midi_urbs(), this
entry won't be released.
The intention of free_midi_urbs() is to release the whole elements, so
change the loop size to NUM_URBS to scan over all elements for fixing
the missed releases.
Also, the call of free_midi_urbs() is missing at
snd_usb_midi_v2_open(). Although it'll be released later at
reopen/close or disconnection, it's better to release immediately at
the error path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/midi2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f819b343aa95d24d5f7d6e06660c7f62591abc5f",
"status": "affected",
"version": "ff49d1df79aef7580fe3ac99d17c3f886655d080",
"versionType": "git"
},
{
"lessThan": "b1757fa30ef14f254f4719bf6f7d54a4c8207216",
"status": "affected",
"version": "ff49d1df79aef7580fe3ac99d17c3f886655d080",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/midi2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential memory leaks at error path for UMP open\n\nThe allocation and initialization errors at alloc_midi_urbs() that is\ncalled at MIDI 2.0 / UMP device are supposed to be handled at the\ncaller side by invoking free_midi_urbs(). However, free_midi_urbs()\nloops only for ep-\u003enum_urbs entries, and since ep-\u003enum_entries wasn\u0027t\nupdated yet at the allocation / init error in alloc_midi_urbs(), this\nentry won\u0027t be released.\n\nThe intention of free_midi_urbs() is to release the whole elements, so\nchange the loop size to NUM_URBS to scan over all elements for fixing\nthe missed releases.\n\nAlso, the call of free_midi_urbs() is missing at\nsnd_usb_midi_v2_open(). Although it\u0027ll be released later at\nreopen/close or disconnection, it\u0027s better to release immediately at\nthe error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:52.045Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f819b343aa95d24d5f7d6e06660c7f62591abc5f"
},
{
"url": "https://git.kernel.org/stable/c/b1757fa30ef14f254f4719bf6f7d54a4c8207216"
}
],
"title": "ALSA: usb-audio: Fix potential memory leaks at error path for UMP open",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54022",
"datePublished": "2025-12-24T10:55:52.045Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:52.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53846 (GCVE-0-2023-53846)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
f2fs: fix to do sanity check on direct node in truncate_dnode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on direct node in truncate_dnode()
syzbot reports below bug:
BUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574
Read of size 4 at addr ffff88802a25c000 by task syz-executor148/5000
CPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
print_report mm/kasan/report.c:462 [inline]
kasan_report+0x11c/0x130 mm/kasan/report.c:572
f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574
truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944
f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154
f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721
f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749
f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799
f2fs_truncate include/linux/fs.h:825 [inline]
f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006
notify_change+0xb2c/0x1180 fs/attr.c:483
do_truncate+0x143/0x200 fs/open.c:66
handle_truncate fs/namei.c:3295 [inline]
do_open fs/namei.c:3640 [inline]
path_openat+0x2083/0x2750 fs/namei.c:3791
do_filp_open+0x1ba/0x410 fs/namei.c:3818
do_sys_openat2+0x16d/0x4c0 fs/open.c:1356
do_sys_open fs/open.c:1372 [inline]
__do_sys_creat fs/open.c:1448 [inline]
__se_sys_creat fs/open.c:1442 [inline]
__x64_sys_creat+0xcd/0x120 fs/open.c:1442
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The root cause is, inodeA references inodeB via inodeB's ino, once inodeA
is truncated, it calls truncate_dnode() to truncate data blocks in inodeB's
node page, it traverse mapping data from node->i.i_addr[0] to
node->i.i_addr[ADDRS_PER_BLOCK() - 1], result in out-of-boundary access.
This patch fixes to add sanity check on dnode page in truncate_dnode(),
so that, it can help to avoid triggering such issue, and once it encounters
such issue, it will record newly introduced ERROR_INVALID_NODE_REFERENCE
error into superblock, later fsck can detect such issue and try repairing.
Also, it removes f2fs_truncate_data_blocks() for cleanup due to the
function has only one caller, and uses f2fs_truncate_data_blocks_range()
instead.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/node.c",
"include/linux/f2fs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af0f716ad3b039cab9d426da63a5ee6c88751185",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
},
{
"lessThan": "a6ec83786ab9f13f25fb18166dee908845713a95",
"status": "affected",
"version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/f2fs.h",
"fs/f2fs/file.c",
"fs/f2fs/node.c",
"include/linux/f2fs_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on direct node in truncate_dnode()\n\nsyzbot reports below bug:\n\nBUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574\nRead of size 4 at addr ffff88802a25c000 by task syz-executor148/5000\n\nCPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106\n print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351\n print_report mm/kasan/report.c:462 [inline]\n kasan_report+0x11c/0x130 mm/kasan/report.c:572\n f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574\n truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944\n f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154\n f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721\n f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749\n f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799\n f2fs_truncate include/linux/fs.h:825 [inline]\n f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006\n notify_change+0xb2c/0x1180 fs/attr.c:483\n do_truncate+0x143/0x200 fs/open.c:66\n handle_truncate fs/namei.c:3295 [inline]\n do_open fs/namei.c:3640 [inline]\n path_openat+0x2083/0x2750 fs/namei.c:3791\n do_filp_open+0x1ba/0x410 fs/namei.c:3818\n do_sys_openat2+0x16d/0x4c0 fs/open.c:1356\n do_sys_open fs/open.c:1372 [inline]\n __do_sys_creat fs/open.c:1448 [inline]\n __se_sys_creat fs/open.c:1442 [inline]\n __x64_sys_creat+0xcd/0x120 fs/open.c:1442\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is, inodeA references inodeB via inodeB\u0027s ino, once inodeA\nis truncated, it calls truncate_dnode() to truncate data blocks in inodeB\u0027s\nnode page, it traverse mapping data from node-\u003ei.i_addr[0] to\nnode-\u003ei.i_addr[ADDRS_PER_BLOCK() - 1], result in out-of-boundary access.\n\nThis patch fixes to add sanity check on dnode page in truncate_dnode(),\nso that, it can help to avoid triggering such issue, and once it encounters\nsuch issue, it will record newly introduced ERROR_INVALID_NODE_REFERENCE\nerror into superblock, later fsck can detect such issue and try repairing.\n\nAlso, it removes f2fs_truncate_data_blocks() for cleanup due to the\nfunction has only one caller, and uses f2fs_truncate_data_blocks_range()\ninstead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:30.232Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af0f716ad3b039cab9d426da63a5ee6c88751185"
},
{
"url": "https://git.kernel.org/stable/c/a6ec83786ab9f13f25fb18166dee908845713a95"
}
],
"title": "f2fs: fix to do sanity check on direct node in truncate_dnode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53846",
"datePublished": "2025-12-09T01:30:09.202Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-20T08:51:30.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40233 (GCVE-0-2025-40233)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
ocfs2: clear extent cache after moving/defragmenting extents
Summary
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: clear extent cache after moving/defragmenting extents
The extent map cache can become stale when extents are moved or
defragmented, causing subsequent operations to see outdated extent flags.
This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().
The problem occurs when:
1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED
2. ioctl(FITRIM) triggers ocfs2_move_extents()
3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)
4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()
which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)
5. The extent map cache is not invalidated after the move
6. Later write() operations read stale cached flags (0x2) but disk has
updated flags (0x0), causing a mismatch
7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers
Fix by clearing the extent map cache after each extent move/defrag
operation in __ocfs2_move_extents_range(). This ensures subsequent
operations read fresh extent data from disk.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
53069d4e76954e2e63c1b3c501051c6fbcf7298c , < 93166bc53c0e3587058327a4121daea34b4fecd5
(git)
Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < a7ee72286efba1d407c6f15a0528e43593fb7007 (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < 93b1ab422f1966b71561158e1aedce4ec100f357 (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < e92af7737a94a729225d2a5d180eaaa77fe0bbc1 (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < aa6a21409dd6221bb268b56bb410e031c632ff9a (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < bb69928ed578f881e68d26aaf1a8f6e7faab3b44 (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < a21750df2f6169af6e039a3bb4893d6c9564e48d (git) Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < 78a63493f8e352296dbc7cb7b3f4973105e8679e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93166bc53c0e3587058327a4121daea34b4fecd5",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "a7ee72286efba1d407c6f15a0528e43593fb7007",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "93b1ab422f1966b71561158e1aedce4ec100f357",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "e92af7737a94a729225d2a5d180eaaa77fe0bbc1",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "aa6a21409dd6221bb268b56bb410e031c632ff9a",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "bb69928ed578f881e68d26aaf1a8f6e7faab3b44",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "a21750df2f6169af6e039a3bb4893d6c9564e48d",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
},
{
"lessThan": "78a63493f8e352296dbc7cb7b3f4973105e8679e",
"status": "affected",
"version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ocfs2/move_extents.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: clear extent cache after moving/defragmenting extents\n\nThe extent map cache can become stale when extents are moved or\ndefragmented, causing subsequent operations to see outdated extent flags. \nThis triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().\n\nThe problem occurs when:\n1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED\n2. ioctl(FITRIM) triggers ocfs2_move_extents()\n3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)\n4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()\n which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)\n5. The extent map cache is not invalidated after the move\n6. Later write() operations read stale cached flags (0x2) but disk has\n updated flags (0x0), causing a mismatch\n7. BUG_ON(!(rec-\u003ee_flags \u0026 OCFS2_EXT_REFCOUNTED)) triggers\n\nFix by clearing the extent map cache after each extent move/defrag\noperation in __ocfs2_move_extents_range(). This ensures subsequent\noperations read fresh extent data from disk."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:23.891Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93166bc53c0e3587058327a4121daea34b4fecd5"
},
{
"url": "https://git.kernel.org/stable/c/a7ee72286efba1d407c6f15a0528e43593fb7007"
},
{
"url": "https://git.kernel.org/stable/c/93b1ab422f1966b71561158e1aedce4ec100f357"
},
{
"url": "https://git.kernel.org/stable/c/e92af7737a94a729225d2a5d180eaaa77fe0bbc1"
},
{
"url": "https://git.kernel.org/stable/c/aa6a21409dd6221bb268b56bb410e031c632ff9a"
},
{
"url": "https://git.kernel.org/stable/c/bb69928ed578f881e68d26aaf1a8f6e7faab3b44"
},
{
"url": "https://git.kernel.org/stable/c/a21750df2f6169af6e039a3bb4893d6c9564e48d"
},
{
"url": "https://git.kernel.org/stable/c/78a63493f8e352296dbc7cb7b3f4973105e8679e"
}
],
"title": "ocfs2: clear extent cache after moving/defragmenting extents",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40233",
"datePublished": "2025-12-04T15:31:23.891Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:23.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54170 (GCVE-0-2023-54170)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
keys: Fix linking a duplicate key to a keyring's assoc_array
Summary
In the Linux kernel, the following vulnerability has been resolved:
keys: Fix linking a duplicate key to a keyring's assoc_array
When making a DNS query inside the kernel using dns_query(), the request
code can in rare cases end up creating a duplicate index key in the
assoc_array of the destination keyring. It is eventually found by
a BUG_ON() check in the assoc_array implementation and results in
a crash.
Example report:
[2158499.700025] kernel BUG at ../lib/assoc_array.c:652!
[2158499.700039] invalid opcode: 0000 [#1] SMP PTI
[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3
[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs]
[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40
[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f
[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282
[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005
[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000
[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000
[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28
[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740
[2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000
[2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0
[2158499.700702] Call Trace:
[2158499.700741] ? key_alloc+0x447/0x4b0
[2158499.700768] ? __key_link_begin+0x43/0xa0
[2158499.700790] __key_link_begin+0x43/0xa0
[2158499.700814] request_key_and_link+0x2c7/0x730
[2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver]
[2158499.700873] ? key_default_cmp+0x20/0x20
[2158499.700898] request_key_tag+0x43/0xa0
[2158499.700926] dns_query+0x114/0x2ca [dns_resolver]
[2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs]
[2158499.701164] ? scnprintf+0x49/0x90
[2158499.701190] ? __switch_to_asm+0x40/0x70
[2158499.701211] ? __switch_to_asm+0x34/0x70
[2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs]
[2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs]
[2158499.701632] process_one_work+0x1f8/0x3e0
[2158499.701658] worker_thread+0x2d/0x3f0
[2158499.701682] ? process_one_work+0x3e0/0x3e0
[2158499.701703] kthread+0x10d/0x130
[2158499.701723] ? kthread_park+0xb0/0xb0
[2158499.701746] ret_from_fork+0x1f/0x40
The situation occurs as follows:
* Some kernel facility invokes dns_query() to resolve a hostname, for
example, "abcdef". The function registers its global DNS resolver
cache as current->cred.thread_keyring and passes the query to
request_key_net() -> request_key_tag() -> request_key_and_link().
* Function request_key_and_link() creates a keyring_search_context
object. Its match_data.cmp method gets set via a call to
type->match_preparse() (resolves to dns_resolver_match_preparse()) to
dns_resolver_cmp().
* Function request_key_and_link() continues and invokes
search_process_keyrings_rcu() which returns that a given key was not
found. The control is then passed to request_key_and_link() ->
construct_alloc_key().
* Concurrently to that, a second task similarly makes a DNS query for
"abcdef." and its result gets inserted into the DNS resolver cache.
* Back on the first task, function construct_alloc_key() first runs
__key_link_begin() to determine an assoc_array_edit operation to
insert a new key. Index keys in the array are compared exactly as-is,
using keyring_compare_object(). The operation
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
df593ee23e05cdda16c8c995e5818779431bb29f , < 65bd66a794bfa059375ec834885bb610d75c0182
(git)
Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < 0a6b0ca58685be34979236f83f2b322635b80b32 (git) Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < 9aecfebea24fe6071ace5cc9fd6d690b87276bbb (git) Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < 00edfa6d4fe022942e2f2e6f3294ff13ef78b15c (git) Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < e091bb55af9a930801f83df78195a908a76e1479 (git) Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < d55901522f96082a43b9842d34867363c0cdbac5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/keys/request_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65bd66a794bfa059375ec834885bb610d75c0182",
"status": "affected",
"version": "df593ee23e05cdda16c8c995e5818779431bb29f",
"versionType": "git"
},
{
"lessThan": "0a6b0ca58685be34979236f83f2b322635b80b32",
"status": "affected",
"version": "df593ee23e05cdda16c8c995e5818779431bb29f",
"versionType": "git"
},
{
"lessThan": "9aecfebea24fe6071ace5cc9fd6d690b87276bbb",
"status": "affected",
"version": "df593ee23e05cdda16c8c995e5818779431bb29f",
"versionType": "git"
},
{
"lessThan": "00edfa6d4fe022942e2f2e6f3294ff13ef78b15c",
"status": "affected",
"version": "df593ee23e05cdda16c8c995e5818779431bb29f",
"versionType": "git"
},
{
"lessThan": "e091bb55af9a930801f83df78195a908a76e1479",
"status": "affected",
"version": "df593ee23e05cdda16c8c995e5818779431bb29f",
"versionType": "git"
},
{
"lessThan": "d55901522f96082a43b9842d34867363c0cdbac5",
"status": "affected",
"version": "df593ee23e05cdda16c8c995e5818779431bb29f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/keys/request_key.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkeys: Fix linking a duplicate key to a keyring\u0027s assoc_array\n\nWhen making a DNS query inside the kernel using dns_query(), the request\ncode can in rare cases end up creating a duplicate index key in the\nassoc_array of the destination keyring. It is eventually found by\na BUG_ON() check in the assoc_array implementation and results in\na crash.\n\nExample report:\n[2158499.700025] kernel BUG at ../lib/assoc_array.c:652!\n[2158499.700039] invalid opcode: 0000 [#1] SMP PTI\n[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3\n[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs]\n[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40\n[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff \u003c0f\u003e 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f\n[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282\n[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005\n[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000\n[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000\n[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28\n[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740\n[2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000\n[2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0\n[2158499.700702] Call Trace:\n[2158499.700741] ? key_alloc+0x447/0x4b0\n[2158499.700768] ? __key_link_begin+0x43/0xa0\n[2158499.700790] __key_link_begin+0x43/0xa0\n[2158499.700814] request_key_and_link+0x2c7/0x730\n[2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver]\n[2158499.700873] ? key_default_cmp+0x20/0x20\n[2158499.700898] request_key_tag+0x43/0xa0\n[2158499.700926] dns_query+0x114/0x2ca [dns_resolver]\n[2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs]\n[2158499.701164] ? scnprintf+0x49/0x90\n[2158499.701190] ? __switch_to_asm+0x40/0x70\n[2158499.701211] ? __switch_to_asm+0x34/0x70\n[2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs]\n[2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs]\n[2158499.701632] process_one_work+0x1f8/0x3e0\n[2158499.701658] worker_thread+0x2d/0x3f0\n[2158499.701682] ? process_one_work+0x3e0/0x3e0\n[2158499.701703] kthread+0x10d/0x130\n[2158499.701723] ? kthread_park+0xb0/0xb0\n[2158499.701746] ret_from_fork+0x1f/0x40\n\nThe situation occurs as follows:\n* Some kernel facility invokes dns_query() to resolve a hostname, for\n example, \"abcdef\". The function registers its global DNS resolver\n cache as current-\u003ecred.thread_keyring and passes the query to\n request_key_net() -\u003e request_key_tag() -\u003e request_key_and_link().\n* Function request_key_and_link() creates a keyring_search_context\n object. Its match_data.cmp method gets set via a call to\n type-\u003ematch_preparse() (resolves to dns_resolver_match_preparse()) to\n dns_resolver_cmp().\n* Function request_key_and_link() continues and invokes\n search_process_keyrings_rcu() which returns that a given key was not\n found. The control is then passed to request_key_and_link() -\u003e\n construct_alloc_key().\n* Concurrently to that, a second task similarly makes a DNS query for\n \"abcdef.\" and its result gets inserted into the DNS resolver cache.\n* Back on the first task, function construct_alloc_key() first runs\n __key_link_begin() to determine an assoc_array_edit operation to\n insert a new key. Index keys in the array are compared exactly as-is,\n using keyring_compare_object(). The operation \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:44.763Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65bd66a794bfa059375ec834885bb610d75c0182"
},
{
"url": "https://git.kernel.org/stable/c/0a6b0ca58685be34979236f83f2b322635b80b32"
},
{
"url": "https://git.kernel.org/stable/c/9aecfebea24fe6071ace5cc9fd6d690b87276bbb"
},
{
"url": "https://git.kernel.org/stable/c/00edfa6d4fe022942e2f2e6f3294ff13ef78b15c"
},
{
"url": "https://git.kernel.org/stable/c/e091bb55af9a930801f83df78195a908a76e1479"
},
{
"url": "https://git.kernel.org/stable/c/d55901522f96082a43b9842d34867363c0cdbac5"
}
],
"title": "keys: Fix linking a duplicate key to a keyring\u0027s assoc_array",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54170",
"datePublished": "2025-12-30T12:08:44.763Z",
"dateReserved": "2025-12-30T12:06:44.496Z",
"dateUpdated": "2025-12-30T12:08:44.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40231 (GCVE-0-2025-40231)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
vsock: fix lock inversion in vsock_assign_transport()
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: fix lock inversion in vsock_assign_transport()
Syzbot reported a potential lock inversion deadlock between
vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.
The issue was introduced by commit 687aa0c5581b ("vsock: Fix
transport_* TOCTOU") which added vsock_register_mutex locking in
vsock_assign_transport() around the transport->release() call, that can
call vsock_linger(). vsock_assign_transport() can be called with sk_lock
held. vsock_linger() calls sk_wait_event() that temporarily releases and
re-acquires sk_lock. During this window, if another thread hold
vsock_register_mutex while trying to acquire sk_lock, a circular
dependency is created.
Fix this by releasing vsock_register_mutex before calling
transport->release() and vsock_deassign_transport(). This is safe
because we don't need to hold vsock_register_mutex while releasing the
old transport, and we ensure the new transport won't disappear by
obtaining a module reference first via try_module_get().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8667e8d0eb46bc54fdae30ba2f4786407d3d88eb , < ce4f856c64f0bc30e29302a0ce41f4295ca391c5
(git)
Affected: 36a439049b34cca0b3661276049b84a1f76cc21a , < 09bba278ccde25a14b6e5088a9e65a8717d0cccf (git) Affected: 9ce53e744f18e73059d3124070e960f3aa9902bf , < b44182c116778feaa05da52a426aeb9da1878dcf (git) Affected: 9d24bb6780282b0255b9929abe5e8f98007e2c6e , < 42ed0784d11adebf748711e503af0eb9f1e6d81d (git) Affected: ae2c712ba39c7007de63cb0c75b51ce1caaf1da5 , < 251caee792a21eb0b781aab91362b422c945e162 (git) Affected: 687aa0c5581b8d4aa87fd92973e4ee576b550cdf , < a2a4346eea8b4cb75037dbcb20b98cb454324f80 (git) Affected: 687aa0c5581b8d4aa87fd92973e4ee576b550cdf , < f7c877e7535260cc7a21484c994e8ce7e8cb6780 (git) Affected: 7b73bddf54777fb62d4d8c7729d0affe6df04477 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ce4f856c64f0bc30e29302a0ce41f4295ca391c5",
"status": "affected",
"version": "8667e8d0eb46bc54fdae30ba2f4786407d3d88eb",
"versionType": "git"
},
{
"lessThan": "09bba278ccde25a14b6e5088a9e65a8717d0cccf",
"status": "affected",
"version": "36a439049b34cca0b3661276049b84a1f76cc21a",
"versionType": "git"
},
{
"lessThan": "b44182c116778feaa05da52a426aeb9da1878dcf",
"status": "affected",
"version": "9ce53e744f18e73059d3124070e960f3aa9902bf",
"versionType": "git"
},
{
"lessThan": "42ed0784d11adebf748711e503af0eb9f1e6d81d",
"status": "affected",
"version": "9d24bb6780282b0255b9929abe5e8f98007e2c6e",
"versionType": "git"
},
{
"lessThan": "251caee792a21eb0b781aab91362b422c945e162",
"status": "affected",
"version": "ae2c712ba39c7007de63cb0c75b51ce1caaf1da5",
"versionType": "git"
},
{
"lessThan": "a2a4346eea8b4cb75037dbcb20b98cb454324f80",
"status": "affected",
"version": "687aa0c5581b8d4aa87fd92973e4ee576b550cdf",
"versionType": "git"
},
{
"lessThan": "f7c877e7535260cc7a21484c994e8ce7e8cb6780",
"status": "affected",
"version": "687aa0c5581b8d4aa87fd92973e4ee576b550cdf",
"versionType": "git"
},
{
"status": "affected",
"version": "7b73bddf54777fb62d4d8c7729d0affe6df04477",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.10.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.15.189",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "6.1.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "6.6.99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "6.12.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: fix lock inversion in vsock_assign_transport()\n\nSyzbot reported a potential lock inversion deadlock between\nvsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.\n\nThe issue was introduced by commit 687aa0c5581b (\"vsock: Fix\ntransport_* TOCTOU\") which added vsock_register_mutex locking in\nvsock_assign_transport() around the transport-\u003erelease() call, that can\ncall vsock_linger(). vsock_assign_transport() can be called with sk_lock\nheld. vsock_linger() calls sk_wait_event() that temporarily releases and\nre-acquires sk_lock. During this window, if another thread hold\nvsock_register_mutex while trying to acquire sk_lock, a circular\ndependency is created.\n\nFix this by releasing vsock_register_mutex before calling\ntransport-\u003erelease() and vsock_deassign_transport(). This is safe\nbecause we don\u0027t need to hold vsock_register_mutex while releasing the\nold transport, and we ensure the new transport won\u0027t disappear by\nobtaining a module reference first via try_module_get()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:22.199Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ce4f856c64f0bc30e29302a0ce41f4295ca391c5"
},
{
"url": "https://git.kernel.org/stable/c/09bba278ccde25a14b6e5088a9e65a8717d0cccf"
},
{
"url": "https://git.kernel.org/stable/c/b44182c116778feaa05da52a426aeb9da1878dcf"
},
{
"url": "https://git.kernel.org/stable/c/42ed0784d11adebf748711e503af0eb9f1e6d81d"
},
{
"url": "https://git.kernel.org/stable/c/251caee792a21eb0b781aab91362b422c945e162"
},
{
"url": "https://git.kernel.org/stable/c/a2a4346eea8b4cb75037dbcb20b98cb454324f80"
},
{
"url": "https://git.kernel.org/stable/c/f7c877e7535260cc7a21484c994e8ce7e8cb6780"
}
],
"title": "vsock: fix lock inversion in vsock_assign_transport()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40231",
"datePublished": "2025-12-04T15:31:22.199Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:22.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54050 (GCVE-0-2023-54050)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
ubifs: Fix memleak when insert_old_idx() failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
ubifs: Fix memleak when insert_old_idx() failed
Following process will cause a memleak for copied up znode:
dirty_cow_znode
zn = copy_znode(c, znode);
err = insert_old_idx(c, zbr->lnum, zbr->offs);
if (unlikely(err))
return ERR_PTR(err); // No one refers to zn.
Fetch a reproducer in [Link].
Function copy_znode() is split into 2 parts: resource allocation
and znode replacement, insert_old_idx() is split in similar way,
so resource cleanup could be done in error handling path without
corrupting metadata(mem & disk).
It's okay that old index inserting is put behind of add_idx_dirt(),
old index is used in layout_leb_in_gaps(), so the two processes do
not depend on each other.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d , < cc29c7216d7f057eb0613b97dc38c7e1962a88d2
(git)
Affected: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d , < 6f2eee5457bc48b0426dedfd78cdbdea241a6edb (git) Affected: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d , < 66e9f2fb3e753f820bec2a98e8c6387029988320 (git) Affected: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d , < 3ae75f82c33fa1b4ca2006b55c84f4ef4a428d4d (git) Affected: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d , < ef9aac603659e9ffe7d69ae16e3f0fc0991a965b (git) Affected: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d , < 79079cebbeed624b9d01cfcf1e3254ae1a1f6e14 (git) Affected: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d , < a6da0ab9847779e05a7416c7a98148b549de69ef (git) Affected: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d , < b5fda08ef213352ac2df7447611eb4d383cce929 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ubifs/tnc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc29c7216d7f057eb0613b97dc38c7e1962a88d2",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "6f2eee5457bc48b0426dedfd78cdbdea241a6edb",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "66e9f2fb3e753f820bec2a98e8c6387029988320",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "3ae75f82c33fa1b4ca2006b55c84f4ef4a428d4d",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "ef9aac603659e9ffe7d69ae16e3f0fc0991a965b",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "79079cebbeed624b9d01cfcf1e3254ae1a1f6e14",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "a6da0ab9847779e05a7416c7a98148b549de69ef",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
},
{
"lessThan": "b5fda08ef213352ac2df7447611eb4d383cce929",
"status": "affected",
"version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ubifs/tnc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix memleak when insert_old_idx() failed\n\nFollowing process will cause a memleak for copied up znode:\n\ndirty_cow_znode\n zn = copy_znode(c, znode);\n err = insert_old_idx(c, zbr-\u003elnum, zbr-\u003eoffs);\n if (unlikely(err))\n return ERR_PTR(err); // No one refers to zn.\n\nFetch a reproducer in [Link].\n\nFunction copy_znode() is split into 2 parts: resource allocation\nand znode replacement, insert_old_idx() is split in similar way,\nso resource cleanup could be done in error handling path without\ncorrupting metadata(mem \u0026 disk).\nIt\u0027s okay that old index inserting is put behind of add_idx_dirt(),\nold index is used in layout_leb_in_gaps(), so the two processes do\nnot depend on each other."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:00.366Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc29c7216d7f057eb0613b97dc38c7e1962a88d2"
},
{
"url": "https://git.kernel.org/stable/c/6f2eee5457bc48b0426dedfd78cdbdea241a6edb"
},
{
"url": "https://git.kernel.org/stable/c/66e9f2fb3e753f820bec2a98e8c6387029988320"
},
{
"url": "https://git.kernel.org/stable/c/3ae75f82c33fa1b4ca2006b55c84f4ef4a428d4d"
},
{
"url": "https://git.kernel.org/stable/c/ef9aac603659e9ffe7d69ae16e3f0fc0991a965b"
},
{
"url": "https://git.kernel.org/stable/c/79079cebbeed624b9d01cfcf1e3254ae1a1f6e14"
},
{
"url": "https://git.kernel.org/stable/c/a6da0ab9847779e05a7416c7a98148b549de69ef"
},
{
"url": "https://git.kernel.org/stable/c/b5fda08ef213352ac2df7447611eb4d383cce929"
}
],
"title": "ubifs: Fix memleak when insert_old_idx() failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54050",
"datePublished": "2025-12-24T12:23:00.366Z",
"dateReserved": "2025-12-24T12:21:05.090Z",
"dateUpdated": "2025-12-24T12:23:00.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54153 (GCVE-0-2023-54153)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:07 – Updated: 2025-12-24 13:07
VLAI?
EPSS
Title
ext4: turn quotas off if mount failed after enabling quotas
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: turn quotas off if mount failed after enabling quotas
Yi found during a review of the patch "ext4: don't BUG on inconsistent
journal feature" that when ext4_mark_recovery_complete() returns an error
value, the error handling path does not turn off the enabled quotas,
which triggers the following kmemleak:
================================================================
unreferenced object 0xffff8cf68678e7c0 (size 64):
comm "mount", pid 746, jiffies 4294871231 (age 11.540s)
hex dump (first 32 bytes):
00 90 ef 82 f6 8c ff ff 00 00 00 00 41 01 00 00 ............A...
c7 00 00 00 bd 00 00 00 0a 00 00 00 48 00 00 00 ............H...
backtrace:
[<00000000c561ef24>] __kmem_cache_alloc_node+0x4d4/0x880
[<00000000d4e621d7>] kmalloc_trace+0x39/0x140
[<00000000837eee74>] v2_read_file_info+0x18a/0x3a0
[<0000000088f6c877>] dquot_load_quota_sb+0x2ed/0x770
[<00000000340a4782>] dquot_load_quota_inode+0xc6/0x1c0
[<0000000089a18bd5>] ext4_enable_quotas+0x17e/0x3a0 [ext4]
[<000000003a0268fa>] __ext4_fill_super+0x3448/0x3910 [ext4]
[<00000000b0f2a8a8>] ext4_fill_super+0x13d/0x340 [ext4]
[<000000004a9489c4>] get_tree_bdev+0x1dc/0x370
[<000000006e723bf1>] ext4_get_tree+0x1d/0x30 [ext4]
[<00000000c7cb663d>] vfs_get_tree+0x31/0x160
[<00000000320e1bed>] do_new_mount+0x1d5/0x480
[<00000000c074654c>] path_mount+0x22e/0xbe0
[<0000000003e97a8e>] do_mount+0x95/0xc0
[<000000002f3d3736>] __x64_sys_mount+0xc4/0x160
[<0000000027d2140c>] do_syscall_64+0x3f/0x90
================================================================
To solve this problem, we add a "failed_mount10" tag, and call
ext4_quota_off_umount() in this tag to release the enabled qoutas.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
11215630aada28307ba555a43138db6ac54fa825 , < c327b83c59ee938792a0300df646efac39c7d6a7
(git)
Affected: 11215630aada28307ba555a43138db6ac54fa825 , < deef86fa3005cbb61ae8aa5729324c09b3f4ba73 (git) Affected: 11215630aada28307ba555a43138db6ac54fa825 , < 77c3ca1108eb4a26db4f256c42b271a430cebc7d (git) Affected: 11215630aada28307ba555a43138db6ac54fa825 , < d13f99632748462c32fc95d729f5e754bab06064 (git) Affected: 60e2824ab30a19c7aaf5a3932bc155d18b2cd816 (git) Affected: a6d49257cbe53c7bca1a0353a6443f53cbed9cc7 (git) Affected: 2e7312ddaf629eecf4702b662da477a3bc39c31a (git) Affected: d558851e5ff443b020245b7a1a455c55accf740b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c327b83c59ee938792a0300df646efac39c7d6a7",
"status": "affected",
"version": "11215630aada28307ba555a43138db6ac54fa825",
"versionType": "git"
},
{
"lessThan": "deef86fa3005cbb61ae8aa5729324c09b3f4ba73",
"status": "affected",
"version": "11215630aada28307ba555a43138db6ac54fa825",
"versionType": "git"
},
{
"lessThan": "77c3ca1108eb4a26db4f256c42b271a430cebc7d",
"status": "affected",
"version": "11215630aada28307ba555a43138db6ac54fa825",
"versionType": "git"
},
{
"lessThan": "d13f99632748462c32fc95d729f5e754bab06064",
"status": "affected",
"version": "11215630aada28307ba555a43138db6ac54fa825",
"versionType": "git"
},
{
"status": "affected",
"version": "60e2824ab30a19c7aaf5a3932bc155d18b2cd816",
"versionType": "git"
},
{
"status": "affected",
"version": "a6d49257cbe53c7bca1a0353a6443f53cbed9cc7",
"versionType": "git"
},
{
"status": "affected",
"version": "2e7312ddaf629eecf4702b662da477a3bc39c31a",
"versionType": "git"
},
{
"status": "affected",
"version": "d558851e5ff443b020245b7a1a455c55accf740b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.143",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: turn quotas off if mount failed after enabling quotas\n\nYi found during a review of the patch \"ext4: don\u0027t BUG on inconsistent\njournal feature\" that when ext4_mark_recovery_complete() returns an error\nvalue, the error handling path does not turn off the enabled quotas,\nwhich triggers the following kmemleak:\n\n================================================================\nunreferenced object 0xffff8cf68678e7c0 (size 64):\ncomm \"mount\", pid 746, jiffies 4294871231 (age 11.540s)\nhex dump (first 32 bytes):\n00 90 ef 82 f6 8c ff ff 00 00 00 00 41 01 00 00 ............A...\nc7 00 00 00 bd 00 00 00 0a 00 00 00 48 00 00 00 ............H...\nbacktrace:\n[\u003c00000000c561ef24\u003e] __kmem_cache_alloc_node+0x4d4/0x880\n[\u003c00000000d4e621d7\u003e] kmalloc_trace+0x39/0x140\n[\u003c00000000837eee74\u003e] v2_read_file_info+0x18a/0x3a0\n[\u003c0000000088f6c877\u003e] dquot_load_quota_sb+0x2ed/0x770\n[\u003c00000000340a4782\u003e] dquot_load_quota_inode+0xc6/0x1c0\n[\u003c0000000089a18bd5\u003e] ext4_enable_quotas+0x17e/0x3a0 [ext4]\n[\u003c000000003a0268fa\u003e] __ext4_fill_super+0x3448/0x3910 [ext4]\n[\u003c00000000b0f2a8a8\u003e] ext4_fill_super+0x13d/0x340 [ext4]\n[\u003c000000004a9489c4\u003e] get_tree_bdev+0x1dc/0x370\n[\u003c000000006e723bf1\u003e] ext4_get_tree+0x1d/0x30 [ext4]\n[\u003c00000000c7cb663d\u003e] vfs_get_tree+0x31/0x160\n[\u003c00000000320e1bed\u003e] do_new_mount+0x1d5/0x480\n[\u003c00000000c074654c\u003e] path_mount+0x22e/0xbe0\n[\u003c0000000003e97a8e\u003e] do_mount+0x95/0xc0\n[\u003c000000002f3d3736\u003e] __x64_sys_mount+0xc4/0x160\n[\u003c0000000027d2140c\u003e] do_syscall_64+0x3f/0x90\n================================================================\n\nTo solve this problem, we add a \"failed_mount10\" tag, and call\next4_quota_off_umount() in this tag to release the enabled qoutas."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:07:04.007Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c327b83c59ee938792a0300df646efac39c7d6a7"
},
{
"url": "https://git.kernel.org/stable/c/deef86fa3005cbb61ae8aa5729324c09b3f4ba73"
},
{
"url": "https://git.kernel.org/stable/c/77c3ca1108eb4a26db4f256c42b271a430cebc7d"
},
{
"url": "https://git.kernel.org/stable/c/d13f99632748462c32fc95d729f5e754bab06064"
}
],
"title": "ext4: turn quotas off if mount failed after enabling quotas",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54153",
"datePublished": "2025-12-24T13:07:04.007Z",
"dateReserved": "2025-12-24T13:02:52.529Z",
"dateUpdated": "2025-12-24T13:07:04.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54126 (GCVE-0-2023-54126)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
crypto: safexcel - Cleanup ring IRQ workqueues on load failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: safexcel - Cleanup ring IRQ workqueues on load failure
A failure loading the safexcel driver results in the following warning
on boot, because the IRQ affinity has not been correctly cleaned up.
Ensure we clean up the affinity and workqueues on a failure to load the
driver.
crypto-safexcel: probe of f2800000.crypto failed with error -2
------------[ cut here ]------------
WARNING: CPU: 1 PID: 232 at kernel/irq/manage.c:1913 free_irq+0x300/0x340
Modules linked in: hwmon mdio_i2c crypto_safexcel(+) md5 sha256_generic libsha256 authenc libdes omap_rng rng_core nft_masq nft_nat nft_chain_nat nf_nat nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink fuse autofs4
CPU: 1 PID: 232 Comm: systemd-udevd Tainted: G W 6.1.6-00002-g9d4898824677 #3
Hardware name: MikroTik RB5009 (DT)
pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : free_irq+0x300/0x340
lr : free_irq+0x2e0/0x340
sp : ffff800008fa3890
x29: ffff800008fa3890 x28: 0000000000000000 x27: 0000000000000000
x26: ffff8000008e6dc0 x25: ffff000009034cac x24: ffff000009034d50
x23: 0000000000000000 x22: 000000000000004a x21: ffff0000093e0d80
x20: ffff000009034c00 x19: ffff00000615fc00 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 000075f5c1584c5e
x14: 0000000000000017 x13: 0000000000000000 x12: 0000000000000040
x11: ffff000000579b60 x10: ffff000000579b62 x9 : ffff800008bbe370
x8 : ffff000000579dd0 x7 : 0000000000000000 x6 : ffff000000579e18
x5 : ffff000000579da8 x4 : ffff800008ca0000 x3 : ffff800008ca0188
x2 : 0000000013033204 x1 : ffff000009034c00 x0 : ffff8000087eadf0
Call trace:
free_irq+0x300/0x340
devm_irq_release+0x14/0x20
devres_release_all+0xa0/0x100
device_unbind_cleanup+0x14/0x60
really_probe+0x198/0x2d4
__driver_probe_device+0x74/0xdc
driver_probe_device+0x3c/0x110
__driver_attach+0x8c/0x190
bus_for_each_dev+0x6c/0xc0
driver_attach+0x20/0x30
bus_add_driver+0x148/0x1fc
driver_register+0x74/0x120
__platform_driver_register+0x24/0x30
safexcel_init+0x48/0x1000 [crypto_safexcel]
do_one_initcall+0x4c/0x1b0
do_init_module+0x44/0x1cc
load_module+0x1724/0x1be4
__do_sys_finit_module+0xbc/0x110
__arm64_sys_finit_module+0x1c/0x24
invoke_syscall+0x44/0x110
el0_svc_common.constprop.0+0xc0/0xe0
do_el0_svc+0x20/0x80
el0_svc+0x14/0x4c
el0t_64_sync_handler+0xb0/0xb4
el0t_64_sync+0x148/0x14c
---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce , < 4f4de392f4926820ec1fd3573a016c704a68893d
(git)
Affected: 1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce , < 0a89d4a075524cf1f865cfdbb9cf38ab8e3e5409 (git) Affected: 1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce , < 09e177d6f7edd0873a63f51abe914902ec0f4400 (git) Affected: 1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce , < 4d9d2fd86766ee3ec077c011aa482e85b6c9595c (git) Affected: 1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce , < 162f9daf0c22480f88b24fd46d16abae46c10fce (git) Affected: 1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce , < ab573af2655ba509e2a167897de9b5585c2ca44d (git) Affected: 1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce , < ca25c00ccbc5f942c63897ed23584cfc66e8ec81 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/inside-secure/safexcel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4f4de392f4926820ec1fd3573a016c704a68893d",
"status": "affected",
"version": "1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce",
"versionType": "git"
},
{
"lessThan": "0a89d4a075524cf1f865cfdbb9cf38ab8e3e5409",
"status": "affected",
"version": "1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce",
"versionType": "git"
},
{
"lessThan": "09e177d6f7edd0873a63f51abe914902ec0f4400",
"status": "affected",
"version": "1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce",
"versionType": "git"
},
{
"lessThan": "4d9d2fd86766ee3ec077c011aa482e85b6c9595c",
"status": "affected",
"version": "1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce",
"versionType": "git"
},
{
"lessThan": "162f9daf0c22480f88b24fd46d16abae46c10fce",
"status": "affected",
"version": "1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce",
"versionType": "git"
},
{
"lessThan": "ab573af2655ba509e2a167897de9b5585c2ca44d",
"status": "affected",
"version": "1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce",
"versionType": "git"
},
{
"lessThan": "ca25c00ccbc5f942c63897ed23584cfc66e8ec81",
"status": "affected",
"version": "1b44c5a60c137e5fd0c2c8b86e58fdbc9cd181ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/inside-secure/safexcel.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: safexcel - Cleanup ring IRQ workqueues on load failure\n\nA failure loading the safexcel driver results in the following warning\non boot, because the IRQ affinity has not been correctly cleaned up.\nEnsure we clean up the affinity and workqueues on a failure to load the\ndriver.\n\ncrypto-safexcel: probe of f2800000.crypto failed with error -2\n------------[ cut here ]------------\nWARNING: CPU: 1 PID: 232 at kernel/irq/manage.c:1913 free_irq+0x300/0x340\nModules linked in: hwmon mdio_i2c crypto_safexcel(+) md5 sha256_generic libsha256 authenc libdes omap_rng rng_core nft_masq nft_nat nft_chain_nat nf_nat nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink fuse autofs4\nCPU: 1 PID: 232 Comm: systemd-udevd Tainted: G W 6.1.6-00002-g9d4898824677 #3\nHardware name: MikroTik RB5009 (DT)\npstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : free_irq+0x300/0x340\nlr : free_irq+0x2e0/0x340\nsp : ffff800008fa3890\nx29: ffff800008fa3890 x28: 0000000000000000 x27: 0000000000000000\nx26: ffff8000008e6dc0 x25: ffff000009034cac x24: ffff000009034d50\nx23: 0000000000000000 x22: 000000000000004a x21: ffff0000093e0d80\nx20: ffff000009034c00 x19: ffff00000615fc00 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 000075f5c1584c5e\nx14: 0000000000000017 x13: 0000000000000000 x12: 0000000000000040\nx11: ffff000000579b60 x10: ffff000000579b62 x9 : ffff800008bbe370\nx8 : ffff000000579dd0 x7 : 0000000000000000 x6 : ffff000000579e18\nx5 : ffff000000579da8 x4 : ffff800008ca0000 x3 : ffff800008ca0188\nx2 : 0000000013033204 x1 : ffff000009034c00 x0 : ffff8000087eadf0\nCall trace:\n free_irq+0x300/0x340\n devm_irq_release+0x14/0x20\n devres_release_all+0xa0/0x100\n device_unbind_cleanup+0x14/0x60\n really_probe+0x198/0x2d4\n __driver_probe_device+0x74/0xdc\n driver_probe_device+0x3c/0x110\n __driver_attach+0x8c/0x190\n bus_for_each_dev+0x6c/0xc0\n driver_attach+0x20/0x30\n bus_add_driver+0x148/0x1fc\n driver_register+0x74/0x120\n __platform_driver_register+0x24/0x30\n safexcel_init+0x48/0x1000 [crypto_safexcel]\n do_one_initcall+0x4c/0x1b0\n do_init_module+0x44/0x1cc\n load_module+0x1724/0x1be4\n __do_sys_finit_module+0xbc/0x110\n __arm64_sys_finit_module+0x1c/0x24\n invoke_syscall+0x44/0x110\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x20/0x80\n el0_svc+0x14/0x4c\n el0t_64_sync_handler+0xb0/0xb4\n el0t_64_sync+0x148/0x14c\n---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:44.687Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4f4de392f4926820ec1fd3573a016c704a68893d"
},
{
"url": "https://git.kernel.org/stable/c/0a89d4a075524cf1f865cfdbb9cf38ab8e3e5409"
},
{
"url": "https://git.kernel.org/stable/c/09e177d6f7edd0873a63f51abe914902ec0f4400"
},
{
"url": "https://git.kernel.org/stable/c/4d9d2fd86766ee3ec077c011aa482e85b6c9595c"
},
{
"url": "https://git.kernel.org/stable/c/162f9daf0c22480f88b24fd46d16abae46c10fce"
},
{
"url": "https://git.kernel.org/stable/c/ab573af2655ba509e2a167897de9b5585c2ca44d"
},
{
"url": "https://git.kernel.org/stable/c/ca25c00ccbc5f942c63897ed23584cfc66e8ec81"
}
],
"title": "crypto: safexcel - Cleanup ring IRQ workqueues on load failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54126",
"datePublished": "2025-12-24T13:06:44.687Z",
"dateReserved": "2025-12-24T13:02:52.521Z",
"dateUpdated": "2025-12-24T13:06:44.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68170 (GCVE-0-2025-68170)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42
VLAI?
EPSS
Title
drm/radeon: Do not kfree() devres managed rdev
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: Do not kfree() devres managed rdev
Since the allocation of the drivers main structure was changed to
devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling
kfree() on it.
This fixes things exploding if the driver probe fails and devres cleans up
the rdev after we already free'd it.
(cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < f7482516002a11317912e29577bbf33cf59a0fb1
(git)
Affected: a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < 2413bbd1d692aed245c2aa38a369a1fa7590db84 (git) Affected: a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < 3328443363a0895fd9c096edfe8ecd372ca9145e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7482516002a11317912e29577bbf33cf59a0fb1",
"status": "affected",
"version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
"versionType": "git"
},
{
"lessThan": "2413bbd1d692aed245c2aa38a369a1fa7590db84",
"status": "affected",
"version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
"versionType": "git"
},
{
"lessThan": "3328443363a0895fd9c096edfe8ecd372ca9145e",
"status": "affected",
"version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Do not kfree() devres managed rdev\n\nSince the allocation of the drivers main structure was changed to\ndevm_drm_dev_alloc() rdev is managed by devres and we shouldn\u0027t be calling\nkfree() on it.\n\nThis fixes things exploding if the driver probe fails and devres cleans up\nthe rdev after we already free\u0027d it.\n\n(cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:42:50.201Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7482516002a11317912e29577bbf33cf59a0fb1"
},
{
"url": "https://git.kernel.org/stable/c/2413bbd1d692aed245c2aa38a369a1fa7590db84"
},
{
"url": "https://git.kernel.org/stable/c/3328443363a0895fd9c096edfe8ecd372ca9145e"
}
],
"title": "drm/radeon: Do not kfree() devres managed rdev",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68170",
"datePublished": "2025-12-16T13:42:50.201Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2025-12-16T13:42:50.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38616 (GCVE-0-2025-38616)
Vulnerability from cvelistv5 – Published: 2025-08-22 13:01 – Updated: 2025-09-29 05:54
VLAI?
EPSS
Title
tls: handle data disappearing from under the TLS ULP
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: handle data disappearing from under the TLS ULP
TLS expects that it owns the receive queue of the TCP socket.
This cannot be guaranteed in case the reader of the TCP socket
entered before the TLS ULP was installed, or uses some non-standard
read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy
early exit (which leaves anchor pointing to a freed skb) with real
error handling. Wipe the parsing state and tell the reader to retry.
We already reload the anchor every time we (re)acquire the socket lock,
so the only condition we need to avoid is an out of bounds read
(not having enough bytes in the socket for previously parsed record len).
If some data was read from under TLS but there's enough in the queue
we'll reload and decrypt what is most likely not a valid TLS record.
Leading to some undefined behavior from TLS perspective (corrupting
a stream? missing an alert? missing an attack?) but no kernel crash
should take place.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < f1fe99919f629f980d0b8a7ff16950bffe06a859
(git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < eb0336f213fe88bbdb7d2b19c9c9ec19245a3155 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < db3658a12d5ec4db7185ae7476151a50521b7207 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 2fb97ed9e2672b4f6e24ce206ac1a875ce4bcb38 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 6db015fc4b5d5f63a64a193f65d98da3a7fc811d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls.h",
"net/tls/tls_strp.c",
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f1fe99919f629f980d0b8a7ff16950bffe06a859",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "eb0336f213fe88bbdb7d2b19c9c9ec19245a3155",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "db3658a12d5ec4db7185ae7476151a50521b7207",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "2fb97ed9e2672b4f6e24ce206ac1a875ce4bcb38",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "6db015fc4b5d5f63a64a193f65d98da3a7fc811d",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls.h",
"net/tls/tls_strp.c",
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: handle data disappearing from under the TLS ULP\n\nTLS expects that it owns the receive queue of the TCP socket.\nThis cannot be guaranteed in case the reader of the TCP socket\nentered before the TLS ULP was installed, or uses some non-standard\nread API (eg. zerocopy ones). Replace the WARN_ON() and a buggy\nearly exit (which leaves anchor pointing to a freed skb) with real\nerror handling. Wipe the parsing state and tell the reader to retry.\n\nWe already reload the anchor every time we (re)acquire the socket lock,\nso the only condition we need to avoid is an out of bounds read\n(not having enough bytes in the socket for previously parsed record len).\n\nIf some data was read from under TLS but there\u0027s enough in the queue\nwe\u0027ll reload and decrypt what is most likely not a valid TLS record.\nLeading to some undefined behavior from TLS perspective (corrupting\na stream? missing an alert? missing an attack?) but no kernel crash\nshould take place."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:51.143Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f1fe99919f629f980d0b8a7ff16950bffe06a859"
},
{
"url": "https://git.kernel.org/stable/c/eb0336f213fe88bbdb7d2b19c9c9ec19245a3155"
},
{
"url": "https://git.kernel.org/stable/c/db3658a12d5ec4db7185ae7476151a50521b7207"
},
{
"url": "https://git.kernel.org/stable/c/2fb97ed9e2672b4f6e24ce206ac1a875ce4bcb38"
},
{
"url": "https://git.kernel.org/stable/c/6db015fc4b5d5f63a64a193f65d98da3a7fc811d"
}
],
"title": "tls: handle data disappearing from under the TLS ULP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38616",
"datePublished": "2025-08-22T13:01:23.217Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-09-29T05:54:51.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40220 (GCVE-0-2025-40220)
Vulnerability from cvelistv5 – Published: 2025-12-04 14:50 – Updated: 2025-12-04 14:50
VLAI?
EPSS
Title
fuse: fix livelock in synchronous file put from fuseblk workers
Summary
In the Linux kernel, the following vulnerability has been resolved:
fuse: fix livelock in synchronous file put from fuseblk workers
I observed a hang when running generic/323 against a fuseblk server.
This test opens a file, initiates a lot of AIO writes to that file
descriptor, and closes the file descriptor before the writes complete.
Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for
responses from the fuseblk server:
# cat /proc/372265/task/372313/stack
[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
[<0>] fuse_do_getattr+0xfc/0x1f0 [fuse]
[<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse]
[<0>] aio_read+0x130/0x1e0
[<0>] io_submit_one+0x542/0x860
[<0>] __x64_sys_io_submit+0x98/0x1a0
[<0>] do_syscall_64+0x37/0xf0
[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
But the /weird/ part is that the fuseblk server threads are waiting for
responses from itself:
# cat /proc/372210/task/372232/stack
[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
[<0>] fuse_file_put+0x9a/0xd0 [fuse]
[<0>] fuse_release+0x36/0x50 [fuse]
[<0>] __fput+0xec/0x2b0
[<0>] task_work_run+0x55/0x90
[<0>] syscall_exit_to_user_mode+0xe9/0x100
[<0>] do_syscall_64+0x43/0xf0
[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
The fuseblk server is fuse2fs so there's nothing all that exciting in
the server itself. So why is the fuse server calling fuse_file_put?
The commit message for the fstest sheds some light on that:
"By closing the file descriptor before calling io_destroy, you pretty
much guarantee that the last put on the ioctx will be done in interrupt
context (during I/O completion).
Aha. AIO fgets a new struct file from the fd when it queues the ioctx.
The completion of the FUSE_WRITE command from userspace causes the fuse
server to call the AIO completion function. The completion puts the
struct file, queuing a delayed fput to the fuse server task. When the
fuse server task returns to userspace, it has to run the delayed fput,
which in the case of a fuseblk server, it does synchronously.
Sending the FUSE_RELEASE command sychronously from fuse server threads
is a bad idea because a client program can initiate enough simultaneous
AIOs such that all the fuse server threads end up in delayed_fput, and
now there aren't any threads left to handle the queued fuse commands.
Fix this by only using asynchronous fputs when closing files, and leave
a comment explaining why.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < 548e1f2bac1d4df91a6138f26bb4ab00323fd948
(git)
Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < cfd1aa3e2b71f3327cb373c45a897c9028c62b35 (git) Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < 83b375c6efef69b1066ad2d79601221e7892745a (git) Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < bfd17b6138df0122a95989457d8e18ce0b86165e (git) Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < b26923512dbe57ae4917bafd31396d22a9d1691a (git) Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < f19a1390af448d9e193c08e28ea5f727bf3c3049 (git) Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 (git) Affected: 9efe56738fecd591b5bf366a325440f9b457ebd6 (git) Affected: 5c46eb076e0a1b2c1769287cd6942e4594ade1b1 (git) Affected: 83e6726210d6c815ce044437106c738eda5ff6f6 (git) Affected: 23d154c71721fd0fa6199851078f32e6bd765664 (git) Affected: ca3edc920f5fd7d8ac040caaf109f925c24620a0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "548e1f2bac1d4df91a6138f26bb4ab00323fd948",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "cfd1aa3e2b71f3327cb373c45a897c9028c62b35",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "83b375c6efef69b1066ad2d79601221e7892745a",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "bfd17b6138df0122a95989457d8e18ce0b86165e",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "b26923512dbe57ae4917bafd31396d22a9d1691a",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "f19a1390af448d9e193c08e28ea5f727bf3c3049",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"lessThan": "26e5c67deb2e1f42a951f022fdf5b9f7eb747b01",
"status": "affected",
"version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
"versionType": "git"
},
{
"status": "affected",
"version": "9efe56738fecd591b5bf366a325440f9b457ebd6",
"versionType": "git"
},
{
"status": "affected",
"version": "5c46eb076e0a1b2c1769287cd6942e4594ade1b1",
"versionType": "git"
},
{
"status": "affected",
"version": "83e6726210d6c815ce044437106c738eda5ff6f6",
"versionType": "git"
},
{
"status": "affected",
"version": "23d154c71721fd0fa6199851078f32e6bd765664",
"versionType": "git"
},
{
"status": "affected",
"version": "ca3edc920f5fd7d8ac040caaf109f925c24620a0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fuse/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.33.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.34.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.35.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.37.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix livelock in synchronous file put from fuseblk workers\n\nI observed a hang when running generic/323 against a fuseblk server.\nThis test opens a file, initiates a lot of AIO writes to that file\ndescriptor, and closes the file descriptor before the writes complete.\nUnsurprisingly, the AIO exerciser threads are mostly stuck waiting for\nresponses from the fuseblk server:\n\n# cat /proc/372265/task/372313/stack\n[\u003c0\u003e] request_wait_answer+0x1fe/0x2a0 [fuse]\n[\u003c0\u003e] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[\u003c0\u003e] fuse_do_getattr+0xfc/0x1f0 [fuse]\n[\u003c0\u003e] fuse_file_read_iter+0xbe/0x1c0 [fuse]\n[\u003c0\u003e] aio_read+0x130/0x1e0\n[\u003c0\u003e] io_submit_one+0x542/0x860\n[\u003c0\u003e] __x64_sys_io_submit+0x98/0x1a0\n[\u003c0\u003e] do_syscall_64+0x37/0xf0\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nBut the /weird/ part is that the fuseblk server threads are waiting for\nresponses from itself:\n\n# cat /proc/372210/task/372232/stack\n[\u003c0\u003e] request_wait_answer+0x1fe/0x2a0 [fuse]\n[\u003c0\u003e] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[\u003c0\u003e] fuse_file_put+0x9a/0xd0 [fuse]\n[\u003c0\u003e] fuse_release+0x36/0x50 [fuse]\n[\u003c0\u003e] __fput+0xec/0x2b0\n[\u003c0\u003e] task_work_run+0x55/0x90\n[\u003c0\u003e] syscall_exit_to_user_mode+0xe9/0x100\n[\u003c0\u003e] do_syscall_64+0x43/0xf0\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe fuseblk server is fuse2fs so there\u0027s nothing all that exciting in\nthe server itself. So why is the fuse server calling fuse_file_put?\nThe commit message for the fstest sheds some light on that:\n\n\"By closing the file descriptor before calling io_destroy, you pretty\nmuch guarantee that the last put on the ioctx will be done in interrupt\ncontext (during I/O completion).\n\nAha. AIO fgets a new struct file from the fd when it queues the ioctx.\nThe completion of the FUSE_WRITE command from userspace causes the fuse\nserver to call the AIO completion function. The completion puts the\nstruct file, queuing a delayed fput to the fuse server task. When the\nfuse server task returns to userspace, it has to run the delayed fput,\nwhich in the case of a fuseblk server, it does synchronously.\n\nSending the FUSE_RELEASE command sychronously from fuse server threads\nis a bad idea because a client program can initiate enough simultaneous\nAIOs such that all the fuse server threads end up in delayed_fput, and\nnow there aren\u0027t any threads left to handle the queued fuse commands.\n\nFix this by only using asynchronous fputs when closing files, and leave\na comment explaining why."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T14:50:44.108Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/548e1f2bac1d4df91a6138f26bb4ab00323fd948"
},
{
"url": "https://git.kernel.org/stable/c/cfd1aa3e2b71f3327cb373c45a897c9028c62b35"
},
{
"url": "https://git.kernel.org/stable/c/83b375c6efef69b1066ad2d79601221e7892745a"
},
{
"url": "https://git.kernel.org/stable/c/bfd17b6138df0122a95989457d8e18ce0b86165e"
},
{
"url": "https://git.kernel.org/stable/c/b26923512dbe57ae4917bafd31396d22a9d1691a"
},
{
"url": "https://git.kernel.org/stable/c/f19a1390af448d9e193c08e28ea5f727bf3c3049"
},
{
"url": "https://git.kernel.org/stable/c/26e5c67deb2e1f42a951f022fdf5b9f7eb747b01"
}
],
"title": "fuse: fix livelock in synchronous file put from fuseblk workers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40220",
"datePublished": "2025-12-04T14:50:44.108Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T14:50:44.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68176 (GCVE-0-2025-68176)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
PCI: cadence: Check for the existence of cdns_pcie::ops before using it
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: cadence: Check for the existence of cdns_pcie::ops before using it
cdns_pcie::ops might not be populated by all the Cadence glue drivers. This
is going to be true for the upcoming Sophgo platform which doesn't set the
ops.
Hence, add a check to prevent NULL pointer dereference.
[mani: reworded subject and description]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
40d957e6f9eb3a8a585007b8b730340c829afbdb , < d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1
(git)
Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed (git) Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 0d0bb756f002810d249caee51f3f1c309f3cdab5 (git) Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 1810b2fd7375de88a74976dcd402b29088e479ed (git) Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 953eb3796ef06b8ea3bf6bdde14156255bc75866 (git) Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 363448d069e29685ca37a118065121e486387af3 (git) Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/cadence/pcie-cadence-host.c",
"drivers/pci/controller/cadence/pcie-cadence.c",
"drivers/pci/controller/cadence/pcie-cadence.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "0d0bb756f002810d249caee51f3f1c309f3cdab5",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "1810b2fd7375de88a74976dcd402b29088e479ed",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "953eb3796ef06b8ea3bf6bdde14156255bc75866",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "363448d069e29685ca37a118065121e486387af3",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
},
{
"lessThan": "49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09",
"status": "affected",
"version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/controller/cadence/pcie-cadence-host.c",
"drivers/pci/controller/cadence/pcie-cadence.c",
"drivers/pci/controller/cadence/pcie-cadence.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: cadence: Check for the existence of cdns_pcie::ops before using it\n\ncdns_pcie::ops might not be populated by all the Cadence glue drivers. This\nis going to be true for the upcoming Sophgo platform which doesn\u0027t set the\nops.\n\nHence, add a check to prevent NULL pointer dereference.\n\n[mani: reworded subject and description]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:04.730Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1"
},
{
"url": "https://git.kernel.org/stable/c/eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed"
},
{
"url": "https://git.kernel.org/stable/c/0d0bb756f002810d249caee51f3f1c309f3cdab5"
},
{
"url": "https://git.kernel.org/stable/c/1810b2fd7375de88a74976dcd402b29088e479ed"
},
{
"url": "https://git.kernel.org/stable/c/953eb3796ef06b8ea3bf6bdde14156255bc75866"
},
{
"url": "https://git.kernel.org/stable/c/363448d069e29685ca37a118065121e486387af3"
},
{
"url": "https://git.kernel.org/stable/c/49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09"
}
],
"title": "PCI: cadence: Check for the existence of cdns_pcie::ops before using it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68176",
"datePublished": "2025-12-16T13:42:55.616Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2026-01-02T15:34:04.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50846 (GCVE-0-2022-50846)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
mmc: via-sdmmc: fix return value check of mmc_add_host()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: via-sdmmc: fix return value check of mmc_add_host()
mmc_add_host() may return error, if we ignore its return value,
it will lead two issues:
1. The memory that allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete device, but it's not added yet, it will lead a kernel
crash because of null-ptr-deref in device_del().
Fix this by checking the return value and goto error path which
will call mmc_free_host().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f0bf7f61b8405224bc52fc9a3ccd167a68126e00 , < 076bcd2c93e16b05c10564e299d6e5d26a766d00
(git)
Affected: f0bf7f61b8405224bc52fc9a3ccd167a68126e00 , < 12b8e81b77c05c658efd9cde3585bbd65ae39b59 (git) Affected: f0bf7f61b8405224bc52fc9a3ccd167a68126e00 , < 95025a8dd0ec015872f6c16473fe04d6264e68ca (git) Affected: f0bf7f61b8405224bc52fc9a3ccd167a68126e00 , < f59ef2a47a228e51322ad76752a55a8917c56e38 (git) Affected: f0bf7f61b8405224bc52fc9a3ccd167a68126e00 , < 63400da6cd37a9793c19bb6aed7131b58b975a04 (git) Affected: f0bf7f61b8405224bc52fc9a3ccd167a68126e00 , < 0959cc1685eb19774300d43ef25e318b457b156b (git) Affected: f0bf7f61b8405224bc52fc9a3ccd167a68126e00 , < 0ec94795114edc7e24ec71849dce42bfa61dafa3 (git) Affected: f0bf7f61b8405224bc52fc9a3ccd167a68126e00 , < ba91b413983a9235792523c6b9f7ba2586c4d75d (git) Affected: f0bf7f61b8405224bc52fc9a3ccd167a68126e00 , < e4e46fb61e3bb4628170810d3f2b996b709b90d9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/via-sdmmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "076bcd2c93e16b05c10564e299d6e5d26a766d00",
"status": "affected",
"version": "f0bf7f61b8405224bc52fc9a3ccd167a68126e00",
"versionType": "git"
},
{
"lessThan": "12b8e81b77c05c658efd9cde3585bbd65ae39b59",
"status": "affected",
"version": "f0bf7f61b8405224bc52fc9a3ccd167a68126e00",
"versionType": "git"
},
{
"lessThan": "95025a8dd0ec015872f6c16473fe04d6264e68ca",
"status": "affected",
"version": "f0bf7f61b8405224bc52fc9a3ccd167a68126e00",
"versionType": "git"
},
{
"lessThan": "f59ef2a47a228e51322ad76752a55a8917c56e38",
"status": "affected",
"version": "f0bf7f61b8405224bc52fc9a3ccd167a68126e00",
"versionType": "git"
},
{
"lessThan": "63400da6cd37a9793c19bb6aed7131b58b975a04",
"status": "affected",
"version": "f0bf7f61b8405224bc52fc9a3ccd167a68126e00",
"versionType": "git"
},
{
"lessThan": "0959cc1685eb19774300d43ef25e318b457b156b",
"status": "affected",
"version": "f0bf7f61b8405224bc52fc9a3ccd167a68126e00",
"versionType": "git"
},
{
"lessThan": "0ec94795114edc7e24ec71849dce42bfa61dafa3",
"status": "affected",
"version": "f0bf7f61b8405224bc52fc9a3ccd167a68126e00",
"versionType": "git"
},
{
"lessThan": "ba91b413983a9235792523c6b9f7ba2586c4d75d",
"status": "affected",
"version": "f0bf7f61b8405224bc52fc9a3ccd167a68126e00",
"versionType": "git"
},
{
"lessThan": "e4e46fb61e3bb4628170810d3f2b996b709b90d9",
"status": "affected",
"version": "f0bf7f61b8405224bc52fc9a3ccd167a68126e00",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/via-sdmmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: via-sdmmc: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value,\nit will lead two issues:\n1. The memory that allocated in mmc_alloc_host() is leaked.\n2. In the remove() path, mmc_remove_host() will be called to\n delete device, but it\u0027s not added yet, it will lead a kernel\n crash because of null-ptr-deref in device_del().\n\nFix this by checking the return value and goto error path which\nwill call mmc_free_host()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:03.286Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/076bcd2c93e16b05c10564e299d6e5d26a766d00"
},
{
"url": "https://git.kernel.org/stable/c/12b8e81b77c05c658efd9cde3585bbd65ae39b59"
},
{
"url": "https://git.kernel.org/stable/c/95025a8dd0ec015872f6c16473fe04d6264e68ca"
},
{
"url": "https://git.kernel.org/stable/c/f59ef2a47a228e51322ad76752a55a8917c56e38"
},
{
"url": "https://git.kernel.org/stable/c/63400da6cd37a9793c19bb6aed7131b58b975a04"
},
{
"url": "https://git.kernel.org/stable/c/0959cc1685eb19774300d43ef25e318b457b156b"
},
{
"url": "https://git.kernel.org/stable/c/0ec94795114edc7e24ec71849dce42bfa61dafa3"
},
{
"url": "https://git.kernel.org/stable/c/ba91b413983a9235792523c6b9f7ba2586c4d75d"
},
{
"url": "https://git.kernel.org/stable/c/e4e46fb61e3bb4628170810d3f2b996b709b90d9"
}
],
"title": "mmc: via-sdmmc: fix return value check of mmc_add_host()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50846",
"datePublished": "2025-12-30T12:11:03.286Z",
"dateReserved": "2025-12-30T12:06:07.134Z",
"dateUpdated": "2025-12-30T12:11:03.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53747 (GCVE-0-2023-53747)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
Summary
In the Linux kernel, the following vulnerability has been resolved:
vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
After a call to console_unlock() in vcs_write() the vc_data struct can be
freed by vc_port_destruct(). Because of that, the struct vc_data pointer
must be reloaded in the while loop in vcs_write() after console_lock() to
avoid a UAF when vcs_size() is called.
Syzkaller reported a UAF in vcs_size().
BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119
Call Trace:
<TASK>
__asan_report_load4_noabort (mm/kasan/report_generic.c:380)
vcs_size (drivers/tty/vt/vc_screen.c:215)
vcs_write (drivers/tty/vt/vc_screen.c:664)
vfs_write (fs/read_write.c:582 fs/read_write.c:564)
...
<TASK>
Allocated by task 1213:
kmalloc_trace (mm/slab_common.c:1064)
vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680
drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)
con_install (drivers/tty/vt/vt.c:3334)
tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415
drivers/tty/tty_io.c:1392)
tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)
chrdev_open (fs/char_dev.c:415)
do_dentry_open (fs/open.c:921)
vfs_open (fs/open.c:1052)
...
Freed by task 4116:
kfree (mm/slab_common.c:1016)
vc_port_destruct (drivers/tty/vt/vt.c:1044)
tty_port_destructor (drivers/tty/tty_port.c:296)
tty_port_put (drivers/tty/tty_port.c:312)
vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
tty_ioctl (drivers/tty/tty_io.c:2778)
...
The buggy address belongs to the object at ffff8880beab8800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 424 bytes inside of
freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)
The buggy address belongs to the physical page:
page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0xbeab8
head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0
pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff , < 934de9a9b659785fed3e820bc0c813a460c71fea
(git)
Affected: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff , < 0deff678157333d775af190f84696336cdcccd6d (git) Affected: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff , < a4e3c4c65ae8510e01352c9a4347e05c035b2ce2 (git) Affected: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff , < 11dddfbb7a4e62489b01074d6c04d9d1b42e4047 (git) Affected: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff , < e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67 (git) Affected: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff , < 3338d0b9acde770ee588eead5cac32c25e7048fc (git) Affected: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff , < 1de42e7653d6714a7507ba6696151a1fa028c69f (git) Affected: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff , < 8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/vt/vc_screen.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "934de9a9b659785fed3e820bc0c813a460c71fea",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "0deff678157333d775af190f84696336cdcccd6d",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "a4e3c4c65ae8510e01352c9a4347e05c035b2ce2",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "11dddfbb7a4e62489b01074d6c04d9d1b42e4047",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "3338d0b9acde770ee588eead5cac32c25e7048fc",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "1de42e7653d6714a7507ba6696151a1fa028c69f",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/vt/vc_screen.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.327",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.327",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF\n\nAfter a call to console_unlock() in vcs_write() the vc_data struct can be\nfreed by vc_port_destruct(). Because of that, the struct vc_data pointer\nmust be reloaded in the while loop in vcs_write() after console_lock() to\navoid a UAF when vcs_size() is called.\n\nSyzkaller reported a UAF in vcs_size().\n\nBUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)\nRead of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119\n\nCall Trace:\n \u003cTASK\u003e\n__asan_report_load4_noabort (mm/kasan/report_generic.c:380)\nvcs_size (drivers/tty/vt/vc_screen.c:215)\nvcs_write (drivers/tty/vt/vc_screen.c:664)\nvfs_write (fs/read_write.c:582 fs/read_write.c:564)\n...\n \u003cTASK\u003e\n\nAllocated by task 1213:\nkmalloc_trace (mm/slab_common.c:1064)\nvc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680\n drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)\ncon_install (drivers/tty/vt/vt.c:3334)\ntty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415\n drivers/tty/tty_io.c:1392)\ntty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)\nchrdev_open (fs/char_dev.c:415)\ndo_dentry_open (fs/open.c:921)\nvfs_open (fs/open.c:1052)\n...\n\nFreed by task 4116:\nkfree (mm/slab_common.c:1016)\nvc_port_destruct (drivers/tty/vt/vt.c:1044)\ntty_port_destructor (drivers/tty/tty_port.c:296)\ntty_port_put (drivers/tty/tty_port.c:312)\nvt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))\nvt_ioctl (drivers/tty/vt/vt_ioctl.c:903)\ntty_ioctl (drivers/tty/tty_io.c:2778)\n...\n\nThe buggy address belongs to the object at ffff8880beab8800\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 424 bytes inside of\n freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)\n\nThe buggy address belongs to the physical page:\npage:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000\n index:0x0 pfn:0xbeab8\nhead:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0\n pincount:0\nflags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)\npage_type: 0xffffffff()\nraw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002\nraw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003effff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\nDisabling lock debugging due to kernel taint"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:06.255Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/934de9a9b659785fed3e820bc0c813a460c71fea"
},
{
"url": "https://git.kernel.org/stable/c/0deff678157333d775af190f84696336cdcccd6d"
},
{
"url": "https://git.kernel.org/stable/c/a4e3c4c65ae8510e01352c9a4347e05c035b2ce2"
},
{
"url": "https://git.kernel.org/stable/c/11dddfbb7a4e62489b01074d6c04d9d1b42e4047"
},
{
"url": "https://git.kernel.org/stable/c/e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67"
},
{
"url": "https://git.kernel.org/stable/c/3338d0b9acde770ee588eead5cac32c25e7048fc"
},
{
"url": "https://git.kernel.org/stable/c/1de42e7653d6714a7507ba6696151a1fa028c69f"
},
{
"url": "https://git.kernel.org/stable/c/8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357"
}
],
"title": "vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53747",
"datePublished": "2025-12-08T01:19:06.255Z",
"dateReserved": "2025-12-08T01:18:04.279Z",
"dateUpdated": "2025-12-08T01:19:06.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40215 (GCVE-0-2025-40215)
Vulnerability from cvelistv5 – Published: 2025-12-04 12:38 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
xfrm: delete x->tunnel as we delete x
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: delete x->tunnel as we delete x
The ipcomp fallback tunnels currently get deleted (from the various
lists and hashtables) as the last user state that needed that fallback
is destroyed (not deleted). If a reference to that user state still
exists, the fallback state will remain on the hashtables/lists,
triggering the WARN in xfrm_state_fini. Because of those remaining
references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state
synchronously on net exit path") is not complete.
We recently fixed one such situation in TCP due to defered freeing of
skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we
currently drop dst")). This can also happen due to IP reassembly: skbs
with a secpath remain on the reassembly queue until netns
destruction. If we can't guarantee that the queues are flushed by the
time xfrm_state_fini runs, there may still be references to a (user)
xfrm_state, preventing the timely deletion of the corresponding
fallback state.
Instead of chasing each instance of skbs holding a secpath one by one,
this patch fixes the issue directly within xfrm, by deleting the
fallback state as soon as the last user state depending on it has been
deleted. Destruction will still happen when the final reference is
dropped.
A separate lockdep class for the fallback state is required since
we're going to lock x->tunnel while x is locked.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 1b28a7fae0128fa140a7dccd995182ff6cd1c67b
(git)
Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 4b2c17d0f9be8b58bb30468bc81a4b61c985b04e (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 0da961fa46da1b37ef868d9b603bd202136f8f8e (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < d0e0d1097118461463b76562c7ebaabaa5b90b13 (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < dc3636912d41770466543623cb76e7b88fdb42c7 (git) Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < b441cf3f8c4b8576639d20c8eb4aa32917602ecd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/xfrm.h",
"net/ipv4/ipcomp.c",
"net/ipv6/ipcomp6.c",
"net/ipv6/xfrm6_tunnel.c",
"net/xfrm/xfrm_ipcomp.c",
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b28a7fae0128fa140a7dccd995182ff6cd1c67b",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "4b2c17d0f9be8b58bb30468bc81a4b61c985b04e",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "0da961fa46da1b37ef868d9b603bd202136f8f8e",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "d0e0d1097118461463b76562c7ebaabaa5b90b13",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "dc3636912d41770466543623cb76e7b88fdb42c7",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
},
{
"lessThan": "b441cf3f8c4b8576639d20c8eb4aa32917602ecd",
"status": "affected",
"version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/xfrm.h",
"net/ipv4/ipcomp.c",
"net/ipv6/ipcomp6.c",
"net/ipv6/xfrm6_tunnel.c",
"net/xfrm/xfrm_ipcomp.c",
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: delete x-\u003etunnel as we delete x\n\nThe ipcomp fallback tunnels currently get deleted (from the various\nlists and hashtables) as the last user state that needed that fallback\nis destroyed (not deleted). If a reference to that user state still\nexists, the fallback state will remain on the hashtables/lists,\ntriggering the WARN in xfrm_state_fini. Because of those remaining\nreferences, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state\nsynchronously on net exit path\") is not complete.\n\nWe recently fixed one such situation in TCP due to defered freeing of\nskbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we\ncurrently drop dst\")). This can also happen due to IP reassembly: skbs\nwith a secpath remain on the reassembly queue until netns\ndestruction. If we can\u0027t guarantee that the queues are flushed by the\ntime xfrm_state_fini runs, there may still be references to a (user)\nxfrm_state, preventing the timely deletion of the corresponding\nfallback state.\n\nInstead of chasing each instance of skbs holding a secpath one by one,\nthis patch fixes the issue directly within xfrm, by deleting the\nfallback state as soon as the last user state depending on it has been\ndeleted. Destruction will still happen when the final reference is\ndropped.\n\nA separate lockdep class for the fallback state is required since\nwe\u0027re going to lock x-\u003etunnel while x is locked."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:05.674Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b28a7fae0128fa140a7dccd995182ff6cd1c67b"
},
{
"url": "https://git.kernel.org/stable/c/4b2c17d0f9be8b58bb30468bc81a4b61c985b04e"
},
{
"url": "https://git.kernel.org/stable/c/0da961fa46da1b37ef868d9b603bd202136f8f8e"
},
{
"url": "https://git.kernel.org/stable/c/d0e0d1097118461463b76562c7ebaabaa5b90b13"
},
{
"url": "https://git.kernel.org/stable/c/dc3636912d41770466543623cb76e7b88fdb42c7"
},
{
"url": "https://git.kernel.org/stable/c/b441cf3f8c4b8576639d20c8eb4aa32917602ecd"
}
],
"title": "xfrm: delete x-\u003etunnel as we delete x",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40215",
"datePublished": "2025-12-04T12:38:32.517Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2026-01-19T12:18:05.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68339 (GCVE-0-2025-68339)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
EPSS
Title
atm/fore200e: Fix possible data race in fore200e_open()
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm/fore200e: Fix possible data race in fore200e_open()
Protect access to fore200e->available_cell_rate with rate_mtx lock in the
error handling path of fore200e_open() to prevent a data race.
The field fore200e->available_cell_rate is a shared resource used to track
available bandwidth. It is concurrently accessed by fore200e_open(),
fore200e_close(), and fore200e_change_qos().
In fore200e_open(), the lock rate_mtx is correctly held when subtracting
vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth.
However, if the subsequent call to fore200e_activate_vcin() fails, the
function restores the reserved bandwidth by adding back to
available_cell_rate without holding the lock.
This introduces a race condition because available_cell_rate is a global
device resource shared across all VCCs. If the error path in
fore200e_open() executes concurrently with operations like
fore200e_close() or fore200e_change_qos() on other VCCs, a
read-modify-write race occurs.
Specifically, the error path reads the rate without the lock. If another
CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in
fore200e_close()) between this read and the subsequent write, the error
path will overwrite the concurrent update with a stale value. This results
in incorrect bandwidth accounting.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bd1415efbab507b9b995918105eef953013449dd (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9917ba597cf95f307778e495f71ff25a5064d167 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 667ac868823224374f819500adc5baa2889c7bc5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6610361458e7eb6502dd3182f586f91fcc218039 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 82fca3d8a4a34667f01ec2351a607135249c9cff (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/atm/fore200e.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd1415efbab507b9b995918105eef953013449dd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9917ba597cf95f307778e495f71ff25a5064d167",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "667ac868823224374f819500adc5baa2889c7bc5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6610361458e7eb6502dd3182f586f91fcc218039",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82fca3d8a4a34667f01ec2351a607135249c9cff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/atm/fore200e.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm/fore200e: Fix possible data race in fore200e_open()\n\nProtect access to fore200e-\u003eavailable_cell_rate with rate_mtx lock in the\nerror handling path of fore200e_open() to prevent a data race.\n\nThe field fore200e-\u003eavailable_cell_rate is a shared resource used to track\navailable bandwidth. It is concurrently accessed by fore200e_open(),\nfore200e_close(), and fore200e_change_qos().\n\nIn fore200e_open(), the lock rate_mtx is correctly held when subtracting\nvcc-\u003eqos.txtp.max_pcr from available_cell_rate to reserve bandwidth.\nHowever, if the subsequent call to fore200e_activate_vcin() fails, the\nfunction restores the reserved bandwidth by adding back to\navailable_cell_rate without holding the lock.\n\nThis introduces a race condition because available_cell_rate is a global\ndevice resource shared across all VCCs. If the error path in\nfore200e_open() executes concurrently with operations like\nfore200e_close() or fore200e_change_qos() on other VCCs, a\nread-modify-write race occurs.\n\nSpecifically, the error path reads the rate without the lock. If another\nCPU acquires the lock and modifies the rate (e.g., releasing bandwidth in\nfore200e_close()) between this read and the subsequent write, the error\npath will overwrite the concurrent update with a stale value. This results\nin incorrect bandwidth accounting."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:24.955Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d"
},
{
"url": "https://git.kernel.org/stable/c/bd1415efbab507b9b995918105eef953013449dd"
},
{
"url": "https://git.kernel.org/stable/c/ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1"
},
{
"url": "https://git.kernel.org/stable/c/9917ba597cf95f307778e495f71ff25a5064d167"
},
{
"url": "https://git.kernel.org/stable/c/667ac868823224374f819500adc5baa2889c7bc5"
},
{
"url": "https://git.kernel.org/stable/c/6610361458e7eb6502dd3182f586f91fcc218039"
},
{
"url": "https://git.kernel.org/stable/c/82fca3d8a4a34667f01ec2351a607135249c9cff"
}
],
"title": "atm/fore200e: Fix possible data race in fore200e_open()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68339",
"datePublished": "2025-12-23T13:58:24.955Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-23T13:58:24.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68766 (GCVE-0-2025-68766)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
Summary
In the Linux kernel, the following vulnerability has been resolved:
irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then
it results in an out of bounds access.
The code checks for invalid values, but doesn't set the error code. Return
-EINVAL in that case, instead of returning success.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
00fa3461c86dd289b441d4d5a6bb236064bd207b , < 324c60a67c4b9668497940f667db14d216cc7b1b
(git)
Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < c21c606ad398eeb86a0f3aaff9ba4f2665e286c6 (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 3873afcb57614c1aaa5b6715554d6d1c22cac95a (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 09efe7cfbf919c4d763bc425473fcfee0dc98356 (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552 (git) Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-mchp-eic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "324c60a67c4b9668497940f667db14d216cc7b1b",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "c21c606ad398eeb86a0f3aaff9ba4f2665e286c6",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "3873afcb57614c1aaa5b6715554d6d1c22cac95a",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "09efe7cfbf919c4d763bc425473fcfee0dc98356",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
},
{
"lessThan": "7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7",
"status": "affected",
"version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/irqchip/irq-mchp-eic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()\n\nIf irq_domain_translate_twocell() sets \"hwirq\" to \u003e= MCHP_EIC_NIRQ (2) then\nit results in an out of bounds access.\n\nThe code checks for invalid values, but doesn\u0027t set the error code. Return\n-EINVAL in that case, instead of returning success."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:35.537Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/324c60a67c4b9668497940f667db14d216cc7b1b"
},
{
"url": "https://git.kernel.org/stable/c/c21c606ad398eeb86a0f3aaff9ba4f2665e286c6"
},
{
"url": "https://git.kernel.org/stable/c/3873afcb57614c1aaa5b6715554d6d1c22cac95a"
},
{
"url": "https://git.kernel.org/stable/c/09efe7cfbf919c4d763bc425473fcfee0dc98356"
},
{
"url": "https://git.kernel.org/stable/c/efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552"
},
{
"url": "https://git.kernel.org/stable/c/7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7"
}
],
"title": "irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68766",
"datePublished": "2026-01-05T09:44:13.935Z",
"dateReserved": "2025-12-24T10:30:51.034Z",
"dateUpdated": "2026-01-11T16:30:35.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50756 (GCVE-0-2022-50756)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
nvme-pci: fix mempool alloc size
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-pci: fix mempool alloc size
Convert the max size to bytes to match the units of the divisor that
calculates the worst-case number of PRP entries.
The result is used to determine how many PRP Lists are required. The
code was previously rounding this to 1 list, but we can require 2 in the
worst case. In that scenario, the driver would corrupt memory beyond the
size provided by the mempool.
While unlikely to occur (you'd need a 4MB in exactly 127 phys segments
on a queue that doesn't support SGLs), this memory corruption has been
observed by kfence.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
943e942e6266f22babee5efeb00f8f672fbff5bd , < dfb6d54893d544151e7f480bc44cfe7823f5ad23
(git)
Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < 9141144b37f30e3e7fa024bcfa0a13011e546ba9 (git) Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < e1777b4286e526c58b4ee699344b0ad85aaf83a0 (git) Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < b1814724e0d7162bdf4799f2d565381bc2251c63 (git) Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < c89a529e823d51dd23c7ec0c047c7a454a428541 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dfb6d54893d544151e7f480bc44cfe7823f5ad23",
"status": "affected",
"version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
"versionType": "git"
},
{
"lessThan": "9141144b37f30e3e7fa024bcfa0a13011e546ba9",
"status": "affected",
"version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
"versionType": "git"
},
{
"lessThan": "e1777b4286e526c58b4ee699344b0ad85aaf83a0",
"status": "affected",
"version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
"versionType": "git"
},
{
"lessThan": "b1814724e0d7162bdf4799f2d565381bc2251c63",
"status": "affected",
"version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
"versionType": "git"
},
{
"lessThan": "c89a529e823d51dd23c7ec0c047c7a454a428541",
"status": "affected",
"version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: fix mempool alloc size\n\nConvert the max size to bytes to match the units of the divisor that\ncalculates the worst-case number of PRP entries.\n\nThe result is used to determine how many PRP Lists are required. The\ncode was previously rounding this to 1 list, but we can require 2 in the\nworst case. In that scenario, the driver would corrupt memory beyond the\nsize provided by the mempool.\n\nWhile unlikely to occur (you\u0027d need a 4MB in exactly 127 phys segments\non a queue that doesn\u0027t support SGLs), this memory corruption has been\nobserved by kfence."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:49.635Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dfb6d54893d544151e7f480bc44cfe7823f5ad23"
},
{
"url": "https://git.kernel.org/stable/c/9141144b37f30e3e7fa024bcfa0a13011e546ba9"
},
{
"url": "https://git.kernel.org/stable/c/e1777b4286e526c58b4ee699344b0ad85aaf83a0"
},
{
"url": "https://git.kernel.org/stable/c/b1814724e0d7162bdf4799f2d565381bc2251c63"
},
{
"url": "https://git.kernel.org/stable/c/c89a529e823d51dd23c7ec0c047c7a454a428541"
}
],
"title": "nvme-pci: fix mempool alloc size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50756",
"datePublished": "2025-12-24T13:05:49.635Z",
"dateReserved": "2025-12-24T13:02:21.545Z",
"dateUpdated": "2025-12-24T13:05:49.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54285 (GCVE-0-2023-54285)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
iomap: Fix possible overflow condition in iomap_write_delalloc_scan
Summary
In the Linux kernel, the following vulnerability has been resolved:
iomap: Fix possible overflow condition in iomap_write_delalloc_scan
folio_next_index() returns an unsigned long value which left shifted
by PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead
use folio_pos(folio) + folio_size(folio), which does this correctly.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/iomap/buffered-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c281b0c5d18c8eeb1cfd5023f4adb153e6d1240",
"status": "affected",
"version": "f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78",
"versionType": "git"
},
{
"lessThan": "eee2d2e6ea5550118170dbd5bb1316ceb38455fb",
"status": "affected",
"version": "f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78",
"versionType": "git"
},
{
"status": "affected",
"version": "38be53c3fd7f4f4bd5de319a323d72f9f6beb16d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/iomap/buffered-io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.92",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: Fix possible overflow condition in iomap_write_delalloc_scan\n\nfolio_next_index() returns an unsigned long value which left shifted\nby PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead\nuse folio_pos(folio) + folio_size(folio), which does this correctly."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:17.420Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c281b0c5d18c8eeb1cfd5023f4adb153e6d1240"
},
{
"url": "https://git.kernel.org/stable/c/eee2d2e6ea5550118170dbd5bb1316ceb38455fb"
}
],
"title": "iomap: Fix possible overflow condition in iomap_write_delalloc_scan",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54285",
"datePublished": "2025-12-30T12:23:25.770Z",
"dateReserved": "2025-12-30T12:06:44.526Z",
"dateUpdated": "2026-01-05T11:37:17.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50832 (GCVE-0-2022-50832)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2025-12-30 12:10
VLAI?
EPSS
Title
wifi: wilc1000: fix potential memory leak in wilc_mac_xmit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: wilc1000: fix potential memory leak in wilc_mac_xmit()
The wilc_mac_xmit() returns NETDEV_TX_OK without freeing skb, add
dev_kfree_skb() to fix it. Compile tested only.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c5c77ba18ea66aa05441c71e38473efb787705a4 , < a12610e83789c838493034e5c50ac5c903ad8c0d
(git)
Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < a1e94fb4d09d0fcfeaa73aa49d787f06c42db7ee (git) Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < 5706d00fde3f1d5eb7296a4dfefb6aea35108224 (git) Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < 07dcd756e28f27e4f8fcd8b809ffa05a5cc5de2b (git) Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < baef42df7de7c35ba60b75a5f96d1eb039f4d782 (git) Affected: c5c77ba18ea66aa05441c71e38473efb787705a4 , < deb962ec9e1c9a81babd3d37542ad4bd6ac3396e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/microchip/wilc1000/netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a12610e83789c838493034e5c50ac5c903ad8c0d",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "a1e94fb4d09d0fcfeaa73aa49d787f06c42db7ee",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "5706d00fde3f1d5eb7296a4dfefb6aea35108224",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "07dcd756e28f27e4f8fcd8b809ffa05a5cc5de2b",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "baef42df7de7c35ba60b75a5f96d1eb039f4d782",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
},
{
"lessThan": "deb962ec9e1c9a81babd3d37542ad4bd6ac3396e",
"status": "affected",
"version": "c5c77ba18ea66aa05441c71e38473efb787705a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/microchip/wilc1000/netdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix potential memory leak in wilc_mac_xmit()\n\nThe wilc_mac_xmit() returns NETDEV_TX_OK without freeing skb, add\ndev_kfree_skb() to fix it. Compile tested only."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:10:53.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a12610e83789c838493034e5c50ac5c903ad8c0d"
},
{
"url": "https://git.kernel.org/stable/c/a1e94fb4d09d0fcfeaa73aa49d787f06c42db7ee"
},
{
"url": "https://git.kernel.org/stable/c/5706d00fde3f1d5eb7296a4dfefb6aea35108224"
},
{
"url": "https://git.kernel.org/stable/c/07dcd756e28f27e4f8fcd8b809ffa05a5cc5de2b"
},
{
"url": "https://git.kernel.org/stable/c/baef42df7de7c35ba60b75a5f96d1eb039f4d782"
},
{
"url": "https://git.kernel.org/stable/c/deb962ec9e1c9a81babd3d37542ad4bd6ac3396e"
}
],
"title": "wifi: wilc1000: fix potential memory leak in wilc_mac_xmit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50832",
"datePublished": "2025-12-30T12:10:53.601Z",
"dateReserved": "2025-12-30T12:06:07.132Z",
"dateUpdated": "2025-12-30T12:10:53.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53864 (GCVE-0-2023-53864)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()
When disabling overlay plane in mxsfb_plane_overlay_atomic_update(),
overlay plane's framebuffer pointer is NULL. So, dereferencing it would
cause a kernel Oops(NULL pointer dereferencing). Fix the issue by
disabling overlay plane in mxsfb_plane_overlay_atomic_disable() instead.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33 , < 8bf2d4ca521d3acb57fc1607386e749b3cc92aaf
(git)
Affected: cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33 , < 0f98de0a11d29821d9448114178ddc1b1fe32a18 (git) Affected: cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33 , < aa656d48e871a1b062e1bbf9474d8b831c35074c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mxsfb/mxsfb_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8bf2d4ca521d3acb57fc1607386e749b3cc92aaf",
"status": "affected",
"version": "cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33",
"versionType": "git"
},
{
"lessThan": "0f98de0a11d29821d9448114178ddc1b1fe32a18",
"status": "affected",
"version": "cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33",
"versionType": "git"
},
{
"lessThan": "aa656d48e871a1b062e1bbf9474d8b831c35074c",
"status": "affected",
"version": "cb285a5348e768dbc8edfe28cc2be5ec0c7e1a33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mxsfb/mxsfb_kms.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()\n\nWhen disabling overlay plane in mxsfb_plane_overlay_atomic_update(),\noverlay plane\u0027s framebuffer pointer is NULL. So, dereferencing it would\ncause a kernel Oops(NULL pointer dereferencing). Fix the issue by\ndisabling overlay plane in mxsfb_plane_overlay_atomic_disable() instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:33.263Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8bf2d4ca521d3acb57fc1607386e749b3cc92aaf"
},
{
"url": "https://git.kernel.org/stable/c/0f98de0a11d29821d9448114178ddc1b1fe32a18"
},
{
"url": "https://git.kernel.org/stable/c/aa656d48e871a1b062e1bbf9474d8b831c35074c"
}
],
"title": "drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53864",
"datePublished": "2025-12-09T01:30:33.263Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2025-12-09T01:30:33.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53989 (GCVE-0-2023-53989)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
arm64: mm: fix VA-range sanity check
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: mm: fix VA-range sanity check
Both create_mapping_noalloc() and update_mapping_prot() sanity-check
their 'virt' parameter, but the check itself doesn't make much sense.
The condition used today appears to be a historical accident.
The sanity-check condition:
if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
[ ... warning here ... ]
return;
}
... can only be true for the KASAN shadow region or the module region,
and there's no reason to exclude these specifically for creating and
updateing mappings.
When arm64 support was first upstreamed in commit:
c1cc1552616d0f35 ("arm64: MMU initialisation")
... the condition was:
if (virt < VMALLOC_START) {
[ ... warning here ... ]
return;
}
At the time, VMALLOC_START was the lowest kernel address, and this was
checking whether 'virt' would be translated via TTBR1.
Subsequently in commit:
14c127c957c1c607 ("arm64: mm: Flip kernel VA space")
... the condition was changed to:
if ((virt >= VA_START) && (virt < VMALLOC_START)) {
[ ... warning here ... ]
return;
}
This appear to have been a thinko. The commit moved the linear map to
the bottom of the kernel address space, with VMALLOC_START being at the
halfway point. The old condition would warn for changes to the linear
map below this, and at the time VA_START was the end of the linear map.
Subsequently we cleaned up the naming of VA_START in commit:
77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END")
... keeping the erroneous condition as:
if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
[ ... warning here ... ]
return;
}
Correct the condition to check against the start of the TTBR1 address
space, which is currently PAGE_OFFSET. This simplifies the logic, and
more clearly matches the "outside kernel range" message in the warning.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
14c127c957c1c6070647c171e72f06e0db275ebf , < 9d8d3df71516ec3236d8d93ff029d251377ba4b1
(git)
Affected: 14c127c957c1c6070647c171e72f06e0db275ebf , < 32020fc2a8373d3de35ae6d029d5969a42651e7a (git) Affected: 14c127c957c1c6070647c171e72f06e0db275ebf , < 621619f626cbe702ddbdc54117f3868b8ebd8129 (git) Affected: 14c127c957c1c6070647c171e72f06e0db275ebf , < b03c7fcc5ed854d0e1b27e9abf12428bfa751a37 (git) Affected: 14c127c957c1c6070647c171e72f06e0db275ebf , < ab9b4008092c86dc12497af155a0901cc1156999 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9d8d3df71516ec3236d8d93ff029d251377ba4b1",
"status": "affected",
"version": "14c127c957c1c6070647c171e72f06e0db275ebf",
"versionType": "git"
},
{
"lessThan": "32020fc2a8373d3de35ae6d029d5969a42651e7a",
"status": "affected",
"version": "14c127c957c1c6070647c171e72f06e0db275ebf",
"versionType": "git"
},
{
"lessThan": "621619f626cbe702ddbdc54117f3868b8ebd8129",
"status": "affected",
"version": "14c127c957c1c6070647c171e72f06e0db275ebf",
"versionType": "git"
},
{
"lessThan": "b03c7fcc5ed854d0e1b27e9abf12428bfa751a37",
"status": "affected",
"version": "14c127c957c1c6070647c171e72f06e0db275ebf",
"versionType": "git"
},
{
"lessThan": "ab9b4008092c86dc12497af155a0901cc1156999",
"status": "affected",
"version": "14c127c957c1c6070647c171e72f06e0db275ebf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: fix VA-range sanity check\n\nBoth create_mapping_noalloc() and update_mapping_prot() sanity-check\ntheir \u0027virt\u0027 parameter, but the check itself doesn\u0027t make much sense.\nThe condition used today appears to be a historical accident.\n\nThe sanity-check condition:\n\n\tif ((virt \u003e= PAGE_END) \u0026\u0026 (virt \u003c VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\n... can only be true for the KASAN shadow region or the module region,\nand there\u0027s no reason to exclude these specifically for creating and\nupdateing mappings.\n\nWhen arm64 support was first upstreamed in commit:\n\n c1cc1552616d0f35 (\"arm64: MMU initialisation\")\n\n... the condition was:\n\n\tif (virt \u003c VMALLOC_START) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nAt the time, VMALLOC_START was the lowest kernel address, and this was\nchecking whether \u0027virt\u0027 would be translated via TTBR1.\n\nSubsequently in commit:\n\n 14c127c957c1c607 (\"arm64: mm: Flip kernel VA space\")\n\n... the condition was changed to:\n\n\tif ((virt \u003e= VA_START) \u0026\u0026 (virt \u003c VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nThis appear to have been a thinko. The commit moved the linear map to\nthe bottom of the kernel address space, with VMALLOC_START being at the\nhalfway point. The old condition would warn for changes to the linear\nmap below this, and at the time VA_START was the end of the linear map.\n\nSubsequently we cleaned up the naming of VA_START in commit:\n\n 77ad4ce69321abbe (\"arm64: memory: rename VA_START to PAGE_END\")\n\n... keeping the erroneous condition as:\n\n\tif ((virt \u003e= PAGE_END) \u0026\u0026 (virt \u003c VMALLOC_START)) {\n\t\t[ ... warning here ... ]\n\t\treturn;\n\t}\n\nCorrect the condition to check against the start of the TTBR1 address\nspace, which is currently PAGE_OFFSET. This simplifies the logic, and\nmore clearly matches the \"outside kernel range\" message in the warning."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:21.217Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9d8d3df71516ec3236d8d93ff029d251377ba4b1"
},
{
"url": "https://git.kernel.org/stable/c/32020fc2a8373d3de35ae6d029d5969a42651e7a"
},
{
"url": "https://git.kernel.org/stable/c/621619f626cbe702ddbdc54117f3868b8ebd8129"
},
{
"url": "https://git.kernel.org/stable/c/b03c7fcc5ed854d0e1b27e9abf12428bfa751a37"
},
{
"url": "https://git.kernel.org/stable/c/ab9b4008092c86dc12497af155a0901cc1156999"
}
],
"title": "arm64: mm: fix VA-range sanity check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53989",
"datePublished": "2025-12-24T10:55:28.461Z",
"dateReserved": "2025-12-24T10:53:46.175Z",
"dateUpdated": "2026-01-05T10:33:21.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54099 (GCVE-0-2023-54099)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
fs: Protect reconfiguration of sb read-write from racing writes
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: Protect reconfiguration of sb read-write from racing writes
The reconfigure / remount code takes a lot of effort to protect
filesystem's reconfiguration code from racing writes on remounting
read-only. However during remounting read-only filesystem to read-write
mode userspace writes can start immediately once we clear SB_RDONLY
flag. This is inconvenient for example for ext4 because we need to do
some writes to the filesystem (such as preparation of quota files)
before we can take userspace writes so we are clearing SB_RDONLY flag
before we are fully ready to accept userpace writes and syzbot has found
a way to exploit this [1]. Also as far as I'm reading the code
the filesystem remount code was protected from racing writes in the
legacy mount path by the mount's MNT_READONLY flag so this is relatively
new problem. It is actually fairly easy to protect remount read-write
from racing writes using sb->s_readonly_remount flag so let's just do
that instead of having to workaround these races in the filesystem code.
[1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8d0347f6c3a9d4953ddd636a31c6584da082e084 , < 0336b42456e485fda1006b5b411e7372e20fbf03
(git)
Affected: 8d0347f6c3a9d4953ddd636a31c6584da082e084 , < 7e4e87ec56aa6d008c64eab31b340a7c452b26cc (git) Affected: 8d0347f6c3a9d4953ddd636a31c6584da082e084 , < 0ccfe21949bc9f706a86ee7351b74375c0745757 (git) Affected: 8d0347f6c3a9d4953ddd636a31c6584da082e084 , < 295ef44a2abaf97d7a594b1d4c60d4be3738191f (git) Affected: 8d0347f6c3a9d4953ddd636a31c6584da082e084 , < 4abda85197ba5d695e6040d580b4b409ce0d3733 (git) Affected: 8d0347f6c3a9d4953ddd636a31c6584da082e084 , < c541dce86c537714b6761a79a969c1623dfa222b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0336b42456e485fda1006b5b411e7372e20fbf03",
"status": "affected",
"version": "8d0347f6c3a9d4953ddd636a31c6584da082e084",
"versionType": "git"
},
{
"lessThan": "7e4e87ec56aa6d008c64eab31b340a7c452b26cc",
"status": "affected",
"version": "8d0347f6c3a9d4953ddd636a31c6584da082e084",
"versionType": "git"
},
{
"lessThan": "0ccfe21949bc9f706a86ee7351b74375c0745757",
"status": "affected",
"version": "8d0347f6c3a9d4953ddd636a31c6584da082e084",
"versionType": "git"
},
{
"lessThan": "295ef44a2abaf97d7a594b1d4c60d4be3738191f",
"status": "affected",
"version": "8d0347f6c3a9d4953ddd636a31c6584da082e084",
"versionType": "git"
},
{
"lessThan": "4abda85197ba5d695e6040d580b4b409ce0d3733",
"status": "affected",
"version": "8d0347f6c3a9d4953ddd636a31c6584da082e084",
"versionType": "git"
},
{
"lessThan": "c541dce86c537714b6761a79a969c1623dfa222b",
"status": "affected",
"version": "8d0347f6c3a9d4953ddd636a31c6584da082e084",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Protect reconfiguration of sb read-write from racing writes\n\nThe reconfigure / remount code takes a lot of effort to protect\nfilesystem\u0027s reconfiguration code from racing writes on remounting\nread-only. However during remounting read-only filesystem to read-write\nmode userspace writes can start immediately once we clear SB_RDONLY\nflag. This is inconvenient for example for ext4 because we need to do\nsome writes to the filesystem (such as preparation of quota files)\nbefore we can take userspace writes so we are clearing SB_RDONLY flag\nbefore we are fully ready to accept userpace writes and syzbot has found\na way to exploit this [1]. Also as far as I\u0027m reading the code\nthe filesystem remount code was protected from racing writes in the\nlegacy mount path by the mount\u0027s MNT_READONLY flag so this is relatively\nnew problem. It is actually fairly easy to protect remount read-write\nfrom racing writes using sb-\u003es_readonly_remount flag so let\u0027s just do\nthat instead of having to workaround these races in the filesystem code.\n\n[1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:44.627Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0336b42456e485fda1006b5b411e7372e20fbf03"
},
{
"url": "https://git.kernel.org/stable/c/7e4e87ec56aa6d008c64eab31b340a7c452b26cc"
},
{
"url": "https://git.kernel.org/stable/c/0ccfe21949bc9f706a86ee7351b74375c0745757"
},
{
"url": "https://git.kernel.org/stable/c/295ef44a2abaf97d7a594b1d4c60d4be3738191f"
},
{
"url": "https://git.kernel.org/stable/c/4abda85197ba5d695e6040d580b4b409ce0d3733"
},
{
"url": "https://git.kernel.org/stable/c/c541dce86c537714b6761a79a969c1623dfa222b"
}
],
"title": "fs: Protect reconfiguration of sb read-write from racing writes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54099",
"datePublished": "2025-12-24T13:06:25.895Z",
"dateReserved": "2025-12-24T13:02:52.517Z",
"dateUpdated": "2026-01-05T10:33:44.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50758 (GCVE-0-2022-50758)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
staging: vt6655: fix potential memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: vt6655: fix potential memory leak
In function device_init_td0_ring, memory is allocated for member
td_info of priv->apTD0Rings[i], with i increasing from 0. In case of
allocation failure, the memory is freed in reversed order, with i
decreasing to 0. However, the case i=0 is left out and thus memory is
leaked.
Modify the memory freeing loop to include the case i=0.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5341ee0adb17d12a96dc5344e0d267cd12b52135 , < e741e38aa98704fbb959650ecd270b71b2670680
(git)
Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < 16a45e78a687eb6c69acc4e62b94b6508b0bfbda (git) Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < 1b3cebeca99e8e0aa4fa57faac8dbf41e967317a (git) Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < ff8551d411f12b5abc5ca929ab87643afa8a9588 (git) Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < fb5f569bcda8f87bd47d8030bfae343d757fa3ea (git) Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < cfdf139258614ef65b0f68b857ada5328fb7c0e5 (git) Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < c8ff91535880d41b49699b3829fb6151942de29e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/vt6655/device_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e741e38aa98704fbb959650ecd270b71b2670680",
"status": "affected",
"version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
"versionType": "git"
},
{
"lessThan": "16a45e78a687eb6c69acc4e62b94b6508b0bfbda",
"status": "affected",
"version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
"versionType": "git"
},
{
"lessThan": "1b3cebeca99e8e0aa4fa57faac8dbf41e967317a",
"status": "affected",
"version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
"versionType": "git"
},
{
"lessThan": "ff8551d411f12b5abc5ca929ab87643afa8a9588",
"status": "affected",
"version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
"versionType": "git"
},
{
"lessThan": "fb5f569bcda8f87bd47d8030bfae343d757fa3ea",
"status": "affected",
"version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
"versionType": "git"
},
{
"lessThan": "cfdf139258614ef65b0f68b857ada5328fb7c0e5",
"status": "affected",
"version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
"versionType": "git"
},
{
"lessThan": "c8ff91535880d41b49699b3829fb6151942de29e",
"status": "affected",
"version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/vt6655/device_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vt6655: fix potential memory leak\n\nIn function device_init_td0_ring, memory is allocated for member\ntd_info of priv-\u003eapTD0Rings[i], with i increasing from 0. In case of\nallocation failure, the memory is freed in reversed order, with i\ndecreasing to 0. However, the case i=0 is left out and thus memory is\nleaked.\n\nModify the memory freeing loop to include the case i=0."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:27.666Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e741e38aa98704fbb959650ecd270b71b2670680"
},
{
"url": "https://git.kernel.org/stable/c/16a45e78a687eb6c69acc4e62b94b6508b0bfbda"
},
{
"url": "https://git.kernel.org/stable/c/1b3cebeca99e8e0aa4fa57faac8dbf41e967317a"
},
{
"url": "https://git.kernel.org/stable/c/ff8551d411f12b5abc5ca929ab87643afa8a9588"
},
{
"url": "https://git.kernel.org/stable/c/fb5f569bcda8f87bd47d8030bfae343d757fa3ea"
},
{
"url": "https://git.kernel.org/stable/c/cfdf139258614ef65b0f68b857ada5328fb7c0e5"
},
{
"url": "https://git.kernel.org/stable/c/c8ff91535880d41b49699b3829fb6151942de29e"
}
],
"title": "staging: vt6655: fix potential memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50758",
"datePublished": "2025-12-24T13:05:51.159Z",
"dateReserved": "2025-12-24T13:02:21.545Z",
"dateUpdated": "2026-01-02T15:04:27.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54169 (GCVE-0-2023-54169)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
net/mlx5e: fix memory leak in mlx5e_ptp_open
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: fix memory leak in mlx5e_ptp_open
When kvzalloc_node or kvzalloc failed in mlx5e_ptp_open, the memory
pointed by "c" or "cparams" is not freed, which can lead to a memory
leak. Fix by freeing the array in the error path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
145e5637d941daec2e8d1ff21676cbf1aa62cf4d , < 4892e1e548b5bd6524c1c89df06e4849df26fc20
(git)
Affected: 145e5637d941daec2e8d1ff21676cbf1aa62cf4d , < 83a8f7337a14cdb215c76a8f4cf3f3be8b59177d (git) Affected: 145e5637d941daec2e8d1ff21676cbf1aa62cf4d , < 7035e3ae600c4e9cb3dc220c24dd77112ddff8b1 (git) Affected: 145e5637d941daec2e8d1ff21676cbf1aa62cf4d , < d543b649ffe58a0cb4b6948b3305069c5980a1fa (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4892e1e548b5bd6524c1c89df06e4849df26fc20",
"status": "affected",
"version": "145e5637d941daec2e8d1ff21676cbf1aa62cf4d",
"versionType": "git"
},
{
"lessThan": "83a8f7337a14cdb215c76a8f4cf3f3be8b59177d",
"status": "affected",
"version": "145e5637d941daec2e8d1ff21676cbf1aa62cf4d",
"versionType": "git"
},
{
"lessThan": "7035e3ae600c4e9cb3dc220c24dd77112ddff8b1",
"status": "affected",
"version": "145e5637d941daec2e8d1ff21676cbf1aa62cf4d",
"versionType": "git"
},
{
"lessThan": "d543b649ffe58a0cb4b6948b3305069c5980a1fa",
"status": "affected",
"version": "145e5637d941daec2e8d1ff21676cbf1aa62cf4d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: fix memory leak in mlx5e_ptp_open\n\nWhen kvzalloc_node or kvzalloc failed in mlx5e_ptp_open, the memory\npointed by \"c\" or \"cparams\" is not freed, which can lead to a memory\nleak. Fix by freeing the array in the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:44.089Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4892e1e548b5bd6524c1c89df06e4849df26fc20"
},
{
"url": "https://git.kernel.org/stable/c/83a8f7337a14cdb215c76a8f4cf3f3be8b59177d"
},
{
"url": "https://git.kernel.org/stable/c/7035e3ae600c4e9cb3dc220c24dd77112ddff8b1"
},
{
"url": "https://git.kernel.org/stable/c/d543b649ffe58a0cb4b6948b3305069c5980a1fa"
}
],
"title": "net/mlx5e: fix memory leak in mlx5e_ptp_open",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54169",
"datePublished": "2025-12-30T12:08:44.089Z",
"dateReserved": "2025-12-30T12:06:44.496Z",
"dateUpdated": "2025-12-30T12:08:44.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40331 (GCVE-0-2025-40331)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
VLAI?
EPSS
Title
sctp: Prevent TOCTOU out-of-bounds write
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: Prevent TOCTOU out-of-bounds write
For the following path not holding the sock lock,
sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump()
make sure not to exceed bounds in case the address list has grown
between buffer allocation (time-of-check) and write (time-of-use).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8f840e47f190cbe61a96945c13e9551048d42cef , < b106a68df0650b694b254427cd9250c04500edd3
(git)
Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 3006959371007fc2eae4a078f823c680fa52de1a (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 72e3fea68eac8d088e44c3dd954e843478e9240e (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 584307275b2048991b2e8984962189b6cc0a9b85 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < c9119f243d9c0da3c3b5f577a328de3e7ffd1b42 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 2fe08fcaacb7eb019fa9c81db39b2214de216677 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 89eac1e150dbd42963e13d23828cb8c4e0763196 (git) Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 95aef86ab231f047bb8085c70666059b58f53c09 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b106a68df0650b694b254427cd9250c04500edd3",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "3006959371007fc2eae4a078f823c680fa52de1a",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "72e3fea68eac8d088e44c3dd954e843478e9240e",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "584307275b2048991b2e8984962189b6cc0a9b85",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "c9119f243d9c0da3c3b5f577a328de3e7ffd1b42",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "2fe08fcaacb7eb019fa9c81db39b2214de216677",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "89eac1e150dbd42963e13d23828cb8c4e0763196",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
},
{
"lessThan": "95aef86ab231f047bb8085c70666059b58f53c09",
"status": "affected",
"version": "8f840e47f190cbe61a96945c13e9551048d42cef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/diag.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Prevent TOCTOU out-of-bounds write\n\nFor the following path not holding the sock lock,\n\n sctp_diag_dump() -\u003e sctp_for_each_endpoint() -\u003e sctp_ep_dump()\n\nmake sure not to exceed bounds in case the address list has grown\nbetween buffer allocation (time-of-check) and write (time-of-use)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:48.196Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b106a68df0650b694b254427cd9250c04500edd3"
},
{
"url": "https://git.kernel.org/stable/c/3006959371007fc2eae4a078f823c680fa52de1a"
},
{
"url": "https://git.kernel.org/stable/c/72e3fea68eac8d088e44c3dd954e843478e9240e"
},
{
"url": "https://git.kernel.org/stable/c/584307275b2048991b2e8984962189b6cc0a9b85"
},
{
"url": "https://git.kernel.org/stable/c/c9119f243d9c0da3c3b5f577a328de3e7ffd1b42"
},
{
"url": "https://git.kernel.org/stable/c/2fe08fcaacb7eb019fa9c81db39b2214de216677"
},
{
"url": "https://git.kernel.org/stable/c/89eac1e150dbd42963e13d23828cb8c4e0763196"
},
{
"url": "https://git.kernel.org/stable/c/95aef86ab231f047bb8085c70666059b58f53c09"
}
],
"title": "sctp: Prevent TOCTOU out-of-bounds write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40331",
"datePublished": "2025-12-09T04:09:48.196Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:48.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50833 (GCVE-0-2022-50833)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2025-12-30 12:10
VLAI?
EPSS
Title
Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works
syzbot is reporting attempt to schedule hdev->cmd_work work from system_wq
WQ into hdev->workqueue WQ which is under draining operation [1], for
commit c8efcc2589464ac7 ("workqueue: allow chained queueing during
destruction") does not allow such operation.
The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work
queue is drained, only queue chained work") was incomplete.
Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because
hci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect
the queuing operation with RCU read lock in order to avoid calling
queue_delayed_work() after cancel_delayed_work() completed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3b382555706558f5c0587862b6dc03e96a252bba , < c4635cf3d845a7324c25c52d549b70c8bd7ad4c7
(git)
Affected: 877afadad2dce8aae1f2aad8ce47e072d4f6165e , < 3c6b036fe5c8ed8b6c4cbdc03605929882907ef0 (git) Affected: 877afadad2dce8aae1f2aad8ce47e072d4f6165e , < deee93d13d385103205879a8a0915036ecd83261 (git) Affected: 4bf367fa1fefabdf14938d0ac9ed60020389112e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4635cf3d845a7324c25c52d549b70c8bd7ad4c7",
"status": "affected",
"version": "3b382555706558f5c0587862b6dc03e96a252bba",
"versionType": "git"
},
{
"lessThan": "3c6b036fe5c8ed8b6c4cbdc03605929882907ef0",
"status": "affected",
"version": "877afadad2dce8aae1f2aad8ce47e072d4f6165e",
"versionType": "git"
},
{
"lessThan": "deee93d13d385103205879a8a0915036ecd83261",
"status": "affected",
"version": "877afadad2dce8aae1f2aad8ce47e072d4f6165e",
"versionType": "git"
},
{
"status": "affected",
"version": "4bf367fa1fefabdf14938d0ac9ed60020389112e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c",
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.15",
"versionStartIncluding": "5.19.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: use hdev-\u003eworkqueue when queuing hdev-\u003e{cmd,ncmd}_timer works\n\nsyzbot is reporting attempt to schedule hdev-\u003ecmd_work work from system_wq\nWQ into hdev-\u003eworkqueue WQ which is under draining operation [1], for\ncommit c8efcc2589464ac7 (\"workqueue: allow chained queueing during\ndestruction\") does not allow such operation.\n\nThe check introduced by commit 877afadad2dce8aa (\"Bluetooth: When HCI work\nqueue is drained, only queue chained work\") was incomplete.\n\nUse hdev-\u003eworkqueue WQ when queuing hdev-\u003e{cmd,ncmd}_timer works because\nhci_{cmd,ncmd}_timeout() calls queue_work(hdev-\u003eworkqueue). Also, protect\nthe queuing operation with RCU read lock in order to avoid calling\nqueue_delayed_work() after cancel_delayed_work() completed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:10:54.342Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4635cf3d845a7324c25c52d549b70c8bd7ad4c7"
},
{
"url": "https://git.kernel.org/stable/c/3c6b036fe5c8ed8b6c4cbdc03605929882907ef0"
},
{
"url": "https://git.kernel.org/stable/c/deee93d13d385103205879a8a0915036ecd83261"
}
],
"title": "Bluetooth: use hdev-\u003eworkqueue when queuing hdev-\u003e{cmd,ncmd}_timer works",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50833",
"datePublished": "2025-12-30T12:10:54.342Z",
"dateReserved": "2025-12-30T12:06:07.132Z",
"dateUpdated": "2025-12-30T12:10:54.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50843 (GCVE-0-2022-50843)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
dm clone: Fix UAF in clone_dtr()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm clone: Fix UAF in clone_dtr()
Dm_clone also has the same UAF problem when dm_resume()
and dm_destroy() are concurrent.
Therefore, cancelling timer again in clone_dtr().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7431b7835f554f8608b415a02cf3c3f086309e02 , < 520b56cfd9faee7683f081c3a38f11a81b13a68e
(git)
Affected: 7431b7835f554f8608b415a02cf3c3f086309e02 , < 342cfd8426dff4228e6c714bcb9fc8295a2748dd (git) Affected: 7431b7835f554f8608b415a02cf3c3f086309e02 , < 856edd0e92f3fe89606b704c86a93daedddfe6ec (git) Affected: 7431b7835f554f8608b415a02cf3c3f086309e02 , < b1ddb666073bb5f36390aaabaa1a4d48d78c52ed (git) Affected: 7431b7835f554f8608b415a02cf3c3f086309e02 , < 9e113cd4f61f3b0000843b2d0a90ce8b40a1fcff (git) Affected: 7431b7835f554f8608b415a02cf3c3f086309e02 , < e4b5957c6f749a501c464f92792f1c8e26b61a94 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-clone-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "520b56cfd9faee7683f081c3a38f11a81b13a68e",
"status": "affected",
"version": "7431b7835f554f8608b415a02cf3c3f086309e02",
"versionType": "git"
},
{
"lessThan": "342cfd8426dff4228e6c714bcb9fc8295a2748dd",
"status": "affected",
"version": "7431b7835f554f8608b415a02cf3c3f086309e02",
"versionType": "git"
},
{
"lessThan": "856edd0e92f3fe89606b704c86a93daedddfe6ec",
"status": "affected",
"version": "7431b7835f554f8608b415a02cf3c3f086309e02",
"versionType": "git"
},
{
"lessThan": "b1ddb666073bb5f36390aaabaa1a4d48d78c52ed",
"status": "affected",
"version": "7431b7835f554f8608b415a02cf3c3f086309e02",
"versionType": "git"
},
{
"lessThan": "9e113cd4f61f3b0000843b2d0a90ce8b40a1fcff",
"status": "affected",
"version": "7431b7835f554f8608b415a02cf3c3f086309e02",
"versionType": "git"
},
{
"lessThan": "e4b5957c6f749a501c464f92792f1c8e26b61a94",
"status": "affected",
"version": "7431b7835f554f8608b415a02cf3c3f086309e02",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-clone-target.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm clone: Fix UAF in clone_dtr()\n\nDm_clone also has the same UAF problem when dm_resume()\nand dm_destroy() are concurrent.\n\nTherefore, cancelling timer again in clone_dtr()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:01.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/520b56cfd9faee7683f081c3a38f11a81b13a68e"
},
{
"url": "https://git.kernel.org/stable/c/342cfd8426dff4228e6c714bcb9fc8295a2748dd"
},
{
"url": "https://git.kernel.org/stable/c/856edd0e92f3fe89606b704c86a93daedddfe6ec"
},
{
"url": "https://git.kernel.org/stable/c/b1ddb666073bb5f36390aaabaa1a4d48d78c52ed"
},
{
"url": "https://git.kernel.org/stable/c/9e113cd4f61f3b0000843b2d0a90ce8b40a1fcff"
},
{
"url": "https://git.kernel.org/stable/c/e4b5957c6f749a501c464f92792f1c8e26b61a94"
}
],
"title": "dm clone: Fix UAF in clone_dtr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50843",
"datePublished": "2025-12-30T12:11:01.130Z",
"dateReserved": "2025-12-30T12:06:07.133Z",
"dateUpdated": "2025-12-30T12:11:01.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50860 (GCVE-0-2022-50860)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
apparmor: Fix memleak in alloc_ns()
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: Fix memleak in alloc_ns()
After changes in commit a1bd627b46d1 ("apparmor: share profile name on
replacement"), the hname member of struct aa_policy is not valid slab
object, but a subset of that, it can not be freed by kfree_sensitive(),
use aa_policy_destroy() to fix it.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a1bd627b46d169268a0ee5960899fb5be960a317 , < 9a32aa87a25d800b2c6f47bc2749a7bfd9a486f3
(git)
Affected: a1bd627b46d169268a0ee5960899fb5be960a317 , < 5f509fa740b17307f0cba412485072f632d5af36 (git) Affected: a1bd627b46d169268a0ee5960899fb5be960a317 , < 0250cf8d37bb5201a117177afd24dc73a1c81657 (git) Affected: a1bd627b46d169268a0ee5960899fb5be960a317 , < 12695b4b76d437b9c0182a6f7dfb2248013a9daf (git) Affected: a1bd627b46d169268a0ee5960899fb5be960a317 , < e9e6fa49dbab6d84c676666f3fe7d360497fd65b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_ns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a32aa87a25d800b2c6f47bc2749a7bfd9a486f3",
"status": "affected",
"version": "a1bd627b46d169268a0ee5960899fb5be960a317",
"versionType": "git"
},
{
"lessThan": "5f509fa740b17307f0cba412485072f632d5af36",
"status": "affected",
"version": "a1bd627b46d169268a0ee5960899fb5be960a317",
"versionType": "git"
},
{
"lessThan": "0250cf8d37bb5201a117177afd24dc73a1c81657",
"status": "affected",
"version": "a1bd627b46d169268a0ee5960899fb5be960a317",
"versionType": "git"
},
{
"lessThan": "12695b4b76d437b9c0182a6f7dfb2248013a9daf",
"status": "affected",
"version": "a1bd627b46d169268a0ee5960899fb5be960a317",
"versionType": "git"
},
{
"lessThan": "e9e6fa49dbab6d84c676666f3fe7d360497fd65b",
"status": "affected",
"version": "a1bd627b46d169268a0ee5960899fb5be960a317",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_ns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix memleak in alloc_ns()\n\nAfter changes in commit a1bd627b46d1 (\"apparmor: share profile name on\nreplacement\"), the hname member of struct aa_policy is not valid slab\nobject, but a subset of that, it can not be freed by kfree_sensitive(),\nuse aa_policy_destroy() to fix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:33.859Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a32aa87a25d800b2c6f47bc2749a7bfd9a486f3"
},
{
"url": "https://git.kernel.org/stable/c/5f509fa740b17307f0cba412485072f632d5af36"
},
{
"url": "https://git.kernel.org/stable/c/0250cf8d37bb5201a117177afd24dc73a1c81657"
},
{
"url": "https://git.kernel.org/stable/c/12695b4b76d437b9c0182a6f7dfb2248013a9daf"
},
{
"url": "https://git.kernel.org/stable/c/e9e6fa49dbab6d84c676666f3fe7d360497fd65b"
}
],
"title": "apparmor: Fix memleak in alloc_ns()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50860",
"datePublished": "2025-12-30T12:15:33.859Z",
"dateReserved": "2025-12-30T12:06:07.135Z",
"dateUpdated": "2025-12-30T12:15:33.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68289 (GCVE-0-2025-68289)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
usb: gadget: f_eem: Fix memory leak in eem_unwrap
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_eem: Fix memory leak in eem_unwrap
The existing code did not handle the failure case of usb_ep_queue in the
command path, potentially leading to memory leaks.
Improve error handling to free all allocated resources on usb_ep_queue
failure. This patch continues to use goto logic for error handling, as the
existing error handling is complex and not easily adaptable to auto-cleanup
helpers.
kmemleak results:
unreferenced object 0xffffff895a512300 (size 240):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
kmem_cache_alloc+0x1b4/0x358
skb_clone+0x90/0xd8
eem_unwrap+0x1cc/0x36c
unreferenced object 0xffffff8a157f4000 (size 256):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
kmalloc_trace+0x48/0x140
dwc3_gadget_ep_alloc_request+0x58/0x11c
usb_ep_alloc_request+0x40/0xe4
eem_unwrap+0x204/0x36c
unreferenced object 0xffffff8aadbaac00 (size 128):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
__kmalloc+0x64/0x1a8
eem_unwrap+0x218/0x36c
unreferenced object 0xffffff89ccef3500 (size 64):
backtrace:
slab_post_alloc_hook+0xbc/0x3a4
__kmem_cache_alloc_node+0x1b4/0x2dc
kmalloc_trace+0x48/0x140
eem_unwrap+0x238/0x36c
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3b545788505b2e2883aff13bdddeacaf88942a4f , < a9985a88b2fc29fbe1657fe8518908e261d6889c
(git)
Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 5a1628283cd9dccf1e44acfb74e77504f4dc7472 (git) Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 0ac07e476944a5e4c2b8b087dd167dec248c1bdf (git) Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 41434488ca714ab15cb2a4d0378418d1be8052d2 (git) Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < e72c963177c708a167a7e17ed6c76320815157cf (git) Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 0dea2e0069a7e9aa034696f8065945b7be6dd6b7 (git) Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < e4f5ce990818d37930cd9fb0be29eee0553c59d9 (git) Affected: d55a236f1bab102e353ea5abb7b7b6ff7e847294 (git) Affected: 8e275d3d5915a8f7db3786e3f84534bb48245f4c (git) Affected: 3680a6ff9a9ccd3c664663da04bef2534397d591 (git) Affected: d654be97e1b679616e3337b871a9ec8f31a88841 (git) Affected: 8bdef7f21cb6e53c0ce3e1cbcb05975aa0dd0fe9 (git) Affected: 77d7f071883cf2921a7547f82e41f15f7f860e35 (git) Affected: a55093941e38113dd6f5f5d5d2705fec3018f332 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_eem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9985a88b2fc29fbe1657fe8518908e261d6889c",
"status": "affected",
"version": "3b545788505b2e2883aff13bdddeacaf88942a4f",
"versionType": "git"
},
{
"lessThan": "5a1628283cd9dccf1e44acfb74e77504f4dc7472",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "0ac07e476944a5e4c2b8b087dd167dec248c1bdf",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "41434488ca714ab15cb2a4d0378418d1be8052d2",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "e72c963177c708a167a7e17ed6c76320815157cf",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "0dea2e0069a7e9aa034696f8065945b7be6dd6b7",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"lessThan": "e4f5ce990818d37930cd9fb0be29eee0553c59d9",
"status": "affected",
"version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
"versionType": "git"
},
{
"status": "affected",
"version": "d55a236f1bab102e353ea5abb7b7b6ff7e847294",
"versionType": "git"
},
{
"status": "affected",
"version": "8e275d3d5915a8f7db3786e3f84534bb48245f4c",
"versionType": "git"
},
{
"status": "affected",
"version": "3680a6ff9a9ccd3c664663da04bef2534397d591",
"versionType": "git"
},
{
"status": "affected",
"version": "d654be97e1b679616e3337b871a9ec8f31a88841",
"versionType": "git"
},
{
"status": "affected",
"version": "8bdef7f21cb6e53c0ce3e1cbcb05975aa0dd0fe9",
"versionType": "git"
},
{
"status": "affected",
"version": "77d7f071883cf2921a7547f82e41f15f7f860e35",
"versionType": "git"
},
{
"status": "affected",
"version": "a55093941e38113dd6f5f5d5d2705fec3018f332",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_eem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.132",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_eem: Fix memory leak in eem_unwrap\n\nThe existing code did not handle the failure case of usb_ep_queue in the\ncommand path, potentially leading to memory leaks.\n\nImprove error handling to free all allocated resources on usb_ep_queue\nfailure. This patch continues to use goto logic for error handling, as the\nexisting error handling is complex and not easily adaptable to auto-cleanup\nhelpers.\n\nkmemleak results:\n unreferenced object 0xffffff895a512300 (size 240):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n kmem_cache_alloc+0x1b4/0x358\n skb_clone+0x90/0xd8\n eem_unwrap+0x1cc/0x36c\n unreferenced object 0xffffff8a157f4000 (size 256):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n __kmem_cache_alloc_node+0x1b4/0x2dc\n kmalloc_trace+0x48/0x140\n dwc3_gadget_ep_alloc_request+0x58/0x11c\n usb_ep_alloc_request+0x40/0xe4\n eem_unwrap+0x204/0x36c\n unreferenced object 0xffffff8aadbaac00 (size 128):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n __kmem_cache_alloc_node+0x1b4/0x2dc\n __kmalloc+0x64/0x1a8\n eem_unwrap+0x218/0x36c\n unreferenced object 0xffffff89ccef3500 (size 64):\n backtrace:\n slab_post_alloc_hook+0xbc/0x3a4\n __kmem_cache_alloc_node+0x1b4/0x2dc\n kmalloc_trace+0x48/0x140\n eem_unwrap+0x238/0x36c"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:10.450Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9985a88b2fc29fbe1657fe8518908e261d6889c"
},
{
"url": "https://git.kernel.org/stable/c/5a1628283cd9dccf1e44acfb74e77504f4dc7472"
},
{
"url": "https://git.kernel.org/stable/c/0ac07e476944a5e4c2b8b087dd167dec248c1bdf"
},
{
"url": "https://git.kernel.org/stable/c/41434488ca714ab15cb2a4d0378418d1be8052d2"
},
{
"url": "https://git.kernel.org/stable/c/e72c963177c708a167a7e17ed6c76320815157cf"
},
{
"url": "https://git.kernel.org/stable/c/0dea2e0069a7e9aa034696f8065945b7be6dd6b7"
},
{
"url": "https://git.kernel.org/stable/c/e4f5ce990818d37930cd9fb0be29eee0553c59d9"
}
],
"title": "usb: gadget: f_eem: Fix memory leak in eem_unwrap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68289",
"datePublished": "2025-12-16T15:06:10.450Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:10.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68244 (GCVE-0-2025-68244)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2025-12-16 14:21
VLAI?
EPSS
Title
drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD
On completion of i915_vma_pin_ww(), a synchronous variant of
dma_fence_work_commit() is called. When pinning a VMA to GGTT address
space on a Cherry View family processor, or on a Broxton generation SoC
with VTD enabled, i.e., when stop_machine() is then called from
intel_ggtt_bind_vma(), that can potentially lead to lock inversion among
reservation_ww and cpu_hotplug locks.
[86.861179] ======================================================
[86.861193] WARNING: possible circular locking dependency detected
[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U
[86.861226] ------------------------------------------------------
[86.861238] i915_module_loa/1432 is trying to acquire lock:
[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50
[86.861290]
but task is already holding lock:
[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]
[86.862233]
which lock already depends on the new lock.
[86.862251]
the existing dependency chain (in reverse order) is:
[86.862265]
-> #5 (reservation_ww_class_mutex){+.+.}-{3:3}:
[86.862292] dma_resv_lockdep+0x19a/0x390
[86.862315] do_one_initcall+0x60/0x3f0
[86.862334] kernel_init_freeable+0x3cd/0x680
[86.862353] kernel_init+0x1b/0x200
[86.862369] ret_from_fork+0x47/0x70
[86.862383] ret_from_fork_asm+0x1a/0x30
[86.862399]
-> #4 (reservation_ww_class_acquire){+.+.}-{0:0}:
[86.862425] dma_resv_lockdep+0x178/0x390
[86.862440] do_one_initcall+0x60/0x3f0
[86.862454] kernel_init_freeable+0x3cd/0x680
[86.862470] kernel_init+0x1b/0x200
[86.862482] ret_from_fork+0x47/0x70
[86.862495] ret_from_fork_asm+0x1a/0x30
[86.862509]
-> #3 (&mm->mmap_lock){++++}-{3:3}:
[86.862531] down_read_killable+0x46/0x1e0
[86.862546] lock_mm_and_find_vma+0xa2/0x280
[86.862561] do_user_addr_fault+0x266/0x8e0
[86.862578] exc_page_fault+0x8a/0x2f0
[86.862593] asm_exc_page_fault+0x27/0x30
[86.862607] filldir64+0xeb/0x180
[86.862620] kernfs_fop_readdir+0x118/0x480
[86.862635] iterate_dir+0xcf/0x2b0
[86.862648] __x64_sys_getdents64+0x84/0x140
[86.862661] x64_sys_call+0x1058/0x2660
[86.862675] do_syscall_64+0x91/0xe90
[86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[86.862703]
-> #2 (&root->kernfs_rwsem){++++}-{3:3}:
[86.862725] down_write+0x3e/0xf0
[86.862738] kernfs_add_one+0x30/0x3c0
[86.862751] kernfs_create_dir_ns+0x53/0xb0
[86.862765] internal_create_group+0x134/0x4c0
[86.862779] sysfs_create_group+0x13/0x20
[86.862792] topology_add_dev+0x1d/0x30
[86.862806] cpuhp_invoke_callback+0x4b5/0x850
[86.862822] cpuhp_issue_call+0xbf/0x1f0
[86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320
[86.862852] __cpuhp_setup_state+0xb0/0x220
[86.862866] topology_sysfs_init+0x30/0x50
[86.862879] do_one_initcall+0x60/0x3f0
[86.862893] kernel_init_freeable+0x3cd/0x680
[86.862908] kernel_init+0x1b/0x200
[86.862921] ret_from_fork+0x47/0x70
[86.862934] ret_from_fork_asm+0x1a/0x30
[86.862947]
-> #1 (cpuhp_state_mutex){+.+.}-{3:3}:
[86.862969] __mutex_lock+0xaa/0xed0
[86.862982] mutex_lock_nested+0x1b/0x30
[86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320
[86.863012] __cpuhp_setup_state+0xb0/0x220
[86.863026] page_alloc_init_cpuhp+0x2d/0x60
[86.863041] mm_core_init+0x22/0x2d0
[86.863054] start_kernel+0x576/0xbd0
[86.863068] x86_64_start_reservations+0x18/0x30
[86.863084] x86_64_start_kernel+0xbf/0x110
[86.863098] common_startup_64+0x13e/0x141
[86.863114]
-> #0 (cpu_hotplug_lock){++++}-{0:0}:
[86.863135] __lock_acquire+0x16
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7d1c2618eac590d948eb33b9807d913ddb6e105f , < e988634d7aae7214818b9c86cd7ef9e78c84b02d
(git)
Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 20d94a6117b752fd10a78cefdc1cf2c16706048b (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 3dec22bde207a36f1b8a4b80564cbbe13996a7cd (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 4e73066e3323add260e46eb51f79383d87950281 (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 858a50127be714f55c3bcb25621028d4a323d77e (git) Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_vma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e988634d7aae7214818b9c86cd7ef9e78c84b02d",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "20d94a6117b752fd10a78cefdc1cf2c16706048b",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "3dec22bde207a36f1b8a4b80564cbbe13996a7cd",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "4e73066e3323add260e46eb51f79383d87950281",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "858a50127be714f55c3bcb25621028d4a323d77e",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
},
{
"lessThan": "84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b",
"status": "affected",
"version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_vma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD\n\nOn completion of i915_vma_pin_ww(), a synchronous variant of\ndma_fence_work_commit() is called. When pinning a VMA to GGTT address\nspace on a Cherry View family processor, or on a Broxton generation SoC\nwith VTD enabled, i.e., when stop_machine() is then called from\nintel_ggtt_bind_vma(), that can potentially lead to lock inversion among\nreservation_ww and cpu_hotplug locks.\n\n[86.861179] ======================================================\n[86.861193] WARNING: possible circular locking dependency detected\n[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U\n[86.861226] ------------------------------------------------------\n[86.861238] i915_module_loa/1432 is trying to acquire lock:\n[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50\n[86.861290]\nbut task is already holding lock:\n[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]\n[86.862233]\nwhich lock already depends on the new lock.\n[86.862251]\nthe existing dependency chain (in reverse order) is:\n[86.862265]\n-\u003e #5 (reservation_ww_class_mutex){+.+.}-{3:3}:\n[86.862292] dma_resv_lockdep+0x19a/0x390\n[86.862315] do_one_initcall+0x60/0x3f0\n[86.862334] kernel_init_freeable+0x3cd/0x680\n[86.862353] kernel_init+0x1b/0x200\n[86.862369] ret_from_fork+0x47/0x70\n[86.862383] ret_from_fork_asm+0x1a/0x30\n[86.862399]\n-\u003e #4 (reservation_ww_class_acquire){+.+.}-{0:0}:\n[86.862425] dma_resv_lockdep+0x178/0x390\n[86.862440] do_one_initcall+0x60/0x3f0\n[86.862454] kernel_init_freeable+0x3cd/0x680\n[86.862470] kernel_init+0x1b/0x200\n[86.862482] ret_from_fork+0x47/0x70\n[86.862495] ret_from_fork_asm+0x1a/0x30\n[86.862509]\n-\u003e #3 (\u0026mm-\u003emmap_lock){++++}-{3:3}:\n[86.862531] down_read_killable+0x46/0x1e0\n[86.862546] lock_mm_and_find_vma+0xa2/0x280\n[86.862561] do_user_addr_fault+0x266/0x8e0\n[86.862578] exc_page_fault+0x8a/0x2f0\n[86.862593] asm_exc_page_fault+0x27/0x30\n[86.862607] filldir64+0xeb/0x180\n[86.862620] kernfs_fop_readdir+0x118/0x480\n[86.862635] iterate_dir+0xcf/0x2b0\n[86.862648] __x64_sys_getdents64+0x84/0x140\n[86.862661] x64_sys_call+0x1058/0x2660\n[86.862675] do_syscall_64+0x91/0xe90\n[86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[86.862703]\n-\u003e #2 (\u0026root-\u003ekernfs_rwsem){++++}-{3:3}:\n[86.862725] down_write+0x3e/0xf0\n[86.862738] kernfs_add_one+0x30/0x3c0\n[86.862751] kernfs_create_dir_ns+0x53/0xb0\n[86.862765] internal_create_group+0x134/0x4c0\n[86.862779] sysfs_create_group+0x13/0x20\n[86.862792] topology_add_dev+0x1d/0x30\n[86.862806] cpuhp_invoke_callback+0x4b5/0x850\n[86.862822] cpuhp_issue_call+0xbf/0x1f0\n[86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320\n[86.862852] __cpuhp_setup_state+0xb0/0x220\n[86.862866] topology_sysfs_init+0x30/0x50\n[86.862879] do_one_initcall+0x60/0x3f0\n[86.862893] kernel_init_freeable+0x3cd/0x680\n[86.862908] kernel_init+0x1b/0x200\n[86.862921] ret_from_fork+0x47/0x70\n[86.862934] ret_from_fork_asm+0x1a/0x30\n[86.862947]\n-\u003e #1 (cpuhp_state_mutex){+.+.}-{3:3}:\n[86.862969] __mutex_lock+0xaa/0xed0\n[86.862982] mutex_lock_nested+0x1b/0x30\n[86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320\n[86.863012] __cpuhp_setup_state+0xb0/0x220\n[86.863026] page_alloc_init_cpuhp+0x2d/0x60\n[86.863041] mm_core_init+0x22/0x2d0\n[86.863054] start_kernel+0x576/0xbd0\n[86.863068] x86_64_start_reservations+0x18/0x30\n[86.863084] x86_64_start_kernel+0xbf/0x110\n[86.863098] common_startup_64+0x13e/0x141\n[86.863114]\n-\u003e #0 (cpu_hotplug_lock){++++}-{0:0}:\n[86.863135] __lock_acquire+0x16\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:21:21.277Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e988634d7aae7214818b9c86cd7ef9e78c84b02d"
},
{
"url": "https://git.kernel.org/stable/c/20d94a6117b752fd10a78cefdc1cf2c16706048b"
},
{
"url": "https://git.kernel.org/stable/c/3dec22bde207a36f1b8a4b80564cbbe13996a7cd"
},
{
"url": "https://git.kernel.org/stable/c/4e73066e3323add260e46eb51f79383d87950281"
},
{
"url": "https://git.kernel.org/stable/c/858a50127be714f55c3bcb25621028d4a323d77e"
},
{
"url": "https://git.kernel.org/stable/c/84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b"
}
],
"title": "drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68244",
"datePublished": "2025-12-16T14:21:21.277Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2025-12-16T14:21:21.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40277 (GCVE-0-2025-40277)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE
This data originates from userspace and is used in buffer offset
calculations which could potentially overflow causing an out-of-bounds
access.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < e58559845021c3bad5e094219378b869157fad53
(git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 54d458b244893e47bda52ec3943fdfbc8d7d068b (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < a3abb54c27b2c393c44362399777ad2f6e1ff17e (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < b5df9e06eed3df6a4f5c6f8453013b0cabb927b4 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0 (git) Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e58559845021c3bad5e094219378b869157fad53",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "54d458b244893e47bda52ec3943fdfbc8d7d068b",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "a3abb54c27b2c393c44362399777ad2f6e1ff17e",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "b5df9e06eed3df6a4f5c6f8453013b0cabb927b4",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
},
{
"lessThan": "32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af",
"status": "affected",
"version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE\n\nThis data originates from userspace and is used in buffer offset\ncalculations which could potentially overflow causing an out-of-bounds\naccess."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:00.437Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e58559845021c3bad5e094219378b869157fad53"
},
{
"url": "https://git.kernel.org/stable/c/54d458b244893e47bda52ec3943fdfbc8d7d068b"
},
{
"url": "https://git.kernel.org/stable/c/709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173"
},
{
"url": "https://git.kernel.org/stable/c/a3abb54c27b2c393c44362399777ad2f6e1ff17e"
},
{
"url": "https://git.kernel.org/stable/c/b5df9e06eed3df6a4f5c6f8453013b0cabb927b4"
},
{
"url": "https://git.kernel.org/stable/c/5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc"
},
{
"url": "https://git.kernel.org/stable/c/f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0"
},
{
"url": "https://git.kernel.org/stable/c/32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af"
}
],
"title": "drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40277",
"datePublished": "2025-12-06T21:51:00.437Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:00.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68380 (GCVE-0-2025-68380)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
wifi: ath11k: fix peer HE MCS assignment
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix peer HE MCS assignment
In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to
firmware as receive MCS while peer's receive MCS sent as transmit MCS,
which goes against firmwire's definition.
While connecting to a misbehaved AP that advertises 0xffff (meaning not
supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff
is assigned to he_mcs->rx_mcs_set field.
Ext Tag: HE Capabilities
[...]
Supported HE-MCS and NSS Set
[...]
Rx and Tx MCS Maps 160 MHz
[...]
Tx HE-MCS Map 160 MHz: 0xffff
Swap the assignment to fix this issue.
As the HE rate control mask is meant to limit our own transmit MCS, it
needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping
done, change is needed as well to apply it to the peer's receive MCS.
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
61fe43e7216df6e9a912d831aafc7142fa20f280 , < 92791290e4f6a1de25d35af792ab8918a70737f6
(git)
Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 4304bd7a334e981f189b9973056a58f84cc2b482 (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 097c870b91817779e5a312c6539099a884b1fe2b (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 381096a417b7019896e93e86f4c585c592bf98e2 (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 6b1a0da75932353f66e710976ca85a7131f647ff (git) Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 4a013ca2d490c73c40588d62712ffaa432046a04 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92791290e4f6a1de25d35af792ab8918a70737f6",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "4304bd7a334e981f189b9973056a58f84cc2b482",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "097c870b91817779e5a312c6539099a884b1fe2b",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "381096a417b7019896e93e86f4c585c592bf98e2",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "6b1a0da75932353f66e710976ca85a7131f647ff",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
},
{
"lessThan": "4a013ca2d490c73c40588d62712ffaa432046a04",
"status": "affected",
"version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c",
"drivers/net/wireless/ath/ath11k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix peer HE MCS assignment\n\nIn ath11k_wmi_send_peer_assoc_cmd(), peer\u0027s transmit MCS is sent to\nfirmware as receive MCS while peer\u0027s receive MCS sent as transmit MCS,\nwhich goes against firmwire\u0027s definition.\n\nWhile connecting to a misbehaved AP that advertises 0xffff (meaning not\nsupported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff\nis assigned to he_mcs-\u003erx_mcs_set field.\n\n\tExt Tag: HE Capabilities\n\t [...]\n\t Supported HE-MCS and NSS Set\n\t\t[...]\n\t Rx and Tx MCS Maps 160 MHz\n\t\t [...]\n\t Tx HE-MCS Map 160 MHz: 0xffff\n\nSwap the assignment to fix this issue.\n\nAs the HE rate control mask is meant to limit our own transmit MCS, it\nneeds to go via he_mcs-\u003erx_mcs_set field. With the aforementioned swapping\ndone, change is needed as well to apply it to the peer\u0027s receive MCS.\n\nTested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:11.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92791290e4f6a1de25d35af792ab8918a70737f6"
},
{
"url": "https://git.kernel.org/stable/c/4304bd7a334e981f189b9973056a58f84cc2b482"
},
{
"url": "https://git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b"
},
{
"url": "https://git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2"
},
{
"url": "https://git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff"
},
{
"url": "https://git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04"
}
],
"title": "wifi: ath11k: fix peer HE MCS assignment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68380",
"datePublished": "2025-12-24T10:33:08.266Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2026-01-11T16:30:11.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68758 (GCVE-0-2025-68758)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
backlight: led-bl: Add devlink to supplier LEDs
Summary
In the Linux kernel, the following vulnerability has been resolved:
backlight: led-bl: Add devlink to supplier LEDs
LED Backlight is a consumer of one or multiple LED class devices, but
devlink is currently unable to create correct supplier-producer links when
the supplier is a class device. It creates instead a link where the
supplier is the parent of the expected device.
One consequence is that removal order is not correctly enforced.
Issues happen for example with the following sections in a device tree
overlay:
// An LED driver chip
pca9632@62 {
compatible = "nxp,pca9632";
reg = <0x62>;
// ...
addon_led_pwm: led-pwm@3 {
reg = <3>;
label = "addon:led:pwm";
};
};
backlight-addon {
compatible = "led-backlight";
leds = <&addon_led_pwm>;
brightness-levels = <255>;
default-brightness-level = <255>;
};
In this example, the devlink should be created between the backlight-addon
(consumer) and the pca9632@62 (supplier). Instead it is created between the
backlight-addon (consumer) and the parent of the pca9632@62, which is
typically the I2C bus adapter.
On removal of the above overlay, the LED driver can be removed before the
backlight device, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
...
Call trace:
led_put+0xe0/0x140
devm_led_release+0x6c/0x98
Another way to reproduce the bug without any device tree overlays is
unbinding the LED class device (pca9632@62) before unbinding the consumer
(backlight-addon):
echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind
echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind
Fix by adding a devlink between the consuming led-backlight device and the
supplying LED device, as other drivers and subsystems do as well.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 64739adf3eef063b8e2c72b7e919eac8c6480bf0
(git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < cd01a24b3e52d6777b49c917d841f125fe9eebd0 (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < e06df738a9ad8417f1c4c7cd6992cda320e9e7ca (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 30cbe4b642745a9488a0f0d78be43afe69d7555c (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 0e63ea4378489e09eb5e920c8a50c10caacf563a (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9 (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 08c9dc6b0f2c68e5e7c374ac4499e321e435d46c (git) Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 9341d6698f4cfdfc374fb6944158d111ebe16a9d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/backlight/led_bl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64739adf3eef063b8e2c72b7e919eac8c6480bf0",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "cd01a24b3e52d6777b49c917d841f125fe9eebd0",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "e06df738a9ad8417f1c4c7cd6992cda320e9e7ca",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "30cbe4b642745a9488a0f0d78be43afe69d7555c",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "0e63ea4378489e09eb5e920c8a50c10caacf563a",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "08c9dc6b0f2c68e5e7c374ac4499e321e435d46c",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
},
{
"lessThan": "9341d6698f4cfdfc374fb6944158d111ebe16a9d",
"status": "affected",
"version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/backlight/led_bl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: led-bl: Add devlink to supplier LEDs\n\nLED Backlight is a consumer of one or multiple LED class devices, but\ndevlink is currently unable to create correct supplier-producer links when\nthe supplier is a class device. It creates instead a link where the\nsupplier is the parent of the expected device.\n\nOne consequence is that removal order is not correctly enforced.\n\nIssues happen for example with the following sections in a device tree\noverlay:\n\n // An LED driver chip\n pca9632@62 {\n compatible = \"nxp,pca9632\";\n reg = \u003c0x62\u003e;\n\n\t// ...\n\n addon_led_pwm: led-pwm@3 {\n reg = \u003c3\u003e;\n label = \"addon:led:pwm\";\n };\n };\n\n backlight-addon {\n compatible = \"led-backlight\";\n leds = \u003c\u0026addon_led_pwm\u003e;\n brightness-levels = \u003c255\u003e;\n default-brightness-level = \u003c255\u003e;\n };\n\nIn this example, the devlink should be created between the backlight-addon\n(consumer) and the pca9632@62 (supplier). Instead it is created between the\nbacklight-addon (consumer) and the parent of the pca9632@62, which is\ntypically the I2C bus adapter.\n\nOn removal of the above overlay, the LED driver can be removed before the\nbacklight device, resulting in:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n ...\n Call trace:\n led_put+0xe0/0x140\n devm_led_release+0x6c/0x98\n\nAnother way to reproduce the bug without any device tree overlays is\nunbinding the LED class device (pca9632@62) before unbinding the consumer\n(backlight-addon):\n\n echo 11-0062 \u003e/sys/bus/i2c/drivers/leds-pca963x/unbind\n echo ...backlight-dock \u003e/sys/bus/platform/drivers/led-backlight/unbind\n\nFix by adding a devlink between the consuming led-backlight device and the\nsupplying LED device, as other drivers and subsystems do as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:45.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64739adf3eef063b8e2c72b7e919eac8c6480bf0"
},
{
"url": "https://git.kernel.org/stable/c/cd01a24b3e52d6777b49c917d841f125fe9eebd0"
},
{
"url": "https://git.kernel.org/stable/c/e06df738a9ad8417f1c4c7cd6992cda320e9e7ca"
},
{
"url": "https://git.kernel.org/stable/c/30cbe4b642745a9488a0f0d78be43afe69d7555c"
},
{
"url": "https://git.kernel.org/stable/c/0e63ea4378489e09eb5e920c8a50c10caacf563a"
},
{
"url": "https://git.kernel.org/stable/c/60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9"
},
{
"url": "https://git.kernel.org/stable/c/08c9dc6b0f2c68e5e7c374ac4499e321e435d46c"
},
{
"url": "https://git.kernel.org/stable/c/9341d6698f4cfdfc374fb6944158d111ebe16a9d"
}
],
"title": "backlight: led-bl: Add devlink to supplier LEDs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68758",
"datePublished": "2026-01-05T09:32:31.399Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-19T12:18:45.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54114 (GCVE-0-2023-54114)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
As the call trace shows, skb_panic was caused by wrong skb->mac_header
in nsh_gso_segment():
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
RIP: 0010:skb_panic+0xda/0xe0
call Trace:
skb_push+0x91/0xa0
nsh_gso_segment+0x4f3/0x570
skb_mac_gso_segment+0x19e/0x270
__skb_gso_segment+0x1e8/0x3c0
validate_xmit_skb+0x452/0x890
validate_xmit_skb_list+0x99/0xd0
sch_direct_xmit+0x294/0x7c0
__dev_queue_xmit+0x16f0/0x1d70
packet_xmit+0x185/0x210
packet_snd+0xc15/0x1170
packet_sendmsg+0x7b/0xa0
sock_sendmsg+0x14f/0x160
The root cause is:
nsh_gso_segment() use skb->network_header - nhoff to reset mac_header
in skb_gso_error_unwind() if inner-layer protocol gso fails.
However, skb->network_header may be reset by inner-layer protocol
gso function e.g. mpls_gso_segment. skb->mac_header reset by the
inaccurate network_header will be larger than skb headroom.
nsh_gso_segment
nhoff = skb->network_header - skb->mac_header;
__skb_pull(skb,nsh_len)
skb_mac_gso_segment
mpls_gso_segment
skb_reset_network_header(skb);//skb->network_header+=nsh_len
return -EINVAL;
skb_gso_error_unwind
skb_push(skb, nsh_len);
skb->mac_header = skb->network_header - nhoff;
// skb->mac_header > skb->headroom, cause skb_push panic
Use correct mac_offset to restore mac_header and get rid of nhoff.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c411ed854584a71b0e86ac3019b60e4789d88086 , < 2f88c8d38ecf5ed0273f99a067246899ba499eb2
(git)
Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < d2309e0cb27b6871b273fbc1725e93be62570d86 (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < 435855b0831b351cb72cb38369ee33122ce9574c (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < 02b20e0bc0c2628539e9e518dc342787c3332de2 (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < cdd8160dcda1fed2028a5f96575a84afc23aff7d (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < 6fbedf987b6b8ed54a50e2205d998eb2c8be72f9 (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < cb38e62922aa3991793344b5a5870e7291c74a44 (git) Affected: c411ed854584a71b0e86ac3019b60e4789d88086 , < c83b49383b595be50647f0c764a48c78b5f3c4f8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nsh/nsh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f88c8d38ecf5ed0273f99a067246899ba499eb2",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "d2309e0cb27b6871b273fbc1725e93be62570d86",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "435855b0831b351cb72cb38369ee33122ce9574c",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "02b20e0bc0c2628539e9e518dc342787c3332de2",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "cdd8160dcda1fed2028a5f96575a84afc23aff7d",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "6fbedf987b6b8ed54a50e2205d998eb2c8be72f9",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "cb38e62922aa3991793344b5a5870e7291c74a44",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
},
{
"lessThan": "c83b49383b595be50647f0c764a48c78b5f3c4f8",
"status": "affected",
"version": "c411ed854584a71b0e86ac3019b60e4789d88086",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nsh/nsh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()\n\nAs the call trace shows, skb_panic was caused by wrong skb-\u003emac_header\nin nsh_gso_segment():\n\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1\nRIP: 0010:skb_panic+0xda/0xe0\ncall Trace:\n skb_push+0x91/0xa0\n nsh_gso_segment+0x4f3/0x570\n skb_mac_gso_segment+0x19e/0x270\n __skb_gso_segment+0x1e8/0x3c0\n validate_xmit_skb+0x452/0x890\n validate_xmit_skb_list+0x99/0xd0\n sch_direct_xmit+0x294/0x7c0\n __dev_queue_xmit+0x16f0/0x1d70\n packet_xmit+0x185/0x210\n packet_snd+0xc15/0x1170\n packet_sendmsg+0x7b/0xa0\n sock_sendmsg+0x14f/0x160\n\nThe root cause is:\nnsh_gso_segment() use skb-\u003enetwork_header - nhoff to reset mac_header\nin skb_gso_error_unwind() if inner-layer protocol gso fails.\nHowever, skb-\u003enetwork_header may be reset by inner-layer protocol\ngso function e.g. mpls_gso_segment. skb-\u003emac_header reset by the\ninaccurate network_header will be larger than skb headroom.\n\nnsh_gso_segment\n nhoff = skb-\u003enetwork_header - skb-\u003emac_header;\n __skb_pull(skb,nsh_len)\n skb_mac_gso_segment\n mpls_gso_segment\n skb_reset_network_header(skb);//skb-\u003enetwork_header+=nsh_len\n return -EINVAL;\n skb_gso_error_unwind\n skb_push(skb, nsh_len);\n skb-\u003emac_header = skb-\u003enetwork_header - nhoff;\n // skb-\u003emac_header \u003e skb-\u003eheadroom, cause skb_push panic\n\nUse correct mac_offset to restore mac_header and get rid of nhoff."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:36.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f88c8d38ecf5ed0273f99a067246899ba499eb2"
},
{
"url": "https://git.kernel.org/stable/c/d2309e0cb27b6871b273fbc1725e93be62570d86"
},
{
"url": "https://git.kernel.org/stable/c/435855b0831b351cb72cb38369ee33122ce9574c"
},
{
"url": "https://git.kernel.org/stable/c/02b20e0bc0c2628539e9e518dc342787c3332de2"
},
{
"url": "https://git.kernel.org/stable/c/cdd8160dcda1fed2028a5f96575a84afc23aff7d"
},
{
"url": "https://git.kernel.org/stable/c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9"
},
{
"url": "https://git.kernel.org/stable/c/cb38e62922aa3991793344b5a5870e7291c74a44"
},
{
"url": "https://git.kernel.org/stable/c/c83b49383b595be50647f0c764a48c78b5f3c4f8"
}
],
"title": "net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54114",
"datePublished": "2025-12-24T13:06:36.214Z",
"dateReserved": "2025-12-24T13:02:52.519Z",
"dateUpdated": "2025-12-24T13:06:36.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53676 (GCVE-0-2023-53676)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2026-01-05 10:21
VLAI?
EPSS
Title
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
The function lio_target_nacl_info_show() uses sprintf() in a loop to print
details for every iSCSI connection in a session without checking for the
buffer length. With enough iSCSI connections it's possible to overflow the
buffer provided by configfs and corrupt the memory.
This patch replaces sprintf() with sysfs_emit_at() that checks for buffer
boundries.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e48354ce078c079996f89d715dfa44814b4eba01 , < df349e84c2cb0dd05d98c8e1189c26ab4b116083
(git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 114b44dddea1f8f99576de3c0e6e9059012002fc (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 2cbe6a88fbdd6e8aeab358eef61472e2de43d6f6 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < bbe3ff47bf09db8956bc2eeb49d2d514d256ad2a (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 5353df78c22623b42a71d51226d228a8413097e2 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 4738bf8b2d3635c2944b81b2a84d97b8c8b0978d (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 0cac6cbb9908309352a5d30c1876882771d3da50 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 801f287c93ff95582b0a2d2163f12870a2f076d4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df349e84c2cb0dd05d98c8e1189c26ab4b116083",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "114b44dddea1f8f99576de3c0e6e9059012002fc",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "2cbe6a88fbdd6e8aeab358eef61472e2de43d6f6",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "bbe3ff47bf09db8956bc2eeb49d2d514d256ad2a",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "5353df78c22623b42a71d51226d228a8413097e2",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "4738bf8b2d3635c2944b81b2a84d97b8c8b0978d",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "0cac6cbb9908309352a5d30c1876882771d3da50",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "801f287c93ff95582b0a2d2163f12870a2f076d4",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_configfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()\n\nThe function lio_target_nacl_info_show() uses sprintf() in a loop to print\ndetails for every iSCSI connection in a session without checking for the\nbuffer length. With enough iSCSI connections it\u0027s possible to overflow the\nbuffer provided by configfs and corrupt the memory.\n\nThis patch replaces sprintf() with sysfs_emit_at() that checks for buffer\nboundries."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:21:49.841Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df349e84c2cb0dd05d98c8e1189c26ab4b116083"
},
{
"url": "https://git.kernel.org/stable/c/114b44dddea1f8f99576de3c0e6e9059012002fc"
},
{
"url": "https://git.kernel.org/stable/c/2cbe6a88fbdd6e8aeab358eef61472e2de43d6f6"
},
{
"url": "https://git.kernel.org/stable/c/bbe3ff47bf09db8956bc2eeb49d2d514d256ad2a"
},
{
"url": "https://git.kernel.org/stable/c/5353df78c22623b42a71d51226d228a8413097e2"
},
{
"url": "https://git.kernel.org/stable/c/4738bf8b2d3635c2944b81b2a84d97b8c8b0978d"
},
{
"url": "https://git.kernel.org/stable/c/0cac6cbb9908309352a5d30c1876882771d3da50"
},
{
"url": "https://git.kernel.org/stable/c/801f287c93ff95582b0a2d2163f12870a2f076d4"
}
],
"title": "scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53676",
"datePublished": "2025-10-07T15:21:31.757Z",
"dateReserved": "2025-10-07T15:16:59.664Z",
"dateUpdated": "2026-01-05T10:21:49.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50665 (GCVE-0-2022-50665)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected
It has a fail log which is ath11k_dbg in ath11k_dp_rx_process_mon_status(),
as below, it will not print when debug_mask is not set ATH11K_DBG_DATA.
ath11k_dbg(ab, ATH11K_DBG_DATA,
"failed to find the peer with peer_id %d\n",
ppdu_info.peer_id);
When run scan with station disconnected, the peer_id is 0 for case
HAL_RX_MPDU_START in ath11k_hal_rx_parse_mon_status_tlv() which called
from ath11k_dp_rx_process_mon_status(), and the peer_id of ppdu_info is
reset to 0 in the while loop, so it does not match condition of the
check "if (ppdu_info->peer_id == HAL_INVALID_PEERID" in the loop, and
then the log "failed to find the peer with peer_id 0" print after the
check in the loop, it is below call stack when debug_mask is set
ATH11K_DBG_DATA.
The reason is this commit 01d2f285e3e5 ("ath11k: decode HE status tlv")
add "memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info))" in
ath11k_dp_rx_process_mon_status(), but the commit does not initialize
the peer_id to HAL_INVALID_PEERID, then lead the check mis-match.
Callstack of the failed log:
[12335.689072] RIP: 0010:ath11k_dp_rx_process_mon_status+0x9ea/0x1020 [ath11k]
[12335.689157] Code: 89 ff e8 f9 10 00 00 be 01 00 00 00 4c 89 f7 e8 dc 4b 4e de 48 8b 85 38 ff ff ff c7 80 e4 07 00 00 01 00 00 00 e9 20 f8 ff ff <0f> 0b 41 0f b7 96 be 06 00 00 48 c7 c6 b8 50 44 c1 4c 89 ff e8 fd
[12335.689180] RSP: 0018:ffffb874001a4ca0 EFLAGS: 00010246
[12335.689210] RAX: 0000000000000000 RBX: ffff995642cbd100 RCX: 0000000000000000
[12335.689229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99564212cd18
[12335.689248] RBP: ffffb874001a4dc0 R08: 0000000000000001 R09: 0000000000000000
[12335.689268] R10: 0000000000000220 R11: ffffb874001a48e8 R12: ffff995642473d40
[12335.689286] R13: ffff99564212c5b8 R14: ffff9956424736a0 R15: ffff995642120000
[12335.689303] FS: 0000000000000000(0000) GS:ffff995739000000(0000) knlGS:0000000000000000
[12335.689323] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[12335.689341] CR2: 00007f43c5d5e039 CR3: 000000011c012005 CR4: 00000000000606e0
[12335.689360] Call Trace:
[12335.689377] <IRQ>
[12335.689418] ? rcu_read_lock_held_common+0x12/0x50
[12335.689447] ? rcu_read_lock_sched_held+0x25/0x80
[12335.689471] ? rcu_read_lock_held_common+0x12/0x50
[12335.689504] ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]
[12335.689578] ? ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]
[12335.689653] ? lock_acquire+0xef/0x360
[12335.689681] ? rcu_read_lock_sched_held+0x25/0x80
[12335.689713] ath11k_dp_service_mon_ring+0x38/0x60 [ath11k]
[12335.689784] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]
[12335.689860] call_timer_fn+0xb2/0x2f0
[12335.689897] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]
[12335.689970] run_timer_softirq+0x21f/0x540
[12335.689999] ? ktime_get+0xad/0x160
[12335.690025] ? lapic_next_deadline+0x2c/0x40
[12335.690053] ? clockevents_program_event+0x82/0x100
[12335.690093] __do_softirq+0x151/0x4a8
[12335.690135] irq_exit_rcu+0xc9/0x100
[12335.690165] sysvec_apic_timer_interrupt+0xa8/0xd0
[12335.690189] </IRQ>
[12335.690204] <TASK>
[12335.690225] asm_sysvec_apic_timer_interrupt+0x12/0x20
Reset the default value to HAL_INVALID_PEERID each time after memset
of ppdu_info as well as others memset which existed in function
ath11k_dp_rx_process_mon_status(), then the failed log disappeared.
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
01d2f285e3e5b629df9c61514e7ee07a54d0eed9 , < c0bb97a90b133416b50b3ffbdb7efca9253cc687
(git)
Affected: 01d2f285e3e5b629df9c61514e7ee07a54d0eed9 , < a5b03df19041e5ce35c7f048fa84bf1b0ceb1311 (git) Affected: 01d2f285e3e5b629df9c61514e7ee07a54d0eed9 , < a20ed60bb357776301c2dad7b4a4f0db97e143e9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0bb97a90b133416b50b3ffbdb7efca9253cc687",
"status": "affected",
"version": "01d2f285e3e5b629df9c61514e7ee07a54d0eed9",
"versionType": "git"
},
{
"lessThan": "a5b03df19041e5ce35c7f048fa84bf1b0ceb1311",
"status": "affected",
"version": "01d2f285e3e5b629df9c61514e7ee07a54d0eed9",
"versionType": "git"
},
{
"lessThan": "a20ed60bb357776301c2dad7b4a4f0db97e143e9",
"status": "affected",
"version": "01d2f285e3e5b629df9c61514e7ee07a54d0eed9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected\n\nIt has a fail log which is ath11k_dbg in ath11k_dp_rx_process_mon_status(),\nas below, it will not print when debug_mask is not set ATH11K_DBG_DATA.\n\tath11k_dbg(ab, ATH11K_DBG_DATA,\n\t\t \"failed to find the peer with peer_id %d\\n\",\n\t\t ppdu_info.peer_id);\n\nWhen run scan with station disconnected, the peer_id is 0 for case\nHAL_RX_MPDU_START in ath11k_hal_rx_parse_mon_status_tlv() which called\nfrom ath11k_dp_rx_process_mon_status(), and the peer_id of ppdu_info is\nreset to 0 in the while loop, so it does not match condition of the\ncheck \"if (ppdu_info-\u003epeer_id == HAL_INVALID_PEERID\" in the loop, and\nthen the log \"failed to find the peer with peer_id 0\" print after the\ncheck in the loop, it is below call stack when debug_mask is set\nATH11K_DBG_DATA.\n\nThe reason is this commit 01d2f285e3e5 (\"ath11k: decode HE status tlv\")\nadd \"memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info))\" in\nath11k_dp_rx_process_mon_status(), but the commit does not initialize\nthe peer_id to HAL_INVALID_PEERID, then lead the check mis-match.\n\nCallstack of the failed log:\n[12335.689072] RIP: 0010:ath11k_dp_rx_process_mon_status+0x9ea/0x1020 [ath11k]\n[12335.689157] Code: 89 ff e8 f9 10 00 00 be 01 00 00 00 4c 89 f7 e8 dc 4b 4e de 48 8b 85 38 ff ff ff c7 80 e4 07 00 00 01 00 00 00 e9 20 f8 ff ff \u003c0f\u003e 0b 41 0f b7 96 be 06 00 00 48 c7 c6 b8 50 44 c1 4c 89 ff e8 fd\n[12335.689180] RSP: 0018:ffffb874001a4ca0 EFLAGS: 00010246\n[12335.689210] RAX: 0000000000000000 RBX: ffff995642cbd100 RCX: 0000000000000000\n[12335.689229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99564212cd18\n[12335.689248] RBP: ffffb874001a4dc0 R08: 0000000000000001 R09: 0000000000000000\n[12335.689268] R10: 0000000000000220 R11: ffffb874001a48e8 R12: ffff995642473d40\n[12335.689286] R13: ffff99564212c5b8 R14: ffff9956424736a0 R15: ffff995642120000\n[12335.689303] FS: 0000000000000000(0000) GS:ffff995739000000(0000) knlGS:0000000000000000\n[12335.689323] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[12335.689341] CR2: 00007f43c5d5e039 CR3: 000000011c012005 CR4: 00000000000606e0\n[12335.689360] Call Trace:\n[12335.689377] \u003cIRQ\u003e\n[12335.689418] ? rcu_read_lock_held_common+0x12/0x50\n[12335.689447] ? rcu_read_lock_sched_held+0x25/0x80\n[12335.689471] ? rcu_read_lock_held_common+0x12/0x50\n[12335.689504] ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]\n[12335.689578] ? ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]\n[12335.689653] ? lock_acquire+0xef/0x360\n[12335.689681] ? rcu_read_lock_sched_held+0x25/0x80\n[12335.689713] ath11k_dp_service_mon_ring+0x38/0x60 [ath11k]\n[12335.689784] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]\n[12335.689860] call_timer_fn+0xb2/0x2f0\n[12335.689897] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]\n[12335.689970] run_timer_softirq+0x21f/0x540\n[12335.689999] ? ktime_get+0xad/0x160\n[12335.690025] ? lapic_next_deadline+0x2c/0x40\n[12335.690053] ? clockevents_program_event+0x82/0x100\n[12335.690093] __do_softirq+0x151/0x4a8\n[12335.690135] irq_exit_rcu+0xc9/0x100\n[12335.690165] sysvec_apic_timer_interrupt+0xa8/0xd0\n[12335.690189] \u003c/IRQ\u003e\n[12335.690204] \u003cTASK\u003e\n[12335.690225] asm_sysvec_apic_timer_interrupt+0x12/0x20\n\nReset the default value to HAL_INVALID_PEERID each time after memset\nof ppdu_info as well as others memset which existed in function\nath11k_dp_rx_process_mon_status(), then the failed log disappeared.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:15.255Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0bb97a90b133416b50b3ffbdb7efca9253cc687"
},
{
"url": "https://git.kernel.org/stable/c/a5b03df19041e5ce35c7f048fa84bf1b0ceb1311"
},
{
"url": "https://git.kernel.org/stable/c/a20ed60bb357776301c2dad7b4a4f0db97e143e9"
}
],
"title": "wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50665",
"datePublished": "2025-12-09T01:29:15.255Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:15.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57849 (GCVE-0-2024-57849)
Vulnerability from cvelistv5 – Published: 2025-01-11 14:30 – Updated: 2026-01-05 10:56
VLAI?
EPSS
Title
s390/cpum_sf: Handle CPU hotplug remove during sampling
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/cpum_sf: Handle CPU hotplug remove during sampling
CPU hotplug remove handling triggers the following function
call sequence:
CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu()
...
CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu()
The s390 CPUMF sampling CPU hotplug handler invokes:
s390_pmu_sf_offline_cpu()
+--> cpusf_pmu_setup()
+--> setup_pmc_cpu()
+--> deallocate_buffers()
This function de-allocates all sampling data buffers (SDBs) allocated
for that CPU at event initialization. It also clears the
PMU_F_RESERVED bit. The CPU is gone and can not be sampled.
With the event still being active on the removed CPU, the CPU event
hotplug support in kernel performance subsystem triggers the
following function calls on the removed CPU:
perf_event_exit_cpu()
+--> perf_event_exit_cpu_context()
+--> __perf_event_exit_context()
+--> __perf_remove_from_context()
+--> event_sched_out()
+--> cpumsf_pmu_del()
+--> cpumsf_pmu_stop()
+--> hw_perf_event_update()
to stop and remove the event. During removal of the event, the
sampling device driver tries to read out the remaining samples from
the sample data buffers (SDBs). But they have already been freed
(and may have been re-assigned). This may lead to a use after free
situation in which case the samples are most likely invalid. In the
best case the memory has not been reassigned and still contains
valid data.
Remedy this situation and check if the CPU is still in reserved
state (bit PMU_F_RESERVED set). In this case the SDBs have not been
released an contain valid data. This is always the case when
the event is removed (and no CPU hotplug off occured).
If the PMU_F_RESERVED bit is not set, the SDB buffers are gone.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < 238e3af849dfdcb1faed544349f7025e533f9aab
(git)
Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < 99192c735ed4bfdff0d215ec85c8a87a677cb898 (git) Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < 06a92f810df8037ca36157282ddcbefdcaf049b8 (git) Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < b5be6a0bb639d165c8418d8dddd8f322587be8be (git) Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < a69752f1e5de817941a2ea0609254f6f25acd274 (git) Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < be54e6e0f93a39a9c00478d70d12956a5f3d5b9b (git) Affected: e3d617fe6ac7294974fc513dc5e4d8ada8080fd1 , < a0bd7dacbd51c632b8e2c0500b479af564afadf3 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:54:42.821Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/kernel/perf_cpum_sf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "238e3af849dfdcb1faed544349f7025e533f9aab",
"status": "affected",
"version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
"versionType": "git"
},
{
"lessThan": "99192c735ed4bfdff0d215ec85c8a87a677cb898",
"status": "affected",
"version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
"versionType": "git"
},
{
"lessThan": "06a92f810df8037ca36157282ddcbefdcaf049b8",
"status": "affected",
"version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
"versionType": "git"
},
{
"lessThan": "b5be6a0bb639d165c8418d8dddd8f322587be8be",
"status": "affected",
"version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
"versionType": "git"
},
{
"lessThan": "a69752f1e5de817941a2ea0609254f6f25acd274",
"status": "affected",
"version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
"versionType": "git"
},
{
"lessThan": "be54e6e0f93a39a9c00478d70d12956a5f3d5b9b",
"status": "affected",
"version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
"versionType": "git"
},
{
"lessThan": "a0bd7dacbd51c632b8e2c0500b479af564afadf3",
"status": "affected",
"version": "e3d617fe6ac7294974fc513dc5e4d8ada8080fd1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/kernel/perf_cpum_sf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.287",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.287",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.231",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cpum_sf: Handle CPU hotplug remove during sampling\n\nCPU hotplug remove handling triggers the following function\ncall sequence:\n\n CPUHP_AP_PERF_S390_SF_ONLINE --\u003e s390_pmu_sf_offline_cpu()\n ...\n CPUHP_AP_PERF_ONLINE --\u003e perf_event_exit_cpu()\n\nThe s390 CPUMF sampling CPU hotplug handler invokes:\n\n s390_pmu_sf_offline_cpu()\n +--\u003e cpusf_pmu_setup()\n +--\u003e setup_pmc_cpu()\n +--\u003e deallocate_buffers()\n\nThis function de-allocates all sampling data buffers (SDBs) allocated\nfor that CPU at event initialization. It also clears the\nPMU_F_RESERVED bit. The CPU is gone and can not be sampled.\n\nWith the event still being active on the removed CPU, the CPU event\nhotplug support in kernel performance subsystem triggers the\nfollowing function calls on the removed CPU:\n\n perf_event_exit_cpu()\n +--\u003e perf_event_exit_cpu_context()\n +--\u003e __perf_event_exit_context()\n\t +--\u003e __perf_remove_from_context()\n\t +--\u003e event_sched_out()\n\t +--\u003e cpumsf_pmu_del()\n\t +--\u003e cpumsf_pmu_stop()\n +--\u003e hw_perf_event_update()\n\nto stop and remove the event. During removal of the event, the\nsampling device driver tries to read out the remaining samples from\nthe sample data buffers (SDBs). But they have already been freed\n(and may have been re-assigned). This may lead to a use after free\nsituation in which case the samples are most likely invalid. In the\nbest case the memory has not been reassigned and still contains\nvalid data.\n\nRemedy this situation and check if the CPU is still in reserved\nstate (bit PMU_F_RESERVED set). In this case the SDBs have not been\nreleased an contain valid data. This is always the case when\nthe event is removed (and no CPU hotplug off occured).\nIf the PMU_F_RESERVED bit is not set, the SDB buffers are gone."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:56:29.911Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/238e3af849dfdcb1faed544349f7025e533f9aab"
},
{
"url": "https://git.kernel.org/stable/c/99192c735ed4bfdff0d215ec85c8a87a677cb898"
},
{
"url": "https://git.kernel.org/stable/c/06a92f810df8037ca36157282ddcbefdcaf049b8"
},
{
"url": "https://git.kernel.org/stable/c/b5be6a0bb639d165c8418d8dddd8f322587be8be"
},
{
"url": "https://git.kernel.org/stable/c/a69752f1e5de817941a2ea0609254f6f25acd274"
},
{
"url": "https://git.kernel.org/stable/c/be54e6e0f93a39a9c00478d70d12956a5f3d5b9b"
},
{
"url": "https://git.kernel.org/stable/c/a0bd7dacbd51c632b8e2c0500b479af564afadf3"
}
],
"title": "s390/cpum_sf: Handle CPU hotplug remove during sampling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-57849",
"datePublished": "2025-01-11T14:30:58.365Z",
"dateReserved": "2025-01-11T12:33:33.699Z",
"dateUpdated": "2026-01-05T10:56:29.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53847 (GCVE-0-2023-53847)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
usb-storage: alauda: Fix uninit-value in alauda_check_media()
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb-storage: alauda: Fix uninit-value in alauda_check_media()
Syzbot got KMSAN to complain about access to an uninitialized value in
the alauda subdriver of usb-storage:
BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0
drivers/usb/storage/alauda.c:1137
CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x191/0x1f0 lib/dump_stack.c:113
kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108
__msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250
alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460
The problem is that alauda_check_media() doesn't verify that its USB
transfer succeeded before trying to use the received data. What
should happen if the transfer fails isn't entirely clear, but a
reasonably conservative approach is to pretend that no media is
present.
A similar problem exists in a usb_stor_dbg() call in
alauda_get_media_status(). In this case, when an error occurs the
call is redundant, because usb_stor_ctrl_transfer() already will print
a debugging message.
Finally, unrelated to the uninitialized memory access, is the fact
that alauda_check_media() performs DMA to a buffer on the stack.
Fortunately usb-storage provides a general purpose DMA-able buffer for
uses like this. We'll use it instead.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 153c3e85873cc3e2f387169783c3a227bad9a95a
(git)
Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 49d380bcd6cba987c6085fae6464c9c087e8d9a0 (git) Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 044f4446e06bb03c52216697b14867ebc555ad3b (git) Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < fe7c3a445d22783d27fe8bd0521a8aab1eb9da65 (git) Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 7a11d1e2625bdb2346f6586773b20b20977278ac (git) Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd (git) Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < 373e0ab8c4c516561493f1acf367c7ee7dc053c2 (git) Affected: e80b0fade09ef1ee67b0898d480d4c588f124d5f , < a6ff6e7a9dd69364547751db0f626a10a6d628d2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/alauda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "153c3e85873cc3e2f387169783c3a227bad9a95a",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "49d380bcd6cba987c6085fae6464c9c087e8d9a0",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "044f4446e06bb03c52216697b14867ebc555ad3b",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "fe7c3a445d22783d27fe8bd0521a8aab1eb9da65",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "7a11d1e2625bdb2346f6586773b20b20977278ac",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "373e0ab8c4c516561493f1acf367c7ee7dc053c2",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
},
{
"lessThan": "a6ff6e7a9dd69364547751db0f626a10a6d628d2",
"status": "affected",
"version": "e80b0fade09ef1ee67b0898d480d4c588f124d5f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/alauda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.323",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb-storage: alauda: Fix uninit-value in alauda_check_media()\n\nSyzbot got KMSAN to complain about access to an uninitialized value in\nthe alauda subdriver of usb-storage:\n\nBUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0\ndrivers/usb/storage/alauda.c:1137\nCPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 01/01/2011\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x191/0x1f0 lib/dump_stack.c:113\n kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108\n __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250\n alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460\n\nThe problem is that alauda_check_media() doesn\u0027t verify that its USB\ntransfer succeeded before trying to use the received data. What\nshould happen if the transfer fails isn\u0027t entirely clear, but a\nreasonably conservative approach is to pretend that no media is\npresent.\n\nA similar problem exists in a usb_stor_dbg() call in\nalauda_get_media_status(). In this case, when an error occurs the\ncall is redundant, because usb_stor_ctrl_transfer() already will print\na debugging message.\n\nFinally, unrelated to the uninitialized memory access, is the fact\nthat alauda_check_media() performs DMA to a buffer on the stack.\nFortunately usb-storage provides a general purpose DMA-able buffer for\nuses like this. We\u0027ll use it instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:10.344Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/153c3e85873cc3e2f387169783c3a227bad9a95a"
},
{
"url": "https://git.kernel.org/stable/c/49d380bcd6cba987c6085fae6464c9c087e8d9a0"
},
{
"url": "https://git.kernel.org/stable/c/044f4446e06bb03c52216697b14867ebc555ad3b"
},
{
"url": "https://git.kernel.org/stable/c/fe7c3a445d22783d27fe8bd0521a8aab1eb9da65"
},
{
"url": "https://git.kernel.org/stable/c/7a11d1e2625bdb2346f6586773b20b20977278ac"
},
{
"url": "https://git.kernel.org/stable/c/0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd"
},
{
"url": "https://git.kernel.org/stable/c/373e0ab8c4c516561493f1acf367c7ee7dc053c2"
},
{
"url": "https://git.kernel.org/stable/c/a6ff6e7a9dd69364547751db0f626a10a6d628d2"
}
],
"title": "usb-storage: alauda: Fix uninit-value in alauda_check_media()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53847",
"datePublished": "2025-12-09T01:30:10.344Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:10.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54026 (GCVE-0-2023-54026)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
opp: Fix use-after-free in lazy_opp_tables after probe deferral
Summary
In the Linux kernel, the following vulnerability has been resolved:
opp: Fix use-after-free in lazy_opp_tables after probe deferral
When dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns
-EPROBE_DEFER, the opp_table is freed again, to wait until all the
interconnect paths are available.
However, if the OPP table is using required-opps then it may already
have been added to the global lazy_opp_tables list. The error path
does not remove the opp_table from the list again.
This can cause crashes later when the provider of the required-opps
is added, since we will iterate over OPP tables that have already been
freed. E.g.:
Unable to handle kernel NULL pointer dereference when read
CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3
PC is at _of_add_opp_table_v2 (include/linux/of.h:949
drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404
drivers/opp/of.c:1032) -> lazy_link_required_opp_table()
Fix this by calling _of_clear_opp_table() to remove the opp_table from
the list and clear other allocated resources. While at it, also add the
missing mutex_destroy() calls in the error path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7eba0c7641b0009818e469dbfcdd87a0155ab9d4 , < 39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc
(git)
Affected: 7eba0c7641b0009818e469dbfcdd87a0155ab9d4 , < 76ab057de777723ec924654502d1a260ba7d7d54 (git) Affected: 7eba0c7641b0009818e469dbfcdd87a0155ab9d4 , < c05e76d6b249e5254c31994eedd06dd3cc90dee0 (git) Affected: 7eba0c7641b0009818e469dbfcdd87a0155ab9d4 , < b2a2ab039bd58f51355e33d7d3fc64605d7f870d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/opp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc",
"status": "affected",
"version": "7eba0c7641b0009818e469dbfcdd87a0155ab9d4",
"versionType": "git"
},
{
"lessThan": "76ab057de777723ec924654502d1a260ba7d7d54",
"status": "affected",
"version": "7eba0c7641b0009818e469dbfcdd87a0155ab9d4",
"versionType": "git"
},
{
"lessThan": "c05e76d6b249e5254c31994eedd06dd3cc90dee0",
"status": "affected",
"version": "7eba0c7641b0009818e469dbfcdd87a0155ab9d4",
"versionType": "git"
},
{
"lessThan": "b2a2ab039bd58f51355e33d7d3fc64605d7f870d",
"status": "affected",
"version": "7eba0c7641b0009818e469dbfcdd87a0155ab9d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/opp/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nopp: Fix use-after-free in lazy_opp_tables after probe deferral\n\nWhen dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns\n-EPROBE_DEFER, the opp_table is freed again, to wait until all the\ninterconnect paths are available.\n\nHowever, if the OPP table is using required-opps then it may already\nhave been added to the global lazy_opp_tables list. The error path\ndoes not remove the opp_table from the list again.\n\nThis can cause crashes later when the provider of the required-opps\nis added, since we will iterate over OPP tables that have already been\nfreed. E.g.:\n\n Unable to handle kernel NULL pointer dereference when read\n CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3\n PC is at _of_add_opp_table_v2 (include/linux/of.h:949\n drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404\n drivers/opp/of.c:1032) -\u003e lazy_link_required_opp_table()\n\nFix this by calling _of_clear_opp_table() to remove the opp_table from\nthe list and clear other allocated resources. While at it, also add the\nmissing mutex_destroy() calls in the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:55.182Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc"
},
{
"url": "https://git.kernel.org/stable/c/76ab057de777723ec924654502d1a260ba7d7d54"
},
{
"url": "https://git.kernel.org/stable/c/c05e76d6b249e5254c31994eedd06dd3cc90dee0"
},
{
"url": "https://git.kernel.org/stable/c/b2a2ab039bd58f51355e33d7d3fc64605d7f870d"
}
],
"title": "opp: Fix use-after-free in lazy_opp_tables after probe deferral",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54026",
"datePublished": "2025-12-24T10:55:55.182Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:55.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54244 (GCVE-0-2023-54244)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-01-05 11:36
VLAI?
EPSS
Title
ACPI: EC: Fix oops when removing custom query handlers
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: EC: Fix oops when removing custom query handlers
When removing custom query handlers, the handler might still
be used inside the EC query workqueue, causing a kernel oops
if the module holding the callback function was already unloaded.
Fix this by flushing the EC query workqueue when removing
custom query handlers.
Tested on a Acer Travelmate 4002WLMi
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a62e8f1978f49e52f87a711ff6711b323d4b12ff , < 130e3eac51912f2c866e7d035992ede25f8feac0
(git)
Affected: a62e8f1978f49e52f87a711ff6711b323d4b12ff , < 0d528a7c421b1f1772fc1d29370b3b5fc0f42b19 (git) Affected: a62e8f1978f49e52f87a711ff6711b323d4b12ff , < ccae2233e9935a038a35fe8cfd703df905f700e7 (git) Affected: a62e8f1978f49e52f87a711ff6711b323d4b12ff , < 066b90bca755f0b876e7b027b75d1796861d6db0 (git) Affected: a62e8f1978f49e52f87a711ff6711b323d4b12ff , < f4a573eed6377d356f835a4b00099d5dacee0da0 (git) Affected: a62e8f1978f49e52f87a711ff6711b323d4b12ff , < 86a159fd5bdb01ec34b160cfda1a313b616d9302 (git) Affected: a62e8f1978f49e52f87a711ff6711b323d4b12ff , < fd2c99e81ae0dbdd62a154ef9c77fc01715cc020 (git) Affected: a62e8f1978f49e52f87a711ff6711b323d4b12ff , < e5b492c6bb900fcf9722e05f4a10924410e170c1 (git) Affected: 1ff7b99e4983d9e93d25e98ba1ce303ad4e4909e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/ec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "130e3eac51912f2c866e7d035992ede25f8feac0",
"status": "affected",
"version": "a62e8f1978f49e52f87a711ff6711b323d4b12ff",
"versionType": "git"
},
{
"lessThan": "0d528a7c421b1f1772fc1d29370b3b5fc0f42b19",
"status": "affected",
"version": "a62e8f1978f49e52f87a711ff6711b323d4b12ff",
"versionType": "git"
},
{
"lessThan": "ccae2233e9935a038a35fe8cfd703df905f700e7",
"status": "affected",
"version": "a62e8f1978f49e52f87a711ff6711b323d4b12ff",
"versionType": "git"
},
{
"lessThan": "066b90bca755f0b876e7b027b75d1796861d6db0",
"status": "affected",
"version": "a62e8f1978f49e52f87a711ff6711b323d4b12ff",
"versionType": "git"
},
{
"lessThan": "f4a573eed6377d356f835a4b00099d5dacee0da0",
"status": "affected",
"version": "a62e8f1978f49e52f87a711ff6711b323d4b12ff",
"versionType": "git"
},
{
"lessThan": "86a159fd5bdb01ec34b160cfda1a313b616d9302",
"status": "affected",
"version": "a62e8f1978f49e52f87a711ff6711b323d4b12ff",
"versionType": "git"
},
{
"lessThan": "fd2c99e81ae0dbdd62a154ef9c77fc01715cc020",
"status": "affected",
"version": "a62e8f1978f49e52f87a711ff6711b323d4b12ff",
"versionType": "git"
},
{
"lessThan": "e5b492c6bb900fcf9722e05f4a10924410e170c1",
"status": "affected",
"version": "a62e8f1978f49e52f87a711ff6711b323d4b12ff",
"versionType": "git"
},
{
"status": "affected",
"version": "1ff7b99e4983d9e93d25e98ba1ce303ad4e4909e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/ec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: EC: Fix oops when removing custom query handlers\n\nWhen removing custom query handlers, the handler might still\nbe used inside the EC query workqueue, causing a kernel oops\nif the module holding the callback function was already unloaded.\n\nFix this by flushing the EC query workqueue when removing\ncustom query handlers.\n\nTested on a Acer Travelmate 4002WLMi"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:36:59.842Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/130e3eac51912f2c866e7d035992ede25f8feac0"
},
{
"url": "https://git.kernel.org/stable/c/0d528a7c421b1f1772fc1d29370b3b5fc0f42b19"
},
{
"url": "https://git.kernel.org/stable/c/ccae2233e9935a038a35fe8cfd703df905f700e7"
},
{
"url": "https://git.kernel.org/stable/c/066b90bca755f0b876e7b027b75d1796861d6db0"
},
{
"url": "https://git.kernel.org/stable/c/f4a573eed6377d356f835a4b00099d5dacee0da0"
},
{
"url": "https://git.kernel.org/stable/c/86a159fd5bdb01ec34b160cfda1a313b616d9302"
},
{
"url": "https://git.kernel.org/stable/c/fd2c99e81ae0dbdd62a154ef9c77fc01715cc020"
},
{
"url": "https://git.kernel.org/stable/c/e5b492c6bb900fcf9722e05f4a10924410e170c1"
}
],
"title": "ACPI: EC: Fix oops when removing custom query handlers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54244",
"datePublished": "2025-12-30T12:15:43.397Z",
"dateReserved": "2025-12-30T12:06:44.512Z",
"dateUpdated": "2026-01-05T11:36:59.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50731 (GCVE-0-2022-50731)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
crypto: akcipher - default implementation for setting a private key
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: akcipher - default implementation for setting a private key
Changes from v1:
* removed the default implementation from set_pub_key: it is assumed that
an implementation must always have this callback defined as there are
no use case for an algorithm, which doesn't need a public key
Many akcipher implementations (like ECDSA) support only signature
verifications, so they don't have all callbacks defined.
Commit 78a0324f4a53 ("crypto: akcipher - default implementations for
request callbacks") introduced default callbacks for sign/verify
operations, which just return an error code.
However, these are not enough, because before calling sign the caller would
likely call set_priv_key first on the instantiated transform (as the
in-kernel testmgr does). This function does not have a default stub, so the
kernel crashes, when trying to set a private key on an akcipher, which
doesn't support signature generation.
I've noticed this, when trying to add a KAT vector for ECDSA signature to
the testmgr.
With this patch the testmgr returns an error in dmesg (as it should)
instead of crashing the kernel NULL ptr dereference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
78a0324f4a5328088fea9426cfe1d1851276c475 , < 95c4e20adc3ea00d1594a2a05d9b187ed12ffa8e
(git)
Affected: 78a0324f4a5328088fea9426cfe1d1851276c475 , < a1354bdd191d533211b7cb723aa76a66f516f197 (git) Affected: 78a0324f4a5328088fea9426cfe1d1851276c475 , < 779a9930f3e152c82699feb389a0e6d6644e747e (git) Affected: 78a0324f4a5328088fea9426cfe1d1851276c475 , < 85bc736a18b872f54912e8bb70682d11770aece0 (git) Affected: 78a0324f4a5328088fea9426cfe1d1851276c475 , < f9058178597059d6307efe96a7916600f8ede08c (git) Affected: 78a0324f4a5328088fea9426cfe1d1851276c475 , < bc155c6c188c2f0c5749993b1405673d25a80389 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/akcipher.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95c4e20adc3ea00d1594a2a05d9b187ed12ffa8e",
"status": "affected",
"version": "78a0324f4a5328088fea9426cfe1d1851276c475",
"versionType": "git"
},
{
"lessThan": "a1354bdd191d533211b7cb723aa76a66f516f197",
"status": "affected",
"version": "78a0324f4a5328088fea9426cfe1d1851276c475",
"versionType": "git"
},
{
"lessThan": "779a9930f3e152c82699feb389a0e6d6644e747e",
"status": "affected",
"version": "78a0324f4a5328088fea9426cfe1d1851276c475",
"versionType": "git"
},
{
"lessThan": "85bc736a18b872f54912e8bb70682d11770aece0",
"status": "affected",
"version": "78a0324f4a5328088fea9426cfe1d1851276c475",
"versionType": "git"
},
{
"lessThan": "f9058178597059d6307efe96a7916600f8ede08c",
"status": "affected",
"version": "78a0324f4a5328088fea9426cfe1d1851276c475",
"versionType": "git"
},
{
"lessThan": "bc155c6c188c2f0c5749993b1405673d25a80389",
"status": "affected",
"version": "78a0324f4a5328088fea9426cfe1d1851276c475",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/akcipher.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: akcipher - default implementation for setting a private key\n\nChanges from v1:\n * removed the default implementation from set_pub_key: it is assumed that\n an implementation must always have this callback defined as there are\n no use case for an algorithm, which doesn\u0027t need a public key\n\nMany akcipher implementations (like ECDSA) support only signature\nverifications, so they don\u0027t have all callbacks defined.\n\nCommit 78a0324f4a53 (\"crypto: akcipher - default implementations for\nrequest callbacks\") introduced default callbacks for sign/verify\noperations, which just return an error code.\n\nHowever, these are not enough, because before calling sign the caller would\nlikely call set_priv_key first on the instantiated transform (as the\nin-kernel testmgr does). This function does not have a default stub, so the\nkernel crashes, when trying to set a private key on an akcipher, which\ndoesn\u0027t support signature generation.\n\nI\u0027ve noticed this, when trying to add a KAT vector for ECDSA signature to\nthe testmgr.\n\nWith this patch the testmgr returns an error in dmesg (as it should)\ninstead of crashing the kernel NULL ptr dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:51.122Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95c4e20adc3ea00d1594a2a05d9b187ed12ffa8e"
},
{
"url": "https://git.kernel.org/stable/c/a1354bdd191d533211b7cb723aa76a66f516f197"
},
{
"url": "https://git.kernel.org/stable/c/779a9930f3e152c82699feb389a0e6d6644e747e"
},
{
"url": "https://git.kernel.org/stable/c/85bc736a18b872f54912e8bb70682d11770aece0"
},
{
"url": "https://git.kernel.org/stable/c/f9058178597059d6307efe96a7916600f8ede08c"
},
{
"url": "https://git.kernel.org/stable/c/bc155c6c188c2f0c5749993b1405673d25a80389"
}
],
"title": "crypto: akcipher - default implementation for setting a private key",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50731",
"datePublished": "2025-12-24T12:22:51.122Z",
"dateReserved": "2025-12-24T12:20:40.331Z",
"dateUpdated": "2025-12-24T12:22:51.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50710 (GCVE-0-2022-50710)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03
VLAI?
EPSS
Title
ice: set tx_tstamps when creating new Tx rings via ethtool
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: set tx_tstamps when creating new Tx rings via ethtool
When the user changes the number of queues via ethtool, the driver
allocates new rings. This allocation did not initialize tx_tstamps. This
results in the tx_tstamps field being zero (due to kcalloc allocation), and
would result in a NULL pointer dereference when attempting a transmit
timestamp on the new ring.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ea9b847cda647b9849b0b9fa0447e876a1ac62e1 , < 624f03a027f2b18647cc4f1a7a81920a1e4e0201
(git)
Affected: ea9b847cda647b9849b0b9fa0447e876a1ac62e1 , < 13180cb88a7be5ee389f65f6ab9f78e46f7722b2 (git) Affected: ea9b847cda647b9849b0b9fa0447e876a1ac62e1 , < 9eb5fff6b0e78819c758892282da5faa915724d0 (git) Affected: ea9b847cda647b9849b0b9fa0447e876a1ac62e1 , < b3b173745c8cab1e24d6821488b60abed3acb24d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "624f03a027f2b18647cc4f1a7a81920a1e4e0201",
"status": "affected",
"version": "ea9b847cda647b9849b0b9fa0447e876a1ac62e1",
"versionType": "git"
},
{
"lessThan": "13180cb88a7be5ee389f65f6ab9f78e46f7722b2",
"status": "affected",
"version": "ea9b847cda647b9849b0b9fa0447e876a1ac62e1",
"versionType": "git"
},
{
"lessThan": "9eb5fff6b0e78819c758892282da5faa915724d0",
"status": "affected",
"version": "ea9b847cda647b9849b0b9fa0447e876a1ac62e1",
"versionType": "git"
},
{
"lessThan": "b3b173745c8cab1e24d6821488b60abed3acb24d",
"status": "affected",
"version": "ea9b847cda647b9849b0b9fa0447e876a1ac62e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: set tx_tstamps when creating new Tx rings via ethtool\n\nWhen the user changes the number of queues via ethtool, the driver\nallocates new rings. This allocation did not initialize tx_tstamps. This\nresults in the tx_tstamps field being zero (due to kcalloc allocation), and\nwould result in a NULL pointer dereference when attempting a transmit\ntimestamp on the new ring."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:03:59.507Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/624f03a027f2b18647cc4f1a7a81920a1e4e0201"
},
{
"url": "https://git.kernel.org/stable/c/13180cb88a7be5ee389f65f6ab9f78e46f7722b2"
},
{
"url": "https://git.kernel.org/stable/c/9eb5fff6b0e78819c758892282da5faa915724d0"
},
{
"url": "https://git.kernel.org/stable/c/b3b173745c8cab1e24d6821488b60abed3acb24d"
}
],
"title": "ice: set tx_tstamps when creating new Tx rings via ethtool",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50710",
"datePublished": "2025-12-24T10:55:23.918Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2026-01-02T15:03:59.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54081 (GCVE-0-2023-54081)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
xen: speed up grant-table reclaim
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen: speed up grant-table reclaim
When a grant entry is still in use by the remote domain, Linux must put
it on a deferred list. Normally, this list is very short, because
the PV network and block protocols expect the backend to unmap the grant
first. However, Qubes OS's GUI protocol is subject to the constraints
of the X Window System, and as such winds up with the frontend unmapping
the window first. As a result, the list can grow very large, resulting
in a massive memory leak and eventual VM freeze.
To partially solve this problem, make the number of entries that the VM
will attempt to free at each iteration tunable. The default is still
10, but it can be overridden via a module parameter.
This is Cc: stable because (when combined with appropriate userspace
changes) it fixes a severe performance and stability problem for Qubes
OS users.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
569ca5b3f94cd0b3295ec5943aa457cf4a4f6a3a , < cd1a8952ff529adc210e62306849fd6f256608c0
(git)
Affected: 569ca5b3f94cd0b3295ec5943aa457cf4a4f6a3a , < c76d96c555895ac602c1587b001e5cf656abc371 (git) Affected: 569ca5b3f94cd0b3295ec5943aa457cf4a4f6a3a , < c04e9894846c663f3278a414f34416e6e45bbe68 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"Documentation/ABI/testing/sysfs-module",
"drivers/xen/grant-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd1a8952ff529adc210e62306849fd6f256608c0",
"status": "affected",
"version": "569ca5b3f94cd0b3295ec5943aa457cf4a4f6a3a",
"versionType": "git"
},
{
"lessThan": "c76d96c555895ac602c1587b001e5cf656abc371",
"status": "affected",
"version": "569ca5b3f94cd0b3295ec5943aa457cf4a4f6a3a",
"versionType": "git"
},
{
"lessThan": "c04e9894846c663f3278a414f34416e6e45bbe68",
"status": "affected",
"version": "569ca5b3f94cd0b3295ec5943aa457cf4a4f6a3a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"Documentation/ABI/testing/sysfs-module",
"drivers/xen/grant-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen: speed up grant-table reclaim\n\nWhen a grant entry is still in use by the remote domain, Linux must put\nit on a deferred list. Normally, this list is very short, because\nthe PV network and block protocols expect the backend to unmap the grant\nfirst. However, Qubes OS\u0027s GUI protocol is subject to the constraints\nof the X Window System, and as such winds up with the frontend unmapping\nthe window first. As a result, the list can grow very large, resulting\nin a massive memory leak and eventual VM freeze.\n\nTo partially solve this problem, make the number of entries that the VM\nwill attempt to free at each iteration tunable. The default is still\n10, but it can be overridden via a module parameter.\n\nThis is Cc: stable because (when combined with appropriate userspace\nchanges) it fixes a severe performance and stability problem for Qubes\nOS users."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:40.979Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd1a8952ff529adc210e62306849fd6f256608c0"
},
{
"url": "https://git.kernel.org/stable/c/c76d96c555895ac602c1587b001e5cf656abc371"
},
{
"url": "https://git.kernel.org/stable/c/c04e9894846c663f3278a414f34416e6e45bbe68"
}
],
"title": "xen: speed up grant-table reclaim",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54081",
"datePublished": "2025-12-24T13:06:13.316Z",
"dateReserved": "2025-12-24T13:02:52.515Z",
"dateUpdated": "2026-01-05T10:33:40.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53831 (GCVE-0-2023-53831)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
net: read sk->sk_family once in sk_mc_loop()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: read sk->sk_family once in sk_mc_loop()
syzbot is playing with IPV6_ADDRFORM quite a lot these days,
and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop()
We have many more similar issues to fix.
WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260
Modules linked in:
CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: events_power_efficient gc_worker
RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782
Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48
RSP: 0018:ffffc90000388530 EFLAGS: 00010246
RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980
RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011
RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65
R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000
R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000
FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
[<ffffffff8507734f>] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83
[<ffffffff85062766>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
[<ffffffff85062766>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
[<ffffffff85061f8c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
[<ffffffff85061f8c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
[<ffffffff852071cf>] dst_output include/net/dst.h:444 [inline]
[<ffffffff852071cf>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
[<ffffffff83618fb4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
[<ffffffff83618fb4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
[<ffffffff83618fb4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
[<ffffffff83618fb4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
[<ffffffff8361ddd9>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
[<ffffffff84763fc0>] netdev_start_xmit include/linux/netdevice.h:4925 [inline]
[<ffffffff84763fc0>] xmit_one net/core/dev.c:3644 [inline]
[<ffffffff84763fc0>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
[<ffffffff8494c650>] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342
[<ffffffff8494d883>] qdisc_restart net/sched/sch_generic.c:407 [inline]
[<ffffffff8494d883>] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415
[<ffffffff8478c426>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125
[<ffffffff84796eac>] net_tx_action+0x7ac/0x940 net/core/dev.c:5247
[<ffffffff858002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599
[<ffffffff814c3fe8>] invoke_softirq kernel/softirq.c:430 [inline]
[<ffffffff814c3fe8>] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683
[<ffffffff814c3f09>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7ad6848c7e81a603605fad3f3575841aab004eea , < 7586a66b9c4f1b8a825ea1dfa3a91aad5cc7b89b
(git)
Affected: 7ad6848c7e81a603605fad3f3575841aab004eea , < e918d0211ffbaf039447334c3460cafee1ce0157 (git) Affected: 7ad6848c7e81a603605fad3f3575841aab004eea , < 41f10a4d78fe69d685a3172e6884297f233dcf95 (git) Affected: 7ad6848c7e81a603605fad3f3575841aab004eea , < 895dc4c47171a20035cdaa8d74c1c1e97f2fc974 (git) Affected: 7ad6848c7e81a603605fad3f3575841aab004eea , < ed4e0adfa407ab65dd73b8862ebf2f308a0349d2 (git) Affected: 7ad6848c7e81a603605fad3f3575841aab004eea , < 9036b6342fcdab190d6edce3dd447859c1de90fc (git) Affected: 7ad6848c7e81a603605fad3f3575841aab004eea , < b1f5b890b89cb38a6c0bac91984d56cd69808e8c (git) Affected: 7ad6848c7e81a603605fad3f3575841aab004eea , < a3e0fdf71bbe031de845e8e08ed7fba49f9c702c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7586a66b9c4f1b8a825ea1dfa3a91aad5cc7b89b",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "e918d0211ffbaf039447334c3460cafee1ce0157",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "41f10a4d78fe69d685a3172e6884297f233dcf95",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "895dc4c47171a20035cdaa8d74c1c1e97f2fc974",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "ed4e0adfa407ab65dd73b8862ebf2f308a0349d2",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "9036b6342fcdab190d6edce3dd447859c1de90fc",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "b1f5b890b89cb38a6c0bac91984d56cd69808e8c",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
},
{
"lessThan": "a3e0fdf71bbe031de845e8e08ed7fba49f9c702c",
"status": "affected",
"version": "7ad6848c7e81a603605fad3f3575841aab004eea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: read sk-\u003esk_family once in sk_mc_loop()\n\nsyzbot is playing with IPV6_ADDRFORM quite a lot these days,\nand managed to hit the WARN_ON_ONCE(1) in sk_mc_loop()\n\nWe have many more similar issues to fix.\n\nWARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260\nModules linked in:\nCPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023\nWorkqueue: events_power_efficient gc_worker\nRIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782\nCode: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd \u003c0f\u003e 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48\nRSP: 0018:ffffc90000388530 EFLAGS: 00010246\nRAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980\nRDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011\nRBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65\nR10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000\nR13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000\nFS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cIRQ\u003e\n[\u003cffffffff8507734f\u003e] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83\n[\u003cffffffff85062766\u003e] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]\n[\u003cffffffff85062766\u003e] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211\n[\u003cffffffff85061f8c\u003e] NF_HOOK_COND include/linux/netfilter.h:298 [inline]\n[\u003cffffffff85061f8c\u003e] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232\n[\u003cffffffff852071cf\u003e] dst_output include/net/dst.h:444 [inline]\n[\u003cffffffff852071cf\u003e] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161\n[\u003cffffffff83618fb4\u003e] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]\n[\u003cffffffff83618fb4\u003e] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]\n[\u003cffffffff83618fb4\u003e] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]\n[\u003cffffffff83618fb4\u003e] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677\n[\u003cffffffff8361ddd9\u003e] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229\n[\u003cffffffff84763fc0\u003e] netdev_start_xmit include/linux/netdevice.h:4925 [inline]\n[\u003cffffffff84763fc0\u003e] xmit_one net/core/dev.c:3644 [inline]\n[\u003cffffffff84763fc0\u003e] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660\n[\u003cffffffff8494c650\u003e] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342\n[\u003cffffffff8494d883\u003e] qdisc_restart net/sched/sch_generic.c:407 [inline]\n[\u003cffffffff8494d883\u003e] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415\n[\u003cffffffff8478c426\u003e] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\n[\u003cffffffff84796eac\u003e] net_tx_action+0x7ac/0x940 net/core/dev.c:5247\n[\u003cffffffff858002bd\u003e] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599\n[\u003cffffffff814c3fe8\u003e] invoke_softirq kernel/softirq.c:430 [inline]\n[\u003cffffffff814c3fe8\u003e] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683\n[\u003cffffffff814c3f09\u003e] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:46.374Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7586a66b9c4f1b8a825ea1dfa3a91aad5cc7b89b"
},
{
"url": "https://git.kernel.org/stable/c/e918d0211ffbaf039447334c3460cafee1ce0157"
},
{
"url": "https://git.kernel.org/stable/c/41f10a4d78fe69d685a3172e6884297f233dcf95"
},
{
"url": "https://git.kernel.org/stable/c/895dc4c47171a20035cdaa8d74c1c1e97f2fc974"
},
{
"url": "https://git.kernel.org/stable/c/ed4e0adfa407ab65dd73b8862ebf2f308a0349d2"
},
{
"url": "https://git.kernel.org/stable/c/9036b6342fcdab190d6edce3dd447859c1de90fc"
},
{
"url": "https://git.kernel.org/stable/c/b1f5b890b89cb38a6c0bac91984d56cd69808e8c"
},
{
"url": "https://git.kernel.org/stable/c/a3e0fdf71bbe031de845e8e08ed7fba49f9c702c"
}
],
"title": "net: read sk-\u003esk_family once in sk_mc_loop()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53831",
"datePublished": "2025-12-09T01:29:46.374Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:46.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50664 (GCVE-0-2022-50664)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-23 13:30
VLAI?
EPSS
Title
media: dvb-frontends: fix leak of memory fw
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-frontends: fix leak of memory fw
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < afccb6ac63fc4328bc61ba086a3cad30054d87c1
(git)
Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < a44828482bd5b11d728d7dac09b0d723aab9ff7b (git) Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < b4d8fd008de1774d99a5b50acc03d92a1919c3a7 (git) Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < 438a4a8dece2abac099777a00db91784c0996cdc (git) Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < b42580c8d8aac11a66046897979cc13cfd04c541 (git) Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < 438cd29fec3ea09769639f6032687e0c1434dbe0 (git) Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < 25cab05aa2df904ee1fea37d8dfa0d92c951bb4e (git) Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < 669fb90507dbaf419aa3871bf73160e93d50487f (git) Affected: 55f51efdb696ff6e9d2056377d05268a97f3d4e4 , < a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/bcm3510.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "afccb6ac63fc4328bc61ba086a3cad30054d87c1",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "a44828482bd5b11d728d7dac09b0d723aab9ff7b",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "b4d8fd008de1774d99a5b50acc03d92a1919c3a7",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "438a4a8dece2abac099777a00db91784c0996cdc",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "b42580c8d8aac11a66046897979cc13cfd04c541",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "438cd29fec3ea09769639f6032687e0c1434dbe0",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "25cab05aa2df904ee1fea37d8dfa0d92c951bb4e",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "669fb90507dbaf419aa3871bf73160e93d50487f",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
},
{
"lessThan": "a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa",
"status": "affected",
"version": "55f51efdb696ff6e9d2056377d05268a97f3d4e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/dvb-frontends/bcm3510.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.13"
},
{
"lessThan": "2.6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: fix leak of memory fw"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:28.896Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/afccb6ac63fc4328bc61ba086a3cad30054d87c1"
},
{
"url": "https://git.kernel.org/stable/c/a44828482bd5b11d728d7dac09b0d723aab9ff7b"
},
{
"url": "https://git.kernel.org/stable/c/b4d8fd008de1774d99a5b50acc03d92a1919c3a7"
},
{
"url": "https://git.kernel.org/stable/c/438a4a8dece2abac099777a00db91784c0996cdc"
},
{
"url": "https://git.kernel.org/stable/c/b42580c8d8aac11a66046897979cc13cfd04c541"
},
{
"url": "https://git.kernel.org/stable/c/438cd29fec3ea09769639f6032687e0c1434dbe0"
},
{
"url": "https://git.kernel.org/stable/c/25cab05aa2df904ee1fea37d8dfa0d92c951bb4e"
},
{
"url": "https://git.kernel.org/stable/c/669fb90507dbaf419aa3871bf73160e93d50487f"
},
{
"url": "https://git.kernel.org/stable/c/a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa"
}
],
"title": "media: dvb-frontends: fix leak of memory fw",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50664",
"datePublished": "2025-12-09T01:29:13.652Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-23T13:30:28.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54079 (GCVE-0-2023-54079)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
power: supply: bq27xxx: Fix poll_interval handling and races on remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
power: supply: bq27xxx: Fix poll_interval handling and races on remove
Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0
to avoid bq27xxx_battery_update() requeuing the delayed_work item.
There are 2 problems with this:
1. If the driver is unbound through sysfs, rather then the module being
rmmod-ed, this changes poll_interval unexpectedly
2. This is racy, after it being set poll_interval could be changed
before bq27xxx_battery_update() checks it through
/sys/module/bq27xxx_battery/parameters/poll_interval
Fix this by added a removed attribute to struct bq27xxx_device_info and
using that instead of setting poll_interval to 0.
There also is another poll_interval related race on remove(), writing
/sys/module/bq27xxx_battery/parameters/poll_interval will requeue
the delayed_work item for all devices on the bq27xxx_battery_devices
list and the device being removed was only removed from that list
after cancelling the delayed_work item.
Fix this by moving the removal from the bq27xxx_battery_devices list
to before cancelling the delayed_work item.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db , < 4c9615474fb0a41cfad658d78db3c9ec70912969
(git)
Affected: 8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db , < 465d919151a1e8d40daf366b868914f59d073211 (git) Affected: 8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db , < 0c5f4cec759679c290720fbcf6bb81768e21c95b (git) Affected: 8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db , < e85757da9091998276ff21a13915ac25229cc232 (git) Affected: 8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db , < e98e5bebfcafc75a7b41192a607dfea5c1268afa (git) Affected: 8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db , < d952a1eaafcc5f0351caad5dbe9b5b3300d1d529 (git) Affected: 8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db , < b12faeca0e819ea09051a705fef9df7ea7e9e18c (git) Affected: 8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db , < c00bc80462afc7963f449d7f21d896d2f629cacc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/bq27xxx_battery.c",
"include/linux/power/bq27xxx_battery.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4c9615474fb0a41cfad658d78db3c9ec70912969",
"status": "affected",
"version": "8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db",
"versionType": "git"
},
{
"lessThan": "465d919151a1e8d40daf366b868914f59d073211",
"status": "affected",
"version": "8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db",
"versionType": "git"
},
{
"lessThan": "0c5f4cec759679c290720fbcf6bb81768e21c95b",
"status": "affected",
"version": "8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db",
"versionType": "git"
},
{
"lessThan": "e85757da9091998276ff21a13915ac25229cc232",
"status": "affected",
"version": "8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db",
"versionType": "git"
},
{
"lessThan": "e98e5bebfcafc75a7b41192a607dfea5c1268afa",
"status": "affected",
"version": "8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db",
"versionType": "git"
},
{
"lessThan": "d952a1eaafcc5f0351caad5dbe9b5b3300d1d529",
"status": "affected",
"version": "8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db",
"versionType": "git"
},
{
"lessThan": "b12faeca0e819ea09051a705fef9df7ea7e9e18c",
"status": "affected",
"version": "8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db",
"versionType": "git"
},
{
"lessThan": "c00bc80462afc7963f449d7f21d896d2f629cacc",
"status": "affected",
"version": "8cfaaa811894a3ae2d7360a15a6cfccff3ebc7db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/bq27xxx_battery.c",
"include/linux/power/bq27xxx_battery.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: bq27xxx: Fix poll_interval handling and races on remove\n\nBefore this patch bq27xxx_battery_teardown() was setting poll_interval = 0\nto avoid bq27xxx_battery_update() requeuing the delayed_work item.\n\nThere are 2 problems with this:\n\n1. If the driver is unbound through sysfs, rather then the module being\n rmmod-ed, this changes poll_interval unexpectedly\n\n2. This is racy, after it being set poll_interval could be changed\n before bq27xxx_battery_update() checks it through\n /sys/module/bq27xxx_battery/parameters/poll_interval\n\nFix this by added a removed attribute to struct bq27xxx_device_info and\nusing that instead of setting poll_interval to 0.\n\nThere also is another poll_interval related race on remove(), writing\n/sys/module/bq27xxx_battery/parameters/poll_interval will requeue\nthe delayed_work item for all devices on the bq27xxx_battery_devices\nlist and the device being removed was only removed from that list\nafter cancelling the delayed_work item.\n\nFix this by moving the removal from the bq27xxx_battery_devices list\nto before cancelling the delayed_work item."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:11.956Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4c9615474fb0a41cfad658d78db3c9ec70912969"
},
{
"url": "https://git.kernel.org/stable/c/465d919151a1e8d40daf366b868914f59d073211"
},
{
"url": "https://git.kernel.org/stable/c/0c5f4cec759679c290720fbcf6bb81768e21c95b"
},
{
"url": "https://git.kernel.org/stable/c/e85757da9091998276ff21a13915ac25229cc232"
},
{
"url": "https://git.kernel.org/stable/c/e98e5bebfcafc75a7b41192a607dfea5c1268afa"
},
{
"url": "https://git.kernel.org/stable/c/d952a1eaafcc5f0351caad5dbe9b5b3300d1d529"
},
{
"url": "https://git.kernel.org/stable/c/b12faeca0e819ea09051a705fef9df7ea7e9e18c"
},
{
"url": "https://git.kernel.org/stable/c/c00bc80462afc7963f449d7f21d896d2f629cacc"
}
],
"title": "power: supply: bq27xxx: Fix poll_interval handling and races on remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54079",
"datePublished": "2025-12-24T13:06:11.956Z",
"dateReserved": "2025-12-24T13:02:52.514Z",
"dateUpdated": "2025-12-24T13:06:11.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53815 (GCVE-0-2023-53815)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
VLAI?
EPSS
Title
posix-timers: Prevent RT livelock in itimer_delete()
Summary
In the Linux kernel, the following vulnerability has been resolved:
posix-timers: Prevent RT livelock in itimer_delete()
itimer_delete() has a retry loop when the timer is concurrently expired. On
non-RT kernels this just spin-waits until the timer callback has completed,
except for posix CPU timers which have HAVE_POSIX_CPU_TIMERS_TASK_WORK
enabled.
In that case and on RT kernels the existing task could live lock when
preempting the task which does the timer delivery.
Replace spin_unlock() with an invocation of timer_wait_running() to handle
it the same way as the other retry loops in the posix timer code.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ec8f954a40da8cd3d159713b608e901f0cd909a9 , < f1be1ed32daa053484222f7f9beb2b16c624dffd
(git)
Affected: ec8f954a40da8cd3d159713b608e901f0cd909a9 , < 0670c4c567b27bd8f999a943028f4fe60d1a1106 (git) Affected: ec8f954a40da8cd3d159713b608e901f0cd909a9 , < e7aff15ba29ba4b3052786b1636fa5c4aa39e179 (git) Affected: ec8f954a40da8cd3d159713b608e901f0cd909a9 , < f9bd298e3e4d3fd6e19f017789a42d0f332cd555 (git) Affected: ec8f954a40da8cd3d159713b608e901f0cd909a9 , < c1968bb8a28625cc95d2ad3ca872ab98c9c36d59 (git) Affected: ec8f954a40da8cd3d159713b608e901f0cd909a9 , < 9d9e522010eb5685d8b53e8a24320653d9d4cbbf (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/time/posix-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f1be1ed32daa053484222f7f9beb2b16c624dffd",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
},
{
"lessThan": "0670c4c567b27bd8f999a943028f4fe60d1a1106",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
},
{
"lessThan": "e7aff15ba29ba4b3052786b1636fa5c4aa39e179",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
},
{
"lessThan": "f9bd298e3e4d3fd6e19f017789a42d0f332cd555",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
},
{
"lessThan": "c1968bb8a28625cc95d2ad3ca872ab98c9c36d59",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
},
{
"lessThan": "9d9e522010eb5685d8b53e8a24320653d9d4cbbf",
"status": "affected",
"version": "ec8f954a40da8cd3d159713b608e901f0cd909a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/time/posix-timers.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nposix-timers: Prevent RT livelock in itimer_delete()\n\nitimer_delete() has a retry loop when the timer is concurrently expired. On\nnon-RT kernels this just spin-waits until the timer callback has completed,\nexcept for posix CPU timers which have HAVE_POSIX_CPU_TIMERS_TASK_WORK\nenabled.\n\nIn that case and on RT kernels the existing task could live lock when\npreempting the task which does the timer delivery.\n\nReplace spin_unlock() with an invocation of timer_wait_running() to handle\nit the same way as the other retry loops in the posix timer code."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:12.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f1be1ed32daa053484222f7f9beb2b16c624dffd"
},
{
"url": "https://git.kernel.org/stable/c/0670c4c567b27bd8f999a943028f4fe60d1a1106"
},
{
"url": "https://git.kernel.org/stable/c/e7aff15ba29ba4b3052786b1636fa5c4aa39e179"
},
{
"url": "https://git.kernel.org/stable/c/f9bd298e3e4d3fd6e19f017789a42d0f332cd555"
},
{
"url": "https://git.kernel.org/stable/c/c1968bb8a28625cc95d2ad3ca872ab98c9c36d59"
},
{
"url": "https://git.kernel.org/stable/c/9d9e522010eb5685d8b53e8a24320653d9d4cbbf"
}
],
"title": "posix-timers: Prevent RT livelock in itimer_delete()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53815",
"datePublished": "2025-12-09T00:01:12.832Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:12.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54155 (GCVE-0-2023-54155)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:07 – Updated: 2025-12-24 13:07
VLAI?
EPSS
Title
net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()
Syzkaller reported the following issue:
=======================================
Too BIG xdp->frame_sz = 131072
WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121
____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline]
WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121
bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103
...
Call Trace:
<TASK>
bpf_prog_4add87e5301a4105+0x1a/0x1c
__bpf_prog_run include/linux/filter.h:600 [inline]
bpf_prog_run_xdp include/linux/filter.h:775 [inline]
bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721
netif_receive_generic_xdp net/core/dev.c:4807 [inline]
do_xdp_generic+0x35c/0x770 net/core/dev.c:4866
tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919
tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043
call_write_iter include/linux/fs.h:1871 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x650/0xe40 fs/read_write.c:584
ksys_write+0x12f/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
xdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87
("xdp: Allow bpf_xdp_adjust_tail() to grow packet size"). But Jesper
Dangaard Brouer <jbrouer@redhat.com> noted that after introducing the
xdp_init_buff() which all XDP driver use - it's safe to remove this
check. The original intend was to catch cases where XDP drivers have
not been updated to use xdp.frame_sz, but that is not longer a concern
(since xdp_init_buff).
Running the initial syzkaller repro it was discovered that the
contiguous physical memory allocation is used for both xdp paths in
tun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also
stated by Jesper Dangaard Brouer <jbrouer@redhat.com> that XDP can
work on higher order pages, as long as this is contiguous physical
memory (e.g. a page).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
43b5169d8355ccf26d726fbc75f083b2429113e4 , < a09c258cfa77d3ba0a7acc555c73eb6b005c4bd8
(git)
Affected: 43b5169d8355ccf26d726fbc75f083b2429113e4 , < 20acffcdc2b74fb7dcc4e299f7aca173df89d911 (git) Affected: 43b5169d8355ccf26d726fbc75f083b2429113e4 , < d9252d67ed2f921c230bba449ee051b5c32e4841 (git) Affected: 43b5169d8355ccf26d726fbc75f083b2429113e4 , < d14eea09edf427fa36bd446f4a3271f99164202f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a09c258cfa77d3ba0a7acc555c73eb6b005c4bd8",
"status": "affected",
"version": "43b5169d8355ccf26d726fbc75f083b2429113e4",
"versionType": "git"
},
{
"lessThan": "20acffcdc2b74fb7dcc4e299f7aca173df89d911",
"status": "affected",
"version": "43b5169d8355ccf26d726fbc75f083b2429113e4",
"versionType": "git"
},
{
"lessThan": "d9252d67ed2f921c230bba449ee051b5c32e4841",
"status": "affected",
"version": "43b5169d8355ccf26d726fbc75f083b2429113e4",
"versionType": "git"
},
{
"lessThan": "d14eea09edf427fa36bd446f4a3271f99164202f",
"status": "affected",
"version": "43b5169d8355ccf26d726fbc75f083b2429113e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()\n\nSyzkaller reported the following issue:\n=======================================\nToo BIG xdp-\u003eframe_sz = 131072\nWARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121\n ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline]\nWARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121\n bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103\n...\nCall Trace:\n \u003cTASK\u003e\n bpf_prog_4add87e5301a4105+0x1a/0x1c\n __bpf_prog_run include/linux/filter.h:600 [inline]\n bpf_prog_run_xdp include/linux/filter.h:775 [inline]\n bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721\n netif_receive_generic_xdp net/core/dev.c:4807 [inline]\n do_xdp_generic+0x35c/0x770 net/core/dev.c:4866\n tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919\n tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043\n call_write_iter include/linux/fs.h:1871 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x650/0xe40 fs/read_write.c:584\n ksys_write+0x12f/0x250 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nxdp-\u003eframe_sz \u003e PAGE_SIZE check was introduced in commit c8741e2bfe87\n(\"xdp: Allow bpf_xdp_adjust_tail() to grow packet size\"). But Jesper\nDangaard Brouer \u003cjbrouer@redhat.com\u003e noted that after introducing the\nxdp_init_buff() which all XDP driver use - it\u0027s safe to remove this\ncheck. The original intend was to catch cases where XDP drivers have\nnot been updated to use xdp.frame_sz, but that is not longer a concern\n(since xdp_init_buff).\n\nRunning the initial syzkaller repro it was discovered that the\ncontiguous physical memory allocation is used for both xdp paths in\ntun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also\nstated by Jesper Dangaard Brouer \u003cjbrouer@redhat.com\u003e that XDP can\nwork on higher order pages, as long as this is contiguous physical\nmemory (e.g. a page)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:07:05.385Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a09c258cfa77d3ba0a7acc555c73eb6b005c4bd8"
},
{
"url": "https://git.kernel.org/stable/c/20acffcdc2b74fb7dcc4e299f7aca173df89d911"
},
{
"url": "https://git.kernel.org/stable/c/d9252d67ed2f921c230bba449ee051b5c32e4841"
},
{
"url": "https://git.kernel.org/stable/c/d14eea09edf427fa36bd446f4a3271f99164202f"
}
],
"title": "net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54155",
"datePublished": "2025-12-24T13:07:05.385Z",
"dateReserved": "2025-12-24T13:02:52.530Z",
"dateUpdated": "2025-12-24T13:07:05.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54156 (GCVE-0-2023-54156)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:07 – Updated: 2025-12-24 13:07
VLAI?
EPSS
Title
sfc: fix crash when reading stats while NIC is resetting
Summary
In the Linux kernel, the following vulnerability has been resolved:
sfc: fix crash when reading stats while NIC is resetting
efx_net_stats() (.ndo_get_stats64) can be called during an ethtool
selftest, during which time nic_data->mc_stats is NULL as the NIC has
been fini'd. In this case do not attempt to fetch the latest stats
from the hardware, else we will crash on a NULL dereference:
BUG: kernel NULL pointer dereference, address: 0000000000000038
RIP efx_nic_update_stats
abridged calltrace:
efx_ef10_update_stats_pf
efx_net_stats
dev_get_stats
dev_seq_printf_stats
Skipping the read is safe, we will simply give out stale stats.
To ensure that the free in efx_ef10_fini_nic() does not race against
efx_ef10_update_stats_pf(), which could cause a TOCTTOU bug, take the
efx->stats_lock in fini_nic (it is already held across update_stats).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d3142c193dca9a2f6878f4128ce1aaf221bb3f99 , < cb1aa7cc562cab6a87ea33574c8c65f2d2fd7aeb
(git)
Affected: d3142c193dca9a2f6878f4128ce1aaf221bb3f99 , < 91f4ef204e731565afdc6c2a7fcf509a3fd6fd67 (git) Affected: d3142c193dca9a2f6878f4128ce1aaf221bb3f99 , < 446f5567934331923d0aec4ce045e4ecb0174aae (git) Affected: d3142c193dca9a2f6878f4128ce1aaf221bb3f99 , < 470152d76b3ed107d172ea46acc4bfa941f20b4b (git) Affected: d3142c193dca9a2f6878f4128ce1aaf221bb3f99 , < aba32b4c58112960c0c708703ca6b44dc8944082 (git) Affected: d3142c193dca9a2f6878f4128ce1aaf221bb3f99 , < d1b355438b8325a486f087e506d412c4e852f37b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/ef10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb1aa7cc562cab6a87ea33574c8c65f2d2fd7aeb",
"status": "affected",
"version": "d3142c193dca9a2f6878f4128ce1aaf221bb3f99",
"versionType": "git"
},
{
"lessThan": "91f4ef204e731565afdc6c2a7fcf509a3fd6fd67",
"status": "affected",
"version": "d3142c193dca9a2f6878f4128ce1aaf221bb3f99",
"versionType": "git"
},
{
"lessThan": "446f5567934331923d0aec4ce045e4ecb0174aae",
"status": "affected",
"version": "d3142c193dca9a2f6878f4128ce1aaf221bb3f99",
"versionType": "git"
},
{
"lessThan": "470152d76b3ed107d172ea46acc4bfa941f20b4b",
"status": "affected",
"version": "d3142c193dca9a2f6878f4128ce1aaf221bb3f99",
"versionType": "git"
},
{
"lessThan": "aba32b4c58112960c0c708703ca6b44dc8944082",
"status": "affected",
"version": "d3142c193dca9a2f6878f4128ce1aaf221bb3f99",
"versionType": "git"
},
{
"lessThan": "d1b355438b8325a486f087e506d412c4e852f37b",
"status": "affected",
"version": "d3142c193dca9a2f6878f4128ce1aaf221bb3f99",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/sfc/ef10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix crash when reading stats while NIC is resetting\n\nefx_net_stats() (.ndo_get_stats64) can be called during an ethtool\n selftest, during which time nic_data-\u003emc_stats is NULL as the NIC has\n been fini\u0027d. In this case do not attempt to fetch the latest stats\n from the hardware, else we will crash on a NULL dereference:\n BUG: kernel NULL pointer dereference, address: 0000000000000038\n RIP efx_nic_update_stats\n abridged calltrace:\n efx_ef10_update_stats_pf\n efx_net_stats\n dev_get_stats\n dev_seq_printf_stats\nSkipping the read is safe, we will simply give out stale stats.\nTo ensure that the free in efx_ef10_fini_nic() does not race against\n efx_ef10_update_stats_pf(), which could cause a TOCTTOU bug, take the\n efx-\u003estats_lock in fini_nic (it is already held across update_stats)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:07:06.043Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb1aa7cc562cab6a87ea33574c8c65f2d2fd7aeb"
},
{
"url": "https://git.kernel.org/stable/c/91f4ef204e731565afdc6c2a7fcf509a3fd6fd67"
},
{
"url": "https://git.kernel.org/stable/c/446f5567934331923d0aec4ce045e4ecb0174aae"
},
{
"url": "https://git.kernel.org/stable/c/470152d76b3ed107d172ea46acc4bfa941f20b4b"
},
{
"url": "https://git.kernel.org/stable/c/aba32b4c58112960c0c708703ca6b44dc8944082"
},
{
"url": "https://git.kernel.org/stable/c/d1b355438b8325a486f087e506d412c4e852f37b"
}
],
"title": "sfc: fix crash when reading stats while NIC is resetting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54156",
"datePublished": "2025-12-24T13:07:06.043Z",
"dateReserved": "2025-12-24T13:02:52.530Z",
"dateUpdated": "2025-12-24T13:07:06.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40337 (GCVE-0-2025-40337)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
net: stmmac: Correctly handle Rx checksum offload errors
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: Correctly handle Rx checksum offload errors
The stmmac_rx function would previously set skb->ip_summed to
CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled
and the packet was of a known IP ethertype.
However, this logic failed to check if the hardware had actually
reported a checksum error. The hardware status, indicating a header or
payload checksum failure, was being ignored at this stage. This could
cause corrupt packets to be passed up the network stack as valid.
This patch corrects the logic by checking the `csum_none` status flag,
which is set when the hardware reports a checksum error. If this flag
is set, skb->ip_summed is now correctly set to CHECKSUM_NONE,
ensuring the kernel's network stack will perform its own validation and
properly handle the corrupt packet.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 63fbe0e6413279d5ea5842e2423e351ded547683
(git)
Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 719fcdf29051f7471d5d433475af76219019d33d (git) Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 1aa319e0f12d2d761a31556b82a5852c98eb0bea (git) Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < ee0aace5f844ef59335148875d05bec8764e71e8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "63fbe0e6413279d5ea5842e2423e351ded547683",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
},
{
"lessThan": "719fcdf29051f7471d5d433475af76219019d33d",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
},
{
"lessThan": "1aa319e0f12d2d761a31556b82a5852c98eb0bea",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
},
{
"lessThan": "ee0aace5f844ef59335148875d05bec8764e71e8",
"status": "affected",
"version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Correctly handle Rx checksum offload errors\n\nThe stmmac_rx function would previously set skb-\u003eip_summed to\nCHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled\nand the packet was of a known IP ethertype.\n\nHowever, this logic failed to check if the hardware had actually\nreported a checksum error. The hardware status, indicating a header or\npayload checksum failure, was being ignored at this stage. This could\ncause corrupt packets to be passed up the network stack as valid.\n\nThis patch corrects the logic by checking the `csum_none` status flag,\nwhich is set when the hardware reports a checksum error. If this flag\nis set, skb-\u003eip_summed is now correctly set to CHECKSUM_NONE,\nensuring the kernel\u0027s network stack will perform its own validation and\nproperly handle the corrupt packet."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:39.035Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/63fbe0e6413279d5ea5842e2423e351ded547683"
},
{
"url": "https://git.kernel.org/stable/c/719fcdf29051f7471d5d433475af76219019d33d"
},
{
"url": "https://git.kernel.org/stable/c/1aa319e0f12d2d761a31556b82a5852c98eb0bea"
},
{
"url": "https://git.kernel.org/stable/c/ee0aace5f844ef59335148875d05bec8764e71e8"
}
],
"title": "net: stmmac: Correctly handle Rx checksum offload errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40337",
"datePublished": "2025-12-09T04:09:53.808Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:39.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54057 (GCVE-0-2023-54057)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter
The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow,
because the string specifier in the format string sscanf()
has no width limitation.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ca3bf5d47cec8b7614bcb2e9132c40081d6d81db , < 5e97dc748d13fad582136ba0c8cec215c7aeeb17
(git)
Affected: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db , < f2a5ec7f7b28f9b9cd5fac232ff51019a7f7b9e9 (git) Affected: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db , < c513043e0afe6a8ba79d00af358655afabb576d2 (git) Affected: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db , < 2ae19ac3ea82a5b87a81c10adbb497c9e58bdd60 (git) Affected: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db , < 63cd11165e5e0ea2012254c764003eda1f9adb7d (git) Affected: ca3bf5d47cec8b7614bcb2e9132c40081d6d81db , < b6b26d86c61c441144c72f842f7469bb686e1211 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5e97dc748d13fad582136ba0c8cec215c7aeeb17",
"status": "affected",
"version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
"versionType": "git"
},
{
"lessThan": "f2a5ec7f7b28f9b9cd5fac232ff51019a7f7b9e9",
"status": "affected",
"version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
"versionType": "git"
},
{
"lessThan": "c513043e0afe6a8ba79d00af358655afabb576d2",
"status": "affected",
"version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
"versionType": "git"
},
{
"lessThan": "2ae19ac3ea82a5b87a81c10adbb497c9e58bdd60",
"status": "affected",
"version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
"versionType": "git"
},
{
"lessThan": "63cd11165e5e0ea2012254c764003eda1f9adb7d",
"status": "affected",
"version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
"versionType": "git"
},
{
"lessThan": "b6b26d86c61c441144c72f842f7469bb686e1211",
"status": "affected",
"version": "ca3bf5d47cec8b7614bcb2e9132c40081d6d81db",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/amd/init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.237",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.175",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.103",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter\n\nThe \u0027acpiid\u0027 buffer in the parse_ivrs_acpihid function may overflow,\nbecause the string specifier in the format string sscanf()\nhas no width limitation.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:05.208Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e97dc748d13fad582136ba0c8cec215c7aeeb17"
},
{
"url": "https://git.kernel.org/stable/c/f2a5ec7f7b28f9b9cd5fac232ff51019a7f7b9e9"
},
{
"url": "https://git.kernel.org/stable/c/c513043e0afe6a8ba79d00af358655afabb576d2"
},
{
"url": "https://git.kernel.org/stable/c/2ae19ac3ea82a5b87a81c10adbb497c9e58bdd60"
},
{
"url": "https://git.kernel.org/stable/c/63cd11165e5e0ea2012254c764003eda1f9adb7d"
},
{
"url": "https://git.kernel.org/stable/c/b6b26d86c61c441144c72f842f7469bb686e1211"
}
],
"title": "iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54057",
"datePublished": "2025-12-24T12:23:05.208Z",
"dateReserved": "2025-12-24T12:21:05.091Z",
"dateUpdated": "2025-12-24T12:23:05.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38500 (GCVE-0-2025-38500)
Vulnerability from cvelistv5 – Published: 2025-08-12 16:02 – Updated: 2025-11-03 17:39
VLAI?
EPSS
Title
xfrm: interface: fix use-after-free after changing collect_md xfrm interface
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: interface: fix use-after-free after changing collect_md xfrm interface
collect_md property on xfrm interfaces can only be set on device creation,
thus xfrmi_changelink() should fail when called on such interfaces.
The check to enforce this was done only in the case where the xi was
returned from xfrmi_locate() which doesn't look for the collect_md
interface, and thus the validation was never reached.
Calling changelink would thus errornously place the special interface xi
in the xfrmi_net->xfrmi hash, but since it also exists in the
xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when
the net namespace was taken down [1].
Change the check to use the xi from netdev_priv which is available earlier
in the function to prevent changes in xfrm collect_md interfaces.
[1] resulting oops:
[ 8.516540] kernel BUG at net/core/dev.c:12029!
[ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)
[ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 8.516569] Workqueue: netns cleanup_net
[ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0
[ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24
[ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206
[ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60
[ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122
[ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100
[ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00
[ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00
[ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000
[ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0
[ 8.516625] PKRU: 55555554
[ 8.516627] Call Trace:
[ 8.516632] <TASK>
[ 8.516635] ? rtnl_is_locked+0x15/0x20
[ 8.516641] ? unregister_netdevice_queue+0x29/0xf0
[ 8.516650] ops_undo_list+0x1f2/0x220
[ 8.516659] cleanup_net+0x1ad/0x2e0
[ 8.516664] process_one_work+0x160/0x380
[ 8.516673] worker_thread+0x2aa/0x3c0
[ 8.516679] ? __pfx_worker_thread+0x10/0x10
[ 8.516686] kthread+0xfb/0x200
[ 8.516690] ? __pfx_kthread+0x10/0x10
[ 8.516693] ? __pfx_kthread+0x10/0x10
[ 8.516697] ret_from_fork+0x82/0xf0
[ 8.516705] ? __pfx_kthread+0x10/0x10
[ 8.516709] ret_from_fork_asm+0x1a/0x30
[ 8.516718] </TASK>
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 , < a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4
(git)
Affected: abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 , < bfebdb85496e1da21d3cf05de099210915c3e706 (git) Affected: abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 , < 5918c3f4800a3aef2173865e5903370f21e24f47 (git) Affected: abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 , < 69a31f7a6a81f5ffd3812c442e09ff0be22960f1 (git) Affected: abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 , < a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-38500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T18:10:59.896187Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T18:12:31.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:09.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_interface_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4",
"status": "affected",
"version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
"versionType": "git"
},
{
"lessThan": "bfebdb85496e1da21d3cf05de099210915c3e706",
"status": "affected",
"version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
"versionType": "git"
},
{
"lessThan": "5918c3f4800a3aef2173865e5903370f21e24f47",
"status": "affected",
"version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
"versionType": "git"
},
{
"lessThan": "69a31f7a6a81f5ffd3812c442e09ff0be22960f1",
"status": "affected",
"version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
"versionType": "git"
},
{
"lessThan": "a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b",
"status": "affected",
"version": "abc340b38ba25cd6c7aa2c0bd9150d30738c82d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_interface_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.41",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: interface: fix use-after-free after changing collect_md xfrm interface\n\ncollect_md property on xfrm interfaces can only be set on device creation,\nthus xfrmi_changelink() should fail when called on such interfaces.\n\nThe check to enforce this was done only in the case where the xi was\nreturned from xfrmi_locate() which doesn\u0027t look for the collect_md\ninterface, and thus the validation was never reached.\n\nCalling changelink would thus errornously place the special interface xi\nin the xfrmi_net-\u003exfrmi hash, but since it also exists in the\nxfrmi_net-\u003ecollect_md_xfrmi pointer it would lead to a double free when\nthe net namespace was taken down [1].\n\nChange the check to use the xi from netdev_priv which is available earlier\nin the function to prevent changes in xfrm collect_md interfaces.\n\n[1] resulting oops:\n[ 8.516540] kernel BUG at net/core/dev.c:12029!\n[ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)\n[ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 8.516569] Workqueue: netns cleanup_net\n[ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0\n[ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 \u003c0f\u003e 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24\n[ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206\n[ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60\n[ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122\n[ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100\n[ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00\n[ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00\n[ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000\n[ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0\n[ 8.516625] PKRU: 55555554\n[ 8.516627] Call Trace:\n[ 8.516632] \u003cTASK\u003e\n[ 8.516635] ? rtnl_is_locked+0x15/0x20\n[ 8.516641] ? unregister_netdevice_queue+0x29/0xf0\n[ 8.516650] ops_undo_list+0x1f2/0x220\n[ 8.516659] cleanup_net+0x1ad/0x2e0\n[ 8.516664] process_one_work+0x160/0x380\n[ 8.516673] worker_thread+0x2aa/0x3c0\n[ 8.516679] ? __pfx_worker_thread+0x10/0x10\n[ 8.516686] kthread+0xfb/0x200\n[ 8.516690] ? __pfx_kthread+0x10/0x10\n[ 8.516693] ? __pfx_kthread+0x10/0x10\n[ 8.516697] ret_from_fork+0x82/0xf0\n[ 8.516705] ? __pfx_kthread+0x10/0x10\n[ 8.516709] ret_from_fork_asm+0x1a/0x30\n[ 8.516718] \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T15:16:37.105Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8d4748b954584ab7bd800f1a4e46d5b0eeb5ce4"
},
{
"url": "https://git.kernel.org/stable/c/bfebdb85496e1da21d3cf05de099210915c3e706"
},
{
"url": "https://git.kernel.org/stable/c/5918c3f4800a3aef2173865e5903370f21e24f47"
},
{
"url": "https://git.kernel.org/stable/c/69a31f7a6a81f5ffd3812c442e09ff0be22960f1"
},
{
"url": "https://git.kernel.org/stable/c/a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b"
}
],
"title": "xfrm: interface: fix use-after-free after changing collect_md xfrm interface",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38500",
"datePublished": "2025-08-12T16:02:42.363Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2025-11-03T17:39:09.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50717 (GCVE-0-2022-50717)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
nvmet-tcp: add bounds check on Transfer Tag
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: add bounds check on Transfer Tag
ttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(),
add a bounds check to avoid out-of-bounds access.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 0d150ccd55dbfad36f55855b40b381884c98456e
(git)
Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < d5bb45f47b37d10f010355686b28c9ebacb361d4 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < ec8adf767e1cfa7031f853b8c71ba1963f07df15 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < fcf82e4553db911d10234ff2390cfd0e2aa854e4 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 752593d04637ebdc87fd29cba81897f21ae053f0 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0d150ccd55dbfad36f55855b40b381884c98456e",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "d5bb45f47b37d10f010355686b28c9ebacb361d4",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "ec8adf767e1cfa7031f853b8c71ba1963f07df15",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "fcf82e4553db911d10234ff2390cfd0e2aa854e4",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "752593d04637ebdc87fd29cba81897f21ae053f0",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds check on Transfer Tag\n\nttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(),\nadd a bounds check to avoid out-of-bounds access."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:03.799Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d150ccd55dbfad36f55855b40b381884c98456e"
},
{
"url": "https://git.kernel.org/stable/c/d5bb45f47b37d10f010355686b28c9ebacb361d4"
},
{
"url": "https://git.kernel.org/stable/c/ec8adf767e1cfa7031f853b8c71ba1963f07df15"
},
{
"url": "https://git.kernel.org/stable/c/fcf82e4553db911d10234ff2390cfd0e2aa854e4"
},
{
"url": "https://git.kernel.org/stable/c/752593d04637ebdc87fd29cba81897f21ae053f0"
},
{
"url": "https://git.kernel.org/stable/c/b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b"
}
],
"title": "nvmet-tcp: add bounds check on Transfer Tag",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50717",
"datePublished": "2025-12-24T12:22:41.269Z",
"dateReserved": "2025-12-24T12:20:40.329Z",
"dateUpdated": "2026-01-02T15:04:03.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50763 (GCVE-0-2022-50763)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
crypto: marvell/octeontx - prevent integer overflows
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: marvell/octeontx - prevent integer overflows
The "code_length" value comes from the firmware file. If your firmware
is untrusted realistically there is probably very little you can do to
protect yourself. Still we try to limit the damage as much as possible.
Also Smatch marks any data read from the filesystem as untrusted and
prints warnings if it not capped correctly.
The "code_length * 2" can overflow. The round_up(ucode_size, 16) +
sizeof() expression can overflow too. Prevent these overflows.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d9110b0b01ff1cd02751cd5c2c94e938a8906083 , < 7bfa7d67735381715c98091194e81e7685f9b7db
(git)
Affected: d9110b0b01ff1cd02751cd5c2c94e938a8906083 , < 12acfa1059ad69aa352ddb2bf23ba1b831aff15f (git) Affected: d9110b0b01ff1cd02751cd5c2c94e938a8906083 , < 8f5eee162e55175d9dac98b5e9b8da76449d2257 (git) Affected: d9110b0b01ff1cd02751cd5c2c94e938a8906083 , < e7ff7a46baafd38d7ed45604397e650d61f5db8d (git) Affected: d9110b0b01ff1cd02751cd5c2c94e938a8906083 , < caca37cf6c749ff0303f68418cfe7b757a4e0697 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7bfa7d67735381715c98091194e81e7685f9b7db",
"status": "affected",
"version": "d9110b0b01ff1cd02751cd5c2c94e938a8906083",
"versionType": "git"
},
{
"lessThan": "12acfa1059ad69aa352ddb2bf23ba1b831aff15f",
"status": "affected",
"version": "d9110b0b01ff1cd02751cd5c2c94e938a8906083",
"versionType": "git"
},
{
"lessThan": "8f5eee162e55175d9dac98b5e9b8da76449d2257",
"status": "affected",
"version": "d9110b0b01ff1cd02751cd5c2c94e938a8906083",
"versionType": "git"
},
{
"lessThan": "e7ff7a46baafd38d7ed45604397e650d61f5db8d",
"status": "affected",
"version": "d9110b0b01ff1cd02751cd5c2c94e938a8906083",
"versionType": "git"
},
{
"lessThan": "caca37cf6c749ff0303f68418cfe7b757a4e0697",
"status": "affected",
"version": "d9110b0b01ff1cd02751cd5c2c94e938a8906083",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: marvell/octeontx - prevent integer overflows\n\nThe \"code_length\" value comes from the firmware file. If your firmware\nis untrusted realistically there is probably very little you can do to\nprotect yourself. Still we try to limit the damage as much as possible.\nAlso Smatch marks any data read from the filesystem as untrusted and\nprints warnings if it not capped correctly.\n\nThe \"code_length * 2\" can overflow. The round_up(ucode_size, 16) +\nsizeof() expression can overflow too. Prevent these overflows."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:54.704Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7bfa7d67735381715c98091194e81e7685f9b7db"
},
{
"url": "https://git.kernel.org/stable/c/12acfa1059ad69aa352ddb2bf23ba1b831aff15f"
},
{
"url": "https://git.kernel.org/stable/c/8f5eee162e55175d9dac98b5e9b8da76449d2257"
},
{
"url": "https://git.kernel.org/stable/c/e7ff7a46baafd38d7ed45604397e650d61f5db8d"
},
{
"url": "https://git.kernel.org/stable/c/caca37cf6c749ff0303f68418cfe7b757a4e0697"
}
],
"title": "crypto: marvell/octeontx - prevent integer overflows",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50763",
"datePublished": "2025-12-24T13:05:54.704Z",
"dateReserved": "2025-12-24T13:02:21.545Z",
"dateUpdated": "2025-12-24T13:05:54.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54035 (GCVE-0-2023-54035)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
netfilter: nf_tables: fix underflow in chain reference counter
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: fix underflow in chain reference counter
Set element addition error path decrements reference counter on chains
twice: once on element release and again via nft_data_release().
Then, d6b478666ffa ("netfilter: nf_tables: fix underflow in object
reference counter") incorrectly fixed this by removing the stateful
object reference count decrement.
Restore the stateful object decrement as in b91d90368837 ("netfilter:
nf_tables: fix leaking object reference count") and let
nft_data_release() decrement the chain reference counter, so this is
done only once.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
35651fde1a7bb54dde0a46d35cd0d7136869ae86 , < b068314fd8ce751a7f906e55bb90f3551815f1a0
(git)
Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 9c959671abc7d4ffdf34eed10c64492d43cb6a3c (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < b389139f12f287b8ed2e2628b72df89a081f0b59 (git) Affected: bc9f791d2593f17e39f87c6e2b3a36549a3705b1 (git) Affected: 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50 (git) Affected: a136b7942ad2a50de708f76ea299ccb45ac7a7f9 (git) Affected: 25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 (git) Affected: d60be2da67d172aecf866302c91ea11533eca4d9 (git) Affected: dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b068314fd8ce751a7f906e55bb90f3551815f1a0",
"status": "affected",
"version": "35651fde1a7bb54dde0a46d35cd0d7136869ae86",
"versionType": "git"
},
{
"lessThan": "9c959671abc7d4ffdf34eed10c64492d43cb6a3c",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"lessThan": "b389139f12f287b8ed2e2628b72df89a081f0b59",
"status": "affected",
"version": "628bd3e49cba1c066228e23d71a852c23e26da73",
"versionType": "git"
},
{
"status": "affected",
"version": "bc9f791d2593f17e39f87c6e2b3a36549a3705b1",
"versionType": "git"
},
{
"status": "affected",
"version": "3c7ec098e3b588434a8b07ea9b5b36f04cef1f50",
"versionType": "git"
},
{
"status": "affected",
"version": "a136b7942ad2a50de708f76ea299ccb45ac7a7f9",
"versionType": "git"
},
{
"status": "affected",
"version": "25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8",
"versionType": "git"
},
{
"status": "affected",
"version": "d60be2da67d172aecf866302c91ea11533eca4d9",
"versionType": "git"
},
{
"status": "affected",
"version": "dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix underflow in chain reference counter\n\nSet element addition error path decrements reference counter on chains\ntwice: once on element release and again via nft_data_release().\n\nThen, d6b478666ffa (\"netfilter: nf_tables: fix underflow in object\nreference counter\") incorrectly fixed this by removing the stateful\nobject reference count decrement.\n\nRestore the stateful object decrement as in b91d90368837 (\"netfilter:\nnf_tables: fix leaking object reference count\") and let\nnft_data_release() decrement the chain reference counter, so this is\ndone only once."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:02.358Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b068314fd8ce751a7f906e55bb90f3551815f1a0"
},
{
"url": "https://git.kernel.org/stable/c/9c959671abc7d4ffdf34eed10c64492d43cb6a3c"
},
{
"url": "https://git.kernel.org/stable/c/b389139f12f287b8ed2e2628b72df89a081f0b59"
}
],
"title": "netfilter: nf_tables: fix underflow in chain reference counter",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54035",
"datePublished": "2025-12-24T10:56:02.358Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:56:02.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54252 (GCVE-0-2023-54252)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings
My previous commit introduced a memory leak where the item allocated
from tlmi_setting was not freed.
This commit also renames it to avoid confusion with the similarly name
variable in the same function.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dae47bf0222e1e0eb6684c7e141b7170b0884a4c , < cccdb30935c82be805d3362a15680b95d5cb3ee0
(git)
Affected: f0a67ad7dce49d93570edc795e0312bb787f19bb , < 081da7b1c881828244b93b3befb7c18389f696bb (git) Affected: c9c542eba4edf8d061bd2e5007cf598625e112df , < 43fc0342bac1808fda2b76184e43414727111c6b (git) Affected: 8a02d70679fc1c434401863333c8ea7dbf201494 , < e7d796fccdc8d17c2d21817ebe4c7bf5bbfe5433 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/think-lmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cccdb30935c82be805d3362a15680b95d5cb3ee0",
"status": "affected",
"version": "dae47bf0222e1e0eb6684c7e141b7170b0884a4c",
"versionType": "git"
},
{
"lessThan": "081da7b1c881828244b93b3befb7c18389f696bb",
"status": "affected",
"version": "f0a67ad7dce49d93570edc795e0312bb787f19bb",
"versionType": "git"
},
{
"lessThan": "43fc0342bac1808fda2b76184e43414727111c6b",
"status": "affected",
"version": "c9c542eba4edf8d061bd2e5007cf598625e112df",
"versionType": "git"
},
{
"lessThan": "e7d796fccdc8d17c2d21817ebe4c7bf5bbfe5433",
"status": "affected",
"version": "8a02d70679fc1c434401863333c8ea7dbf201494",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/think-lmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.107",
"status": "affected",
"version": "5.15.106",
"versionType": "semver"
},
{
"lessThan": "6.1.24",
"status": "affected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThan": "6.2.11",
"status": "affected",
"version": "6.2.10",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "5.15.106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "6.1.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "6.2.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings\n\nMy previous commit introduced a memory leak where the item allocated\nfrom tlmi_setting was not freed.\nThis commit also renames it to avoid confusion with the similarly name\nvariable in the same function."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:48.796Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cccdb30935c82be805d3362a15680b95d5cb3ee0"
},
{
"url": "https://git.kernel.org/stable/c/081da7b1c881828244b93b3befb7c18389f696bb"
},
{
"url": "https://git.kernel.org/stable/c/43fc0342bac1808fda2b76184e43414727111c6b"
},
{
"url": "https://git.kernel.org/stable/c/e7d796fccdc8d17c2d21817ebe4c7bf5bbfe5433"
}
],
"title": "platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54252",
"datePublished": "2025-12-30T12:15:48.796Z",
"dateReserved": "2025-12-30T12:06:44.514Z",
"dateUpdated": "2025-12-30T12:15:48.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50853 (GCVE-0-2022-50853)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
NFSv4: Fix a credential leak in _nfs4_discover_trunking()
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4: Fix a credential leak in _nfs4_discover_trunking()
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ead049562758cc415437c0e99b09ce5eb2ab3dc0 , < c6aca4c7ba8f6d40a0cfeeb09160dd8efdf97c64
(git)
Affected: 4f40a5b5544618b096d1611a18219dd91fd57f80 , < dfad5d5e7511933c2ae3d12a8131840074c5a73d (git) Affected: 4f40a5b5544618b096d1611a18219dd91fd57f80 , < b247a9828f6607d41189fa6c2a3be754d33cae86 (git) Affected: 4f40a5b5544618b096d1611a18219dd91fd57f80 , < e83458fce080dc23c25353a1af90bfecf79c7369 (git) Affected: 2f42531f545f2670192b894d14d50e0539e47e24 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6aca4c7ba8f6d40a0cfeeb09160dd8efdf97c64",
"status": "affected",
"version": "ead049562758cc415437c0e99b09ce5eb2ab3dc0",
"versionType": "git"
},
{
"lessThan": "dfad5d5e7511933c2ae3d12a8131840074c5a73d",
"status": "affected",
"version": "4f40a5b5544618b096d1611a18219dd91fd57f80",
"versionType": "git"
},
{
"lessThan": "b247a9828f6607d41189fa6c2a3be754d33cae86",
"status": "affected",
"version": "4f40a5b5544618b096d1611a18219dd91fd57f80",
"versionType": "git"
},
{
"lessThan": "e83458fce080dc23c25353a1af90bfecf79c7369",
"status": "affected",
"version": "4f40a5b5544618b096d1611a18219dd91fd57f80",
"versionType": "git"
},
{
"status": "affected",
"version": "2f42531f545f2670192b894d14d50e0539e47e24",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.15.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4: Fix a credential leak in _nfs4_discover_trunking()"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:29.104Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6aca4c7ba8f6d40a0cfeeb09160dd8efdf97c64"
},
{
"url": "https://git.kernel.org/stable/c/dfad5d5e7511933c2ae3d12a8131840074c5a73d"
},
{
"url": "https://git.kernel.org/stable/c/b247a9828f6607d41189fa6c2a3be754d33cae86"
},
{
"url": "https://git.kernel.org/stable/c/e83458fce080dc23c25353a1af90bfecf79c7369"
}
],
"title": "NFSv4: Fix a credential leak in _nfs4_discover_trunking()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50853",
"datePublished": "2025-12-30T12:15:29.104Z",
"dateReserved": "2025-12-30T12:06:07.134Z",
"dateUpdated": "2025-12-30T12:15:29.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50882 (GCVE-0-2022-50882)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
media: uvcvideo: Fix memory leak in uvc_gpio_parse
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Fix memory leak in uvc_gpio_parse
Previously the unit buffer was allocated before checking the IRQ for
privacy GPIO. In case of error, the unit buffer was leaked.
Allocate the unit buffer after the IRQ to avoid it.
Addresses-Coverity-ID: 1474639 ("Resource leak")
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2886477ff98740cc3333cf785e4de0b1ff3d7a28 , < 6c5da92103bddd1f0c36cb69446ff7cae3043986
(git)
Affected: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 , < deb8f32ae4b10a48c433f2da1b1159521ac24674 (git) Affected: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 , < 4a7ae8d982a89b3b43b36ec7d62a2e3d06ffa16e (git) Affected: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 , < f0f078457f18f10696888f8d0e6aba9deb9cde92 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6c5da92103bddd1f0c36cb69446ff7cae3043986",
"status": "affected",
"version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
"versionType": "git"
},
{
"lessThan": "deb8f32ae4b10a48c433f2da1b1159521ac24674",
"status": "affected",
"version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
"versionType": "git"
},
{
"lessThan": "4a7ae8d982a89b3b43b36ec7d62a2e3d06ffa16e",
"status": "affected",
"version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
"versionType": "git"
},
{
"lessThan": "f0f078457f18f10696888f8d0e6aba9deb9cde92",
"status": "affected",
"version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/uvc/uvc_driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix memory leak in uvc_gpio_parse\n\nPreviously the unit buffer was allocated before checking the IRQ for\nprivacy GPIO. In case of error, the unit buffer was leaked.\n\nAllocate the unit buffer after the IRQ to avoid it.\n\nAddresses-Coverity-ID: 1474639 (\"Resource leak\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:21.019Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c5da92103bddd1f0c36cb69446ff7cae3043986"
},
{
"url": "https://git.kernel.org/stable/c/deb8f32ae4b10a48c433f2da1b1159521ac24674"
},
{
"url": "https://git.kernel.org/stable/c/4a7ae8d982a89b3b43b36ec7d62a2e3d06ffa16e"
},
{
"url": "https://git.kernel.org/stable/c/f0f078457f18f10696888f8d0e6aba9deb9cde92"
}
],
"title": "media: uvcvideo: Fix memory leak in uvc_gpio_parse",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50882",
"datePublished": "2025-12-30T12:23:21.019Z",
"dateReserved": "2025-12-30T12:06:07.137Z",
"dateUpdated": "2025-12-30T12:23:21.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40276 (GCVE-0-2025-40276)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-01-08 09:50
VLAI?
EPSS
Title
drm/panthor: Flush shmem writes before mapping buffers CPU-uncached
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: Flush shmem writes before mapping buffers CPU-uncached
The shmem layer zeroes out the new pages using cached mappings, and if
we don't CPU-flush we might leave dirty cachelines behind, leading to
potential data leaks and/or asynchronous buffer corruption when dirty
cachelines are evicted.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8a1cc07578bf42d85f008316873d710ff684dd29 , < 8355eea2a2e9c323021dfdcb95d7767d382123c4
(git)
Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 7a12f9c96d06b145562f76ffb20369b4692f0911 (git) Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 576c930e5e7dcb937648490611a83f1bf0171048 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8355eea2a2e9c323021dfdcb95d7767d382123c4",
"status": "affected",
"version": "8a1cc07578bf42d85f008316873d710ff684dd29",
"versionType": "git"
},
{
"lessThan": "7a12f9c96d06b145562f76ffb20369b4692f0911",
"status": "affected",
"version": "8a1cc07578bf42d85f008316873d710ff684dd29",
"versionType": "git"
},
{
"lessThan": "576c930e5e7dcb937648490611a83f1bf0171048",
"status": "affected",
"version": "8a1cc07578bf42d85f008316873d710ff684dd29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Flush shmem writes before mapping buffers CPU-uncached\n\nThe shmem layer zeroes out the new pages using cached mappings, and if\nwe don\u0027t CPU-flush we might leave dirty cachelines behind, leading to\npotential data leaks and/or asynchronous buffer corruption when dirty\ncachelines are evicted."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T09:50:20.169Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8355eea2a2e9c323021dfdcb95d7767d382123c4"
},
{
"url": "https://git.kernel.org/stable/c/7a12f9c96d06b145562f76ffb20369b4692f0911"
},
{
"url": "https://git.kernel.org/stable/c/576c930e5e7dcb937648490611a83f1bf0171048"
}
],
"title": "drm/panthor: Flush shmem writes before mapping buffers CPU-uncached",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40276",
"datePublished": "2025-12-06T21:50:59.035Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2026-01-08T09:50:20.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68307 (GCVE-0-2025-68307)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs
The driver lacks the cleanup of failed transfers of URBs. This reduces the
number of available URBs per error by 1. This leads to reduced performance
and ultimately to a complete stop of the transmission.
If the sending of a bulk URB fails do proper cleanup:
- increase netdev stats
- mark the echo_sbk as free
- free the driver's context and do accounting
- wake the send queue
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d08e973a77d128b25e01a08c34d89593fdf222da , < f7a5560675bd85efaf16ab01a43053670ff2b000
(git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 1a588c40a422a3663a52f1c5535e8fb6b044167d (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 4a82072e451eacf24fc66a445e906f5095d215db (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 9c8eb33b7008178b6ce88aa7593d12063ce60ca3 (git) Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 516a0cd1c03fa266bb67dd87940a209fd4e53ce7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7a5560675bd85efaf16ab01a43053670ff2b000",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "1a588c40a422a3663a52f1c5535e8fb6b044167d",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "4a82072e451eacf24fc66a445e906f5095d215db",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "9c8eb33b7008178b6ce88aa7593d12063ce60ca3",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
},
{
"lessThan": "516a0cd1c03fa266bb67dd87940a209fd4e53ce7",
"status": "affected",
"version": "d08e973a77d128b25e01a08c34d89593fdf222da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/gs_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs\n\nThe driver lacks the cleanup of failed transfers of URBs. This reduces the\nnumber of available URBs per error by 1. This leads to reduced performance\nand ultimately to a complete stop of the transmission.\n\nIf the sending of a bulk URB fails do proper cleanup:\n- increase netdev stats\n- mark the echo_sbk as free\n- free the driver\u0027s context and do accounting\n- wake the send queue"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:24.271Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7a5560675bd85efaf16ab01a43053670ff2b000"
},
{
"url": "https://git.kernel.org/stable/c/1a588c40a422a3663a52f1c5535e8fb6b044167d"
},
{
"url": "https://git.kernel.org/stable/c/4a82072e451eacf24fc66a445e906f5095d215db"
},
{
"url": "https://git.kernel.org/stable/c/9c8eb33b7008178b6ce88aa7593d12063ce60ca3"
},
{
"url": "https://git.kernel.org/stable/c/516a0cd1c03fa266bb67dd87940a209fd4e53ce7"
}
],
"title": "can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68307",
"datePublished": "2025-12-16T15:06:24.271Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:24.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68185 (GCVE-0-2025-68185)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing
Theoretically it's an oopsable race, but I don't believe one can manage
to hit it on real hardware; might become doable on a KVM, but it still
won't be easy to attack.
Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of
put_unaligned_be64(), we can put that under ->d_lock and be done with that.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6025f641a0e30afdc5aa62017397b1860ad9f677
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e6cafe71eb3b5579b245ba1bd528a181e77f3df1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fa4daf7d11e45b72aad5d943a7ab991f869fff79 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 504b3fb9948a9e96ebbabdee0d33966a8bab15cb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < eacfd08b26a062f1095b18719715bc82ad35312e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 40be5b9080114f18b0cea386db415b68a7273c1a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f5e570eaab36a110c6ffda32b87c51170990c2d1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a890a2e339b929dbd843328f9a92a1625404fe63 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6025f641a0e30afdc5aa62017397b1860ad9f677",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e6cafe71eb3b5579b245ba1bd528a181e77f3df1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fa4daf7d11e45b72aad5d943a7ab991f869fff79",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "504b3fb9948a9e96ebbabdee0d33966a8bab15cb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eacfd08b26a062f1095b18719715bc82ad35312e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40be5b9080114f18b0cea386db415b68a7273c1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f5e570eaab36a110c6ffda32b87c51170990c2d1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a890a2e339b929dbd843328f9a92a1625404fe63",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs4_setup_readdir(): insufficient locking for -\u003ed_parent-\u003ed_inode dereferencing\n\nTheoretically it\u0027s an oopsable race, but I don\u0027t believe one can manage\nto hit it on real hardware; might become doable on a KVM, but it still\nwon\u0027t be easy to attack.\n\nAnyway, it\u0027s easy to deal with - since xdr_encode_hyper() is just a call of\nput_unaligned_be64(), we can put that under -\u003ed_lock and be done with that."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:15.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6025f641a0e30afdc5aa62017397b1860ad9f677"
},
{
"url": "https://git.kernel.org/stable/c/e6cafe71eb3b5579b245ba1bd528a181e77f3df1"
},
{
"url": "https://git.kernel.org/stable/c/fa4daf7d11e45b72aad5d943a7ab991f869fff79"
},
{
"url": "https://git.kernel.org/stable/c/504b3fb9948a9e96ebbabdee0d33966a8bab15cb"
},
{
"url": "https://git.kernel.org/stable/c/eacfd08b26a062f1095b18719715bc82ad35312e"
},
{
"url": "https://git.kernel.org/stable/c/40be5b9080114f18b0cea386db415b68a7273c1a"
},
{
"url": "https://git.kernel.org/stable/c/f5e570eaab36a110c6ffda32b87c51170990c2d1"
},
{
"url": "https://git.kernel.org/stable/c/a890a2e339b929dbd843328f9a92a1625404fe63"
}
],
"title": "nfs4_setup_readdir(): insufficient locking for -\u003ed_parent-\u003ed_inode dereferencing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68185",
"datePublished": "2025-12-16T13:43:02.894Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2026-01-02T15:34:15.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50884 (GCVE-0-2022-50884)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2026-01-02 15:05
VLAI?
EPSS
Title
drm: Prevent drm_copy_field() to attempt copying a NULL pointer
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: Prevent drm_copy_field() to attempt copying a NULL pointer
There are some struct drm_driver fields that are required by drivers since
drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.
But it can be possible that a driver has a bug and did not set some of the
fields, which leads to drm_copy_field() attempting to copy a NULL pointer:
[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[ +0.010955] Mem abort info:
[ +0.002835] ESR = 0x0000000096000004
[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits
[ +0.005395] SET = 0, FnV = 0
[ +0.003113] EA = 0, S1PTW = 0
[ +0.003182] FSC = 0x04: level 0 translation fault
[ +0.004964] Data abort info:
[ +0.002919] ISV = 0, ISS = 0x00000004
[ +0.003886] CM = 0, WnR = 0
[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000
[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ +0.006925] Internal error: Oops: 96000004 [#1] SMP
...
[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ +0.007061] pc : __pi_strlen+0x14/0x150
[ +0.003895] lr : drm_copy_field+0x30/0x1a4
[ +0.004156] sp : ffff8000094b3a50
[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040
[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040
[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000
[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000
[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40
[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8
[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141
[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000
[ +0.007240] Call trace:
[ +0.002475] __pi_strlen+0x14/0x150
[ +0.003537] drm_version+0x84/0xac
[ +0.003448] drm_ioctl_kernel+0xa8/0x16c
[ +0.003975] drm_ioctl+0x270/0x580
[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc
[ +0.003978] invoke_syscall+0x78/0x100
[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4
[ +0.004767] do_el0_svc+0x38/0x4c
[ +0.003357] el0_svc+0x34/0x100
[ +0.003185] el0t_64_sync_handler+0x11c/0x150
[ +0.004418] el0t_64_sync+0x190/0x194
[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)
[ +0.006180] ---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
22eae947bf76e236ba972f2f11cfd1b083b736ad , < d213914386a0ede76a4549b41de30192fb92c595
(git)
Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < ee9885cd936aad88f84d0cf90bf9a70e83e42a97 (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < 8052612b9d08048ebbebcb572894670b4ac07d2f (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < cdde55f97298e5bb9af6d41c9303a3ec545a370e (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < c28a8082b25ce4ec94999e10a30c50d20bd44a25 (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < ca163e389f0ae096a4e1e19f0a95e60ed80b4e31 (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < 2d6708ea5c2033ff53267feff1876a717689989f (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < 6cf5e9356b2d856403ee480f987f3ea64dbf8d8c (git) Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < f6ee30407e883042482ad4ad30da5eaba47872ee (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d213914386a0ede76a4549b41de30192fb92c595",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "ee9885cd936aad88f84d0cf90bf9a70e83e42a97",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "8052612b9d08048ebbebcb572894670b4ac07d2f",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "cdde55f97298e5bb9af6d41c9303a3ec545a370e",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "c28a8082b25ce4ec94999e10a30c50d20bd44a25",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "ca163e389f0ae096a4e1e19f0a95e60ed80b4e31",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "2d6708ea5c2033ff53267feff1876a717689989f",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "6cf5e9356b2d856403ee480f987f3ea64dbf8d8c",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
},
{
"lessThan": "f6ee30407e883042482ad4ad30da5eaba47872ee",
"status": "affected",
"version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Prevent drm_copy_field() to attempt copying a NULL pointer\n\nThere are some struct drm_driver fields that are required by drivers since\ndrm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.\n\nBut it can be possible that a driver has a bug and did not set some of the\nfields, which leads to drm_copy_field() attempting to copy a NULL pointer:\n\n[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000\n[ +0.010955] Mem abort info:\n[ +0.002835] ESR = 0x0000000096000004\n[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits\n[ +0.005395] SET = 0, FnV = 0\n[ +0.003113] EA = 0, S1PTW = 0\n[ +0.003182] FSC = 0x04: level 0 translation fault\n[ +0.004964] Data abort info:\n[ +0.002919] ISV = 0, ISS = 0x00000004\n[ +0.003886] CM = 0, WnR = 0\n[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000\n[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[ +0.006925] Internal error: Oops: 96000004 [#1] SMP\n...\n[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ +0.007061] pc : __pi_strlen+0x14/0x150\n[ +0.003895] lr : drm_copy_field+0x30/0x1a4\n[ +0.004156] sp : ffff8000094b3a50\n[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040\n[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040\n[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000\n[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000\n[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40\n[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8\n[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141\n[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000\n[ +0.007240] Call trace:\n[ +0.002475] __pi_strlen+0x14/0x150\n[ +0.003537] drm_version+0x84/0xac\n[ +0.003448] drm_ioctl_kernel+0xa8/0x16c\n[ +0.003975] drm_ioctl+0x270/0x580\n[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc\n[ +0.003978] invoke_syscall+0x78/0x100\n[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4\n[ +0.004767] do_el0_svc+0x38/0x4c\n[ +0.003357] el0_svc+0x34/0x100\n[ +0.003185] el0t_64_sync_handler+0x11c/0x150\n[ +0.004418] el0t_64_sync+0x190/0x194\n[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)\n[ +0.006180] ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:05:18.258Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d213914386a0ede76a4549b41de30192fb92c595"
},
{
"url": "https://git.kernel.org/stable/c/ee9885cd936aad88f84d0cf90bf9a70e83e42a97"
},
{
"url": "https://git.kernel.org/stable/c/8052612b9d08048ebbebcb572894670b4ac07d2f"
},
{
"url": "https://git.kernel.org/stable/c/cdde55f97298e5bb9af6d41c9303a3ec545a370e"
},
{
"url": "https://git.kernel.org/stable/c/c28a8082b25ce4ec94999e10a30c50d20bd44a25"
},
{
"url": "https://git.kernel.org/stable/c/ca163e389f0ae096a4e1e19f0a95e60ed80b4e31"
},
{
"url": "https://git.kernel.org/stable/c/2d6708ea5c2033ff53267feff1876a717689989f"
},
{
"url": "https://git.kernel.org/stable/c/6cf5e9356b2d856403ee480f987f3ea64dbf8d8c"
},
{
"url": "https://git.kernel.org/stable/c/f6ee30407e883042482ad4ad30da5eaba47872ee"
}
],
"title": "drm: Prevent drm_copy_field() to attempt copying a NULL pointer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50884",
"datePublished": "2025-12-30T12:34:11.390Z",
"dateReserved": "2025-12-30T12:26:05.425Z",
"dateUpdated": "2026-01-02T15:05:18.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40312 (GCVE-0-2025-40312)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
jfs: Verify inode mode when loading from disk
Summary
In the Linux kernel, the following vulnerability has been resolved:
jfs: Verify inode mode when loading from disk
The inode mode loaded from corrupted disk can be invalid. Do like what
commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk")
does.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 19cce65709a8a2966203653028d9004e28e85bd5
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fabc1348bb8fe6bc80850014ee94bd89945f7f4d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 46c76cfa17d1828c1a889cb54cb11d5ef3dfbc0f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2870a7dec49ccdc3f6ae35da8f5d6737f21133a8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ce054a366c54992185c9514e489a14f145b10c29 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1795277a4e98d82e6451544d43695540cee042ea (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8d6a9cbd276b3b85da0e7e98208f89416fed9265 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7a5aa54fba2bd591b22b9b624e6baa9037276986 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "19cce65709a8a2966203653028d9004e28e85bd5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fabc1348bb8fe6bc80850014ee94bd89945f7f4d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "46c76cfa17d1828c1a889cb54cb11d5ef3dfbc0f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2870a7dec49ccdc3f6ae35da8f5d6737f21133a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ce054a366c54992185c9514e489a14f145b10c29",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1795277a4e98d82e6451544d43695540cee042ea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8d6a9cbd276b3b85da0e7e98208f89416fed9265",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7a5aa54fba2bd591b22b9b624e6baa9037276986",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: Verify inode mode when loading from disk\n\nThe inode mode loaded from corrupted disk can be invalid. Do like what\ncommit 0a9e74051313 (\"isofs: Verify inode mode when loading from disk\")\ndoes."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:32.079Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/19cce65709a8a2966203653028d9004e28e85bd5"
},
{
"url": "https://git.kernel.org/stable/c/fabc1348bb8fe6bc80850014ee94bd89945f7f4d"
},
{
"url": "https://git.kernel.org/stable/c/46c76cfa17d1828c1a889cb54cb11d5ef3dfbc0f"
},
{
"url": "https://git.kernel.org/stable/c/2870a7dec49ccdc3f6ae35da8f5d6737f21133a8"
},
{
"url": "https://git.kernel.org/stable/c/ce054a366c54992185c9514e489a14f145b10c29"
},
{
"url": "https://git.kernel.org/stable/c/1795277a4e98d82e6451544d43695540cee042ea"
},
{
"url": "https://git.kernel.org/stable/c/8d6a9cbd276b3b85da0e7e98208f89416fed9265"
},
{
"url": "https://git.kernel.org/stable/c/7a5aa54fba2bd591b22b9b624e6baa9037276986"
}
],
"title": "jfs: Verify inode mode when loading from disk",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40312",
"datePublished": "2025-12-08T00:46:38.147Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:32.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50714 (GCVE-0-2022-50714)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
wifi: mt76: mt7921e: fix rmmod crash in driver reload test
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921e: fix rmmod crash in driver reload test
In insmod/rmmod stress test, the following crash dump shows up immediately.
The problem is caused by missing mt76_dev in mt7921_pci_remove(). We
should make sure the drvdata is ready before probe() finished.
[168.862789] ==================================================================
[168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480
[168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361
[168.862812] CPU: 7 PID: 5361 Comm: rmmod Tainted: G OE 5.19.0-rc6 #1
[168.862816] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, 05/04/2020
[168.862820] Call Trace:
[168.862822] <TASK>
[168.862825] dump_stack_lvl+0x49/0x63
[168.862832] print_report.cold+0x493/0x6b7
[168.862845] kasan_report+0xa7/0x120
[168.862857] kasan_check_range+0x163/0x200
[168.862861] __kasan_check_write+0x14/0x20
[168.862866] try_to_grab_pending+0x59/0x480
[168.862870] __cancel_work_timer+0xbb/0x340
[168.862898] cancel_work_sync+0x10/0x20
[168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e]
[168.862909] pci_device_remove+0xa3/0x1d0
[168.862914] device_remove+0xc4/0x170
[168.862920] device_release_driver_internal+0x163/0x300
[168.862925] driver_detach+0xc7/0x1a0
[168.862930] bus_remove_driver+0xeb/0x2d0
[168.862935] driver_unregister+0x71/0xb0
[168.862939] pci_unregister_driver+0x30/0x230
[168.862944] mt7921_pci_driver_exit+0x10/0x1b [mt7921e]
[168.862949] __x64_sys_delete_module+0x2f9/0x4b0
[168.862968] do_syscall_64+0x38/0x90
[168.862973] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Test steps:
1. insmode
2. do not ifup
3. rmmod quickly (within 1 second)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1c71e03afe4b457a15e50de40006b927dfc00755 , < 1034d8e08508830161377f136a060e78fc24f2a5
(git)
Affected: 1c71e03afe4b457a15e50de40006b927dfc00755 , < ccda3ebdae719d348f90563b6719fba4929ae283 (git) Affected: 1c71e03afe4b457a15e50de40006b927dfc00755 , < b5a62d612b7baf6e09884e4de94decb6391d6a9d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1034d8e08508830161377f136a060e78fc24f2a5",
"status": "affected",
"version": "1c71e03afe4b457a15e50de40006b927dfc00755",
"versionType": "git"
},
{
"lessThan": "ccda3ebdae719d348f90563b6719fba4929ae283",
"status": "affected",
"version": "1c71e03afe4b457a15e50de40006b927dfc00755",
"versionType": "git"
},
{
"lessThan": "b5a62d612b7baf6e09884e4de94decb6391d6a9d",
"status": "affected",
"version": "1c71e03afe4b457a15e50de40006b927dfc00755",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7921/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921e: fix rmmod crash in driver reload test\n\nIn insmod/rmmod stress test, the following crash dump shows up immediately.\nThe problem is caused by missing mt76_dev in mt7921_pci_remove(). We\nshould make sure the drvdata is ready before probe() finished.\n\n[168.862789] ==================================================================\n[168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480\n[168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361\n[168.862812] CPU: 7 PID: 5361 Comm: rmmod Tainted: G OE 5.19.0-rc6 #1\n[168.862816] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, 05/04/2020\n[168.862820] Call Trace:\n[168.862822] \u003cTASK\u003e\n[168.862825] dump_stack_lvl+0x49/0x63\n[168.862832] print_report.cold+0x493/0x6b7\n[168.862845] kasan_report+0xa7/0x120\n[168.862857] kasan_check_range+0x163/0x200\n[168.862861] __kasan_check_write+0x14/0x20\n[168.862866] try_to_grab_pending+0x59/0x480\n[168.862870] __cancel_work_timer+0xbb/0x340\n[168.862898] cancel_work_sync+0x10/0x20\n[168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e]\n[168.862909] pci_device_remove+0xa3/0x1d0\n[168.862914] device_remove+0xc4/0x170\n[168.862920] device_release_driver_internal+0x163/0x300\n[168.862925] driver_detach+0xc7/0x1a0\n[168.862930] bus_remove_driver+0xeb/0x2d0\n[168.862935] driver_unregister+0x71/0xb0\n[168.862939] pci_unregister_driver+0x30/0x230\n[168.862944] mt7921_pci_driver_exit+0x10/0x1b [mt7921e]\n[168.862949] __x64_sys_delete_module+0x2f9/0x4b0\n[168.862968] do_syscall_64+0x38/0x90\n[168.862973] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nTest steps:\n1. insmode\n2. do not ifup\n3. rmmod quickly (within 1 second)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:39.059Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1034d8e08508830161377f136a060e78fc24f2a5"
},
{
"url": "https://git.kernel.org/stable/c/ccda3ebdae719d348f90563b6719fba4929ae283"
},
{
"url": "https://git.kernel.org/stable/c/b5a62d612b7baf6e09884e4de94decb6391d6a9d"
}
],
"title": "wifi: mt76: mt7921e: fix rmmod crash in driver reload test",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50714",
"datePublished": "2025-12-24T12:22:39.059Z",
"dateReserved": "2025-12-24T12:20:40.329Z",
"dateUpdated": "2025-12-24T12:22:39.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53841 (GCVE-0-2023-53841)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
devlink: report devlink_port_type_warn source device
Summary
In the Linux kernel, the following vulnerability has been resolved:
devlink: report devlink_port_type_warn source device
devlink_port_type_warn is scheduled for port devlink and warning
when the port type is not set. But from this warning it is not easy
found out which device (driver) has no devlink port set.
[ 3709.975552] Type was not set for devlink port.
[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20
[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm
[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse
[ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1
[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022
[ 3710.108437] Workqueue: events devlink_port_type_warn
[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20
[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87
[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282
[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027
[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8
[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18
[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600
[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905
[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000
[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0
[ 3710.108456] PKRU: 55555554
[ 3710.108457] Call Trace:
[ 3710.108458] <TASK>
[ 3710.108459] process_one_work+0x1e2/0x3b0
[ 3710.108466] ? rescuer_thread+0x390/0x390
[ 3710.108468] worker_thread+0x50/0x3a0
[ 3710.108471] ? rescuer_thread+0x390/0x390
[ 3710.108473] kthread+0xdd/0x100
[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20
[ 3710.108479] ret_from_fork+0x1f/0x30
[ 3710.108485] </TASK>
[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]---
After patch:
[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port.
[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < 970c7035f4b03c7be9f49c403ccf6fb0b70039a1
(git)
Affected: 136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < 2864cc9a1fd13666ed7fd9064dc3f2c51a85de32 (git) Affected: 136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < 7552020e3aa8283b215ca6b3840e6f9281ee4664 (git) Affected: 136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < 408d40c729cbe3a918a381405df769491a472122 (git) Affected: 136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < 21b9e0efb38eac1fe7bed369e96980cad45aa9c7 (git) Affected: 136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2 , < a52305a81d6bb74b90b400dfa56455d37872fe4b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/devlink/leftover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "970c7035f4b03c7be9f49c403ccf6fb0b70039a1",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
},
{
"lessThan": "2864cc9a1fd13666ed7fd9064dc3f2c51a85de32",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
},
{
"lessThan": "7552020e3aa8283b215ca6b3840e6f9281ee4664",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
},
{
"lessThan": "408d40c729cbe3a918a381405df769491a472122",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
},
{
"lessThan": "21b9e0efb38eac1fe7bed369e96980cad45aa9c7",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
},
{
"lessThan": "a52305a81d6bb74b90b400dfa56455d37872fe4b",
"status": "affected",
"version": "136bf27fc0e9376525b9b6d9a1aa08508a0d1ac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/devlink/leftover.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: report devlink_port_type_warn source device\n\ndevlink_port_type_warn is scheduled for port devlink and warning\nwhen the port type is not set. But from this warning it is not easy\nfound out which device (driver) has no devlink port set.\n\n[ 3709.975552] Type was not set for devlink port.\n[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20\n[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm\n[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse\n[ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1\n[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022\n[ 3710.108437] Workqueue: events devlink_port_type_warn\n[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20\n[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff \u003c0f\u003e 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87\n[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282\n[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027\n[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8\n[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18\n[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600\n[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905\n[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000\n[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0\n[ 3710.108456] PKRU: 55555554\n[ 3710.108457] Call Trace:\n[ 3710.108458] \u003cTASK\u003e\n[ 3710.108459] process_one_work+0x1e2/0x3b0\n[ 3710.108466] ? rescuer_thread+0x390/0x390\n[ 3710.108468] worker_thread+0x50/0x3a0\n[ 3710.108471] ? rescuer_thread+0x390/0x390\n[ 3710.108473] kthread+0xdd/0x100\n[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20\n[ 3710.108479] ret_from_fork+0x1f/0x30\n[ 3710.108485] \u003c/TASK\u003e\n[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]---\n\nAfter patch:\n[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port.\n[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:01.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/970c7035f4b03c7be9f49c403ccf6fb0b70039a1"
},
{
"url": "https://git.kernel.org/stable/c/2864cc9a1fd13666ed7fd9064dc3f2c51a85de32"
},
{
"url": "https://git.kernel.org/stable/c/7552020e3aa8283b215ca6b3840e6f9281ee4664"
},
{
"url": "https://git.kernel.org/stable/c/408d40c729cbe3a918a381405df769491a472122"
},
{
"url": "https://git.kernel.org/stable/c/21b9e0efb38eac1fe7bed369e96980cad45aa9c7"
},
{
"url": "https://git.kernel.org/stable/c/a52305a81d6bb74b90b400dfa56455d37872fe4b"
}
],
"title": "devlink: report devlink_port_type_warn source device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53841",
"datePublished": "2025-12-09T01:29:58.448Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2026-01-05T10:33:01.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40271 (GCVE-0-2025-40271)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
fs/proc: fix uaf in proc_readdir_de()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/proc: fix uaf in proc_readdir_de()
Pde is erased from subdir rbtree through rb_erase(), but not set the node
to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()
set the erased node to EMPTY, then pde_subdir_next() will return NULL to
avoid uaf access.
We found an uaf issue while using stress-ng testing, need to run testcase
getdent and tun in the same time. The steps of the issue is as follows:
1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current
pde is tun3;
2) in the [time windows] unregister netdevice tun3 and tun2, and erase
them from rbtree. erase tun3 first, and then erase tun2. the
pde(tun2) will be released to slab;
3) continue to getdent process, then pde_subdir_next() will return
pde(tun2) which is released, it will case uaf access.
CPU 0 | CPU 1
-------------------------------------------------------------------------
traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2
sys_getdents64() |
iterate_dir() |
proc_readdir() |
proc_readdir_de() | snmp6_unregister_dev()
pde_get(de); | proc_remove()
read_unlock(&proc_subdir_lock); | remove_proc_subtree()
| write_lock(&proc_subdir_lock);
[time window] | rb_erase(&root->subdir_node, &parent->subdir);
| write_unlock(&proc_subdir_lock);
read_lock(&proc_subdir_lock); |
next = pde_subdir_next(de); |
pde_put(de); |
de = next; //UAF |
rbtree of dev_snmp6
|
pde(tun3)
/ \
NULL pde(tun2)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
710585d4922fd315f2cada8fbe550ae8ed23e994 , < 1d1596d68a6f11d28f677eedf6cf5b17dbfeb491
(git)
Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < c81d0385500446efe48c305bbb83d47f2ae23a50 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 4cba73c4c89219beef7685a47374bf88b1022369 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 6f2482745e510ae1dacc9b090194b9c5f918d774 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 67272c11f379d9aa5e0f6b16286b9d89b3f76046 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 623bb26127fb581a741e880e1e1a47d79aecb6f8 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 03de7ff197a3d0e17d0d5c58fdac99a63cba8110 (git) Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 895b4c0c79b092d732544011c3cecaf7322c36a1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/proc/generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d1596d68a6f11d28f677eedf6cf5b17dbfeb491",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "c81d0385500446efe48c305bbb83d47f2ae23a50",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "4cba73c4c89219beef7685a47374bf88b1022369",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "6f2482745e510ae1dacc9b090194b9c5f918d774",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "67272c11f379d9aa5e0f6b16286b9d89b3f76046",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "623bb26127fb581a741e880e1e1a47d79aecb6f8",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "03de7ff197a3d0e17d0d5c58fdac99a63cba8110",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
},
{
"lessThan": "895b4c0c79b092d732544011c3cecaf7322c36a1",
"status": "affected",
"version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/proc/generic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: fix uaf in proc_readdir_de()\n\nPde is erased from subdir rbtree through rb_erase(), but not set the node\nto EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()\nset the erased node to EMPTY, then pde_subdir_next() will return NULL to\navoid uaf access.\n\nWe found an uaf issue while using stress-ng testing, need to run testcase\ngetdent and tun in the same time. The steps of the issue is as follows:\n\n1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current\n pde is tun3;\n\n2) in the [time windows] unregister netdevice tun3 and tun2, and erase\n them from rbtree. erase tun3 first, and then erase tun2. the\n pde(tun2) will be released to slab;\n\n3) continue to getdent process, then pde_subdir_next() will return\n pde(tun2) which is released, it will case uaf access.\n\nCPU 0 | CPU 1\n-------------------------------------------------------------------------\ntraverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun-\u003edev) //tun3 tun2\nsys_getdents64() |\n iterate_dir() |\n proc_readdir() |\n proc_readdir_de() | snmp6_unregister_dev()\n pde_get(de); | proc_remove()\n read_unlock(\u0026proc_subdir_lock); | remove_proc_subtree()\n | write_lock(\u0026proc_subdir_lock);\n [time window] | rb_erase(\u0026root-\u003esubdir_node, \u0026parent-\u003esubdir);\n | write_unlock(\u0026proc_subdir_lock);\n read_lock(\u0026proc_subdir_lock); |\n next = pde_subdir_next(de); |\n pde_put(de); |\n de = next; //UAF |\n\nrbtree of dev_snmp6\n |\n pde(tun3)\n / \\\n NULL pde(tun2)"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:21.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491"
},
{
"url": "https://git.kernel.org/stable/c/c81d0385500446efe48c305bbb83d47f2ae23a50"
},
{
"url": "https://git.kernel.org/stable/c/4cba73c4c89219beef7685a47374bf88b1022369"
},
{
"url": "https://git.kernel.org/stable/c/6f2482745e510ae1dacc9b090194b9c5f918d774"
},
{
"url": "https://git.kernel.org/stable/c/67272c11f379d9aa5e0f6b16286b9d89b3f76046"
},
{
"url": "https://git.kernel.org/stable/c/623bb26127fb581a741e880e1e1a47d79aecb6f8"
},
{
"url": "https://git.kernel.org/stable/c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110"
},
{
"url": "https://git.kernel.org/stable/c/895b4c0c79b092d732544011c3cecaf7322c36a1"
}
],
"title": "fs/proc: fix uaf in proc_readdir_de()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40271",
"datePublished": "2025-12-06T21:50:53.266Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2026-01-02T15:33:21.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50646 (GCVE-0-2022-50646)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
scsi: hpsa: Fix possible memory leak in hpsa_init_one()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: hpsa: Fix possible memory leak in hpsa_init_one()
The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in
hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to
clean1 directly, which frees h and leaks the h->reply_map.
Fix by calling hpda_free_ctlr_info() to release h->replay_map and h instead
free h directly.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < f4d1c14e8b404766ff2bb8644bb19443d73965de
(git)
Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < f8fc2f18652917cdcc89cb23f3a1b7cb6e119c5e (git) Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < c808edbf580bfc454671cbe66e9d7c2e938e7601 (git) Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < bfe10a1d9fbccdf39f8449d62509f070d8aaaac1 (git) Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < fc998d0a7d65672f0812f11cd0ec4bbe4f8f8507 (git) Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < 0aa7be66168b1e84b2581ffff3ccb54a6c804a1e (git) Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < 9c9ff300e0de07475796495d86f449340d454a0c (git) Affected: 1edd825c11f8ed2c409d6fb6b3d90a042cbf738d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hpsa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f4d1c14e8b404766ff2bb8644bb19443d73965de",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "f8fc2f18652917cdcc89cb23f3a1b7cb6e119c5e",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "c808edbf580bfc454671cbe66e9d7c2e938e7601",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "bfe10a1d9fbccdf39f8449d62509f070d8aaaac1",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "fc998d0a7d65672f0812f11cd0ec4bbe4f8f8507",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "0aa7be66168b1e84b2581ffff3ccb54a6c804a1e",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"lessThan": "9c9ff300e0de07475796495d86f449340d454a0c",
"status": "affected",
"version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
"versionType": "git"
},
{
"status": "affected",
"version": "1edd825c11f8ed2c409d6fb6b3d90a042cbf738d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/hpsa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.63",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hpsa: Fix possible memory leak in hpsa_init_one()\n\nThe hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in\nhpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to\nclean1 directly, which frees h and leaks the h-\u003ereply_map.\n\nFix by calling hpda_free_ctlr_info() to release h-\u003ereplay_map and h instead\nfree h directly."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:20.596Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f4d1c14e8b404766ff2bb8644bb19443d73965de"
},
{
"url": "https://git.kernel.org/stable/c/f8fc2f18652917cdcc89cb23f3a1b7cb6e119c5e"
},
{
"url": "https://git.kernel.org/stable/c/c808edbf580bfc454671cbe66e9d7c2e938e7601"
},
{
"url": "https://git.kernel.org/stable/c/bfe10a1d9fbccdf39f8449d62509f070d8aaaac1"
},
{
"url": "https://git.kernel.org/stable/c/fc998d0a7d65672f0812f11cd0ec4bbe4f8f8507"
},
{
"url": "https://git.kernel.org/stable/c/0aa7be66168b1e84b2581ffff3ccb54a6c804a1e"
},
{
"url": "https://git.kernel.org/stable/c/9c9ff300e0de07475796495d86f449340d454a0c"
}
],
"title": "scsi: hpsa: Fix possible memory leak in hpsa_init_one()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50646",
"datePublished": "2025-12-09T00:00:20.596Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:20.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54316 (GCVE-0-2023-54316)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
refscale: Fix uninitalized use of wait_queue_head_t
Summary
In the Linux kernel, the following vulnerability has been resolved:
refscale: Fix uninitalized use of wait_queue_head_t
Running the refscale test occasionally crashes the kernel with the
following error:
[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8
[ 8569.952900] #PF: supervisor read access in kernel mode
[ 8569.952902] #PF: error_code(0x0000) - not-present page
[ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0
[ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI
[ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021
[ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190
:
[ 8569.952940] Call Trace:
[ 8569.952941] <TASK>
[ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale]
[ 8569.952959] kthread+0x10e/0x130
[ 8569.952966] ret_from_fork+0x1f/0x30
[ 8569.952973] </TASK>
The likely cause is that init_waitqueue_head() is called after the call to
the torture_create_kthread() function that creates the ref_scale_reader
kthread. Although this init_waitqueue_head() call will very likely
complete before this kthread is created and starts running, it is
possible that the calling kthread will be delayed between the calls to
torture_create_kthread() and init_waitqueue_head(). In this case, the
new kthread will use the waitqueue head before it is properly initialized,
which is not good for the kernel's health and well-being.
The above crash happened here:
static inline void __add_wait_queue(...)
{
:
if (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here
The offset of flags from list_head entry in wait_queue_entry is
-0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task
structure is zero initialized, the instruction will try to access address
0xffffffffffffffe8, which is exactly the fault address listed above.
This commit therefore invokes init_waitqueue_head() before creating
the kthread.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
653ed64b01dc5989f8f579d0038e987476c2c023 , < 066fbd8bc981cf49923bf828b7b4092894df577f
(git)
Affected: 653ed64b01dc5989f8f579d0038e987476c2c023 , < ec9d118ad99dc6f1bc674c1e649c25533d89b9ba (git) Affected: 653ed64b01dc5989f8f579d0038e987476c2c023 , < e0322a255a2242dbe4686b6176b3c83dea490529 (git) Affected: 653ed64b01dc5989f8f579d0038e987476c2c023 , < e5de968a9032366198720eac4f368ed7e690b3ef (git) Affected: 653ed64b01dc5989f8f579d0038e987476c2c023 , < 70a2856fd1d0a040c876ba9e3f89b949ae92e4dd (git) Affected: 653ed64b01dc5989f8f579d0038e987476c2c023 , < f5063e8948dad7f31adb007284a5d5038ae31bb8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/rcu/refscale.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "066fbd8bc981cf49923bf828b7b4092894df577f",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
},
{
"lessThan": "ec9d118ad99dc6f1bc674c1e649c25533d89b9ba",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
},
{
"lessThan": "e0322a255a2242dbe4686b6176b3c83dea490529",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
},
{
"lessThan": "e5de968a9032366198720eac4f368ed7e690b3ef",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
},
{
"lessThan": "70a2856fd1d0a040c876ba9e3f89b949ae92e4dd",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
},
{
"lessThan": "f5063e8948dad7f31adb007284a5d5038ae31bb8",
"status": "affected",
"version": "653ed64b01dc5989f8f579d0038e987476c2c023",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/rcu/refscale.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrefscale: Fix uninitalized use of wait_queue_head_t\n\nRunning the refscale test occasionally crashes the kernel with the\nfollowing error:\n\n[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8\n[ 8569.952900] #PF: supervisor read access in kernel mode\n[ 8569.952902] #PF: error_code(0x0000) - not-present page\n[ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0\n[ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI\n[ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021\n[ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190\n :\n[ 8569.952940] Call Trace:\n[ 8569.952941] \u003cTASK\u003e\n[ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale]\n[ 8569.952959] kthread+0x10e/0x130\n[ 8569.952966] ret_from_fork+0x1f/0x30\n[ 8569.952973] \u003c/TASK\u003e\n\nThe likely cause is that init_waitqueue_head() is called after the call to\nthe torture_create_kthread() function that creates the ref_scale_reader\nkthread. Although this init_waitqueue_head() call will very likely\ncomplete before this kthread is created and starts running, it is\npossible that the calling kthread will be delayed between the calls to\ntorture_create_kthread() and init_waitqueue_head(). In this case, the\nnew kthread will use the waitqueue head before it is properly initialized,\nwhich is not good for the kernel\u0027s health and well-being.\n\nThe above crash happened here:\n\n\tstatic inline void __add_wait_queue(...)\n\t{\n\t\t:\n\t\tif (!(wq-\u003eflags \u0026 WQ_FLAG_PRIORITY)) \u003c=== Crash here\n\nThe offset of flags from list_head entry in wait_queue_entry is\n-0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task\nstructure is zero initialized, the instruction will try to access address\n0xffffffffffffffe8, which is exactly the fault address listed above.\n\nThis commit therefore invokes init_waitqueue_head() before creating\nthe kthread."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:46.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/066fbd8bc981cf49923bf828b7b4092894df577f"
},
{
"url": "https://git.kernel.org/stable/c/ec9d118ad99dc6f1bc674c1e649c25533d89b9ba"
},
{
"url": "https://git.kernel.org/stable/c/e0322a255a2242dbe4686b6176b3c83dea490529"
},
{
"url": "https://git.kernel.org/stable/c/e5de968a9032366198720eac4f368ed7e690b3ef"
},
{
"url": "https://git.kernel.org/stable/c/70a2856fd1d0a040c876ba9e3f89b949ae92e4dd"
},
{
"url": "https://git.kernel.org/stable/c/f5063e8948dad7f31adb007284a5d5038ae31bb8"
}
],
"title": "refscale: Fix uninitalized use of wait_queue_head_t",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54316",
"datePublished": "2025-12-30T12:23:46.526Z",
"dateReserved": "2025-12-30T12:06:44.531Z",
"dateUpdated": "2025-12-30T12:23:46.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54132 (GCVE-0-2023-54132)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
erofs: stop parsing non-compact HEAD index if clusterofs is invalid
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: stop parsing non-compact HEAD index if clusterofs is invalid
Syzbot generated a crafted image [1] with a non-compact HEAD index of
clusterofs 33024 while valid numbers should be 0 ~ lclustersize-1,
which causes the following unexpected behavior as below:
BUG: unable to handle page fault for address: fffff52101a3fff9
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffed067 P4D 23ffed067 PUD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 4398 Comm: kworker/u5:1 Not tainted 6.3.0-rc6-syzkaller-g09a9639e56c0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
Workqueue: erofs_worker z_erofs_decompressqueue_work
RIP: 0010:z_erofs_decompress_queue+0xb7e/0x2b40
...
Call Trace:
<TASK>
z_erofs_decompressqueue_work+0x99/0xe0
process_one_work+0x8f6/0x1170
worker_thread+0xa63/0x1210
kthread+0x270/0x300
ret_from_fork+0x1f/0x30
Note that normal images or images using compact indexes are not
impacted. Let's fix this now.
[1] https://lore.kernel.org/r/000000000000ec75b005ee97fbaa@google.com
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
02827e1796b33f1794966f5c3101f8da2dfa9c1d , < 880c79bdb002b9d5b6940e52c2ad3829c2178207
(git)
Affected: 02827e1796b33f1794966f5c3101f8da2dfa9c1d , < 7a4579cd6e4936de107c82499c3c9ee11b63401e (git) Affected: 02827e1796b33f1794966f5c3101f8da2dfa9c1d , < 060fecf1114ff9fcfe87953fe8c4fc5048777160 (git) Affected: 02827e1796b33f1794966f5c3101f8da2dfa9c1d , < 7ee7a86e28ce9ead7112286c388df8d254c373c6 (git) Affected: 02827e1796b33f1794966f5c3101f8da2dfa9c1d , < f01b2894928affa3339d355608713cf3db8360b8 (git) Affected: 02827e1796b33f1794966f5c3101f8da2dfa9c1d , < 96a845419b3722869f09883319de4d55c44d9aef (git) Affected: 02827e1796b33f1794966f5c3101f8da2dfa9c1d , < cc4efd3dd2ac9f89143e5d881609747ecff04164 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/zmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "880c79bdb002b9d5b6940e52c2ad3829c2178207",
"status": "affected",
"version": "02827e1796b33f1794966f5c3101f8da2dfa9c1d",
"versionType": "git"
},
{
"lessThan": "7a4579cd6e4936de107c82499c3c9ee11b63401e",
"status": "affected",
"version": "02827e1796b33f1794966f5c3101f8da2dfa9c1d",
"versionType": "git"
},
{
"lessThan": "060fecf1114ff9fcfe87953fe8c4fc5048777160",
"status": "affected",
"version": "02827e1796b33f1794966f5c3101f8da2dfa9c1d",
"versionType": "git"
},
{
"lessThan": "7ee7a86e28ce9ead7112286c388df8d254c373c6",
"status": "affected",
"version": "02827e1796b33f1794966f5c3101f8da2dfa9c1d",
"versionType": "git"
},
{
"lessThan": "f01b2894928affa3339d355608713cf3db8360b8",
"status": "affected",
"version": "02827e1796b33f1794966f5c3101f8da2dfa9c1d",
"versionType": "git"
},
{
"lessThan": "96a845419b3722869f09883319de4d55c44d9aef",
"status": "affected",
"version": "02827e1796b33f1794966f5c3101f8da2dfa9c1d",
"versionType": "git"
},
{
"lessThan": "cc4efd3dd2ac9f89143e5d881609747ecff04164",
"status": "affected",
"version": "02827e1796b33f1794966f5c3101f8da2dfa9c1d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/zmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: stop parsing non-compact HEAD index if clusterofs is invalid\n\nSyzbot generated a crafted image [1] with a non-compact HEAD index of\nclusterofs 33024 while valid numbers should be 0 ~ lclustersize-1,\nwhich causes the following unexpected behavior as below:\n\n BUG: unable to handle page fault for address: fffff52101a3fff9\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 23ffed067 P4D 23ffed067 PUD 0\n Oops: 0000 [#1] PREEMPT SMP KASAN\n CPU: 1 PID: 4398 Comm: kworker/u5:1 Not tainted 6.3.0-rc6-syzkaller-g09a9639e56c0 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023\n Workqueue: erofs_worker z_erofs_decompressqueue_work\n RIP: 0010:z_erofs_decompress_queue+0xb7e/0x2b40\n ...\n Call Trace:\n \u003cTASK\u003e\n z_erofs_decompressqueue_work+0x99/0xe0\n process_one_work+0x8f6/0x1170\n worker_thread+0xa63/0x1210\n kthread+0x270/0x300\n ret_from_fork+0x1f/0x30\n\nNote that normal images or images using compact indexes are not\nimpacted. Let\u0027s fix this now.\n\n[1] https://lore.kernel.org/r/000000000000ec75b005ee97fbaa@google.com"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:49.030Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/880c79bdb002b9d5b6940e52c2ad3829c2178207"
},
{
"url": "https://git.kernel.org/stable/c/7a4579cd6e4936de107c82499c3c9ee11b63401e"
},
{
"url": "https://git.kernel.org/stable/c/060fecf1114ff9fcfe87953fe8c4fc5048777160"
},
{
"url": "https://git.kernel.org/stable/c/7ee7a86e28ce9ead7112286c388df8d254c373c6"
},
{
"url": "https://git.kernel.org/stable/c/f01b2894928affa3339d355608713cf3db8360b8"
},
{
"url": "https://git.kernel.org/stable/c/96a845419b3722869f09883319de4d55c44d9aef"
},
{
"url": "https://git.kernel.org/stable/c/cc4efd3dd2ac9f89143e5d881609747ecff04164"
}
],
"title": "erofs: stop parsing non-compact HEAD index if clusterofs is invalid",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54132",
"datePublished": "2025-12-24T13:06:49.030Z",
"dateReserved": "2025-12-24T13:02:52.522Z",
"dateUpdated": "2025-12-24T13:06:49.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50669 (GCVE-0-2022-50669)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
misc: ocxl: fix possible name leak in ocxl_file_register_afu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: ocxl: fix possible name leak in ocxl_file_register_afu()
If device_register() returns error in ocxl_file_register_afu(),
the name allocated by dev_set_name() need be freed. As comment
of device_register() says, it should use put_device() to give
up the reference in the error path. So fix this by calling
put_device(), then the name can be freed in kobject_cleanup(),
and info is freed in info_release().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
75ca758adbafc81804c39b2c200ecdc819a6c042 , < 0cd05062371a49774e8a45258bdedf0bd6d3d327
(git)
Affected: 75ca758adbafc81804c39b2c200ecdc819a6c042 , < 7525741cb302a1672b8c3a5edb2a08e4229b5c7c (git) Affected: 75ca758adbafc81804c39b2c200ecdc819a6c042 , < 3299983a6bf628249ac650908e62d12de959341e (git) Affected: 75ca758adbafc81804c39b2c200ecdc819a6c042 , < 557b7de055d1e230ddb6664c29d26917b8db9143 (git) Affected: 75ca758adbafc81804c39b2c200ecdc819a6c042 , < 2fce8b3583d1641a1716486f408478b58e96ec91 (git) Affected: 75ca758adbafc81804c39b2c200ecdc819a6c042 , < a4cb1004aeed2ab893a058fad00a5b41a12c4691 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/ocxl/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cd05062371a49774e8a45258bdedf0bd6d3d327",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "7525741cb302a1672b8c3a5edb2a08e4229b5c7c",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "3299983a6bf628249ac650908e62d12de959341e",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "557b7de055d1e230ddb6664c29d26917b8db9143",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "2fce8b3583d1641a1716486f408478b58e96ec91",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
},
{
"lessThan": "a4cb1004aeed2ab893a058fad00a5b41a12c4691",
"status": "affected",
"version": "75ca758adbafc81804c39b2c200ecdc819a6c042",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/ocxl/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ocxl: fix possible name leak in ocxl_file_register_afu()\n\nIf device_register() returns error in ocxl_file_register_afu(),\nthe name allocated by dev_set_name() need be freed. As comment\nof device_register() says, it should use put_device() to give\nup the reference in the error path. So fix this by calling\nput_device(), then the name can be freed in kobject_cleanup(),\nand info is freed in info_release()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:20.745Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cd05062371a49774e8a45258bdedf0bd6d3d327"
},
{
"url": "https://git.kernel.org/stable/c/7525741cb302a1672b8c3a5edb2a08e4229b5c7c"
},
{
"url": "https://git.kernel.org/stable/c/3299983a6bf628249ac650908e62d12de959341e"
},
{
"url": "https://git.kernel.org/stable/c/557b7de055d1e230ddb6664c29d26917b8db9143"
},
{
"url": "https://git.kernel.org/stable/c/2fce8b3583d1641a1716486f408478b58e96ec91"
},
{
"url": "https://git.kernel.org/stable/c/a4cb1004aeed2ab893a058fad00a5b41a12c4691"
}
],
"title": "misc: ocxl: fix possible name leak in ocxl_file_register_afu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50669",
"datePublished": "2025-12-09T01:29:20.745Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:20.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39963 (GCVE-0-2025-39963)
Vulnerability from cvelistv5 – Published: 2025-10-09 12:13 – Updated: 2025-10-09 12:13
VLAI?
EPSS
Title
io_uring: fix incorrect io_kiocb reference in io_link_skb
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix incorrect io_kiocb reference in io_link_skb
In io_link_skb function, there is a bug where prev_notif is incorrectly
assigned using 'nd' instead of 'prev_nd'. This causes the context
validation check to compare the current notification with itself instead
of comparing it with the previous notification.
Fix by using the correct prev_nd parameter when obtaining prev_notif.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6fe4220912d19152a26ce19713ab232f4263018d , < a89c34babc2e5834aa0905278f26f4dbe4b26b76
(git)
Affected: 6fe4220912d19152a26ce19713ab232f4263018d , < 50a98ce1ea694f1ff8e87bc2f8f84096d1736f6a (git) Affected: 6fe4220912d19152a26ce19713ab232f4263018d , < 2c139a47eff8de24e3350dadb4c9d5e3426db826 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/notif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a89c34babc2e5834aa0905278f26f4dbe4b26b76",
"status": "affected",
"version": "6fe4220912d19152a26ce19713ab232f4263018d",
"versionType": "git"
},
{
"lessThan": "50a98ce1ea694f1ff8e87bc2f8f84096d1736f6a",
"status": "affected",
"version": "6fe4220912d19152a26ce19713ab232f4263018d",
"versionType": "git"
},
{
"lessThan": "2c139a47eff8de24e3350dadb4c9d5e3426db826",
"status": "affected",
"version": "6fe4220912d19152a26ce19713ab232f4263018d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/notif.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.49",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.49",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.9",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix incorrect io_kiocb reference in io_link_skb\n\nIn io_link_skb function, there is a bug where prev_notif is incorrectly\nassigned using \u0027nd\u0027 instead of \u0027prev_nd\u0027. This causes the context\nvalidation check to compare the current notification with itself instead\nof comparing it with the previous notification.\n\nFix by using the correct prev_nd parameter when obtaining prev_notif."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T12:13:23.345Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a89c34babc2e5834aa0905278f26f4dbe4b26b76"
},
{
"url": "https://git.kernel.org/stable/c/50a98ce1ea694f1ff8e87bc2f8f84096d1736f6a"
},
{
"url": "https://git.kernel.org/stable/c/2c139a47eff8de24e3350dadb4c9d5e3426db826"
}
],
"title": "io_uring: fix incorrect io_kiocb reference in io_link_skb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39963",
"datePublished": "2025-10-09T12:13:23.345Z",
"dateReserved": "2025-04-16T07:20:57.149Z",
"dateUpdated": "2025-10-09T12:13:23.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40323 (GCVE-0-2025-40323)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
fbcon: Set fb_display[i]->mode to NULL when the mode is released
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbcon: Set fb_display[i]->mode to NULL when the mode is released
Recently, we discovered the following issue through syzkaller:
BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0
Read of size 4 at addr ff11000001b3c69c by task syz.xxx
...
Call Trace:
<TASK>
dump_stack_lvl+0xab/0xe0
print_address_description.constprop.0+0x2c/0x390
print_report+0xb9/0x280
kasan_report+0xb8/0xf0
fb_mode_is_equal+0x285/0x2f0
fbcon_mode_deleted+0x129/0x180
fb_set_var+0xe7f/0x11d0
do_fb_ioctl+0x6a0/0x750
fb_ioctl+0xe0/0x140
__x64_sys_ioctl+0x193/0x210
do_syscall_64+0x5f/0x9c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Based on experimentation and analysis, during framebuffer unregistration,
only the memory of fb_info->modelist is freed, without setting the
corresponding fb_display[i]->mode to NULL for the freed modes. This leads
to UAF issues during subsequent accesses. Here's an example of reproduction
steps:
1. With /dev/fb0 already registered in the system, load a kernel module
to register a new device /dev/fb1;
2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);
3. Switch console from fb to VGA (to allow normal rmmod of the ko);
4. Unload the kernel module, at this point fb1's modelist is freed, leaving
a wild pointer in fb_display[];
5. Trigger the bug via system calls through fb0 attempting to delete a mode
from fb0.
Add a check in do_unregister_framebuffer(): if the mode to be freed exists
in fb_display[], set the corresponding mode pointer to NULL.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 468f78276a37f4c6499385a4ce28f4f57be6655d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c079d42f70109512eee49123a843be91d8fa133f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < de89d19f4f30d9a8de87b9d08c1bd35cb70576d8 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a1f3058930745d2b938b6b4f5bd9630dc74b26b7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c",
"drivers/video/fbdev/core/fbmem.c",
"include/linux/fbcon.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "468f78276a37f4c6499385a4ce28f4f57be6655d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c079d42f70109512eee49123a843be91d8fa133f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "de89d19f4f30d9a8de87b9d08c1bd35cb70576d8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a1f3058930745d2b938b6b4f5bd9630dc74b26b7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/fbcon.c",
"drivers/video/fbdev/core/fbmem.c",
"include/linux/fbcon.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Set fb_display[i]-\u003emode to NULL when the mode is released\n\nRecently, we discovered the following issue through syzkaller:\n\nBUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0\nRead of size 4 at addr ff11000001b3c69c by task syz.xxx\n...\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xab/0xe0\n print_address_description.constprop.0+0x2c/0x390\n print_report+0xb9/0x280\n kasan_report+0xb8/0xf0\n fb_mode_is_equal+0x285/0x2f0\n fbcon_mode_deleted+0x129/0x180\n fb_set_var+0xe7f/0x11d0\n do_fb_ioctl+0x6a0/0x750\n fb_ioctl+0xe0/0x140\n __x64_sys_ioctl+0x193/0x210\n do_syscall_64+0x5f/0x9c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nBased on experimentation and analysis, during framebuffer unregistration,\nonly the memory of fb_info-\u003emodelist is freed, without setting the\ncorresponding fb_display[i]-\u003emode to NULL for the freed modes. This leads\nto UAF issues during subsequent accesses. Here\u0027s an example of reproduction\nsteps:\n1. With /dev/fb0 already registered in the system, load a kernel module\n to register a new device /dev/fb1;\n2. Set fb1\u0027s mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);\n3. Switch console from fb to VGA (to allow normal rmmod of the ko);\n4. Unload the kernel module, at this point fb1\u0027s modelist is freed, leaving\n a wild pointer in fb_display[];\n5. Trigger the bug via system calls through fb0 attempting to delete a mode\n from fb0.\n\nAdd a check in do_unregister_framebuffer(): if the mode to be freed exists\nin fb_display[], set the corresponding mode pointer to NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:36.178Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb"
},
{
"url": "https://git.kernel.org/stable/c/468f78276a37f4c6499385a4ce28f4f57be6655d"
},
{
"url": "https://git.kernel.org/stable/c/c079d42f70109512eee49123a843be91d8fa133f"
},
{
"url": "https://git.kernel.org/stable/c/de89d19f4f30d9a8de87b9d08c1bd35cb70576d8"
},
{
"url": "https://git.kernel.org/stable/c/a1f3058930745d2b938b6b4f5bd9630dc74b26b7"
}
],
"title": "fbcon: Set fb_display[i]-\u003emode to NULL when the mode is released",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40323",
"datePublished": "2025-12-08T00:46:50.833Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:36.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53808 (GCVE-0-2023-53808)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
VLAI?
EPSS
Title
wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
Always free the zeroed page on return from 'mwifiex_histogram_read()'.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < d3b53ac2b60283f84bcc650aaa8af98500f37b56
(git)
Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 7be90670b967d11f53a9d45bc88fa8ac9daf9709 (git) Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 8f717752f94efae84853e17f2589665c330a0cf5 (git) Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 0c4240d23db525208fd40dd6371ca3254fa1b93d (git) Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 308eb3a609ac39ca9c3e466b35e8825007c8d826 (git) Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 84081b4baafb49211193c6a056d5aee9c0e6ab8e (git) Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 5d66b32a6ecf2e2e1a9523eaa4f8b314832fe06c (git) Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < f76e1da838377777557d78dfeb6d8c532f7118be (git) Affected: cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73 , < 9c8fd72a5c2a031cbc680a2990107ecd958ffcdb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3b53ac2b60283f84bcc650aaa8af98500f37b56",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "7be90670b967d11f53a9d45bc88fa8ac9daf9709",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "8f717752f94efae84853e17f2589665c330a0cf5",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "0c4240d23db525208fd40dd6371ca3254fa1b93d",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "308eb3a609ac39ca9c3e466b35e8825007c8d826",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "84081b4baafb49211193c6a056d5aee9c0e6ab8e",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "5d66b32a6ecf2e2e1a9523eaa4f8b314832fe06c",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "f76e1da838377777557d78dfeb6d8c532f7118be",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
},
{
"lessThan": "9c8fd72a5c2a031cbc680a2990107ecd958ffcdb",
"status": "affected",
"version": "cbf6e05527a7654ac1c4f4787dfd7a182fcc0c73",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: fix memory leak in mwifiex_histogram_read()\n\nAlways free the zeroed page on return from \u0027mwifiex_histogram_read()\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:06.210Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3b53ac2b60283f84bcc650aaa8af98500f37b56"
},
{
"url": "https://git.kernel.org/stable/c/7be90670b967d11f53a9d45bc88fa8ac9daf9709"
},
{
"url": "https://git.kernel.org/stable/c/8f717752f94efae84853e17f2589665c330a0cf5"
},
{
"url": "https://git.kernel.org/stable/c/0c4240d23db525208fd40dd6371ca3254fa1b93d"
},
{
"url": "https://git.kernel.org/stable/c/308eb3a609ac39ca9c3e466b35e8825007c8d826"
},
{
"url": "https://git.kernel.org/stable/c/84081b4baafb49211193c6a056d5aee9c0e6ab8e"
},
{
"url": "https://git.kernel.org/stable/c/5d66b32a6ecf2e2e1a9523eaa4f8b314832fe06c"
},
{
"url": "https://git.kernel.org/stable/c/f76e1da838377777557d78dfeb6d8c532f7118be"
},
{
"url": "https://git.kernel.org/stable/c/9c8fd72a5c2a031cbc680a2990107ecd958ffcdb"
}
],
"title": "wifi: mwifiex: fix memory leak in mwifiex_histogram_read()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53808",
"datePublished": "2025-12-09T00:01:06.210Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2025-12-09T00:01:06.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50667 (GCVE-0-2022-50667)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()
If the copy of the description string from userspace fails, then the page
for the instance descriptor doesn't get freed before returning -EFAULT,
which leads to a memleak.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7a7a933edd6c3a6d5d64e08093f2d564104cefcd , < b47a37ad4a444d82f9caf153a79d090b79786ebb
(git)
Affected: 7a7a933edd6c3a6d5d64e08093f2d564104cefcd , < 6ad40bbb2c25f17b899fcea114ebc0a46d8a938b (git) Affected: 7a7a933edd6c3a6d5d64e08093f2d564104cefcd , < 53066b144715332ce9370143c33c50d9a4d3e809 (git) Affected: 7a7a933edd6c3a6d5d64e08093f2d564104cefcd , < a40c7f61d12fbd1e785e59140b9efd57127c0c33 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_msg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b47a37ad4a444d82f9caf153a79d090b79786ebb",
"status": "affected",
"version": "7a7a933edd6c3a6d5d64e08093f2d564104cefcd",
"versionType": "git"
},
{
"lessThan": "6ad40bbb2c25f17b899fcea114ebc0a46d8a938b",
"status": "affected",
"version": "7a7a933edd6c3a6d5d64e08093f2d564104cefcd",
"versionType": "git"
},
{
"lessThan": "53066b144715332ce9370143c33c50d9a4d3e809",
"status": "affected",
"version": "7a7a933edd6c3a6d5d64e08093f2d564104cefcd",
"versionType": "git"
},
{
"lessThan": "a40c7f61d12fbd1e785e59140b9efd57127c0c33",
"status": "affected",
"version": "7a7a933edd6c3a6d5d64e08093f2d564104cefcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_msg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()\n\nIf the copy of the description string from userspace fails, then the page\nfor the instance descriptor doesn\u0027t get freed before returning -EFAULT,\nwhich leads to a memleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:17.925Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b47a37ad4a444d82f9caf153a79d090b79786ebb"
},
{
"url": "https://git.kernel.org/stable/c/6ad40bbb2c25f17b899fcea114ebc0a46d8a938b"
},
{
"url": "https://git.kernel.org/stable/c/53066b144715332ce9370143c33c50d9a4d3e809"
},
{
"url": "https://git.kernel.org/stable/c/a40c7f61d12fbd1e785e59140b9efd57127c0c33"
}
],
"title": "drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50667",
"datePublished": "2025-12-09T01:29:17.925Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:17.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50889 (GCVE-0-2022-50889)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37
VLAI?
EPSS
Title
dm integrity: Fix UAF in dm_integrity_dtr()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm integrity: Fix UAF in dm_integrity_dtr()
Dm_integrity also has the same UAF problem when dm_resume()
and dm_destroy() are concurrent.
Therefore, cancelling timer again in dm_integrity_dtr().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < 792e51aac376cfb5bd527c2a30826223b82dd177
(git)
Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < a506b5c92757b034034ef683e667bffc456c600b (git) Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < 9215b25f2e105032114e9b92c9783a2a84ee8af9 (git) Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < 9f8e1e54a3a424c6c4fb8742e094789d3ec91e42 (git) Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < b6c93cd61afab061d80cc842333abca97b289774 (git) Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < f50cb2cbabd6c4a60add93d72451728f86e4791c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "792e51aac376cfb5bd527c2a30826223b82dd177",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "a506b5c92757b034034ef683e667bffc456c600b",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "9215b25f2e105032114e9b92c9783a2a84ee8af9",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "9f8e1e54a3a424c6c4fb8742e094789d3ec91e42",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "b6c93cd61afab061d80cc842333abca97b289774",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
},
{
"lessThan": "f50cb2cbabd6c4a60add93d72451728f86e4791c",
"status": "affected",
"version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm integrity: Fix UAF in dm_integrity_dtr()\n\nDm_integrity also has the same UAF problem when dm_resume()\nand dm_destroy() are concurrent.\n\nTherefore, cancelling timer again in dm_integrity_dtr()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:37:06.957Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/792e51aac376cfb5bd527c2a30826223b82dd177"
},
{
"url": "https://git.kernel.org/stable/c/a506b5c92757b034034ef683e667bffc456c600b"
},
{
"url": "https://git.kernel.org/stable/c/9215b25f2e105032114e9b92c9783a2a84ee8af9"
},
{
"url": "https://git.kernel.org/stable/c/9f8e1e54a3a424c6c4fb8742e094789d3ec91e42"
},
{
"url": "https://git.kernel.org/stable/c/b6c93cd61afab061d80cc842333abca97b289774"
},
{
"url": "https://git.kernel.org/stable/c/f50cb2cbabd6c4a60add93d72451728f86e4791c"
}
],
"title": "dm integrity: Fix UAF in dm_integrity_dtr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50889",
"datePublished": "2025-12-30T12:37:06.957Z",
"dateReserved": "2025-12-30T12:35:41.596Z",
"dateUpdated": "2025-12-30T12:37:06.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50769 (GCVE-0-2022-50769)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
mmc: mxcmmc: fix return value check of mmc_add_host()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: mxcmmc: fix return value check of mmc_add_host()
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and goto error path which will call
mmc_free_host().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d96be879ff469759af6d7fcebdb66237c18da6f8 , < 5f35c038c9f4d258b3cf77885a2730f1417d63e7
(git)
Affected: d96be879ff469759af6d7fcebdb66237c18da6f8 , < 1cf0c1e58738b97e2de207846105b6a5d46622ee (git) Affected: d96be879ff469759af6d7fcebdb66237c18da6f8 , < b8bdb3fd13d5cd1e86d22fd3f803a742fd88af89 (git) Affected: d96be879ff469759af6d7fcebdb66237c18da6f8 , < 32eb502c972dfc34413c9147418b3d94d870c2b8 (git) Affected: d96be879ff469759af6d7fcebdb66237c18da6f8 , < 3904eb97bb78fdca3e16d30a38ce5697b9686110 (git) Affected: d96be879ff469759af6d7fcebdb66237c18da6f8 , < 2d496050ded83b13b16f05e1fc0329b0210d2493 (git) Affected: d96be879ff469759af6d7fcebdb66237c18da6f8 , < d37474ab9a79149075f0823315c6d45dd983a78c (git) Affected: d96be879ff469759af6d7fcebdb66237c18da6f8 , < d2ead18bc7cc166220cab5a744a05c5b69431a12 (git) Affected: d96be879ff469759af6d7fcebdb66237c18da6f8 , < cde600af7b413c9fe03e85c58c4279df90e91d13 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/mxcmmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f35c038c9f4d258b3cf77885a2730f1417d63e7",
"status": "affected",
"version": "d96be879ff469759af6d7fcebdb66237c18da6f8",
"versionType": "git"
},
{
"lessThan": "1cf0c1e58738b97e2de207846105b6a5d46622ee",
"status": "affected",
"version": "d96be879ff469759af6d7fcebdb66237c18da6f8",
"versionType": "git"
},
{
"lessThan": "b8bdb3fd13d5cd1e86d22fd3f803a742fd88af89",
"status": "affected",
"version": "d96be879ff469759af6d7fcebdb66237c18da6f8",
"versionType": "git"
},
{
"lessThan": "32eb502c972dfc34413c9147418b3d94d870c2b8",
"status": "affected",
"version": "d96be879ff469759af6d7fcebdb66237c18da6f8",
"versionType": "git"
},
{
"lessThan": "3904eb97bb78fdca3e16d30a38ce5697b9686110",
"status": "affected",
"version": "d96be879ff469759af6d7fcebdb66237c18da6f8",
"versionType": "git"
},
{
"lessThan": "2d496050ded83b13b16f05e1fc0329b0210d2493",
"status": "affected",
"version": "d96be879ff469759af6d7fcebdb66237c18da6f8",
"versionType": "git"
},
{
"lessThan": "d37474ab9a79149075f0823315c6d45dd983a78c",
"status": "affected",
"version": "d96be879ff469759af6d7fcebdb66237c18da6f8",
"versionType": "git"
},
{
"lessThan": "d2ead18bc7cc166220cab5a744a05c5b69431a12",
"status": "affected",
"version": "d96be879ff469759af6d7fcebdb66237c18da6f8",
"versionType": "git"
},
{
"lessThan": "cde600af7b413c9fe03e85c58c4279df90e91d13",
"status": "affected",
"version": "d96be879ff469759af6d7fcebdb66237c18da6f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/mxcmmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mxcmmc: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and goto error path which will call\nmmc_free_host()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:58.994Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f35c038c9f4d258b3cf77885a2730f1417d63e7"
},
{
"url": "https://git.kernel.org/stable/c/1cf0c1e58738b97e2de207846105b6a5d46622ee"
},
{
"url": "https://git.kernel.org/stable/c/b8bdb3fd13d5cd1e86d22fd3f803a742fd88af89"
},
{
"url": "https://git.kernel.org/stable/c/32eb502c972dfc34413c9147418b3d94d870c2b8"
},
{
"url": "https://git.kernel.org/stable/c/3904eb97bb78fdca3e16d30a38ce5697b9686110"
},
{
"url": "https://git.kernel.org/stable/c/2d496050ded83b13b16f05e1fc0329b0210d2493"
},
{
"url": "https://git.kernel.org/stable/c/d37474ab9a79149075f0823315c6d45dd983a78c"
},
{
"url": "https://git.kernel.org/stable/c/d2ead18bc7cc166220cab5a744a05c5b69431a12"
},
{
"url": "https://git.kernel.org/stable/c/cde600af7b413c9fe03e85c58c4279df90e91d13"
}
],
"title": "mmc: mxcmmc: fix return value check of mmc_add_host()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50769",
"datePublished": "2025-12-24T13:05:58.994Z",
"dateReserved": "2025-12-24T13:02:21.546Z",
"dateUpdated": "2025-12-24T13:05:58.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54045 (GCVE-0-2023-54045)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
audit: fix possible soft lockup in __audit_inode_child()
Summary
In the Linux kernel, the following vulnerability has been resolved:
audit: fix possible soft lockup in __audit_inode_child()
Tracefs or debugfs maybe cause hundreds to thousands of PATH records,
too many PATH records maybe cause soft lockup.
For example:
1. CONFIG_KASAN=y && CONFIG_PREEMPTION=n
2. auditctl -a exit,always -S open -k key
3. sysctl -w kernel.watchdog_thresh=5
4. mkdir /sys/kernel/debug/tracing/instances/test
There may be a soft lockup as follows:
watchdog: BUG: soft lockup - CPU#45 stuck for 7s! [mkdir:15498]
Kernel panic - not syncing: softlockup: hung tasks
Call trace:
dump_backtrace+0x0/0x30c
show_stack+0x20/0x30
dump_stack+0x11c/0x174
panic+0x27c/0x494
watchdog_timer_fn+0x2bc/0x390
__run_hrtimer+0x148/0x4fc
__hrtimer_run_queues+0x154/0x210
hrtimer_interrupt+0x2c4/0x760
arch_timer_handler_phys+0x48/0x60
handle_percpu_devid_irq+0xe0/0x340
__handle_domain_irq+0xbc/0x130
gic_handle_irq+0x78/0x460
el1_irq+0xb8/0x140
__audit_inode_child+0x240/0x7bc
tracefs_create_file+0x1b8/0x2a0
trace_create_file+0x18/0x50
event_create_dir+0x204/0x30c
__trace_add_new_event+0xac/0x100
event_trace_add_tracer+0xa0/0x130
trace_array_create_dir+0x60/0x140
trace_array_create+0x1e0/0x370
instance_mkdir+0x90/0xd0
tracefs_syscall_mkdir+0x68/0xa0
vfs_mkdir+0x21c/0x34c
do_mkdirat+0x1b4/0x1d4
__arm64_sys_mkdirat+0x4c/0x60
el0_svc_common.constprop.0+0xa8/0x240
do_el0_svc+0x8c/0xc0
el0_svc+0x20/0x30
el0_sync_handler+0xb0/0xb4
el0_sync+0x160/0x180
Therefore, we add cond_resched() to __audit_inode_child() to fix it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5195d8e217a78697152d64fc09a16e063a022465 , < d061e2bfc20f2914656385816e0d20566213c54c
(git)
Affected: 5195d8e217a78697152d64fc09a16e063a022465 , < 1640c7bd4eddec6c72f3a99cbb74e333a2ce9f5d (git) Affected: 5195d8e217a78697152d64fc09a16e063a022465 , < f6364fa751d7486502c777f124a14d4d543fc5eb (git) Affected: 5195d8e217a78697152d64fc09a16e063a022465 , < 98ef243d5900d75a64539a2165745bffbb155d43 (git) Affected: 5195d8e217a78697152d64fc09a16e063a022465 , < 0152e7758cc4e9f8bfba8dbea4438d8e488d6c08 (git) Affected: 5195d8e217a78697152d64fc09a16e063a022465 , < 9ca08adb75fb40a8f742c371927ee73f9dc753bf (git) Affected: 5195d8e217a78697152d64fc09a16e063a022465 , < 8a40b491372966ba5426e138a53460985565d5a6 (git) Affected: 5195d8e217a78697152d64fc09a16e063a022465 , < 8e76b944a7b9bddef190ffe2e29c9ae342ab91ed (git) Affected: 5195d8e217a78697152d64fc09a16e063a022465 , < b59bc6e37237e37eadf50cd5de369e913f524463 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/auditsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d061e2bfc20f2914656385816e0d20566213c54c",
"status": "affected",
"version": "5195d8e217a78697152d64fc09a16e063a022465",
"versionType": "git"
},
{
"lessThan": "1640c7bd4eddec6c72f3a99cbb74e333a2ce9f5d",
"status": "affected",
"version": "5195d8e217a78697152d64fc09a16e063a022465",
"versionType": "git"
},
{
"lessThan": "f6364fa751d7486502c777f124a14d4d543fc5eb",
"status": "affected",
"version": "5195d8e217a78697152d64fc09a16e063a022465",
"versionType": "git"
},
{
"lessThan": "98ef243d5900d75a64539a2165745bffbb155d43",
"status": "affected",
"version": "5195d8e217a78697152d64fc09a16e063a022465",
"versionType": "git"
},
{
"lessThan": "0152e7758cc4e9f8bfba8dbea4438d8e488d6c08",
"status": "affected",
"version": "5195d8e217a78697152d64fc09a16e063a022465",
"versionType": "git"
},
{
"lessThan": "9ca08adb75fb40a8f742c371927ee73f9dc753bf",
"status": "affected",
"version": "5195d8e217a78697152d64fc09a16e063a022465",
"versionType": "git"
},
{
"lessThan": "8a40b491372966ba5426e138a53460985565d5a6",
"status": "affected",
"version": "5195d8e217a78697152d64fc09a16e063a022465",
"versionType": "git"
},
{
"lessThan": "8e76b944a7b9bddef190ffe2e29c9ae342ab91ed",
"status": "affected",
"version": "5195d8e217a78697152d64fc09a16e063a022465",
"versionType": "git"
},
{
"lessThan": "b59bc6e37237e37eadf50cd5de369e913f524463",
"status": "affected",
"version": "5195d8e217a78697152d64fc09a16e063a022465",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/auditsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naudit: fix possible soft lockup in __audit_inode_child()\n\nTracefs or debugfs maybe cause hundreds to thousands of PATH records,\ntoo many PATH records maybe cause soft lockup.\n\nFor example:\n 1. CONFIG_KASAN=y \u0026\u0026 CONFIG_PREEMPTION=n\n 2. auditctl -a exit,always -S open -k key\n 3. sysctl -w kernel.watchdog_thresh=5\n 4. mkdir /sys/kernel/debug/tracing/instances/test\n\nThere may be a soft lockup as follows:\n watchdog: BUG: soft lockup - CPU#45 stuck for 7s! [mkdir:15498]\n Kernel panic - not syncing: softlockup: hung tasks\n Call trace:\n dump_backtrace+0x0/0x30c\n show_stack+0x20/0x30\n dump_stack+0x11c/0x174\n panic+0x27c/0x494\n watchdog_timer_fn+0x2bc/0x390\n __run_hrtimer+0x148/0x4fc\n __hrtimer_run_queues+0x154/0x210\n hrtimer_interrupt+0x2c4/0x760\n arch_timer_handler_phys+0x48/0x60\n handle_percpu_devid_irq+0xe0/0x340\n __handle_domain_irq+0xbc/0x130\n gic_handle_irq+0x78/0x460\n el1_irq+0xb8/0x140\n __audit_inode_child+0x240/0x7bc\n tracefs_create_file+0x1b8/0x2a0\n trace_create_file+0x18/0x50\n event_create_dir+0x204/0x30c\n __trace_add_new_event+0xac/0x100\n event_trace_add_tracer+0xa0/0x130\n trace_array_create_dir+0x60/0x140\n trace_array_create+0x1e0/0x370\n instance_mkdir+0x90/0xd0\n tracefs_syscall_mkdir+0x68/0xa0\n vfs_mkdir+0x21c/0x34c\n do_mkdirat+0x1b4/0x1d4\n __arm64_sys_mkdirat+0x4c/0x60\n el0_svc_common.constprop.0+0xa8/0x240\n do_el0_svc+0x8c/0xc0\n el0_svc+0x20/0x30\n el0_sync_handler+0xb0/0xb4\n el0_sync+0x160/0x180\n\nTherefore, we add cond_resched() to __audit_inode_child() to fix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:56.742Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d061e2bfc20f2914656385816e0d20566213c54c"
},
{
"url": "https://git.kernel.org/stable/c/1640c7bd4eddec6c72f3a99cbb74e333a2ce9f5d"
},
{
"url": "https://git.kernel.org/stable/c/f6364fa751d7486502c777f124a14d4d543fc5eb"
},
{
"url": "https://git.kernel.org/stable/c/98ef243d5900d75a64539a2165745bffbb155d43"
},
{
"url": "https://git.kernel.org/stable/c/0152e7758cc4e9f8bfba8dbea4438d8e488d6c08"
},
{
"url": "https://git.kernel.org/stable/c/9ca08adb75fb40a8f742c371927ee73f9dc753bf"
},
{
"url": "https://git.kernel.org/stable/c/8a40b491372966ba5426e138a53460985565d5a6"
},
{
"url": "https://git.kernel.org/stable/c/8e76b944a7b9bddef190ffe2e29c9ae342ab91ed"
},
{
"url": "https://git.kernel.org/stable/c/b59bc6e37237e37eadf50cd5de369e913f524463"
}
],
"title": "audit: fix possible soft lockup in __audit_inode_child()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54045",
"datePublished": "2025-12-24T12:22:56.742Z",
"dateReserved": "2025-12-24T10:53:46.182Z",
"dateUpdated": "2025-12-24T12:22:56.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54136 (GCVE-0-2023-54136)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
serial: sprd: Fix DMA buffer leak issue
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: sprd: Fix DMA buffer leak issue
Release DMA buffer when _probe() returns failure to avoid memory leak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f4487db58eb780a52d768f3b36aaaa8fd5839215 , < c65be6ad55e5e45f8c4e40e1d8d7fe0e21b26e77
(git)
Affected: f4487db58eb780a52d768f3b36aaaa8fd5839215 , < 9a26aaea6c212ea26bab159933dbfd3321a491f6 (git) Affected: f4487db58eb780a52d768f3b36aaaa8fd5839215 , < f34508d934c4f2efb6a85787fc37f42184dabadf (git) Affected: f4487db58eb780a52d768f3b36aaaa8fd5839215 , < 6d209ed70f9c388727995aaece1f930fe63d402b (git) Affected: f4487db58eb780a52d768f3b36aaaa8fd5839215 , < 0237f913694d57bcd7e0e7ae6f255b648a1c42a7 (git) Affected: f4487db58eb780a52d768f3b36aaaa8fd5839215 , < 4ee715e54e255b1be65722f715fca939d5c2ca7a (git) Affected: f4487db58eb780a52d768f3b36aaaa8fd5839215 , < cd119fdc3ee1450fbf7f78862b5de44c42b6e47f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/sprd_serial.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c65be6ad55e5e45f8c4e40e1d8d7fe0e21b26e77",
"status": "affected",
"version": "f4487db58eb780a52d768f3b36aaaa8fd5839215",
"versionType": "git"
},
{
"lessThan": "9a26aaea6c212ea26bab159933dbfd3321a491f6",
"status": "affected",
"version": "f4487db58eb780a52d768f3b36aaaa8fd5839215",
"versionType": "git"
},
{
"lessThan": "f34508d934c4f2efb6a85787fc37f42184dabadf",
"status": "affected",
"version": "f4487db58eb780a52d768f3b36aaaa8fd5839215",
"versionType": "git"
},
{
"lessThan": "6d209ed70f9c388727995aaece1f930fe63d402b",
"status": "affected",
"version": "f4487db58eb780a52d768f3b36aaaa8fd5839215",
"versionType": "git"
},
{
"lessThan": "0237f913694d57bcd7e0e7ae6f255b648a1c42a7",
"status": "affected",
"version": "f4487db58eb780a52d768f3b36aaaa8fd5839215",
"versionType": "git"
},
{
"lessThan": "4ee715e54e255b1be65722f715fca939d5c2ca7a",
"status": "affected",
"version": "f4487db58eb780a52d768f3b36aaaa8fd5839215",
"versionType": "git"
},
{
"lessThan": "cd119fdc3ee1450fbf7f78862b5de44c42b6e47f",
"status": "affected",
"version": "f4487db58eb780a52d768f3b36aaaa8fd5839215",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/sprd_serial.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sprd: Fix DMA buffer leak issue\n\nRelease DMA buffer when _probe() returns failure to avoid memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:51.989Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c65be6ad55e5e45f8c4e40e1d8d7fe0e21b26e77"
},
{
"url": "https://git.kernel.org/stable/c/9a26aaea6c212ea26bab159933dbfd3321a491f6"
},
{
"url": "https://git.kernel.org/stable/c/f34508d934c4f2efb6a85787fc37f42184dabadf"
},
{
"url": "https://git.kernel.org/stable/c/6d209ed70f9c388727995aaece1f930fe63d402b"
},
{
"url": "https://git.kernel.org/stable/c/0237f913694d57bcd7e0e7ae6f255b648a1c42a7"
},
{
"url": "https://git.kernel.org/stable/c/4ee715e54e255b1be65722f715fca939d5c2ca7a"
},
{
"url": "https://git.kernel.org/stable/c/cd119fdc3ee1450fbf7f78862b5de44c42b6e47f"
}
],
"title": "serial: sprd: Fix DMA buffer leak issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54136",
"datePublished": "2025-12-24T13:06:51.989Z",
"dateReserved": "2025-12-24T13:02:52.522Z",
"dateUpdated": "2025-12-24T13:06:51.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50830 (GCVE-0-2022-50830)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2025-12-30 12:10
VLAI?
EPSS
Title
auxdisplay: hd44780: Fix potential memory leak in hd44780_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
auxdisplay: hd44780: Fix potential memory leak in hd44780_remove()
hd44780_probe() allocates a memory chunk for hd with kzalloc() and
makes "lcd->drvdata->hd44780" point to it. When we call hd44780_remove(),
we should release all relevant memory and resource. But "lcd->drvdata
->hd44780" is not released, which will lead to a memory leak.
We should release the "lcd->drvdata->hd44780" in hd44780_remove() to fix
the memory leak bug.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
718e05ed92ecac0d9d3954bcc8064527c3ce7565 , < 8311961a1724bfc64390c539dedc31e067a80315
(git)
Affected: 718e05ed92ecac0d9d3954bcc8064527c3ce7565 , < 6cd37f8232f5e169a723e1d5fbe3b2139c2ef763 (git) Affected: 718e05ed92ecac0d9d3954bcc8064527c3ce7565 , < 5d407911e605702ffcc0e97a6db546592ab27dd0 (git) Affected: 718e05ed92ecac0d9d3954bcc8064527c3ce7565 , < ddf75a86aba2cfb7ec4497e8692b60c8c8fe0ee7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/auxdisplay/hd44780.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8311961a1724bfc64390c539dedc31e067a80315",
"status": "affected",
"version": "718e05ed92ecac0d9d3954bcc8064527c3ce7565",
"versionType": "git"
},
{
"lessThan": "6cd37f8232f5e169a723e1d5fbe3b2139c2ef763",
"status": "affected",
"version": "718e05ed92ecac0d9d3954bcc8064527c3ce7565",
"versionType": "git"
},
{
"lessThan": "5d407911e605702ffcc0e97a6db546592ab27dd0",
"status": "affected",
"version": "718e05ed92ecac0d9d3954bcc8064527c3ce7565",
"versionType": "git"
},
{
"lessThan": "ddf75a86aba2cfb7ec4497e8692b60c8c8fe0ee7",
"status": "affected",
"version": "718e05ed92ecac0d9d3954bcc8064527c3ce7565",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/auxdisplay/hd44780.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nauxdisplay: hd44780: Fix potential memory leak in hd44780_remove()\n\nhd44780_probe() allocates a memory chunk for hd with kzalloc() and\nmakes \"lcd-\u003edrvdata-\u003ehd44780\" point to it. When we call hd44780_remove(),\nwe should release all relevant memory and resource. But \"lcd-\u003edrvdata\n-\u003ehd44780\" is not released, which will lead to a memory leak.\n\nWe should release the \"lcd-\u003edrvdata-\u003ehd44780\" in hd44780_remove() to fix\nthe memory leak bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:10:52.099Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8311961a1724bfc64390c539dedc31e067a80315"
},
{
"url": "https://git.kernel.org/stable/c/6cd37f8232f5e169a723e1d5fbe3b2139c2ef763"
},
{
"url": "https://git.kernel.org/stable/c/5d407911e605702ffcc0e97a6db546592ab27dd0"
},
{
"url": "https://git.kernel.org/stable/c/ddf75a86aba2cfb7ec4497e8692b60c8c8fe0ee7"
}
],
"title": "auxdisplay: hd44780: Fix potential memory leak in hd44780_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50830",
"datePublished": "2025-12-30T12:10:52.099Z",
"dateReserved": "2025-12-30T12:06:07.132Z",
"dateUpdated": "2025-12-30T12:10:52.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68206 (GCVE-0-2025-68206)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2026-01-08 09:50
VLAI?
EPSS
Title
netfilter: nft_ct: add seqadj extension for natted connections
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: add seqadj extension for natted connections
Sequence adjustment may be required for FTP traffic with PASV/EPSV modes.
due to need to re-write packet payload (IP, port) on the ftp control
connection. This can require changes to the TCP length and expected
seq / ack_seq.
The easiest way to reproduce this issue is with PASV mode.
Example ruleset:
table inet ftp_nat {
ct helper ftp_helper {
type "ftp" protocol tcp
l3proto inet
}
chain prerouting {
type filter hook prerouting priority 0; policy accept;
tcp dport 21 ct state new ct helper set "ftp_helper"
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
tcp dport 21 dnat ip prefix to ip daddr map {
192.168.100.1 : 192.168.13.2/32 }
}
chain postrouting {
type nat hook postrouting priority 100 ; policy accept;
tcp sport 21 snat ip prefix to ip saddr map {
192.168.13.2 : 192.168.100.1/32 }
}
}
Note that the ftp helper gets assigned *after* the dnat setup.
The inverse (nat after helper assign) is handled by an existing
check in nf_nat_setup_info() and will not show the problem.
Topoloy:
+-------------------+ +----------------------------------+
| FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
+-------------------+ +----------------------------------+
|
+-----------------------+
| Client: 192.168.100.2 |
+-----------------------+
ftp nat changes do not work as expected in this case:
Connected to 192.168.100.1.
[..]
ftp> epsv
EPSV/EPRT on IPv4 off.
ftp> ls
227 Entering passive mode (192,168,100,1,209,129).
421 Service not available, remote server has closed connection.
Kernel logs:
Missing nfct_seqadj_ext_add() setup call
WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
[..]
__nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
help+0x4d1/0x880 [nf_conntrack_ftp]
nf_confirm+0x122/0x2e0 [nf_conntrack]
nf_hook_slow+0x3c/0xb0
..
Fix this by adding the required extension when a conntrack helper is assigned
to a connection that has a nat binding.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 4ab2cd906e4e1a19ddbda6eb532851b0e9cda110
(git)
Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6 (git) Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 90918e3b6404c2a37837b8f11692471b4c512de2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4ab2cd906e4e1a19ddbda6eb532851b0e9cda110",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
},
{
"lessThan": "90918e3b6404c2a37837b8f11692471b4c512de2",
"status": "affected",
"version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: add seqadj extension for natted connections\n\nSequence adjustment may be required for FTP traffic with PASV/EPSV modes.\ndue to need to re-write packet payload (IP, port) on the ftp control\nconnection. This can require changes to the TCP length and expected\nseq / ack_seq.\n\nThe easiest way to reproduce this issue is with PASV mode.\nExample ruleset:\ntable inet ftp_nat {\n ct helper ftp_helper {\n type \"ftp\" protocol tcp\n l3proto inet\n }\n\n chain prerouting {\n type filter hook prerouting priority 0; policy accept;\n tcp dport 21 ct state new ct helper set \"ftp_helper\"\n }\n}\ntable ip nat {\n chain prerouting {\n type nat hook prerouting priority -100; policy accept;\n tcp dport 21 dnat ip prefix to ip daddr map {\n\t\t\t192.168.100.1 : 192.168.13.2/32 }\n }\n\n chain postrouting {\n type nat hook postrouting priority 100 ; policy accept;\n tcp sport 21 snat ip prefix to ip saddr map {\n\t\t\t192.168.13.2 : 192.168.100.1/32 }\n }\n}\n\nNote that the ftp helper gets assigned *after* the dnat setup.\n\nThe inverse (nat after helper assign) is handled by an existing\ncheck in nf_nat_setup_info() and will not show the problem.\n\nTopoloy:\n\n +-------------------+ +----------------------------------+\n | FTP: 192.168.13.2 | \u003c-\u003e | NAT: 192.168.13.3, 192.168.100.1 |\n +-------------------+ +----------------------------------+\n |\n +-----------------------+\n | Client: 192.168.100.2 |\n +-----------------------+\n\nftp nat changes do not work as expected in this case:\nConnected to 192.168.100.1.\n[..]\nftp\u003e epsv\nEPSV/EPRT on IPv4 off.\nftp\u003e ls\n227 Entering passive mode (192,168,100,1,209,129).\n421 Service not available, remote server has closed connection.\n\nKernel logs:\nMissing nfct_seqadj_ext_add() setup call\nWARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41\n[..]\n __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]\n nf_nat_ftp+0x142/0x280 [nf_nat_ftp]\n help+0x4d1/0x880 [nf_conntrack_ftp]\n nf_confirm+0x122/0x2e0 [nf_conntrack]\n nf_hook_slow+0x3c/0xb0\n ..\n\nFix this by adding the required extension when a conntrack helper is assigned\nto a connection that has a nat binding."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T09:50:22.711Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4ab2cd906e4e1a19ddbda6eb532851b0e9cda110"
},
{
"url": "https://git.kernel.org/stable/c/2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6"
},
{
"url": "https://git.kernel.org/stable/c/90918e3b6404c2a37837b8f11692471b4c512de2"
}
],
"title": "netfilter: nft_ct: add seqadj extension for natted connections",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68206",
"datePublished": "2025-12-16T13:48:33.763Z",
"dateReserved": "2025-12-16T13:41:40.255Z",
"dateUpdated": "2026-01-08T09:50:22.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50878 (GCVE-0-2022-50878)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-02 15:05
VLAI?
EPSS
Title
gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init()
A NULL check for bridge->encoder shows that it may be NULL, but it
already been dereferenced on all paths leading to the check.
812 if (!bridge->encoder) {
Dereference the pointer bridge->encoder.
810 drm_connector_attach_encoder(<9611->connector, bridge->encoder);
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
23278bf54afe180967069bdc8c0f1c7a365fc63e , < 3959e8faf8bf6bea619e8856c736db64e6eced37
(git)
Affected: 23278bf54afe180967069bdc8c0f1c7a365fc63e , < a29f7427041a943484f916157c43c46d3bbf25d4 (git) Affected: 23278bf54afe180967069bdc8c0f1c7a365fc63e , < b2e4323e0020213f44dca6ffc815d66aef39f6f6 (git) Affected: 23278bf54afe180967069bdc8c0f1c7a365fc63e , < 912f84e15e94ab87f5a7156aa1870090373d8304 (git) Affected: 23278bf54afe180967069bdc8c0f1c7a365fc63e , < ef8886f321c5dab8124b9153d25afa2a71d05323 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/lontium-lt9611.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3959e8faf8bf6bea619e8856c736db64e6eced37",
"status": "affected",
"version": "23278bf54afe180967069bdc8c0f1c7a365fc63e",
"versionType": "git"
},
{
"lessThan": "a29f7427041a943484f916157c43c46d3bbf25d4",
"status": "affected",
"version": "23278bf54afe180967069bdc8c0f1c7a365fc63e",
"versionType": "git"
},
{
"lessThan": "b2e4323e0020213f44dca6ffc815d66aef39f6f6",
"status": "affected",
"version": "23278bf54afe180967069bdc8c0f1c7a365fc63e",
"versionType": "git"
},
{
"lessThan": "912f84e15e94ab87f5a7156aa1870090373d8304",
"status": "affected",
"version": "23278bf54afe180967069bdc8c0f1c7a365fc63e",
"versionType": "git"
},
{
"lessThan": "ef8886f321c5dab8124b9153d25afa2a71d05323",
"status": "affected",
"version": "23278bf54afe180967069bdc8c0f1c7a365fc63e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/lontium-lt9611.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init()\n\nA NULL check for bridge-\u003eencoder shows that it may be NULL, but it\nalready been dereferenced on all paths leading to the check.\n812\tif (!bridge-\u003eencoder) {\n\nDereference the pointer bridge-\u003eencoder.\n810\tdrm_connector_attach_encoder(\u0026lt9611-\u003econnector, bridge-\u003eencoder);"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:05:11.911Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3959e8faf8bf6bea619e8856c736db64e6eced37"
},
{
"url": "https://git.kernel.org/stable/c/a29f7427041a943484f916157c43c46d3bbf25d4"
},
{
"url": "https://git.kernel.org/stable/c/b2e4323e0020213f44dca6ffc815d66aef39f6f6"
},
{
"url": "https://git.kernel.org/stable/c/912f84e15e94ab87f5a7156aa1870090373d8304"
},
{
"url": "https://git.kernel.org/stable/c/ef8886f321c5dab8124b9153d25afa2a71d05323"
}
],
"title": "gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50878",
"datePublished": "2025-12-30T12:23:18.173Z",
"dateReserved": "2025-12-30T12:06:07.137Z",
"dateUpdated": "2026-01-02T15:05:11.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54271 (GCVE-0-2023-54271)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:16 – Updated: 2025-12-30 12:16
VLAI?
EPSS
Title
blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init
blk-iocost sometimes causes the following crash:
BUG: kernel NULL pointer dereference, address: 00000000000000e0
...
RIP: 0010:_raw_spin_lock+0x17/0x30
Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 <f0> 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00
RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001
RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0
RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003
R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000
R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600
FS: 00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0
Call Trace:
<TASK>
ioc_weight_write+0x13d/0x410
cgroup_file_write+0x7a/0x130
kernfs_fop_write_iter+0xf5/0x170
vfs_write+0x298/0x370
ksys_write+0x5f/0xb0
__x64_sys_write+0x1b/0x20
do_syscall_64+0x3d/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
This happens because iocg->ioc is NULL. The field is initialized by
ioc_pd_init() and never cleared. The NULL deref is caused by
blkcg_activate_policy() installing blkg_policy_data before initializing it.
blkcg_activate_policy() was doing the following:
1. Allocate pd's for all existing blkg's and install them in blkg->pd[].
2. Initialize all pd's.
3. Online all pd's.
blkcg_activate_policy() only grabs the queue_lock and may release and
re-acquire the lock as allocation may need to sleep. ioc_weight_write()
grabs blkcg->lock and iterates all its blkg's. The two can race and if
ioc_weight_write() runs during #1 or between #1 and #2, it can encounter a
pd which is not initialized yet, leading to crash.
The crash can be reproduced with the following script:
#!/bin/bash
echo +io > /sys/fs/cgroup/cgroup.subtree_control
systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct
echo 100 > /sys/fs/cgroup/system.slice/io.weight
bash -c "echo '8:0 enable=1' > /sys/fs/cgroup/io.cost.qos" &
sleep .2
echo 100 > /sys/fs/cgroup/system.slice/io.weight
with the following patch applied:
> diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
> index fc49be622e05..38d671d5e10c 100644
> --- a/block/blk-cgroup.c
> +++ b/block/blk-cgroup.c
> @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol)
> pd->online = false;
> }
>
> + if (system_state == SYSTEM_RUNNING) {
> + spin_unlock_irq(&q->queue_lock);
> + ssleep(1);
> + spin_lock_irq(&q->queue_lock);
> + }
> +
> /* all allocated, init in the same order */
> if (pol->pd_init_fn)
> list_for_each_entry_reverse(blkg, &q->blkg_list, q_node)
I don't see a reason why all pd's should be allocated, initialized and
onlined together. The only ordering requirement is that parent blkgs to be
initialized and onlined before children, which is guaranteed from the
walking order. Let's fix the bug by allocating, initializing and onlining pd
for each blkg and holding blkcg->lock over initialization and onlining. This
ensures that an installed blkg is always fully initialized and onlined
removing the the race window.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9d179b865449b351ad5cb76dbea480c9170d4a27 , < e39ef7880d1057b2ebcdb013405f4d84a257db23
(git)
Affected: 9d179b865449b351ad5cb76dbea480c9170d4a27 , < 7d63c6f9765339dcfc34b7365ced7c518012e4fe (git) Affected: 9d179b865449b351ad5cb76dbea480c9170d4a27 , < ec14a87ee1999b19d8b7ed0fa95fea80644624ae (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e39ef7880d1057b2ebcdb013405f4d84a257db23",
"status": "affected",
"version": "9d179b865449b351ad5cb76dbea480c9170d4a27",
"versionType": "git"
},
{
"lessThan": "7d63c6f9765339dcfc34b7365ced7c518012e4fe",
"status": "affected",
"version": "9d179b865449b351ad5cb76dbea480c9170d4a27",
"versionType": "git"
},
{
"lessThan": "ec14a87ee1999b19d8b7ed0fa95fea80644624ae",
"status": "affected",
"version": "9d179b865449b351ad5cb76dbea480c9170d4a27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init\n\nblk-iocost sometimes causes the following crash:\n\n BUG: kernel NULL pointer dereference, address: 00000000000000e0\n ...\n RIP: 0010:_raw_spin_lock+0x17/0x30\n Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 \u003cf0\u003e 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00\n RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001\n RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0\n RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003\n R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000\n R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600\n FS: 00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0\n Call Trace:\n \u003cTASK\u003e\n ioc_weight_write+0x13d/0x410\n cgroup_file_write+0x7a/0x130\n kernfs_fop_write_iter+0xf5/0x170\n vfs_write+0x298/0x370\n ksys_write+0x5f/0xb0\n __x64_sys_write+0x1b/0x20\n do_syscall_64+0x3d/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThis happens because iocg-\u003eioc is NULL. The field is initialized by\nioc_pd_init() and never cleared. The NULL deref is caused by\nblkcg_activate_policy() installing blkg_policy_data before initializing it.\n\nblkcg_activate_policy() was doing the following:\n\n1. Allocate pd\u0027s for all existing blkg\u0027s and install them in blkg-\u003epd[].\n2. Initialize all pd\u0027s.\n3. Online all pd\u0027s.\n\nblkcg_activate_policy() only grabs the queue_lock and may release and\nre-acquire the lock as allocation may need to sleep. ioc_weight_write()\ngrabs blkcg-\u003elock and iterates all its blkg\u0027s. The two can race and if\nioc_weight_write() runs during #1 or between #1 and #2, it can encounter a\npd which is not initialized yet, leading to crash.\n\nThe crash can be reproduced with the following script:\n\n #!/bin/bash\n\n echo +io \u003e /sys/fs/cgroup/cgroup.subtree_control\n systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct\n echo 100 \u003e /sys/fs/cgroup/system.slice/io.weight\n bash -c \"echo \u00278:0 enable=1\u0027 \u003e /sys/fs/cgroup/io.cost.qos\" \u0026\n sleep .2\n echo 100 \u003e /sys/fs/cgroup/system.slice/io.weight\n\nwith the following patch applied:\n\n\u003e diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c\n\u003e index fc49be622e05..38d671d5e10c 100644\n\u003e --- a/block/blk-cgroup.c\n\u003e +++ b/block/blk-cgroup.c\n\u003e @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol)\n\u003e \t\tpd-\u003eonline = false;\n\u003e \t}\n\u003e\n\u003e + if (system_state == SYSTEM_RUNNING) {\n\u003e + spin_unlock_irq(\u0026q-\u003equeue_lock);\n\u003e + ssleep(1);\n\u003e + spin_lock_irq(\u0026q-\u003equeue_lock);\n\u003e + }\n\u003e +\n\u003e \t/* all allocated, init in the same order */\n\u003e \tif (pol-\u003epd_init_fn)\n\u003e \t\tlist_for_each_entry_reverse(blkg, \u0026q-\u003eblkg_list, q_node)\n\nI don\u0027t see a reason why all pd\u0027s should be allocated, initialized and\nonlined together. The only ordering requirement is that parent blkgs to be\ninitialized and onlined before children, which is guaranteed from the\nwalking order. Let\u0027s fix the bug by allocating, initializing and onlining pd\nfor each blkg and holding blkcg-\u003elock over initialization and onlining. This\nensures that an installed blkg is always fully initialized and onlined\nremoving the the race window."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:16:01.672Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e39ef7880d1057b2ebcdb013405f4d84a257db23"
},
{
"url": "https://git.kernel.org/stable/c/7d63c6f9765339dcfc34b7365ced7c518012e4fe"
},
{
"url": "https://git.kernel.org/stable/c/ec14a87ee1999b19d8b7ed0fa95fea80644624ae"
}
],
"title": "blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54271",
"datePublished": "2025-12-30T12:16:01.672Z",
"dateReserved": "2025-12-30T12:06:44.519Z",
"dateUpdated": "2025-12-30T12:16:01.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54094 (GCVE-0-2023-54094)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
net: prevent skb corruption on frag list segmentation
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: prevent skb corruption on frag list segmentation
Ian reported several skb corruptions triggered by rx-gro-list,
collecting different oops alike:
[ 62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0
[ 62.631083] #PF: supervisor read access in kernel mode
[ 62.636312] #PF: error_code(0x0000) - not-present page
[ 62.641541] PGD 0 P4D 0
[ 62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364
[ 62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022
[ 62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858
./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261
net/ipv4/udp_offload.c:277)
[ 62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246
[ 62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000
[ 62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4
[ 62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9
[ 62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2
[ 62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9
[ 62.728654] FS: 0000000000000000(0000) GS:ffffa127efa40000(0000)
knlGS:0000000000000000
[ 62.736852] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0
[ 62.749948] Call Trace:
[ 62.752498] <TASK>
[ 62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398)
[ 62.787605] skb_mac_gso_segment (net/core/gro.c:141)
[ 62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2))
[ 62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862
net/core/dev.c:3659)
[ 62.804695] validate_xmit_skb_list (net/core/dev.c:3710)
[ 62.809158] sch_direct_xmit (net/sched/sch_generic.c:330)
[ 62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210)
net/netfilter/core.c:626)
[ 62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55)
[ 62.825652] maybe_deliver (net/bridge/br_forward.c:193)
[ 62.829420] br_flood (net/bridge/br_forward.c:233)
[ 62.832758] br_handle_frame_finish (net/bridge/br_input.c:215)
[ 62.837403] br_handle_frame (net/bridge/br_input.c:298
net/bridge/br_input.c:416)
[ 62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387)
[ 62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570)
[ 62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638
net/core/dev.c:5727)
[ 62.876795] napi_complete_done (./include/linux/list.h:37
./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067)
[ 62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191)
[ 62.893534] __napi_poll (net/core/dev.c:6498)
[ 62.897133] napi_threaded_poll (./include/linux/netpoll.h:89
net/core/dev.c:6640)
[ 62.905276] kthread (kernel/kthread.c:379)
[ 62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314)
[ 62.917119] </TASK>
In the critical scenario, rx-gro-list GRO-ed packets are fed, via a
bridge, both to the local input path and to an egress device (tun).
The segmentation of such packets unsafely writes to the cloned skbs
with shared heads.
This change addresses the issue by uncloning as needed the
to-be-segmented skbs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3a1296a38d0cf62bffb9a03c585cbd5dbf15d596 , < bc3ab5d2ab69823f5cff89cf74ef78ffa0386c9a
(git)
Affected: 3a1296a38d0cf62bffb9a03c585cbd5dbf15d596 , < ea438eed94ac0fe69b93ac034738823c0e989a12 (git) Affected: 3a1296a38d0cf62bffb9a03c585cbd5dbf15d596 , < 1731234e8b60063eae858c77b55c7a88f5084353 (git) Affected: 3a1296a38d0cf62bffb9a03c585cbd5dbf15d596 , < 7a59f29961cf97b98b02acaadf5a0b1f8dde938c (git) Affected: 3a1296a38d0cf62bffb9a03c585cbd5dbf15d596 , < c329b261afe71197d9da83c1f18eb45a7e97e089 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc3ab5d2ab69823f5cff89cf74ef78ffa0386c9a",
"status": "affected",
"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596",
"versionType": "git"
},
{
"lessThan": "ea438eed94ac0fe69b93ac034738823c0e989a12",
"status": "affected",
"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596",
"versionType": "git"
},
{
"lessThan": "1731234e8b60063eae858c77b55c7a88f5084353",
"status": "affected",
"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596",
"versionType": "git"
},
{
"lessThan": "7a59f29961cf97b98b02acaadf5a0b1f8dde938c",
"status": "affected",
"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596",
"versionType": "git"
},
{
"lessThan": "c329b261afe71197d9da83c1f18eb45a7e97e089",
"status": "affected",
"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: prevent skb corruption on frag list segmentation\n\nIan reported several skb corruptions triggered by rx-gro-list,\ncollecting different oops alike:\n\n[ 62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0\n[ 62.631083] #PF: supervisor read access in kernel mode\n[ 62.636312] #PF: error_code(0x0000) - not-present page\n[ 62.641541] PGD 0 P4D 0\n[ 62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364\n[ 62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022\n[ 62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858\n./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261\nnet/ipv4/udp_offload.c:277)\n[ 62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246\n[ 62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000\n[ 62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4\n[ 62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9\n[ 62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2\n[ 62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9\n[ 62.728654] FS: 0000000000000000(0000) GS:ffffa127efa40000(0000)\nknlGS:0000000000000000\n[ 62.736852] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0\n[ 62.749948] Call Trace:\n[ 62.752498] \u003cTASK\u003e\n[ 62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398)\n[ 62.787605] skb_mac_gso_segment (net/core/gro.c:141)\n[ 62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2))\n[ 62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862\nnet/core/dev.c:3659)\n[ 62.804695] validate_xmit_skb_list (net/core/dev.c:3710)\n[ 62.809158] sch_direct_xmit (net/sched/sch_generic.c:330)\n[ 62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210)\nnet/netfilter/core.c:626)\n[ 62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55)\n[ 62.825652] maybe_deliver (net/bridge/br_forward.c:193)\n[ 62.829420] br_flood (net/bridge/br_forward.c:233)\n[ 62.832758] br_handle_frame_finish (net/bridge/br_input.c:215)\n[ 62.837403] br_handle_frame (net/bridge/br_input.c:298\nnet/bridge/br_input.c:416)\n[ 62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387)\n[ 62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570)\n[ 62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638\nnet/core/dev.c:5727)\n[ 62.876795] napi_complete_done (./include/linux/list.h:37\n./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067)\n[ 62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191)\n[ 62.893534] __napi_poll (net/core/dev.c:6498)\n[ 62.897133] napi_threaded_poll (./include/linux/netpoll.h:89\nnet/core/dev.c:6640)\n[ 62.905276] kthread (kernel/kthread.c:379)\n[ 62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314)\n[ 62.917119] \u003c/TASK\u003e\n\nIn the critical scenario, rx-gro-list GRO-ed packets are fed, via a\nbridge, both to the local input path and to an egress device (tun).\n\nThe segmentation of such packets unsafely writes to the cloned skbs\nwith shared heads.\n\nThis change addresses the issue by uncloning as needed the\nto-be-segmented skbs."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:22.446Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc3ab5d2ab69823f5cff89cf74ef78ffa0386c9a"
},
{
"url": "https://git.kernel.org/stable/c/ea438eed94ac0fe69b93ac034738823c0e989a12"
},
{
"url": "https://git.kernel.org/stable/c/1731234e8b60063eae858c77b55c7a88f5084353"
},
{
"url": "https://git.kernel.org/stable/c/7a59f29961cf97b98b02acaadf5a0b1f8dde938c"
},
{
"url": "https://git.kernel.org/stable/c/c329b261afe71197d9da83c1f18eb45a7e97e089"
}
],
"title": "net: prevent skb corruption on frag list segmentation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54094",
"datePublished": "2025-12-24T13:06:22.446Z",
"dateReserved": "2025-12-24T13:02:52.516Z",
"dateUpdated": "2025-12-24T13:06:22.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50879 (GCVE-0-2022-50879)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-02 15:05
VLAI?
EPSS
Title
objtool: Fix SEGFAULT
Summary
In the Linux kernel, the following vulnerability has been resolved:
objtool: Fix SEGFAULT
find_insn() will return NULL in case of failure. Check insn in order
to avoid a kernel Oops for NULL pointer dereference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
13810435b9a7014fb92eb715f77da488f3b65b99 , < 418ef921cce2d7415fab7e3e93529227f239e4bb
(git)
Affected: 13810435b9a7014fb92eb715f77da488f3b65b99 , < 0af0e115ff59d638f45416a004cdd8edb38db40c (git) Affected: 13810435b9a7014fb92eb715f77da488f3b65b99 , < 23a249b1185cdd5bfb6971d1608ba49e589f2288 (git) Affected: 13810435b9a7014fb92eb715f77da488f3b65b99 , < 38b9415abbd703438ebbc6fb74990bd0fbddc5b9 (git) Affected: 13810435b9a7014fb92eb715f77da488f3b65b99 , < fcee8a2d4db404a93e690d79e7273b6ef9d33575 (git) Affected: 13810435b9a7014fb92eb715f77da488f3b65b99 , < efb11fdb3e1a9f694fa12b70b21e69e55ec59c36 (git) Affected: 1f7f88aa4df593db34dd1d6345213f20888687fb (git) Affected: 1bea53df12c47517b6e487e6fed34d0c05d42905 (git) Affected: c6f589eed3b5a9b73b3be76a719917cc905bab0e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"tools/objtool/check.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "418ef921cce2d7415fab7e3e93529227f239e4bb",
"status": "affected",
"version": "13810435b9a7014fb92eb715f77da488f3b65b99",
"versionType": "git"
},
{
"lessThan": "0af0e115ff59d638f45416a004cdd8edb38db40c",
"status": "affected",
"version": "13810435b9a7014fb92eb715f77da488f3b65b99",
"versionType": "git"
},
{
"lessThan": "23a249b1185cdd5bfb6971d1608ba49e589f2288",
"status": "affected",
"version": "13810435b9a7014fb92eb715f77da488f3b65b99",
"versionType": "git"
},
{
"lessThan": "38b9415abbd703438ebbc6fb74990bd0fbddc5b9",
"status": "affected",
"version": "13810435b9a7014fb92eb715f77da488f3b65b99",
"versionType": "git"
},
{
"lessThan": "fcee8a2d4db404a93e690d79e7273b6ef9d33575",
"status": "affected",
"version": "13810435b9a7014fb92eb715f77da488f3b65b99",
"versionType": "git"
},
{
"lessThan": "efb11fdb3e1a9f694fa12b70b21e69e55ec59c36",
"status": "affected",
"version": "13810435b9a7014fb92eb715f77da488f3b65b99",
"versionType": "git"
},
{
"status": "affected",
"version": "1f7f88aa4df593db34dd1d6345213f20888687fb",
"versionType": "git"
},
{
"status": "affected",
"version": "1bea53df12c47517b6e487e6fed34d0c05d42905",
"versionType": "git"
},
{
"status": "affected",
"version": "c6f589eed3b5a9b73b3be76a719917cc905bab0e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"tools/objtool/check.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.48",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nobjtool: Fix SEGFAULT\n\nfind_insn() will return NULL in case of failure. Check insn in order\nto avoid a kernel Oops for NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:05:13.391Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/418ef921cce2d7415fab7e3e93529227f239e4bb"
},
{
"url": "https://git.kernel.org/stable/c/0af0e115ff59d638f45416a004cdd8edb38db40c"
},
{
"url": "https://git.kernel.org/stable/c/23a249b1185cdd5bfb6971d1608ba49e589f2288"
},
{
"url": "https://git.kernel.org/stable/c/38b9415abbd703438ebbc6fb74990bd0fbddc5b9"
},
{
"url": "https://git.kernel.org/stable/c/fcee8a2d4db404a93e690d79e7273b6ef9d33575"
},
{
"url": "https://git.kernel.org/stable/c/efb11fdb3e1a9f694fa12b70b21e69e55ec59c36"
}
],
"title": "objtool: Fix SEGFAULT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50879",
"datePublished": "2025-12-30T12:23:18.858Z",
"dateReserved": "2025-12-30T12:06:07.137Z",
"dateUpdated": "2026-01-02T15:05:13.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54104 (GCVE-0-2023-54104)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op()
'op-cs' is copied in 'fun->mchip_number' which is used to access the
'mchip_offsets' and the 'rnb_gpio' arrays.
These arrays have NAND_MAX_CHIPS elements, so the index must be below this
limit.
Fix the sanity check in order to avoid the NAND_MAX_CHIPS value. This
would lead to out-of-bound accesses.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
54309d65776755bcdb9dcf3744cd764fc1e254ea , < 1f09d67d390647f83f8f9d26382b0daa43756e6f
(git)
Affected: 54309d65776755bcdb9dcf3744cd764fc1e254ea , < eb7a5e4d14c8659cb97db6863316280e15f67209 (git) Affected: 54309d65776755bcdb9dcf3744cd764fc1e254ea , < f4b700c71802c81e6f9dce362ee7a0312c8377ba (git) Affected: 54309d65776755bcdb9dcf3744cd764fc1e254ea , < 49e57caf967a969f6b955c88805f2d160910aa12 (git) Affected: 54309d65776755bcdb9dcf3744cd764fc1e254ea , < c6abce60338aa2080973cd95be0aedad528bb41f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/fsl_upm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f09d67d390647f83f8f9d26382b0daa43756e6f",
"status": "affected",
"version": "54309d65776755bcdb9dcf3744cd764fc1e254ea",
"versionType": "git"
},
{
"lessThan": "eb7a5e4d14c8659cb97db6863316280e15f67209",
"status": "affected",
"version": "54309d65776755bcdb9dcf3744cd764fc1e254ea",
"versionType": "git"
},
{
"lessThan": "f4b700c71802c81e6f9dce362ee7a0312c8377ba",
"status": "affected",
"version": "54309d65776755bcdb9dcf3744cd764fc1e254ea",
"versionType": "git"
},
{
"lessThan": "49e57caf967a969f6b955c88805f2d160910aa12",
"status": "affected",
"version": "54309d65776755bcdb9dcf3744cd764fc1e254ea",
"versionType": "git"
},
{
"lessThan": "c6abce60338aa2080973cd95be0aedad528bb41f",
"status": "affected",
"version": "54309d65776755bcdb9dcf3744cd764fc1e254ea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/fsl_upm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op()\n\n\u0027op-cs\u0027 is copied in \u0027fun-\u003emchip_number\u0027 which is used to access the\n\u0027mchip_offsets\u0027 and the \u0027rnb_gpio\u0027 arrays.\nThese arrays have NAND_MAX_CHIPS elements, so the index must be below this\nlimit.\n\nFix the sanity check in order to avoid the NAND_MAX_CHIPS value. This\nwould lead to out-of-bound accesses."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:29.354Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f09d67d390647f83f8f9d26382b0daa43756e6f"
},
{
"url": "https://git.kernel.org/stable/c/eb7a5e4d14c8659cb97db6863316280e15f67209"
},
{
"url": "https://git.kernel.org/stable/c/f4b700c71802c81e6f9dce362ee7a0312c8377ba"
},
{
"url": "https://git.kernel.org/stable/c/49e57caf967a969f6b955c88805f2d160910aa12"
},
{
"url": "https://git.kernel.org/stable/c/c6abce60338aa2080973cd95be0aedad528bb41f"
}
],
"title": "mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54104",
"datePublished": "2025-12-24T13:06:29.354Z",
"dateReserved": "2025-12-24T13:02:52.517Z",
"dateUpdated": "2025-12-24T13:06:29.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53766 (GCVE-0-2023-53766)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
FS: JFS: Check for read-only mounted filesystem in txBegin
Summary
In the Linux kernel, the following vulnerability has been resolved:
FS: JFS: Check for read-only mounted filesystem in txBegin
This patch adds a check for read-only mounted filesystem
in txBegin before starting a transaction potentially saving
from NULL pointer deref.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a88efca805bea93cea9187dfd00835aa7093bf1b
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2a8807f9f511c64de0c7cc9900a1683e3d72a3e5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5c094ca994824e038b6a97835ded4e5d1d808504 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2febd5f81e4bfba61d9f374dcca628aff374cc56 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b0ed8ed0428ee96092da6fefa5cfacbe4abed701 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 95e2b352c03b0a86c5717ba1d24ea20969abcacc (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_txnmgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a88efca805bea93cea9187dfd00835aa7093bf1b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2a8807f9f511c64de0c7cc9900a1683e3d72a3e5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5c094ca994824e038b6a97835ded4e5d1d808504",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2febd5f81e4bfba61d9f374dcca628aff374cc56",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b0ed8ed0428ee96092da6fefa5cfacbe4abed701",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "95e2b352c03b0a86c5717ba1d24ea20969abcacc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jfs/jfs_txnmgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nFS: JFS: Check for read-only mounted filesystem in txBegin\n\n This patch adds a check for read-only mounted filesystem\n in txBegin before starting a transaction potentially saving\n from NULL pointer deref."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:49.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a88efca805bea93cea9187dfd00835aa7093bf1b"
},
{
"url": "https://git.kernel.org/stable/c/97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7"
},
{
"url": "https://git.kernel.org/stable/c/2a8807f9f511c64de0c7cc9900a1683e3d72a3e5"
},
{
"url": "https://git.kernel.org/stable/c/5c094ca994824e038b6a97835ded4e5d1d808504"
},
{
"url": "https://git.kernel.org/stable/c/2febd5f81e4bfba61d9f374dcca628aff374cc56"
},
{
"url": "https://git.kernel.org/stable/c/aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c"
},
{
"url": "https://git.kernel.org/stable/c/b0ed8ed0428ee96092da6fefa5cfacbe4abed701"
},
{
"url": "https://git.kernel.org/stable/c/95e2b352c03b0a86c5717ba1d24ea20969abcacc"
}
],
"title": "FS: JFS: Check for read-only mounted filesystem in txBegin",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53766",
"datePublished": "2025-12-08T01:19:28.976Z",
"dateReserved": "2025-12-08T01:18:04.281Z",
"dateUpdated": "2026-01-05T10:32:49.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54281 (GCVE-0-2023-54281)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
btrfs: release path before inode lookup during the ino lookup ioctl
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: release path before inode lookup during the ino lookup ioctl
During the ino lookup ioctl we can end up calling btrfs_iget() to get an
inode reference while we are holding on a root's btree. If btrfs_iget()
needs to lookup the inode from the root's btree, because it's not
currently loaded in memory, then it will need to lock another or the
same path in the same root btree. This may result in a deadlock and
trigger the following lockdep splat:
WARNING: possible circular locking dependency detected
6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted
------------------------------------------------------
syz-executor277/5012 is trying to acquire lock:
ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136
but task is already holding lock:
ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (btrfs-tree-00){++++}-{3:3}:
down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645
__btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136
btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302
btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955
btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline]
btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338
btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline]
open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494
btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154
btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519
legacy_get_tree+0xef/0x190 fs/fs_context.c:611
vfs_get_tree+0x8c/0x270 fs/super.c:1519
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142
btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579
legacy_get_tree+0xef/0x190 fs/fs_context.c:611
vfs_get_tree+0x8c/0x270 fs/super.c:1519
do_new_mount+0x28f/0xae0 fs/namespace.c:3335
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
-> #0 (btrfs-tree-01){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3142 [inline]
check_prevs_add kernel/locking/lockdep.c:3261 [inline]
validate_chain kernel/locking/lockdep.c:3876 [inline]
__lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144
lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761
down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645
__btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136
btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline]
btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281
btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline]
btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154
btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412
btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline]
btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716
btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline]
btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105
btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
other info
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
23d0b79dfaed2305b500b0215b0421701ada6b1a , < 7390bb377b5fb3be23cb021e0f184d1f576be7d6
(git)
Affected: 23d0b79dfaed2305b500b0215b0421701ada6b1a , < 380bbd46d61c894a8dcaace09e54bc7426d81014 (git) Affected: 23d0b79dfaed2305b500b0215b0421701ada6b1a , < 50e385d98b2a52480836ea41c142b81eeeb277af (git) Affected: 23d0b79dfaed2305b500b0215b0421701ada6b1a , < 6fdce81e425be112f1ca129776f4041afeaad413 (git) Affected: 23d0b79dfaed2305b500b0215b0421701ada6b1a , < ee34a82e890a7babb5585daf1a6dd7d4d1cf142a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7390bb377b5fb3be23cb021e0f184d1f576be7d6",
"status": "affected",
"version": "23d0b79dfaed2305b500b0215b0421701ada6b1a",
"versionType": "git"
},
{
"lessThan": "380bbd46d61c894a8dcaace09e54bc7426d81014",
"status": "affected",
"version": "23d0b79dfaed2305b500b0215b0421701ada6b1a",
"versionType": "git"
},
{
"lessThan": "50e385d98b2a52480836ea41c142b81eeeb277af",
"status": "affected",
"version": "23d0b79dfaed2305b500b0215b0421701ada6b1a",
"versionType": "git"
},
{
"lessThan": "6fdce81e425be112f1ca129776f4041afeaad413",
"status": "affected",
"version": "23d0b79dfaed2305b500b0215b0421701ada6b1a",
"versionType": "git"
},
{
"lessThan": "ee34a82e890a7babb5585daf1a6dd7d4d1cf142a",
"status": "affected",
"version": "23d0b79dfaed2305b500b0215b0421701ada6b1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before inode lookup during the ino lookup ioctl\n\nDuring the ino lookup ioctl we can end up calling btrfs_iget() to get an\ninode reference while we are holding on a root\u0027s btree. If btrfs_iget()\nneeds to lookup the inode from the root\u0027s btree, because it\u0027s not\ncurrently loaded in memory, then it will need to lock another or the\nsame path in the same root btree. This may result in a deadlock and\ntrigger the following lockdep splat:\n\n WARNING: possible circular locking dependency detected\n 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted\n ------------------------------------------------------\n syz-executor277/5012 is trying to acquire lock:\n ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n but task is already holding lock:\n ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -\u003e #1 (btrfs-tree-00){++++}-{3:3}:\n down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302\n btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955\n btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline]\n btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338\n btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline]\n open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494\n btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154\n btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519\n legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n vfs_get_tree+0x8c/0x270 fs/super.c:1519\n fc_mount fs/namespace.c:1112 [inline]\n vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142\n btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579\n legacy_get_tree+0xef/0x190 fs/fs_context.c:611\n vfs_get_tree+0x8c/0x270 fs/super.c:1519\n do_new_mount+0x28f/0xae0 fs/namespace.c:3335\n do_mount fs/namespace.c:3675 [inline]\n __do_sys_mount fs/namespace.c:3884 [inline]\n __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n -\u003e #0 (btrfs-tree-01){++++}-{3:3}:\n check_prev_add kernel/locking/lockdep.c:3142 [inline]\n check_prevs_add kernel/locking/lockdep.c:3261 [inline]\n validate_chain kernel/locking/lockdep.c:3876 [inline]\n __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144\n lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761\n down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645\n __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136\n btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline]\n btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281\n btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline]\n btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154\n btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412\n btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline]\n btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716\n btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline]\n btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105\n btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n other info \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:23.122Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7390bb377b5fb3be23cb021e0f184d1f576be7d6"
},
{
"url": "https://git.kernel.org/stable/c/380bbd46d61c894a8dcaace09e54bc7426d81014"
},
{
"url": "https://git.kernel.org/stable/c/50e385d98b2a52480836ea41c142b81eeeb277af"
},
{
"url": "https://git.kernel.org/stable/c/6fdce81e425be112f1ca129776f4041afeaad413"
},
{
"url": "https://git.kernel.org/stable/c/ee34a82e890a7babb5585daf1a6dd7d4d1cf142a"
}
],
"title": "btrfs: release path before inode lookup during the ino lookup ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54281",
"datePublished": "2025-12-30T12:23:23.122Z",
"dateReserved": "2025-12-30T12:06:44.525Z",
"dateUpdated": "2025-12-30T12:23:23.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40292 (GCVE-0-2025-40292)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
virtio-net: fix received length check in big packets
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio-net: fix received length check in big packets
Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length
for big packets"), when guest gso is off, the allocated size for big
packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on
negotiated MTU. The number of allocated frags for big packets is stored
in vi->big_packets_num_skbfrags.
Because the host announced buffer length can be malicious (e.g. the host
vhost_net driver's get_rx_bufs is modified to announce incorrect
length), we need a check in virtio_net receive path. Currently, the
check is not adapted to the new change which can lead to NULL page
pointer dereference in the below while loop when receiving length that
is larger than the allocated one.
This commit fixes the received length check corresponding to the new
change.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4959aebba8c06992abafa09d1e80965e0825af54 , < 82f9028e83944a9eee5229cbc6fee9be1de8a62d
(git)
Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 946dec89c41726b94d31147ec528b96af0be1b5a (git) Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 82fe78065450d2d07f36a22e2b6b44955cf5ca5b (git) Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2 (git) Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 0c716703965ffc5ef4311b65cb5d84a703784717 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82f9028e83944a9eee5229cbc6fee9be1de8a62d",
"status": "affected",
"version": "4959aebba8c06992abafa09d1e80965e0825af54",
"versionType": "git"
},
{
"lessThan": "946dec89c41726b94d31147ec528b96af0be1b5a",
"status": "affected",
"version": "4959aebba8c06992abafa09d1e80965e0825af54",
"versionType": "git"
},
{
"lessThan": "82fe78065450d2d07f36a22e2b6b44955cf5ca5b",
"status": "affected",
"version": "4959aebba8c06992abafa09d1e80965e0825af54",
"versionType": "git"
},
{
"lessThan": "3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2",
"status": "affected",
"version": "4959aebba8c06992abafa09d1e80965e0825af54",
"versionType": "git"
},
{
"lessThan": "0c716703965ffc5ef4311b65cb5d84a703784717",
"status": "affected",
"version": "4959aebba8c06992abafa09d1e80965e0825af54",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/virtio_net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix received length check in big packets\n\nSince commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length\nfor big packets\"), when guest gso is off, the allocated size for big\npackets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on\nnegotiated MTU. The number of allocated frags for big packets is stored\nin vi-\u003ebig_packets_num_skbfrags.\n\nBecause the host announced buffer length can be malicious (e.g. the host\nvhost_net driver\u0027s get_rx_bufs is modified to announce incorrect\nlength), we need a check in virtio_net receive path. Currently, the\ncheck is not adapted to the new change which can lead to NULL page\npointer dereference in the below while loop when receiving length that\nis larger than the allocated one.\n\nThis commit fixes the received length check corresponding to the new\nchange."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:15.761Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82f9028e83944a9eee5229cbc6fee9be1de8a62d"
},
{
"url": "https://git.kernel.org/stable/c/946dec89c41726b94d31147ec528b96af0be1b5a"
},
{
"url": "https://git.kernel.org/stable/c/82fe78065450d2d07f36a22e2b6b44955cf5ca5b"
},
{
"url": "https://git.kernel.org/stable/c/3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2"
},
{
"url": "https://git.kernel.org/stable/c/0c716703965ffc5ef4311b65cb5d84a703784717"
}
],
"title": "virtio-net: fix received length check in big packets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40292",
"datePublished": "2025-12-08T00:46:15.761Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-08T00:46:15.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68312 (GCVE-0-2025-68312)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-16 15:39
VLAI?
EPSS
Title
usbnet: Prevents free active kevent
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Prevents free active kevent
The root cause of this issue are:
1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);
put the kevent work in global workqueue. However, the kevent has not yet
been scheduled when the usbnet device is unregistered. Therefore, executing
free_netdev() results in the "free active object (kevent)" error reported
here.
2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(),
if the usbnet device is up, ndo_stop() is executed to cancel the kevent.
However, because the device is not up, ndo_stop() is not executed.
The solution to this problem is to cancel the kevent before executing
free_netdev().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8b4588b8b00b299be16a35be67b331d8fdba03f3 , < 285d4b953f2ca03c358f986718dd89ee9bde632e
(git)
Affected: 135199a2edd459d2b123144efcd7f9bcd95128e4 , < 88a38b135d69f5db9024ff6527232f1b51be8915 (git) Affected: 635fd8953e4309b54ca6a81bed1d4a87668694f4 , < 43005002b60ef3424719ecda16d124714b45da3b (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 3a10619fdefd3051aeb14860e4d4335529b4e94d (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 9a579d6a39513069d298eee70770bbac8a148565 (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 2ce1de32e05445d77fc056f6ff8339cfb78a5f84 (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 5158fb8da162e3982940f30cd01ed77bdf42c6fc (git) Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 420c84c330d1688b8c764479e5738bbdbf0a33de (git) Affected: d2d6b530d89b0a912148018027386aa049f0a309 (git) Affected: e2a521a7dcc463c5017b4426ca0804e151faeff7 (git) Affected: 7f77dcbc030c2faa6d8e8a594985eeb34018409e (git) Affected: d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f (git) Affected: db3b738ae5f726204876f4303c49cfdf4311403f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "285d4b953f2ca03c358f986718dd89ee9bde632e",
"status": "affected",
"version": "8b4588b8b00b299be16a35be67b331d8fdba03f3",
"versionType": "git"
},
{
"lessThan": "88a38b135d69f5db9024ff6527232f1b51be8915",
"status": "affected",
"version": "135199a2edd459d2b123144efcd7f9bcd95128e4",
"versionType": "git"
},
{
"lessThan": "43005002b60ef3424719ecda16d124714b45da3b",
"status": "affected",
"version": "635fd8953e4309b54ca6a81bed1d4a87668694f4",
"versionType": "git"
},
{
"lessThan": "3a10619fdefd3051aeb14860e4d4335529b4e94d",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "9a579d6a39513069d298eee70770bbac8a148565",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "2ce1de32e05445d77fc056f6ff8339cfb78a5f84",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "5158fb8da162e3982940f30cd01ed77bdf42c6fc",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"lessThan": "420c84c330d1688b8c764479e5738bbdbf0a33de",
"status": "affected",
"version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
"versionType": "git"
},
{
"status": "affected",
"version": "d2d6b530d89b0a912148018027386aa049f0a309",
"versionType": "git"
},
{
"status": "affected",
"version": "e2a521a7dcc463c5017b4426ca0804e151faeff7",
"versionType": "git"
},
{
"status": "affected",
"version": "7f77dcbc030c2faa6d8e8a594985eeb34018409e",
"versionType": "git"
},
{
"status": "affected",
"version": "d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f",
"versionType": "git"
},
{
"status": "affected",
"version": "db3b738ae5f726204876f4303c49cfdf4311403f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.211",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.326",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Prevents free active kevent\n\nThe root cause of this issue are:\n1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);\nput the kevent work in global workqueue. However, the kevent has not yet\nbeen scheduled when the usbnet device is unregistered. Therefore, executing\nfree_netdev() results in the \"free active object (kevent)\" error reported\nhere.\n\n2. Another factor is that when calling usbnet_disconnect()-\u003eunregister_netdev(),\nif the usbnet device is up, ndo_stop() is executed to cancel the kevent.\nHowever, because the device is not up, ndo_stop() is not executed.\n\nThe solution to this problem is to cancel the kevent before executing\nfree_netdev()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:39:43.174Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/285d4b953f2ca03c358f986718dd89ee9bde632e"
},
{
"url": "https://git.kernel.org/stable/c/88a38b135d69f5db9024ff6527232f1b51be8915"
},
{
"url": "https://git.kernel.org/stable/c/43005002b60ef3424719ecda16d124714b45da3b"
},
{
"url": "https://git.kernel.org/stable/c/3a10619fdefd3051aeb14860e4d4335529b4e94d"
},
{
"url": "https://git.kernel.org/stable/c/9a579d6a39513069d298eee70770bbac8a148565"
},
{
"url": "https://git.kernel.org/stable/c/2ce1de32e05445d77fc056f6ff8339cfb78a5f84"
},
{
"url": "https://git.kernel.org/stable/c/5158fb8da162e3982940f30cd01ed77bdf42c6fc"
},
{
"url": "https://git.kernel.org/stable/c/420c84c330d1688b8c764479e5738bbdbf0a33de"
}
],
"title": "usbnet: Prevents free active kevent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68312",
"datePublished": "2025-12-16T15:39:43.174Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:39:43.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40135 (GCVE-0-2025-40135)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
ipv6: use RCU in ip6_xmit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU in ip6_xmit()
Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent
possible UAF.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7f9e924f23684b4b23cd9f976cceab24a968e34",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "9085e56501d93af9f2d7bd16f7fcfacdde47b99c",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU in ip6_xmit()\n\nUse RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent\npossible UAF."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:42.191Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7f9e924f23684b4b23cd9f976cceab24a968e34"
},
{
"url": "https://git.kernel.org/stable/c/9085e56501d93af9f2d7bd16f7fcfacdde47b99c"
}
],
"title": "ipv6: use RCU in ip6_xmit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40135",
"datePublished": "2025-11-12T10:23:23.051Z",
"dateReserved": "2025-04-16T07:20:57.170Z",
"dateUpdated": "2025-12-01T06:18:42.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53818 (GCVE-0-2023-53818)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
VLAI?
EPSS
Title
ARM: zynq: Fix refcount leak in zynq_early_slcr_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: zynq: Fix refcount leak in zynq_early_slcr_init
of_find_compatible_node() returns a node pointer with refcount incremented,
we should use of_node_put() on error path.
Add missing of_node_put() to avoid refcount leak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3329659df0300d1d0aa22f5e7063f83a88ef92aa , < f00bc6727adf840eb208700ea27cda4f3742629d
(git)
Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < 351b7e93d02b50b2faae2d4bda28e16a8389cbb7 (git) Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < ede0334bf4df360f4f9446075cffbbb3bc54d0b6 (git) Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < 227f8c1c5c4b3d131b66e57e58d38054f441b915 (git) Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < 1cc12d10d13ae5ad8d3f7432a4c0156d221fc99b (git) Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < e43a06c73be4b93d308f0df809ee0023b7c37b54 (git) Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < 4c22ee805202087c2553c9175968e9e922d75bc1 (git) Affected: 3329659df0300d1d0aa22f5e7063f83a88ef92aa , < 9eedb910a3be0005b88c696a8552c0d4c9937cd4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-zynq/slcr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f00bc6727adf840eb208700ea27cda4f3742629d",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "351b7e93d02b50b2faae2d4bda28e16a8389cbb7",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "ede0334bf4df360f4f9446075cffbbb3bc54d0b6",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "227f8c1c5c4b3d131b66e57e58d38054f441b915",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "1cc12d10d13ae5ad8d3f7432a4c0156d221fc99b",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "e43a06c73be4b93d308f0df809ee0023b7c37b54",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "4c22ee805202087c2553c9175968e9e922d75bc1",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
},
{
"lessThan": "9eedb910a3be0005b88c696a8552c0d4c9937cd4",
"status": "affected",
"version": "3329659df0300d1d0aa22f5e7063f83a88ef92aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-zynq/slcr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: zynq: Fix refcount leak in zynq_early_slcr_init\n\nof_find_compatible_node() returns a node pointer with refcount incremented,\nwe should use of_node_put() on error path.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:16.630Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f00bc6727adf840eb208700ea27cda4f3742629d"
},
{
"url": "https://git.kernel.org/stable/c/351b7e93d02b50b2faae2d4bda28e16a8389cbb7"
},
{
"url": "https://git.kernel.org/stable/c/ede0334bf4df360f4f9446075cffbbb3bc54d0b6"
},
{
"url": "https://git.kernel.org/stable/c/227f8c1c5c4b3d131b66e57e58d38054f441b915"
},
{
"url": "https://git.kernel.org/stable/c/1cc12d10d13ae5ad8d3f7432a4c0156d221fc99b"
},
{
"url": "https://git.kernel.org/stable/c/e43a06c73be4b93d308f0df809ee0023b7c37b54"
},
{
"url": "https://git.kernel.org/stable/c/4c22ee805202087c2553c9175968e9e922d75bc1"
},
{
"url": "https://git.kernel.org/stable/c/9eedb910a3be0005b88c696a8552c0d4c9937cd4"
}
],
"title": "ARM: zynq: Fix refcount leak in zynq_early_slcr_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53818",
"datePublished": "2025-12-09T00:01:16.630Z",
"dateReserved": "2025-12-08T23:58:35.277Z",
"dateUpdated": "2025-12-09T00:01:16.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54046 (GCVE-0-2023-54046)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
crypto: essiv - Handle EBUSY correctly
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: essiv - Handle EBUSY correctly
As it is essiv only handles the special return value of EINPROGERSS,
which means that in all other cases it will free data related to the
request.
However, as the caller of essiv may specify MAY_BACKLOG, we also need
to expect EBUSY and treat it in the same way. Otherwise backlogged
requests will trigger a use-after-free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < c61e7d182ee3f3f5ecf18a2964e303d49c539b52
(git)
Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 796e02cca30a67322161f0745e5ce994bbe75605 (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 840a1d3b77c1b062bd62b4733969a5b1efc274ce (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < a006aa3eedb8bfd6fe317c3cfe9c86ffe76b2385 (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 69c67d451fc19d88e54f7d97e8e7c093e08357e1 (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < b5a772adf45a32c68bef28e60621f12617161556 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/essiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c61e7d182ee3f3f5ecf18a2964e303d49c539b52",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "796e02cca30a67322161f0745e5ce994bbe75605",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "840a1d3b77c1b062bd62b4733969a5b1efc274ce",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "a006aa3eedb8bfd6fe317c3cfe9c86ffe76b2385",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "69c67d451fc19d88e54f7d97e8e7c093e08357e1",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "b5a772adf45a32c68bef28e60621f12617161556",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/essiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: essiv - Handle EBUSY correctly\n\nAs it is essiv only handles the special return value of EINPROGERSS,\nwhich means that in all other cases it will free data related to the\nrequest.\n\nHowever, as the caller of essiv may specify MAY_BACKLOG, we also need\nto expect EBUSY and treat it in the same way. Otherwise backlogged\nrequests will trigger a use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:57.416Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c61e7d182ee3f3f5ecf18a2964e303d49c539b52"
},
{
"url": "https://git.kernel.org/stable/c/796e02cca30a67322161f0745e5ce994bbe75605"
},
{
"url": "https://git.kernel.org/stable/c/840a1d3b77c1b062bd62b4733969a5b1efc274ce"
},
{
"url": "https://git.kernel.org/stable/c/a006aa3eedb8bfd6fe317c3cfe9c86ffe76b2385"
},
{
"url": "https://git.kernel.org/stable/c/69c67d451fc19d88e54f7d97e8e7c093e08357e1"
},
{
"url": "https://git.kernel.org/stable/c/b5a772adf45a32c68bef28e60621f12617161556"
}
],
"title": "crypto: essiv - Handle EBUSY correctly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54046",
"datePublished": "2025-12-24T12:22:57.416Z",
"dateReserved": "2025-12-24T12:21:05.089Z",
"dateUpdated": "2025-12-24T12:22:57.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50740 (GCVE-0-2022-50740)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
Syzkaller reports a long-known leak of urbs in
ath9k_hif_usb_dealloc_tx_urbs().
The cause of the leak is that usb_get_urb() is called but usb_free_urb()
(or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or
urb->ep fields have not been initialized and usb_kill_urb() returns
immediately.
The patch removes trying to kill urbs located in hif_dev->tx.tx_buf
because hif_dev->tx.tx_buf is not supposed to contain urbs which are in
pending state (the pending urbs are stored in hif_dev->tx.tx_pending).
The tx.tx_lock is acquired so there should not be any changes in the list.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6f0706ef39fecc6bf56d67728fe0c94e26b43e9d , < 134ae5eba41294eff76e4be20d6001b8f0192207
(git)
Affected: 795d57a558d106b8a5bc2bd7aeaf707d9a099244 , < 472312fef2b9eccaa03bd59e0ab2527da945e736 (git) Affected: df4318440c1568b7dedc5f7d4e617d0e297a1313 , < eddbb8f7620f9f8008b090a6e10c460074ca575a (git) Affected: a9990ed2d7ca9339d37c7f67d6f5cb298c3f1b34 , < 9850791d389b342ae6e573fe8198db0b4d338352 (git) Affected: 03fb92a432ea5abe5909bca1455b7e44a9380480 , < c3fb3e9a2c0c1a0fa492d90eb19bcfa92a5f884d (git) Affected: 03fb92a432ea5abe5909bca1455b7e44a9380480 , < d856f7574bcc1d81de565a857caf32f122cd7ce0 (git) Affected: 03fb92a432ea5abe5909bca1455b7e44a9380480 , < c05189a429fdb371dd455c3c466d67ac2ebff152 (git) Affected: 03fb92a432ea5abe5909bca1455b7e44a9380480 , < 08aa0537ec8cf29ceccae98acc1a534fc12598c1 (git) Affected: 03fb92a432ea5abe5909bca1455b7e44a9380480 , < c2a94de38c74e86f49124ac14f093d6a5c377a90 (git) Affected: b92e116ae36f498858dbb18e29a066c3f5348965 (git) Affected: 7f5972267295fe49f8da8eb42bc2eb3d140860c0 (git) Affected: 2d72d5ce63c92f56b9f978e8befb5838144176b9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "134ae5eba41294eff76e4be20d6001b8f0192207",
"status": "affected",
"version": "6f0706ef39fecc6bf56d67728fe0c94e26b43e9d",
"versionType": "git"
},
{
"lessThan": "472312fef2b9eccaa03bd59e0ab2527da945e736",
"status": "affected",
"version": "795d57a558d106b8a5bc2bd7aeaf707d9a099244",
"versionType": "git"
},
{
"lessThan": "eddbb8f7620f9f8008b090a6e10c460074ca575a",
"status": "affected",
"version": "df4318440c1568b7dedc5f7d4e617d0e297a1313",
"versionType": "git"
},
{
"lessThan": "9850791d389b342ae6e573fe8198db0b4d338352",
"status": "affected",
"version": "a9990ed2d7ca9339d37c7f67d6f5cb298c3f1b34",
"versionType": "git"
},
{
"lessThan": "c3fb3e9a2c0c1a0fa492d90eb19bcfa92a5f884d",
"status": "affected",
"version": "03fb92a432ea5abe5909bca1455b7e44a9380480",
"versionType": "git"
},
{
"lessThan": "d856f7574bcc1d81de565a857caf32f122cd7ce0",
"status": "affected",
"version": "03fb92a432ea5abe5909bca1455b7e44a9380480",
"versionType": "git"
},
{
"lessThan": "c05189a429fdb371dd455c3c466d67ac2ebff152",
"status": "affected",
"version": "03fb92a432ea5abe5909bca1455b7e44a9380480",
"versionType": "git"
},
{
"lessThan": "08aa0537ec8cf29ceccae98acc1a534fc12598c1",
"status": "affected",
"version": "03fb92a432ea5abe5909bca1455b7e44a9380480",
"versionType": "git"
},
{
"lessThan": "c2a94de38c74e86f49124ac14f093d6a5c377a90",
"status": "affected",
"version": "03fb92a432ea5abe5909bca1455b7e44a9380480",
"versionType": "git"
},
{
"status": "affected",
"version": "b92e116ae36f498858dbb18e29a066c3f5348965",
"versionType": "git"
},
{
"status": "affected",
"version": "7f5972267295fe49f8da8eb42bc2eb3d140860c0",
"versionType": "git"
},
{
"status": "affected",
"version": "2d72d5ce63c92f56b9f978e8befb5838144176b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/hif_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.9.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14.203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()\n\nSyzkaller reports a long-known leak of urbs in\nath9k_hif_usb_dealloc_tx_urbs().\n\nThe cause of the leak is that usb_get_urb() is called but usb_free_urb()\n(or usb_put_urb()) is not called inside usb_kill_urb() as urb-\u003edev or\nurb-\u003eep fields have not been initialized and usb_kill_urb() returns\nimmediately.\n\nThe patch removes trying to kill urbs located in hif_dev-\u003etx.tx_buf\nbecause hif_dev-\u003etx.tx_buf is not supposed to contain urbs which are in\npending state (the pending urbs are stored in hif_dev-\u003etx.tx_pending).\nThe tx.tx_lock is acquired so there should not be any changes in the list.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:38.150Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/134ae5eba41294eff76e4be20d6001b8f0192207"
},
{
"url": "https://git.kernel.org/stable/c/472312fef2b9eccaa03bd59e0ab2527da945e736"
},
{
"url": "https://git.kernel.org/stable/c/eddbb8f7620f9f8008b090a6e10c460074ca575a"
},
{
"url": "https://git.kernel.org/stable/c/9850791d389b342ae6e573fe8198db0b4d338352"
},
{
"url": "https://git.kernel.org/stable/c/c3fb3e9a2c0c1a0fa492d90eb19bcfa92a5f884d"
},
{
"url": "https://git.kernel.org/stable/c/d856f7574bcc1d81de565a857caf32f122cd7ce0"
},
{
"url": "https://git.kernel.org/stable/c/c05189a429fdb371dd455c3c466d67ac2ebff152"
},
{
"url": "https://git.kernel.org/stable/c/08aa0537ec8cf29ceccae98acc1a534fc12598c1"
},
{
"url": "https://git.kernel.org/stable/c/c2a94de38c74e86f49124ac14f093d6a5c377a90"
}
],
"title": "wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50740",
"datePublished": "2025-12-24T13:05:38.150Z",
"dateReserved": "2025-12-24T13:02:21.542Z",
"dateUpdated": "2025-12-24T13:05:38.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54317 (GCVE-0-2023-54317)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
dm flakey: don't corrupt the zero page
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm flakey: don't corrupt the zero page
When we need to zero some range on a block device, the function
__blkdev_issue_zero_pages submits a write bio with the bio vector pointing
to the zero page. If we use dm-flakey with corrupt bio writes option, it
will corrupt the content of the zero page which results in crashes of
various userspace programs. Glibc assumes that memory returned by mmap is
zeroed and it uses it for calloc implementation; if the newly mapped
memory is not zeroed, calloc will return non-zeroed memory.
Fix this bug by testing if the page is equal to ZERO_PAGE(0) and
avoiding the corruption in this case.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c6cd92fcabd6cc78bb1808c6a18245c842722fc1 , < b7f8892f672222dbfcc721f51edc03963212b249
(git)
Affected: d4c637af2e56ee1ec66ee34d0ac5a13c75911aec , < 98e311be44dbe31ad9c42aa067b2359bac451fda (git) Affected: a00f5276e26636cbf72f24f79831026d2e2868e7 , < 3c4a56ef7c538d16c1738ba0ccea9e7146105b5a (git) Affected: a00f5276e26636cbf72f24f79831026d2e2868e7 , < f2b478228bfdd11e358c5bc197561331f5d5c394 (git) Affected: a00f5276e26636cbf72f24f79831026d2e2868e7 , < ff60b2bb680ebcaf8890814dd51084a022891469 (git) Affected: a00f5276e26636cbf72f24f79831026d2e2868e7 , < be360c83f2d810493c04f999d69ec9152981e0c0 (git) Affected: a00f5276e26636cbf72f24f79831026d2e2868e7 , < 63d31617883d64b43b0e2d529f0751f40713ecae (git) Affected: a00f5276e26636cbf72f24f79831026d2e2868e7 , < f50714b57aecb6b3dc81d578e295f86d9c73f078 (git) Affected: 1ed7c9f45fb893877ffa7cedd7aa61beaadbb328 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-flakey.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7f8892f672222dbfcc721f51edc03963212b249",
"status": "affected",
"version": "c6cd92fcabd6cc78bb1808c6a18245c842722fc1",
"versionType": "git"
},
{
"lessThan": "98e311be44dbe31ad9c42aa067b2359bac451fda",
"status": "affected",
"version": "d4c637af2e56ee1ec66ee34d0ac5a13c75911aec",
"versionType": "git"
},
{
"lessThan": "3c4a56ef7c538d16c1738ba0ccea9e7146105b5a",
"status": "affected",
"version": "a00f5276e26636cbf72f24f79831026d2e2868e7",
"versionType": "git"
},
{
"lessThan": "f2b478228bfdd11e358c5bc197561331f5d5c394",
"status": "affected",
"version": "a00f5276e26636cbf72f24f79831026d2e2868e7",
"versionType": "git"
},
{
"lessThan": "ff60b2bb680ebcaf8890814dd51084a022891469",
"status": "affected",
"version": "a00f5276e26636cbf72f24f79831026d2e2868e7",
"versionType": "git"
},
{
"lessThan": "be360c83f2d810493c04f999d69ec9152981e0c0",
"status": "affected",
"version": "a00f5276e26636cbf72f24f79831026d2e2868e7",
"versionType": "git"
},
{
"lessThan": "63d31617883d64b43b0e2d529f0751f40713ecae",
"status": "affected",
"version": "a00f5276e26636cbf72f24f79831026d2e2868e7",
"versionType": "git"
},
{
"lessThan": "f50714b57aecb6b3dc81d578e295f86d9c73f078",
"status": "affected",
"version": "a00f5276e26636cbf72f24f79831026d2e2868e7",
"versionType": "git"
},
{
"status": "affected",
"version": "1ed7c9f45fb893877ffa7cedd7aa61beaadbb328",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-flakey.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "4.14.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.19.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.206",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm flakey: don\u0027t corrupt the zero page\n\nWhen we need to zero some range on a block device, the function\n__blkdev_issue_zero_pages submits a write bio with the bio vector pointing\nto the zero page. If we use dm-flakey with corrupt bio writes option, it\nwill corrupt the content of the zero page which results in crashes of\nvarious userspace programs. Glibc assumes that memory returned by mmap is\nzeroed and it uses it for calloc implementation; if the newly mapped\nmemory is not zeroed, calloc will return non-zeroed memory.\n\nFix this bug by testing if the page is equal to ZERO_PAGE(0) and\navoiding the corruption in this case."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:47.232Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7f8892f672222dbfcc721f51edc03963212b249"
},
{
"url": "https://git.kernel.org/stable/c/98e311be44dbe31ad9c42aa067b2359bac451fda"
},
{
"url": "https://git.kernel.org/stable/c/3c4a56ef7c538d16c1738ba0ccea9e7146105b5a"
},
{
"url": "https://git.kernel.org/stable/c/f2b478228bfdd11e358c5bc197561331f5d5c394"
},
{
"url": "https://git.kernel.org/stable/c/ff60b2bb680ebcaf8890814dd51084a022891469"
},
{
"url": "https://git.kernel.org/stable/c/be360c83f2d810493c04f999d69ec9152981e0c0"
},
{
"url": "https://git.kernel.org/stable/c/63d31617883d64b43b0e2d529f0751f40713ecae"
},
{
"url": "https://git.kernel.org/stable/c/f50714b57aecb6b3dc81d578e295f86d9c73f078"
}
],
"title": "dm flakey: don\u0027t corrupt the zero page",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54317",
"datePublished": "2025-12-30T12:23:47.232Z",
"dateReserved": "2025-12-30T12:06:44.531Z",
"dateUpdated": "2025-12-30T12:23:47.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39890 (GCVE-0-2025-39890)
Vulnerability from cvelistv5 – Published: 2025-09-24 11:02 – Updated: 2026-01-14 17:35
VLAI?
EPSS
Title
wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event
Currently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps
is not freed in the failure case, causing a memory leak. The following
trace is observed in kmemleak:
unreferenced object 0xffff8b3eb5789c00 (size 1024):
comm "softirq", pid 0, jiffies 4294942577
hex dump (first 32 bytes):
00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{...
01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8..
backtrace (crc 44e1c357):
__kmalloc_noprof+0x30b/0x410
ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k]
ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]
ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k]
ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]
ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k]
ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k]
ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k]
ath12k_ce_recv_process_cb+0x218/0x300 [ath12k]
ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k]
process_one_work+0x219/0x680
bh_worker+0x198/0x1f0
tasklet_action+0x13/0x30
handle_softirqs+0xca/0x460
__irq_exit_rcu+0xbe/0x110
irq_exit_rcu+0x9/0x30
Free svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Severity ?
5.5 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 99dbad1b01d3b2f361a9db55c1af1212be497a3d
(git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 3a392f874ac83a77ad0e53eb8aafdbeb787c9298 (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 1089f65b2de78c7837ef6b4f26146a5a5b0b9749 (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 89142d34d5602c7447827beb181fa06eb08b9d5c (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-39890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T17:35:11.239595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:35:29.384Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99dbad1b01d3b2f361a9db55c1af1212be497a3d",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "3a392f874ac83a77ad0e53eb8aafdbeb787c9298",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "1089f65b2de78c7837ef6b4f26146a5a5b0b9749",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "89142d34d5602c7447827beb181fa06eb08b9d5c",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix memory leak in ath12k_service_ready_ext_event\n\nCurrently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps\nis not freed in the failure case, causing a memory leak. The following\ntrace is observed in kmemleak:\n\nunreferenced object 0xffff8b3eb5789c00 (size 1024):\n comm \"softirq\", pid 0, jiffies 4294942577\n hex dump (first 32 bytes):\n 00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{...\n 01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8..\n backtrace (crc 44e1c357):\n __kmalloc_noprof+0x30b/0x410\n ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k]\n ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]\n ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k]\n ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]\n ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k]\n ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k]\n ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k]\n ath12k_ce_recv_process_cb+0x218/0x300 [ath12k]\n ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k]\n process_one_work+0x219/0x680\n bh_worker+0x198/0x1f0\n tasklet_action+0x13/0x30\n handle_softirqs+0xca/0x460\n __irq_exit_rcu+0xbe/0x110\n irq_exit_rcu+0x9/0x30\n\nFree svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T11:02:53.539Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99dbad1b01d3b2f361a9db55c1af1212be497a3d"
},
{
"url": "https://git.kernel.org/stable/c/3a392f874ac83a77ad0e53eb8aafdbeb787c9298"
},
{
"url": "https://git.kernel.org/stable/c/1089f65b2de78c7837ef6b4f26146a5a5b0b9749"
},
{
"url": "https://git.kernel.org/stable/c/89142d34d5602c7447827beb181fa06eb08b9d5c"
}
],
"title": "wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39890",
"datePublished": "2025-09-24T11:02:53.539Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2026-01-14T17:35:29.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54084 (GCVE-0-2023-54084)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
ALSA: firewire-digi00x: prevent potential use after free
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-digi00x: prevent potential use after free
This code was supposed to return an error code if init_stream()
failed, but it instead freed dg00x->rx_stream and returned success.
This potentially leads to a use after free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9a08067ec318cbeaf0caa2d104cf677e723e02a3 , < 5009aead17f060753428e249eb0246eb1c2f8b86
(git)
Affected: 9a08067ec318cbeaf0caa2d104cf677e723e02a3 , < 13c5fa1248bf06e95a25907c1be83948b8c44c50 (git) Affected: 9a08067ec318cbeaf0caa2d104cf677e723e02a3 , < bbb5ac533ca6c4e2775a95388c9c0c610bb442b7 (git) Affected: 9a08067ec318cbeaf0caa2d104cf677e723e02a3 , < ee1a221d947809c0308f27567c07a3ac93406057 (git) Affected: 9a08067ec318cbeaf0caa2d104cf677e723e02a3 , < 67148395efa2c1fb20e98fca359b20e7a6c81fe4 (git) Affected: 9a08067ec318cbeaf0caa2d104cf677e723e02a3 , < c0e72058d5e21982e61a29de6b098f7c1f0db498 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/digi00x/digi00x-stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5009aead17f060753428e249eb0246eb1c2f8b86",
"status": "affected",
"version": "9a08067ec318cbeaf0caa2d104cf677e723e02a3",
"versionType": "git"
},
{
"lessThan": "13c5fa1248bf06e95a25907c1be83948b8c44c50",
"status": "affected",
"version": "9a08067ec318cbeaf0caa2d104cf677e723e02a3",
"versionType": "git"
},
{
"lessThan": "bbb5ac533ca6c4e2775a95388c9c0c610bb442b7",
"status": "affected",
"version": "9a08067ec318cbeaf0caa2d104cf677e723e02a3",
"versionType": "git"
},
{
"lessThan": "ee1a221d947809c0308f27567c07a3ac93406057",
"status": "affected",
"version": "9a08067ec318cbeaf0caa2d104cf677e723e02a3",
"versionType": "git"
},
{
"lessThan": "67148395efa2c1fb20e98fca359b20e7a6c81fe4",
"status": "affected",
"version": "9a08067ec318cbeaf0caa2d104cf677e723e02a3",
"versionType": "git"
},
{
"lessThan": "c0e72058d5e21982e61a29de6b098f7c1f0db498",
"status": "affected",
"version": "9a08067ec318cbeaf0caa2d104cf677e723e02a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/digi00x/digi00x-stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-digi00x: prevent potential use after free\n\nThis code was supposed to return an error code if init_stream()\nfailed, but it instead freed dg00x-\u003erx_stream and returned success.\nThis potentially leads to a use after free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:15.460Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5009aead17f060753428e249eb0246eb1c2f8b86"
},
{
"url": "https://git.kernel.org/stable/c/13c5fa1248bf06e95a25907c1be83948b8c44c50"
},
{
"url": "https://git.kernel.org/stable/c/bbb5ac533ca6c4e2775a95388c9c0c610bb442b7"
},
{
"url": "https://git.kernel.org/stable/c/ee1a221d947809c0308f27567c07a3ac93406057"
},
{
"url": "https://git.kernel.org/stable/c/67148395efa2c1fb20e98fca359b20e7a6c81fe4"
},
{
"url": "https://git.kernel.org/stable/c/c0e72058d5e21982e61a29de6b098f7c1f0db498"
}
],
"title": "ALSA: firewire-digi00x: prevent potential use after free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54084",
"datePublished": "2025-12-24T13:06:15.460Z",
"dateReserved": "2025-12-24T13:02:52.515Z",
"dateUpdated": "2025-12-24T13:06:15.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54326 (GCVE-0-2023-54326)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37
VLAI?
EPSS
Title
misc: pci_endpoint_test: Free IRQs before removing the device
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: pci_endpoint_test: Free IRQs before removing the device
In pci_endpoint_test_remove(), freeing the IRQs after removing the device
creates a small race window for IRQs to be received with the test device
memory already released, causing the IRQ handler to access invalid memory,
resulting in an oops.
Free the device IRQs before removing the device to avoid this issue.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < fb7f8bdb886f2ebf35ee5edaf2bf5f02b063ddb7
(git)
Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < dd2210379205fcd23a9d8869b0cef90e3770577c (git) Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < cdf9a7e2cdc7a5464e3cc6d0b715ba2b1d215521 (git) Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < 14bdee38e96c7d37ca15e7bea50411eee25fe315 (git) Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < c2dba13bc0c62b79a3cbe4bfe5faa32231bf9b55 (git) Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < 38d12bcf4e2ce3d285eb29644a79a54f42040fab (git) Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < f61b7634a3249d12b9daa36ffbdb9965b6f24c6c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/pci_endpoint_test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb7f8bdb886f2ebf35ee5edaf2bf5f02b063ddb7",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "dd2210379205fcd23a9d8869b0cef90e3770577c",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "cdf9a7e2cdc7a5464e3cc6d0b715ba2b1d215521",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "14bdee38e96c7d37ca15e7bea50411eee25fe315",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "c2dba13bc0c62b79a3cbe4bfe5faa32231bf9b55",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "38d12bcf4e2ce3d285eb29644a79a54f42040fab",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
},
{
"lessThan": "f61b7634a3249d12b9daa36ffbdb9965b6f24c6c",
"status": "affected",
"version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/pci_endpoint_test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: pci_endpoint_test: Free IRQs before removing the device\n\nIn pci_endpoint_test_remove(), freeing the IRQs after removing the device\ncreates a small race window for IRQs to be received with the test device\nmemory already released, causing the IRQ handler to access invalid memory,\nresulting in an oops.\n\nFree the device IRQs before removing the device to avoid this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:37:09.698Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb7f8bdb886f2ebf35ee5edaf2bf5f02b063ddb7"
},
{
"url": "https://git.kernel.org/stable/c/dd2210379205fcd23a9d8869b0cef90e3770577c"
},
{
"url": "https://git.kernel.org/stable/c/cdf9a7e2cdc7a5464e3cc6d0b715ba2b1d215521"
},
{
"url": "https://git.kernel.org/stable/c/14bdee38e96c7d37ca15e7bea50411eee25fe315"
},
{
"url": "https://git.kernel.org/stable/c/c2dba13bc0c62b79a3cbe4bfe5faa32231bf9b55"
},
{
"url": "https://git.kernel.org/stable/c/38d12bcf4e2ce3d285eb29644a79a54f42040fab"
},
{
"url": "https://git.kernel.org/stable/c/f61b7634a3249d12b9daa36ffbdb9965b6f24c6c"
}
],
"title": "misc: pci_endpoint_test: Free IRQs before removing the device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54326",
"datePublished": "2025-12-30T12:37:09.698Z",
"dateReserved": "2025-12-30T12:35:56.209Z",
"dateUpdated": "2025-12-30T12:37:09.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54039 (GCVE-0-2023-54039)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access
could occur during the memcpy() operation if the size of skb->cb is
larger than the size of struct j1939_sk_buff_cb. This is because the
memcpy() operation uses the size of skb->cb, leading to a read beyond
the struct j1939_sk_buff_cb.
Updated the memcpy() operation to use the size of struct
j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the
memcpy() operation only reads the memory within the bounds of struct
j1939_sk_buff_cb, preventing out-of-bounds memory access.
Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb
is greater than or equal to the size of struct j1939_sk_buff_cb. This
ensures that the skb->cb buffer is large enough to hold the
j1939_sk_buff_cb structure.
[mkl: rephrase commit message]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9d71dd0c70099914fcd063135da3c580865e924c , < d2136f05690c272dfc9f9d6efcc51d5f53494b33
(git)
Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 70caa596d158a5d84b117f722d58f3ea503a5ba9 (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 4fe1d9b6231a68ffc91318f57fd8e4982f028cf7 (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 4c3fb22a6ec68258ee129a2e6b720f43dffc562f (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < 36befc9aed6202b4a9b906529aea13eacd7e34ff (git) Affected: 9d71dd0c70099914fcd063135da3c580865e924c , < b45193cb4df556fe6251b285a5ce44046dd36b4a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2136f05690c272dfc9f9d6efcc51d5f53494b33",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "70caa596d158a5d84b117f722d58f3ea503a5ba9",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "4fe1d9b6231a68ffc91318f57fd8e4982f028cf7",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "4c3fb22a6ec68258ee129a2e6b720f43dffc562f",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "36befc9aed6202b4a9b906529aea13eacd7e34ff",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "b45193cb4df556fe6251b285a5ce44046dd36b4a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access\n\nIn the j1939_tp_tx_dat_new() function, an out-of-bounds memory access\ncould occur during the memcpy() operation if the size of skb-\u003ecb is\nlarger than the size of struct j1939_sk_buff_cb. This is because the\nmemcpy() operation uses the size of skb-\u003ecb, leading to a read beyond\nthe struct j1939_sk_buff_cb.\n\nUpdated the memcpy() operation to use the size of struct\nj1939_sk_buff_cb instead of the size of skb-\u003ecb. This ensures that the\nmemcpy() operation only reads the memory within the bounds of struct\nj1939_sk_buff_cb, preventing out-of-bounds memory access.\n\nAdditionally, add a BUILD_BUG_ON() to check that the size of skb-\u003ecb\nis greater than or equal to the size of struct j1939_sk_buff_cb. This\nensures that the skb-\u003ecb buffer is large enough to hold the\nj1939_sk_buff_cb structure.\n\n[mkl: rephrase commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:05.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2136f05690c272dfc9f9d6efcc51d5f53494b33"
},
{
"url": "https://git.kernel.org/stable/c/70caa596d158a5d84b117f722d58f3ea503a5ba9"
},
{
"url": "https://git.kernel.org/stable/c/4fe1d9b6231a68ffc91318f57fd8e4982f028cf7"
},
{
"url": "https://git.kernel.org/stable/c/4c3fb22a6ec68258ee129a2e6b720f43dffc562f"
},
{
"url": "https://git.kernel.org/stable/c/36befc9aed6202b4a9b906529aea13eacd7e34ff"
},
{
"url": "https://git.kernel.org/stable/c/b45193cb4df556fe6251b285a5ce44046dd36b4a"
}
],
"title": "can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54039",
"datePublished": "2025-12-24T10:56:05.365Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:05.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68255 (GCVE-0-2025-68255)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.
Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.
This prevents kernel stack corruption triggered by malformed association
requests.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 49b7806851f93fd342838c93f4f765e0cc5029b0
(git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 4445adedae770037078803d1ce41f9e88a1944b6 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 34620eb602aa432f090b2b784ee5c5070fb16cf9 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 61871c83259a511980ec2664964cecc69005398b (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 25411f5fcf5743131158f337c99c2bbf3f8477f5 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < e841d8ea722315b781c4fc5bf4f7670fbca88875 (git) Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49b7806851f93fd342838c93f4f765e0cc5029b0",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "4445adedae770037078803d1ce41f9e88a1944b6",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "34620eb602aa432f090b2b784ee5c5070fb16cf9",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "61871c83259a511980ec2664964cecc69005398b",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "25411f5fcf5743131158f337c99c2bbf3f8477f5",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "e841d8ea722315b781c4fc5bf4f7670fbca88875",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
},
{
"lessThan": "6ef0e1c10455927867cac8f0ed6b49f328f8cf95",
"status": "affected",
"version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing\n\nThe Supported Rates IE length from an incoming Association Request frame\nwas used directly as the memcpy() length when copying into a fixed-size\n16-byte stack buffer (supportRate). A malicious station can advertise an\nIE length larger than 16 bytes, causing a stack buffer overflow.\n\nClamp ie_len to the buffer size before copying the Supported Rates IE,\nand correct the bounds check when merging Extended Supported Rates to\nprevent a second potential overflow.\n\nThis prevents kernel stack corruption triggered by malformed association\nrequests."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:09.263Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49b7806851f93fd342838c93f4f765e0cc5029b0"
},
{
"url": "https://git.kernel.org/stable/c/4445adedae770037078803d1ce41f9e88a1944b6"
},
{
"url": "https://git.kernel.org/stable/c/d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0"
},
{
"url": "https://git.kernel.org/stable/c/34620eb602aa432f090b2b784ee5c5070fb16cf9"
},
{
"url": "https://git.kernel.org/stable/c/61871c83259a511980ec2664964cecc69005398b"
},
{
"url": "https://git.kernel.org/stable/c/25411f5fcf5743131158f337c99c2bbf3f8477f5"
},
{
"url": "https://git.kernel.org/stable/c/e841d8ea722315b781c4fc5bf4f7670fbca88875"
},
{
"url": "https://git.kernel.org/stable/c/6ef0e1c10455927867cac8f0ed6b49f328f8cf95"
}
],
"title": "staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68255",
"datePublished": "2025-12-16T14:44:58.031Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-01-19T12:18:09.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50751 (GCVE-0-2022-50751)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
configfs: fix possible memory leak in configfs_create_dir()
Summary
In the Linux kernel, the following vulnerability has been resolved:
configfs: fix possible memory leak in configfs_create_dir()
kmemleak reported memory leaks in configfs_create_dir():
unreferenced object 0xffff888009f6af00 (size 192):
comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
backtrace:
kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163)
configfs_register_subsystem (fs/configfs/dir.c:1857)
basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
do_one_initcall (init/main.c:1296)
do_init_module (kernel/module/main.c:2455)
...
unreferenced object 0xffff888003ba7180 (size 96):
comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
backtrace:
kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194)
configfs_make_dirent (fs/configfs/dir.c:248)
configfs_create_dir (fs/configfs/dir.c:296)
configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852)
configfs_register_subsystem (fs/configfs/dir.c:1881)
basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
do_one_initcall (init/main.c:1296)
do_init_module (kernel/module/main.c:2455)
...
This is because the refcount is not correct in configfs_make_dirent().
For normal stage, the refcount is changing as:
configfs_register_subsystem()
configfs_create_dir()
configfs_make_dirent()
configfs_new_dirent() # set s_count = 1
dentry->d_fsdata = configfs_get(sd); # s_count = 2
...
configfs_unregister_subsystem()
configfs_remove_dir()
remove_dir()
configfs_remove_dirent() # s_count = 1
dput() ...
*dentry_unlink_inode()*
configfs_d_iput() # s_count = 0, release
However, if we failed in configfs_create():
configfs_register_subsystem()
configfs_create_dir()
configfs_make_dirent() # s_count = 2
...
configfs_create() # fail
->out_remove:
configfs_remove_dirent(dentry)
configfs_put(sd) # s_count = 1
return PTR_ERR(inode);
There is no inode in the error path, so the configfs_d_iput() is lost
and makes sd and fragment memory leaked.
To fix this, when we failed in configfs_create(), manually call
configfs_put(sd) to keep the refcount correct.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7063fbf2261194f72ee75afca67b3b38b554b5fa , < 90c38f57a821499391526b15cc944c265bd24e48
(git)
Affected: 7063fbf2261194f72ee75afca67b3b38b554b5fa , < 74ac7c9ee2d486c501e7864c903f5098fc477acd (git) Affected: 7063fbf2261194f72ee75afca67b3b38b554b5fa , < 07f82dca112262b169bec0001378126439cab776 (git) Affected: 7063fbf2261194f72ee75afca67b3b38b554b5fa , < 8bc77754224a2c8581727ffe2e958119b4e27c8f (git) Affected: 7063fbf2261194f72ee75afca67b3b38b554b5fa , < c72eb6e6e49a71f7598740786568fafdd013a227 (git) Affected: 7063fbf2261194f72ee75afca67b3b38b554b5fa , < c65234b283a65cfbfc94619655e820a5e55199eb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/configfs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90c38f57a821499391526b15cc944c265bd24e48",
"status": "affected",
"version": "7063fbf2261194f72ee75afca67b3b38b554b5fa",
"versionType": "git"
},
{
"lessThan": "74ac7c9ee2d486c501e7864c903f5098fc477acd",
"status": "affected",
"version": "7063fbf2261194f72ee75afca67b3b38b554b5fa",
"versionType": "git"
},
{
"lessThan": "07f82dca112262b169bec0001378126439cab776",
"status": "affected",
"version": "7063fbf2261194f72ee75afca67b3b38b554b5fa",
"versionType": "git"
},
{
"lessThan": "8bc77754224a2c8581727ffe2e958119b4e27c8f",
"status": "affected",
"version": "7063fbf2261194f72ee75afca67b3b38b554b5fa",
"versionType": "git"
},
{
"lessThan": "c72eb6e6e49a71f7598740786568fafdd013a227",
"status": "affected",
"version": "7063fbf2261194f72ee75afca67b3b38b554b5fa",
"versionType": "git"
},
{
"lessThan": "c65234b283a65cfbfc94619655e820a5e55199eb",
"status": "affected",
"version": "7063fbf2261194f72ee75afca67b3b38b554b5fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/configfs/dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nconfigfs: fix possible memory leak in configfs_create_dir()\n\nkmemleak reported memory leaks in configfs_create_dir():\n\nunreferenced object 0xffff888009f6af00 (size 192):\n comm \"modprobe\", pid 3777, jiffies 4295537735 (age 233.784s)\n backtrace:\n kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)\n new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163)\n configfs_register_subsystem (fs/configfs/dir.c:1857)\n basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic\n do_one_initcall (init/main.c:1296)\n do_init_module (kernel/module/main.c:2455)\n ...\n\nunreferenced object 0xffff888003ba7180 (size 96):\n comm \"modprobe\", pid 3777, jiffies 4295537735 (age 233.784s)\n backtrace:\n kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)\n configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194)\n configfs_make_dirent (fs/configfs/dir.c:248)\n configfs_create_dir (fs/configfs/dir.c:296)\n configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852)\n configfs_register_subsystem (fs/configfs/dir.c:1881)\n basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic\n do_one_initcall (init/main.c:1296)\n do_init_module (kernel/module/main.c:2455)\n ...\n\nThis is because the refcount is not correct in configfs_make_dirent().\nFor normal stage, the refcount is changing as:\n\nconfigfs_register_subsystem()\n configfs_create_dir()\n configfs_make_dirent()\n configfs_new_dirent() # set s_count = 1\n dentry-\u003ed_fsdata = configfs_get(sd); # s_count = 2\n...\nconfigfs_unregister_subsystem()\n configfs_remove_dir()\n remove_dir()\n configfs_remove_dirent() # s_count = 1\n dput() ...\n *dentry_unlink_inode()*\n configfs_d_iput() # s_count = 0, release\n\nHowever, if we failed in configfs_create():\n\nconfigfs_register_subsystem()\n configfs_create_dir()\n configfs_make_dirent() # s_count = 2\n ...\n configfs_create() # fail\n -\u003eout_remove:\n configfs_remove_dirent(dentry)\n configfs_put(sd) # s_count = 1\n return PTR_ERR(inode);\n\nThere is no inode in the error path, so the configfs_d_iput() is lost\nand makes sd and fragment memory leaked.\n\nTo fix this, when we failed in configfs_create(), manually call\nconfigfs_put(sd) to keep the refcount correct."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:46.159Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90c38f57a821499391526b15cc944c265bd24e48"
},
{
"url": "https://git.kernel.org/stable/c/74ac7c9ee2d486c501e7864c903f5098fc477acd"
},
{
"url": "https://git.kernel.org/stable/c/07f82dca112262b169bec0001378126439cab776"
},
{
"url": "https://git.kernel.org/stable/c/8bc77754224a2c8581727ffe2e958119b4e27c8f"
},
{
"url": "https://git.kernel.org/stable/c/c72eb6e6e49a71f7598740786568fafdd013a227"
},
{
"url": "https://git.kernel.org/stable/c/c65234b283a65cfbfc94619655e820a5e55199eb"
}
],
"title": "configfs: fix possible memory leak in configfs_create_dir()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50751",
"datePublished": "2025-12-24T13:05:46.159Z",
"dateReserved": "2025-12-24T13:02:21.544Z",
"dateUpdated": "2025-12-24T13:05:46.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54117 (GCVE-0-2023-54117)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
s390/dcssblk: fix kernel crash with list_add corruption
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/dcssblk: fix kernel crash with list_add corruption
Commit fb08a1908cb1 ("dax: simplify the dax_device <-> gendisk
association") introduced new logic for gendisk association, requiring
drivers to explicitly call dax_add_host() and dax_remove_host().
For dcssblk driver, some dax_remove_host() calls were missing, e.g. in
device remove path. The commit also broke error handling for out_dax case
in device add path, resulting in an extra put_device() w/o the previous
get_device() in that case.
This lead to stale xarray entries after device add / remove cycles. In the
case when a previously used struct gendisk pointer (xarray index) would be
used again, because blk_alloc_disk() happened to return such a pointer, the
xa_insert() in dax_add_host() would fail and go to out_dax, doing the extra
put_device() in the error path. In combination with an already flawed error
handling in dcssblk (device_register() cleanup), which needs to be
addressed in a separate patch, this resulted in a missing device_del() /
klist_del(), and eventually in the kernel crash with list_add corruption on
a subsequent device_add() / klist_add().
Fix this by adding the missing dax_remove_host() calls, and also move the
put_device() in the error path to restore the previous logic.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fb08a1908cb119a4585611d91461ab6d27756b14 , < 6489ec0107860345bc57dcde39e63dfb05ac5c11
(git)
Affected: fb08a1908cb119a4585611d91461ab6d27756b14 , < b7ad75c77349beb4983b9f27108d9b3f33ae1413 (git) Affected: fb08a1908cb119a4585611d91461ab6d27756b14 , < b5c531a9a7d8e047c90c909f09cef06a9f8e62f4 (git) Affected: fb08a1908cb119a4585611d91461ab6d27756b14 , < c8f40a0bccefd613748d080147469a4652d6e74c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/block/dcssblk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6489ec0107860345bc57dcde39e63dfb05ac5c11",
"status": "affected",
"version": "fb08a1908cb119a4585611d91461ab6d27756b14",
"versionType": "git"
},
{
"lessThan": "b7ad75c77349beb4983b9f27108d9b3f33ae1413",
"status": "affected",
"version": "fb08a1908cb119a4585611d91461ab6d27756b14",
"versionType": "git"
},
{
"lessThan": "b5c531a9a7d8e047c90c909f09cef06a9f8e62f4",
"status": "affected",
"version": "fb08a1908cb119a4585611d91461ab6d27756b14",
"versionType": "git"
},
{
"lessThan": "c8f40a0bccefd613748d080147469a4652d6e74c",
"status": "affected",
"version": "fb08a1908cb119a4585611d91461ab6d27756b14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/block/dcssblk.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dcssblk: fix kernel crash with list_add corruption\n\nCommit fb08a1908cb1 (\"dax: simplify the dax_device \u003c-\u003e gendisk\nassociation\") introduced new logic for gendisk association, requiring\ndrivers to explicitly call dax_add_host() and dax_remove_host().\n\nFor dcssblk driver, some dax_remove_host() calls were missing, e.g. in\ndevice remove path. The commit also broke error handling for out_dax case\nin device add path, resulting in an extra put_device() w/o the previous\nget_device() in that case.\n\nThis lead to stale xarray entries after device add / remove cycles. In the\ncase when a previously used struct gendisk pointer (xarray index) would be\nused again, because blk_alloc_disk() happened to return such a pointer, the\nxa_insert() in dax_add_host() would fail and go to out_dax, doing the extra\nput_device() in the error path. In combination with an already flawed error\nhandling in dcssblk (device_register() cleanup), which needs to be\naddressed in a separate patch, this resulted in a missing device_del() /\nklist_del(), and eventually in the kernel crash with list_add corruption on\na subsequent device_add() / klist_add().\n\nFix this by adding the missing dax_remove_host() calls, and also move the\nput_device() in the error path to restore the previous logic."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:38.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6489ec0107860345bc57dcde39e63dfb05ac5c11"
},
{
"url": "https://git.kernel.org/stable/c/b7ad75c77349beb4983b9f27108d9b3f33ae1413"
},
{
"url": "https://git.kernel.org/stable/c/b5c531a9a7d8e047c90c909f09cef06a9f8e62f4"
},
{
"url": "https://git.kernel.org/stable/c/c8f40a0bccefd613748d080147469a4652d6e74c"
}
],
"title": "s390/dcssblk: fix kernel crash with list_add corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54117",
"datePublished": "2025-12-24T13:06:38.311Z",
"dateReserved": "2025-12-24T13:02:52.520Z",
"dateUpdated": "2025-12-24T13:06:38.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50728 (GCVE-0-2022-50728)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
s390/lcs: Fix return type of lcs_start_xmit()
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/lcs: Fix return type of lcs_start_xmit()
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = lcs_start_xmit,
^~~~~~~~~~~~~~
drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = lcs_start_xmit,
^~~~~~~~~~~~~~
->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to
match the prototype's to resolve the warning and potential CFI failure,
should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dc1f8bf68b311b1537cb65893430b6796118498a , < 7b4da3fcd513b8e67823eb80da37aad99b3339c1
(git)
Affected: dc1f8bf68b311b1537cb65893430b6796118498a , < d49cc2b705711fb8fb849e7c660929b2100360b7 (git) Affected: dc1f8bf68b311b1537cb65893430b6796118498a , < e684215d8a903752e2b0cc946517fb61e57a880a (git) Affected: dc1f8bf68b311b1537cb65893430b6796118498a , < 20022d551f2064a194d8e0acb6cd7a85094a17b2 (git) Affected: dc1f8bf68b311b1537cb65893430b6796118498a , < ebc3c77785dc8b5b626309c0032a38fbb139287a (git) Affected: dc1f8bf68b311b1537cb65893430b6796118498a , < 5ad774fb823c24bbeb21a15a67103ea7a6f5b928 (git) Affected: dc1f8bf68b311b1537cb65893430b6796118498a , < 69669820844f81a77b6db24b86581320ae4d17af (git) Affected: dc1f8bf68b311b1537cb65893430b6796118498a , < cda74cdc280ba35c8993e7517bac5c257ff36f18 (git) Affected: dc1f8bf68b311b1537cb65893430b6796118498a , < bb16db8393658e0978c3f0d30ae069e878264fa3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/lcs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7b4da3fcd513b8e67823eb80da37aad99b3339c1",
"status": "affected",
"version": "dc1f8bf68b311b1537cb65893430b6796118498a",
"versionType": "git"
},
{
"lessThan": "d49cc2b705711fb8fb849e7c660929b2100360b7",
"status": "affected",
"version": "dc1f8bf68b311b1537cb65893430b6796118498a",
"versionType": "git"
},
{
"lessThan": "e684215d8a903752e2b0cc946517fb61e57a880a",
"status": "affected",
"version": "dc1f8bf68b311b1537cb65893430b6796118498a",
"versionType": "git"
},
{
"lessThan": "20022d551f2064a194d8e0acb6cd7a85094a17b2",
"status": "affected",
"version": "dc1f8bf68b311b1537cb65893430b6796118498a",
"versionType": "git"
},
{
"lessThan": "ebc3c77785dc8b5b626309c0032a38fbb139287a",
"status": "affected",
"version": "dc1f8bf68b311b1537cb65893430b6796118498a",
"versionType": "git"
},
{
"lessThan": "5ad774fb823c24bbeb21a15a67103ea7a6f5b928",
"status": "affected",
"version": "dc1f8bf68b311b1537cb65893430b6796118498a",
"versionType": "git"
},
{
"lessThan": "69669820844f81a77b6db24b86581320ae4d17af",
"status": "affected",
"version": "dc1f8bf68b311b1537cb65893430b6796118498a",
"versionType": "git"
},
{
"lessThan": "cda74cdc280ba35c8993e7517bac5c257ff36f18",
"status": "affected",
"version": "dc1f8bf68b311b1537cb65893430b6796118498a",
"versionType": "git"
},
{
"lessThan": "bb16db8393658e0978c3f0d30ae069e878264fa3",
"status": "affected",
"version": "dc1f8bf68b311b1537cb65893430b6796118498a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/s390/net/lcs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/lcs: Fix return type of lcs_start_xmit()\n\nWith clang\u0027s kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed. A\nproposed warning in clang aims to catch these at compile time, which\nreveals:\n\n drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing \u0027netdev_tx_t (*)(struct sk_buff *, struct net_device *)\u0027 (aka \u0027enum netdev_tx (*)(struct sk_buff *, struct net_device *)\u0027) with an expression of type \u0027int (struct sk_buff *, struct net_device *)\u0027 [-Werror,-Wincompatible-function-pointer-types-strict]\n .ndo_start_xmit = lcs_start_xmit,\n ^~~~~~~~~~~~~~\n drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing \u0027netdev_tx_t (*)(struct sk_buff *, struct net_device *)\u0027 (aka \u0027enum netdev_tx (*)(struct sk_buff *, struct net_device *)\u0027) with an expression of type \u0027int (struct sk_buff *, struct net_device *)\u0027 [-Werror,-Wincompatible-function-pointer-types-strict]\n .ndo_start_xmit = lcs_start_xmit,\n ^~~~~~~~~~~~~~\n\n-\u003endo_start_xmit() in \u0027struct net_device_ops\u0027 expects a return type of\n\u0027netdev_tx_t\u0027, not \u0027int\u0027. Adjust the return type of lcs_start_xmit() to\nmatch the prototype\u0027s to resolve the warning and potential CFI failure,\nshould s390 select ARCH_SUPPORTS_CFI_CLANG in the future."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:08.318Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7b4da3fcd513b8e67823eb80da37aad99b3339c1"
},
{
"url": "https://git.kernel.org/stable/c/d49cc2b705711fb8fb849e7c660929b2100360b7"
},
{
"url": "https://git.kernel.org/stable/c/e684215d8a903752e2b0cc946517fb61e57a880a"
},
{
"url": "https://git.kernel.org/stable/c/20022d551f2064a194d8e0acb6cd7a85094a17b2"
},
{
"url": "https://git.kernel.org/stable/c/ebc3c77785dc8b5b626309c0032a38fbb139287a"
},
{
"url": "https://git.kernel.org/stable/c/5ad774fb823c24bbeb21a15a67103ea7a6f5b928"
},
{
"url": "https://git.kernel.org/stable/c/69669820844f81a77b6db24b86581320ae4d17af"
},
{
"url": "https://git.kernel.org/stable/c/cda74cdc280ba35c8993e7517bac5c257ff36f18"
},
{
"url": "https://git.kernel.org/stable/c/bb16db8393658e0978c3f0d30ae069e878264fa3"
}
],
"title": "s390/lcs: Fix return type of lcs_start_xmit()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50728",
"datePublished": "2025-12-24T12:22:49.001Z",
"dateReserved": "2025-12-24T12:20:40.330Z",
"dateUpdated": "2026-01-02T15:04:08.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50626 (GCVE-0-2022-50626)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-23 13:30
VLAI?
EPSS
Title
media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
Syzbot reports a memory leak in "dvb_usb_adapter_init()".
The leak is due to not accounting for and freeing current iteration's
adapter->priv in case of an error. Currently if an error occurs,
it will exit before incrementing "num_adapters_initalized",
which is used as a reference counter to free all adap->priv
in "dvb_usb_adapter_exit()". There are multiple error paths that
can exit from before incrementing the counter. Including the
error handling paths for "dvb_usb_adapter_stream_init()",
"dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()"
within "dvb_usb_adapter_init()".
This means that in case of an error in any of these functions the
current iteration is not accounted for and the current iteration's
adap->priv is not freed.
Fix this by freeing the current iteration's adap->priv in the
"stream_init_err:" label in the error path. The rest of the
(accounted for) adap->priv objects are freed in dvb_usb_adapter_exit()
as expected using the num_adapters_initalized variable.
Syzbot report:
BUG: memory leak
unreferenced object 0xffff8881172f1a00 (size 512):
comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff844af012>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline]
[<ffffffff844af012>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
[<ffffffff844af012>] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
[<ffffffff830db21d>] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883
[<ffffffff82d3fdc7>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
[<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
[<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
[<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
[<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
[<ffffffff8274af6a>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782
[<ffffffff8274b786>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899
[<ffffffff82747c87>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
[<ffffffff8274b352>] __device_attach+0x122/0x260 drivers/base/dd.c:970
[<ffffffff827498f6>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
[<ffffffff82745cdb>] device_add+0x5fb/0xdf0 drivers/base/core.c:3405
[<ffffffff82d3d202>] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170
[<ffffffff82d4dbfc>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
[<ffffffff82d3f49c>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
[<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
[<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
[<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
[<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4d43e13f723e12734257277cc38497fab1efc605 , < 733bc9e226da2a7f43b10031b8ebfc26d89ec4bd
(git)
Affected: 4d43e13f723e12734257277cc38497fab1efc605 , < e5a49140035591d13ff57a7537c65217e5af0d15 (git) Affected: 4d43e13f723e12734257277cc38497fab1efc605 , < 21b6b0c9f3796e6917e90db403dae9e74025fc40 (git) Affected: 4d43e13f723e12734257277cc38497fab1efc605 , < 17217737c174883dd975885ab4bee4b00f517239 (git) Affected: 4d43e13f723e12734257277cc38497fab1efc605 , < 7d7ab25ead969594df05fb09ee46ca931d46c5c8 (git) Affected: 4d43e13f723e12734257277cc38497fab1efc605 , < d0af6220bb1eed8225a5511de5a3bd386b94afa4 (git) Affected: 4d43e13f723e12734257277cc38497fab1efc605 , < e5d01eb6dc2f699a395d3e731c58a9b3bb4e269f (git) Affected: 4d43e13f723e12734257277cc38497fab1efc605 , < 93bbf2ed428142aa9a9693721230b28571678bf8 (git) Affected: 4d43e13f723e12734257277cc38497fab1efc605 , < 94d90fb06b94a90c176270d38861bcba34ce377d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/dvb-usb-init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "733bc9e226da2a7f43b10031b8ebfc26d89ec4bd",
"status": "affected",
"version": "4d43e13f723e12734257277cc38497fab1efc605",
"versionType": "git"
},
{
"lessThan": "e5a49140035591d13ff57a7537c65217e5af0d15",
"status": "affected",
"version": "4d43e13f723e12734257277cc38497fab1efc605",
"versionType": "git"
},
{
"lessThan": "21b6b0c9f3796e6917e90db403dae9e74025fc40",
"status": "affected",
"version": "4d43e13f723e12734257277cc38497fab1efc605",
"versionType": "git"
},
{
"lessThan": "17217737c174883dd975885ab4bee4b00f517239",
"status": "affected",
"version": "4d43e13f723e12734257277cc38497fab1efc605",
"versionType": "git"
},
{
"lessThan": "7d7ab25ead969594df05fb09ee46ca931d46c5c8",
"status": "affected",
"version": "4d43e13f723e12734257277cc38497fab1efc605",
"versionType": "git"
},
{
"lessThan": "d0af6220bb1eed8225a5511de5a3bd386b94afa4",
"status": "affected",
"version": "4d43e13f723e12734257277cc38497fab1efc605",
"versionType": "git"
},
{
"lessThan": "e5d01eb6dc2f699a395d3e731c58a9b3bb4e269f",
"status": "affected",
"version": "4d43e13f723e12734257277cc38497fab1efc605",
"versionType": "git"
},
{
"lessThan": "93bbf2ed428142aa9a9693721230b28571678bf8",
"status": "affected",
"version": "4d43e13f723e12734257277cc38497fab1efc605",
"versionType": "git"
},
{
"lessThan": "94d90fb06b94a90c176270d38861bcba34ce377d",
"status": "affected",
"version": "4d43e13f723e12734257277cc38497fab1efc605",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/dvb-usb-init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb: fix memory leak in dvb_usb_adapter_init()\n\nSyzbot reports a memory leak in \"dvb_usb_adapter_init()\".\nThe leak is due to not accounting for and freeing current iteration\u0027s\nadapter-\u003epriv in case of an error. Currently if an error occurs,\nit will exit before incrementing \"num_adapters_initalized\",\nwhich is used as a reference counter to free all adap-\u003epriv\nin \"dvb_usb_adapter_exit()\". There are multiple error paths that\ncan exit from before incrementing the counter. Including the\nerror handling paths for \"dvb_usb_adapter_stream_init()\",\n\"dvb_usb_adapter_dvb_init()\" and \"dvb_usb_adapter_frontend_init()\"\nwithin \"dvb_usb_adapter_init()\".\n\nThis means that in case of an error in any of these functions the\ncurrent iteration is not accounted for and the current iteration\u0027s\nadap-\u003epriv is not freed.\n\nFix this by freeing the current iteration\u0027s adap-\u003epriv in the\n\"stream_init_err:\" label in the error path. The rest of the\n(accounted for) adap-\u003epriv objects are freed in dvb_usb_adapter_exit()\nas expected using the num_adapters_initalized variable.\n\nSyzbot report:\n\nBUG: memory leak\nunreferenced object 0xffff8881172f1a00 (size 512):\n comm \"kworker/0:2\", pid 139, jiffies 4294994873 (age 10.960s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n [\u003cffffffff844af012\u003e] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline]\n [\u003cffffffff844af012\u003e] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]\n [\u003cffffffff844af012\u003e] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308\n [\u003cffffffff830db21d\u003e] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883\n [\u003cffffffff82d3fdc7\u003e] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n [\u003cffffffff8274ab37\u003e] call_driver_probe drivers/base/dd.c:542 [inline]\n [\u003cffffffff8274ab37\u003e] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621\n [\u003cffffffff8274ae6c\u003e] really_probe drivers/base/dd.c:583 [inline]\n [\u003cffffffff8274ae6c\u003e] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752\n [\u003cffffffff8274af6a\u003e] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782\n [\u003cffffffff8274b786\u003e] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899\n [\u003cffffffff82747c87\u003e] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427\n [\u003cffffffff8274b352\u003e] __device_attach+0x122/0x260 drivers/base/dd.c:970\n [\u003cffffffff827498f6\u003e] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487\n [\u003cffffffff82745cdb\u003e] device_add+0x5fb/0xdf0 drivers/base/core.c:3405\n [\u003cffffffff82d3d202\u003e] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170\n [\u003cffffffff82d4dbfc\u003e] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238\n [\u003cffffffff82d3f49c\u003e] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293\n [\u003cffffffff8274ab37\u003e] call_driver_probe drivers/base/dd.c:542 [inline]\n [\u003cffffffff8274ab37\u003e] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621\n [\u003cffffffff8274ae6c\u003e] really_probe drivers/base/dd.c:583 [inline]\n [\u003cffffffff8274ae6c\u003e] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:21.884Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/733bc9e226da2a7f43b10031b8ebfc26d89ec4bd"
},
{
"url": "https://git.kernel.org/stable/c/e5a49140035591d13ff57a7537c65217e5af0d15"
},
{
"url": "https://git.kernel.org/stable/c/21b6b0c9f3796e6917e90db403dae9e74025fc40"
},
{
"url": "https://git.kernel.org/stable/c/17217737c174883dd975885ab4bee4b00f517239"
},
{
"url": "https://git.kernel.org/stable/c/7d7ab25ead969594df05fb09ee46ca931d46c5c8"
},
{
"url": "https://git.kernel.org/stable/c/d0af6220bb1eed8225a5511de5a3bd386b94afa4"
},
{
"url": "https://git.kernel.org/stable/c/e5d01eb6dc2f699a395d3e731c58a9b3bb4e269f"
},
{
"url": "https://git.kernel.org/stable/c/93bbf2ed428142aa9a9693721230b28571678bf8"
},
{
"url": "https://git.kernel.org/stable/c/94d90fb06b94a90c176270d38861bcba34ce377d"
}
],
"title": "media: dvb-usb: fix memory leak in dvb_usb_adapter_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50626",
"datePublished": "2025-12-08T01:16:40.754Z",
"dateReserved": "2025-12-08T01:14:55.191Z",
"dateUpdated": "2025-12-23T13:30:21.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53803 (GCVE-0-2023-53803)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
A fix for:
BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses]
Read of size 1 at addr ffff88a1b043a451 by task systemd-udevd/3271
Checking after (and before in next loop) addl_desc_ptr[1] is sufficient, we
expect the size to be sanitized before first access to addl_desc_ptr[1].
Make sure we don't walk beyond end of page.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
21fab1d0595eacf781705ec3509012a28f298245 , < da1a955c48a16e16e925d6544793914e52a6fa51
(git)
Affected: 21fab1d0595eacf781705ec3509012a28f298245 , < 9e5c7d52085b8c84bc82a261580f0eb170039325 (git) Affected: 21fab1d0595eacf781705ec3509012a28f298245 , < 467afb1dd630d8c6d172bd6cacc125199b5f4f2d (git) Affected: 21fab1d0595eacf781705ec3509012a28f298245 , < e4dd25da784b2e07dbfbf04509afa4c5a1375227 (git) Affected: 21fab1d0595eacf781705ec3509012a28f298245 , < 2b28a7d261cb309912596d6a2d383ca370483527 (git) Affected: 21fab1d0595eacf781705ec3509012a28f298245 , < 0dfe68394cbe1d4fe579fb325ecc813c50528c5a (git) Affected: 21fab1d0595eacf781705ec3509012a28f298245 , < 799e8dd2022d2e13f0c5c1906b40ceca07a23349 (git) Affected: 21fab1d0595eacf781705ec3509012a28f298245 , < 9b4f5028e493cb353a5c8f5c45073eeea0303abd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da1a955c48a16e16e925d6544793914e52a6fa51",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "9e5c7d52085b8c84bc82a261580f0eb170039325",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "467afb1dd630d8c6d172bd6cacc125199b5f4f2d",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "e4dd25da784b2e07dbfbf04509afa4c5a1375227",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "2b28a7d261cb309912596d6a2d383ca370483527",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "0dfe68394cbe1d4fe579fb325ecc813c50528c5a",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "799e8dd2022d2e13f0c5c1906b40ceca07a23349",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
},
{
"lessThan": "9b4f5028e493cb353a5c8f5c45073eeea0303abd",
"status": "affected",
"version": "21fab1d0595eacf781705ec3509012a28f298245",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ses.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()\n\nA fix for:\n\nBUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses]\nRead of size 1 at addr ffff88a1b043a451 by task systemd-udevd/3271\n\nChecking after (and before in next loop) addl_desc_ptr[1] is sufficient, we\nexpect the size to be sanitized before first access to addl_desc_ptr[1].\nMake sure we don\u0027t walk beyond end of page."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:56.226Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da1a955c48a16e16e925d6544793914e52a6fa51"
},
{
"url": "https://git.kernel.org/stable/c/9e5c7d52085b8c84bc82a261580f0eb170039325"
},
{
"url": "https://git.kernel.org/stable/c/467afb1dd630d8c6d172bd6cacc125199b5f4f2d"
},
{
"url": "https://git.kernel.org/stable/c/e4dd25da784b2e07dbfbf04509afa4c5a1375227"
},
{
"url": "https://git.kernel.org/stable/c/2b28a7d261cb309912596d6a2d383ca370483527"
},
{
"url": "https://git.kernel.org/stable/c/0dfe68394cbe1d4fe579fb325ecc813c50528c5a"
},
{
"url": "https://git.kernel.org/stable/c/799e8dd2022d2e13f0c5c1906b40ceca07a23349"
},
{
"url": "https://git.kernel.org/stable/c/9b4f5028e493cb353a5c8f5c45073eeea0303abd"
}
],
"title": "scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53803",
"datePublished": "2025-12-09T00:00:59.913Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2026-01-05T10:32:56.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54137 (GCVE-0-2023-54137)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
vfio/type1: fix cap_migration information leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
vfio/type1: fix cap_migration information leak
Fix an information leak where an uninitialized hole in struct
vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace.
The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as
shown in this pahole(1) output:
struct vfio_iommu_type1_info_cap_migration {
struct vfio_info_cap_header header; /* 0 8 */
__u32 flags; /* 8 4 */
/* XXX 4 bytes hole, try to pack */
__u64 pgsize_bitmap; /* 16 8 */
__u64 max_dirty_bitmap_size; /* 24 8 */
/* size: 32, cachelines: 1, members: 4 */
/* sum members: 28, holes: 1, sum holes: 4 */
/* last cacheline: 32 bytes */
};
The cap_mig variable is filled in without initializing the hole:
static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu,
struct vfio_info_cap *caps)
{
struct vfio_iommu_type1_info_cap_migration cap_mig;
cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION;
cap_mig.header.version = 1;
cap_mig.flags = 0;
/* support minimum pgsize */
cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap);
cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX;
return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig));
}
The structure is then copied to a temporary location on the heap. At this point
it's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace
later:
int vfio_info_add_capability(struct vfio_info_cap *caps,
struct vfio_info_cap_header *cap, size_t size)
{
struct vfio_info_cap_header *header;
header = vfio_info_cap_add(caps, size, cap->id, cap->version);
if (IS_ERR(header))
return PTR_ERR(header);
memcpy(header + 1, cap + 1, size - sizeof(*header));
return 0;
}
This issue was found by code inspection.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ad721705d09c62f0d108a6b4f59867ebfd592c90 , < ad83d83dd891244de0d07678b257dc976db7c132
(git)
Affected: ad721705d09c62f0d108a6b4f59867ebfd592c90 , < 13fd667db999bffb557c5de7adb3c14f1713dd51 (git) Affected: ad721705d09c62f0d108a6b4f59867ebfd592c90 , < f6f300ecc196d243c02adeb9ee0c62c677c24bfb (git) Affected: ad721705d09c62f0d108a6b4f59867ebfd592c90 , < cbac29a1caa49a34e131394e1f4d924a76d8b0c9 (git) Affected: ad721705d09c62f0d108a6b4f59867ebfd592c90 , < 1b5feb8497cdb5b9962db2700814bffbc030fb4a (git) Affected: ad721705d09c62f0d108a6b4f59867ebfd592c90 , < cd24e2a60af633f157d7e59c0a6dba64f131c0b1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vfio/vfio_iommu_type1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad83d83dd891244de0d07678b257dc976db7c132",
"status": "affected",
"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90",
"versionType": "git"
},
{
"lessThan": "13fd667db999bffb557c5de7adb3c14f1713dd51",
"status": "affected",
"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90",
"versionType": "git"
},
{
"lessThan": "f6f300ecc196d243c02adeb9ee0c62c677c24bfb",
"status": "affected",
"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90",
"versionType": "git"
},
{
"lessThan": "cbac29a1caa49a34e131394e1f4d924a76d8b0c9",
"status": "affected",
"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90",
"versionType": "git"
},
{
"lessThan": "1b5feb8497cdb5b9962db2700814bffbc030fb4a",
"status": "affected",
"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90",
"versionType": "git"
},
{
"lessThan": "cd24e2a60af633f157d7e59c0a6dba64f131c0b1",
"status": "affected",
"version": "ad721705d09c62f0d108a6b4f59867ebfd592c90",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vfio/vfio_iommu_type1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: fix cap_migration information leak\n\nFix an information leak where an uninitialized hole in struct\nvfio_iommu_type1_info_cap_migration on the stack is exposed to userspace.\n\nThe definition of struct vfio_iommu_type1_info_cap_migration contains a hole as\nshown in this pahole(1) output:\n\n struct vfio_iommu_type1_info_cap_migration {\n struct vfio_info_cap_header header; /* 0 8 */\n __u32 flags; /* 8 4 */\n\n /* XXX 4 bytes hole, try to pack */\n\n __u64 pgsize_bitmap; /* 16 8 */\n __u64 max_dirty_bitmap_size; /* 24 8 */\n\n /* size: 32, cachelines: 1, members: 4 */\n /* sum members: 28, holes: 1, sum holes: 4 */\n /* last cacheline: 32 bytes */\n };\n\nThe cap_mig variable is filled in without initializing the hole:\n\n static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu,\n struct vfio_info_cap *caps)\n {\n struct vfio_iommu_type1_info_cap_migration cap_mig;\n\n cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION;\n cap_mig.header.version = 1;\n\n cap_mig.flags = 0;\n /* support minimum pgsize */\n cap_mig.pgsize_bitmap = (size_t)1 \u003c\u003c __ffs(iommu-\u003epgsize_bitmap);\n cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX;\n\n return vfio_info_add_capability(caps, \u0026cap_mig.header, sizeof(cap_mig));\n }\n\nThe structure is then copied to a temporary location on the heap. At this point\nit\u0027s already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace\nlater:\n\n int vfio_info_add_capability(struct vfio_info_cap *caps,\n struct vfio_info_cap_header *cap, size_t size)\n {\n struct vfio_info_cap_header *header;\n\n header = vfio_info_cap_add(caps, size, cap-\u003eid, cap-\u003eversion);\n if (IS_ERR(header))\n return PTR_ERR(header);\n\n memcpy(header + 1, cap + 1, size - sizeof(*header));\n\n return 0;\n }\n\nThis issue was found by code inspection."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:52.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad83d83dd891244de0d07678b257dc976db7c132"
},
{
"url": "https://git.kernel.org/stable/c/13fd667db999bffb557c5de7adb3c14f1713dd51"
},
{
"url": "https://git.kernel.org/stable/c/f6f300ecc196d243c02adeb9ee0c62c677c24bfb"
},
{
"url": "https://git.kernel.org/stable/c/cbac29a1caa49a34e131394e1f4d924a76d8b0c9"
},
{
"url": "https://git.kernel.org/stable/c/1b5feb8497cdb5b9962db2700814bffbc030fb4a"
},
{
"url": "https://git.kernel.org/stable/c/cd24e2a60af633f157d7e59c0a6dba64f131c0b1"
}
],
"title": "vfio/type1: fix cap_migration information leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54137",
"datePublished": "2025-12-24T13:06:52.689Z",
"dateReserved": "2025-12-24T13:02:52.522Z",
"dateUpdated": "2025-12-24T13:06:52.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50847 (GCVE-0-2022-50847)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
drm/bridge: it6505: Initialize AUX channel in it6505_i2c_probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/bridge: it6505: Initialize AUX channel in it6505_i2c_probe
During device boot, the HPD interrupt could be triggered before the DRM
subsystem registers it6505 as a DRM bridge. In such cases, the driver
tries to access AUX channel and causes NULL pointer dereference.
Initializing the AUX channel earlier to prevent such error.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b5c84a9edcd418cd055becad6a22439e7c5e3bf8 , < 8ed8505803774fc3f36a432718036c21cc51e2ba
(git)
Affected: b5c84a9edcd418cd055becad6a22439e7c5e3bf8 , < 172d4d64075075f955e6e416915e3f287eec514a (git) Affected: b5c84a9edcd418cd055becad6a22439e7c5e3bf8 , < e577d4b13064c337b83fe7edecb3f34e87144821 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/ite-it6505.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ed8505803774fc3f36a432718036c21cc51e2ba",
"status": "affected",
"version": "b5c84a9edcd418cd055becad6a22439e7c5e3bf8",
"versionType": "git"
},
{
"lessThan": "172d4d64075075f955e6e416915e3f287eec514a",
"status": "affected",
"version": "b5c84a9edcd418cd055becad6a22439e7c5e3bf8",
"versionType": "git"
},
{
"lessThan": "e577d4b13064c337b83fe7edecb3f34e87144821",
"status": "affected",
"version": "b5c84a9edcd418cd055becad6a22439e7c5e3bf8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/ite-it6505.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: it6505: Initialize AUX channel in it6505_i2c_probe\n\nDuring device boot, the HPD interrupt could be triggered before the DRM\nsubsystem registers it6505 as a DRM bridge. In such cases, the driver\ntries to access AUX channel and causes NULL pointer dereference.\nInitializing the AUX channel earlier to prevent such error."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:03.949Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ed8505803774fc3f36a432718036c21cc51e2ba"
},
{
"url": "https://git.kernel.org/stable/c/172d4d64075075f955e6e416915e3f287eec514a"
},
{
"url": "https://git.kernel.org/stable/c/e577d4b13064c337b83fe7edecb3f34e87144821"
}
],
"title": "drm/bridge: it6505: Initialize AUX channel in it6505_i2c_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50847",
"datePublished": "2025-12-30T12:11:03.949Z",
"dateReserved": "2025-12-30T12:06:07.134Z",
"dateUpdated": "2025-12-30T12:11:03.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40033 (GCVE-0-2025-40033)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()
Summary
In the Linux kernel, the following vulnerability has been resolved:
remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()
pru_rproc_set_ctable() accessed rproc->priv before the IS_ERR_OR_NULL
check, which could lead to a null pointer dereference. Move the pru
assignment, ensuring we never dereference a NULL rproc pointer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
102853400321baea2527917e6e89be33508c3e18 , < 66821fdb723d55b25482a76b92d17d416efeae6b
(git)
Affected: 102853400321baea2527917e6e89be33508c3e18 , < c9b6d789591f2bd57b0cbd59592493e11e029ed4 (git) Affected: 102853400321baea2527917e6e89be33508c3e18 , < f0164d89950120281f2446be9687cffa1e43dbcc (git) Affected: 102853400321baea2527917e6e89be33508c3e18 , < d41e075b077142bb9ae5df40b9ddf9fd7821a811 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/pru_rproc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66821fdb723d55b25482a76b92d17d416efeae6b",
"status": "affected",
"version": "102853400321baea2527917e6e89be33508c3e18",
"versionType": "git"
},
{
"lessThan": "c9b6d789591f2bd57b0cbd59592493e11e029ed4",
"status": "affected",
"version": "102853400321baea2527917e6e89be33508c3e18",
"versionType": "git"
},
{
"lessThan": "f0164d89950120281f2446be9687cffa1e43dbcc",
"status": "affected",
"version": "102853400321baea2527917e6e89be33508c3e18",
"versionType": "git"
},
{
"lessThan": "d41e075b077142bb9ae5df40b9ddf9fd7821a811",
"status": "affected",
"version": "102853400321baea2527917e6e89be33508c3e18",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/pru_rproc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()\n\npru_rproc_set_ctable() accessed rproc-\u003epriv before the IS_ERR_OR_NULL\ncheck, which could lead to a null pointer dereference. Move the pru\nassignment, ensuring we never dereference a NULL rproc pointer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:36.566Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66821fdb723d55b25482a76b92d17d416efeae6b"
},
{
"url": "https://git.kernel.org/stable/c/c9b6d789591f2bd57b0cbd59592493e11e029ed4"
},
{
"url": "https://git.kernel.org/stable/c/f0164d89950120281f2446be9687cffa1e43dbcc"
},
{
"url": "https://git.kernel.org/stable/c/d41e075b077142bb9ae5df40b9ddf9fd7821a811"
}
],
"title": "remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40033",
"datePublished": "2025-10-28T11:48:15.624Z",
"dateReserved": "2025-04-16T07:20:57.153Z",
"dateUpdated": "2025-12-01T06:16:36.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68208 (GCVE-0-2025-68208)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48
VLAI?
EPSS
Title
bpf: account for current allocated stack depth in widen_imprecise_scalars()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: account for current allocated stack depth in widen_imprecise_scalars()
The usage pattern for widen_imprecise_scalars() looks as follows:
prev_st = find_prev_entry(env, ...);
queued_st = push_stack(...);
widen_imprecise_scalars(env, prev_st, queued_st);
Where prev_st is an ancestor of the queued_st in the explored states
tree. This ancestor is not guaranteed to have same allocated stack
depth as queued_st. E.g. in the following case:
def main():
for i in 1..2:
foo(i) // same callsite, differnt param
def foo(i):
if i == 1:
use 128 bytes of stack
iterator based loop
Here, for a second 'foo' call prev_st->allocated_stack is 128,
while queued_st->allocated_stack is much smaller.
widen_imprecise_scalars() needs to take this into account and avoid
accessing bpf_verifier_state->frame[*]->stack out of bounds.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ab470fefce2837e66b771c60858118d50bb5bb10 , < 64b12dca2b0abcb5fc0542887d18b926ea5cf711
(git)
Affected: 2793a8b015f7f1caadb9bce9c63dc659f7522676 , < 9944c7938cd5b3f37b0afec0481c7c015e4f1c58 (git) Affected: 2793a8b015f7f1caadb9bce9c63dc659f7522676 , < 57e04e2ff56e32f923154f0f7bc476fcb596ffe7 (git) Affected: 2793a8b015f7f1caadb9bce9c63dc659f7522676 , < b0c8e6d3d866b6a7f73877f71968dbffd27b7785 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64b12dca2b0abcb5fc0542887d18b926ea5cf711",
"status": "affected",
"version": "ab470fefce2837e66b771c60858118d50bb5bb10",
"versionType": "git"
},
{
"lessThan": "9944c7938cd5b3f37b0afec0481c7c015e4f1c58",
"status": "affected",
"version": "2793a8b015f7f1caadb9bce9c63dc659f7522676",
"versionType": "git"
},
{
"lessThan": "57e04e2ff56e32f923154f0f7bc476fcb596ffe7",
"status": "affected",
"version": "2793a8b015f7f1caadb9bce9c63dc659f7522676",
"versionType": "git"
},
{
"lessThan": "b0c8e6d3d866b6a7f73877f71968dbffd27b7785",
"status": "affected",
"version": "2793a8b015f7f1caadb9bce9c63dc659f7522676",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: account for current allocated stack depth in widen_imprecise_scalars()\n\nThe usage pattern for widen_imprecise_scalars() looks as follows:\n\n prev_st = find_prev_entry(env, ...);\n queued_st = push_stack(...);\n widen_imprecise_scalars(env, prev_st, queued_st);\n\nWhere prev_st is an ancestor of the queued_st in the explored states\ntree. This ancestor is not guaranteed to have same allocated stack\ndepth as queued_st. E.g. in the following case:\n\n def main():\n for i in 1..2:\n foo(i) // same callsite, differnt param\n\n def foo(i):\n if i == 1:\n use 128 bytes of stack\n iterator based loop\n\nHere, for a second \u0027foo\u0027 call prev_st-\u003eallocated_stack is 128,\nwhile queued_st-\u003eallocated_stack is much smaller.\nwiden_imprecise_scalars() needs to take this into account and avoid\naccessing bpf_verifier_state-\u003eframe[*]-\u003estack out of bounds."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:48:35.298Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64b12dca2b0abcb5fc0542887d18b926ea5cf711"
},
{
"url": "https://git.kernel.org/stable/c/9944c7938cd5b3f37b0afec0481c7c015e4f1c58"
},
{
"url": "https://git.kernel.org/stable/c/57e04e2ff56e32f923154f0f7bc476fcb596ffe7"
},
{
"url": "https://git.kernel.org/stable/c/b0c8e6d3d866b6a7f73877f71968dbffd27b7785"
}
],
"title": "bpf: account for current allocated stack depth in widen_imprecise_scalars()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68208",
"datePublished": "2025-12-16T13:48:35.298Z",
"dateReserved": "2025-12-16T13:41:40.255Z",
"dateUpdated": "2025-12-16T13:48:35.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54074 (GCVE-0-2023-54074)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
net/mlx5e: Use correct encap attribute during invalidation
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Use correct encap attribute during invalidation
With introduction of post action infrastructure most of the users of encap
attribute had been modified in order to obtain the correct attribute by
calling mlx5e_tc_get_encap_attr() helper instead of assuming encap action
is always on default attribute. However, the cited commit didn't modify
mlx5e_invalidate_encap() which prevents it from destroying correct modify
header action which leads to a warning [0]. Fix the issue by using correct
attribute.
[0]:
Feb 21 09:47:35 c-237-177-40-045 kernel: WARNING: CPU: 17 PID: 654 at drivers/net/ethernet/mellanox/mlx5/core/en_tc.c:684 mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core]
Feb 21 09:47:35 c-237-177-40-045 kernel: RIP: 0010:mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core]
Feb 21 09:47:35 c-237-177-40-045 kernel: Call Trace:
Feb 21 09:47:35 c-237-177-40-045 kernel: <TASK>
Feb 21 09:47:35 c-237-177-40-045 kernel: mlx5e_tc_fib_event_work+0x8e3/0x1f60 [mlx5_core]
Feb 21 09:47:35 c-237-177-40-045 kernel: ? mlx5e_take_all_encap_flows+0xe0/0xe0 [mlx5_core]
Feb 21 09:47:35 c-237-177-40-045 kernel: ? lock_downgrade+0x6d0/0x6d0
Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x273/0x3f0
Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x273/0x3f0
Feb 21 09:47:35 c-237-177-40-045 kernel: process_one_work+0x7c2/0x1310
Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x3f0/0x3f0
Feb 21 09:47:35 c-237-177-40-045 kernel: ? pwq_dec_nr_in_flight+0x230/0x230
Feb 21 09:47:35 c-237-177-40-045 kernel: ? rwlock_bug.part.0+0x90/0x90
Feb 21 09:47:35 c-237-177-40-045 kernel: worker_thread+0x59d/0xec0
Feb 21 09:47:35 c-237-177-40-045 kernel: ? __kthread_parkme+0xd9/0x1d0
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8300f225268be9ee2c0daf5a3f23929fcdcbf213 , < 00959a1bad58e4b6c14a2729f84d354255073609
(git)
Affected: 8300f225268be9ee2c0daf5a3f23929fcdcbf213 , < b8b4292fdd8818ab43b943b6717811651f51e39f (git) Affected: 8300f225268be9ee2c0daf5a3f23929fcdcbf213 , < be071cdb167fc3e25fe81922166b3d499d23e8ac (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "00959a1bad58e4b6c14a2729f84d354255073609",
"status": "affected",
"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
"versionType": "git"
},
{
"lessThan": "b8b4292fdd8818ab43b943b6717811651f51e39f",
"status": "affected",
"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
"versionType": "git"
},
{
"lessThan": "be071cdb167fc3e25fe81922166b3d499d23e8ac",
"status": "affected",
"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Use correct encap attribute during invalidation\n\nWith introduction of post action infrastructure most of the users of encap\nattribute had been modified in order to obtain the correct attribute by\ncalling mlx5e_tc_get_encap_attr() helper instead of assuming encap action\nis always on default attribute. However, the cited commit didn\u0027t modify\nmlx5e_invalidate_encap() which prevents it from destroying correct modify\nheader action which leads to a warning [0]. Fix the issue by using correct\nattribute.\n\n[0]:\n\nFeb 21 09:47:35 c-237-177-40-045 kernel: WARNING: CPU: 17 PID: 654 at drivers/net/ethernet/mellanox/mlx5/core/en_tc.c:684 mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core]\nFeb 21 09:47:35 c-237-177-40-045 kernel: RIP: 0010:mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core]\nFeb 21 09:47:35 c-237-177-40-045 kernel: Call Trace:\nFeb 21 09:47:35 c-237-177-40-045 kernel: \u003cTASK\u003e\nFeb 21 09:47:35 c-237-177-40-045 kernel: mlx5e_tc_fib_event_work+0x8e3/0x1f60 [mlx5_core]\nFeb 21 09:47:35 c-237-177-40-045 kernel: ? mlx5e_take_all_encap_flows+0xe0/0xe0 [mlx5_core]\nFeb 21 09:47:35 c-237-177-40-045 kernel: ? lock_downgrade+0x6d0/0x6d0\nFeb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x273/0x3f0\nFeb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x273/0x3f0\nFeb 21 09:47:35 c-237-177-40-045 kernel: process_one_work+0x7c2/0x1310\nFeb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x3f0/0x3f0\nFeb 21 09:47:35 c-237-177-40-045 kernel: ? pwq_dec_nr_in_flight+0x230/0x230\nFeb 21 09:47:35 c-237-177-40-045 kernel: ? rwlock_bug.part.0+0x90/0x90\nFeb 21 09:47:35 c-237-177-40-045 kernel: worker_thread+0x59d/0xec0\nFeb 21 09:47:35 c-237-177-40-045 kernel: ? __kthread_parkme+0xd9/0x1d0"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:16.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/00959a1bad58e4b6c14a2729f84d354255073609"
},
{
"url": "https://git.kernel.org/stable/c/b8b4292fdd8818ab43b943b6717811651f51e39f"
},
{
"url": "https://git.kernel.org/stable/c/be071cdb167fc3e25fe81922166b3d499d23e8ac"
}
],
"title": "net/mlx5e: Use correct encap attribute during invalidation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54074",
"datePublished": "2025-12-24T12:23:16.920Z",
"dateReserved": "2025-12-24T12:21:05.093Z",
"dateUpdated": "2025-12-24T12:23:16.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-48853 (GCVE-0-2022-48853)
Vulnerability from cvelistv5 – Published: 2024-07-16 12:25 – Updated: 2025-12-21 11:36
VLAI?
EPSS
Title
Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""
Summary
In the Linux kernel, the following vulnerability has been resolved:
swiotlb: fix info leak with DMA_FROM_DEVICE
The problem I'm addressing was discovered by the LTP test covering
cve-2018-1000204.
A short description of what happens follows:
1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO
interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV
and a corresponding dxferp. The peculiar thing about this is that TUR
is not reading from the device.
2) In sg_start_req() the invocation of blk_rq_map_user() effectively
bounces the user-space buffer. As if the device was to transfer into
it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in
sg_build_indirect()") we make sure this first bounce buffer is
allocated with GFP_ZERO.
3) For the rest of the story we keep ignoring that we have a TUR, so the
device won't touch the buffer we prepare as if the we had a
DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device
and the buffer allocated by SG is mapped by the function
virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here
scatter-gather and not scsi generics). This mapping involves bouncing
via the swiotlb (we need swiotlb to do virtio in protected guest like
s390 Secure Execution, or AMD SEV).
4) When the SCSI TUR is done, we first copy back the content of the second
(that is swiotlb) bounce buffer (which most likely contains some
previous IO data), to the first bounce buffer, which contains all
zeros. Then we copy back the content of the first bounce buffer to
the user-space buffer.
5) The test case detects that the buffer, which it zero-initialized,
ain't all zeros and fails.
One can argue that this is an swiotlb problem, because without swiotlb
we leak all zeros, and the swiotlb should be transparent in a sense that
it does not affect the outcome (if all other participants are well
behaved).
Copying the content of the original buffer into the swiotlb buffer is
the only way I can think of to make swiotlb transparent in such
scenarios. So let's do just that if in doubt, but allow the driver
to tell us that the whole mapped buffer is going to be overwritten,
in which case we can preserve the old behavior and avoid the performance
impact of the extra bounce.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fd97de9c7b973f46a6103f4170c5efc7b8ef8797
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aaf166f37eb6bb55d81c3e40a2a460c8875c8813 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 06cb238b0f7ac1669cb06390704c61794724c191 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b2f140a9f980806f572d672e1780acea66b9a25c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f3f2247ac31cb71d1f05f56536df5946c6652f4a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7007c894631cf43041dcfa0da7142bbaa7eb673c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dcead36b19d999d687cd9c99b7f37520d9102b57 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f2141881b530738777c28bb51c62175895c8178b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T15:25:01.804Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/c132f2ba716b5ee6b35f82226a6e5417d013d753"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/971e5dadffd02beba1063e7dd9c3a82de17cf534"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/8d9ac1b6665c73f23e963775f85d99679fd8e192"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6bfc5377a210dbda2a237f16d94d1bd4f1335026"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/d4d975e7921079f877f828099bb8260af335508f"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/7403f4118ab94be837ab9d770507537a8057bc63"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/270475d6d2410ec66e971bf181afe1958dad565e"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-48853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:25:58.844703Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:34:08.301Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"Documentation/core-api/dma-attributes.rst",
"include/linux/dma-mapping.h",
"kernel/dma/swiotlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd97de9c7b973f46a6103f4170c5efc7b8ef8797",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aaf166f37eb6bb55d81c3e40a2a460c8875c8813",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "06cb238b0f7ac1669cb06390704c61794724c191",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b2f140a9f980806f572d672e1780acea66b9a25c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f3f2247ac31cb71d1f05f56536df5946c6652f4a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7007c894631cf43041dcfa0da7142bbaa7eb673c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dcead36b19d999d687cd9c99b7f37520d9102b57",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f2141881b530738777c28bb51c62175895c8178b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"Documentation/core-api/dma-attributes.rst",
"include/linux/dma-mapping.h",
"kernel/dma/swiotlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.320",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.281",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"version": "5.16.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.320",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.281",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.245",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.196",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.118",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.33",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.16.19",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nswiotlb: fix info leak with DMA_FROM_DEVICE\n\nThe problem I\u0027m addressing was discovered by the LTP test covering\ncve-2018-1000204.\n\nA short description of what happens follows:\n1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO\n interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV\n and a corresponding dxferp. The peculiar thing about this is that TUR\n is not reading from the device.\n2) In sg_start_req() the invocation of blk_rq_map_user() effectively\n bounces the user-space buffer. As if the device was to transfer into\n it. Since commit a45b599ad808 (\"scsi: sg: allocate with __GFP_ZERO in\n sg_build_indirect()\") we make sure this first bounce buffer is\n allocated with GFP_ZERO.\n3) For the rest of the story we keep ignoring that we have a TUR, so the\n device won\u0027t touch the buffer we prepare as if the we had a\n DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device\n and the buffer allocated by SG is mapped by the function\n virtqueue_add_split() which uses DMA_FROM_DEVICE for the \"in\" sgs (here\n scatter-gather and not scsi generics). This mapping involves bouncing\n via the swiotlb (we need swiotlb to do virtio in protected guest like\n s390 Secure Execution, or AMD SEV).\n4) When the SCSI TUR is done, we first copy back the content of the second\n (that is swiotlb) bounce buffer (which most likely contains some\n previous IO data), to the first bounce buffer, which contains all\n zeros. Then we copy back the content of the first bounce buffer to\n the user-space buffer.\n5) The test case detects that the buffer, which it zero-initialized,\n ain\u0027t all zeros and fails.\n\nOne can argue that this is an swiotlb problem, because without swiotlb\nwe leak all zeros, and the swiotlb should be transparent in a sense that\nit does not affect the outcome (if all other participants are well\nbehaved).\n\nCopying the content of the original buffer into the swiotlb buffer is\nthe only way I can think of to make swiotlb transparent in such\nscenarios. So let\u0027s do just that if in doubt, but allow the driver\nto tell us that the whole mapped buffer is going to be overwritten,\nin which case we can preserve the old behavior and avoid the performance\nimpact of the extra bounce."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-21T11:36:18.947Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd97de9c7b973f46a6103f4170c5efc7b8ef8797"
},
{
"url": "https://git.kernel.org/stable/c/aaf166f37eb6bb55d81c3e40a2a460c8875c8813"
},
{
"url": "https://git.kernel.org/stable/c/06cb238b0f7ac1669cb06390704c61794724c191"
},
{
"url": "https://git.kernel.org/stable/c/b2f140a9f980806f572d672e1780acea66b9a25c"
},
{
"url": "https://git.kernel.org/stable/c/f3f2247ac31cb71d1f05f56536df5946c6652f4a"
},
{
"url": "https://git.kernel.org/stable/c/7007c894631cf43041dcfa0da7142bbaa7eb673c"
},
{
"url": "https://git.kernel.org/stable/c/dcead36b19d999d687cd9c99b7f37520d9102b57"
},
{
"url": "https://git.kernel.org/stable/c/f2141881b530738777c28bb51c62175895c8178b"
},
{
"url": "https://git.kernel.org/stable/c/901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544"
}
],
"title": "Reinstate some of \"swiotlb: rework \"fix info leak with DMA_FROM_DEVICE\"\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-48853",
"datePublished": "2024-07-16T12:25:19.814Z",
"dateReserved": "2024-07-16T11:38:08.913Z",
"dateUpdated": "2025-12-21T11:36:18.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50814 (GCVE-0-2022-50814)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr
KASAN reported this Bug:
[17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60
[17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958
...
[17619.698934] The buggy address belongs to the variable:
[17619.708371] sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip]
There is a mismatch in hisi_zip when get/set the variable sgl_sge_nr.
The type of sgl_sge_nr is u16, and get/set sgl_sge_nr by
param_get/set_int.
Replacing param_get/set_int to param_get/set_ushort can fix this bug.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f081fda293ffba54216a7dab66faba7275475006 , < d88b88514ef28515ccfa1f1787c2aedef75a79dd
(git)
Affected: f081fda293ffba54216a7dab66faba7275475006 , < 272093471305261c4e07a2fc97c2d1e53cd56819 (git) Affected: f081fda293ffba54216a7dab66faba7275475006 , < f8a983d6e01b198320d310cb1326364d7d973b2a (git) Affected: f081fda293ffba54216a7dab66faba7275475006 , < 5eaebd19fbb0e26e73a34f55d3b1dc310df0eb15 (git) Affected: f081fda293ffba54216a7dab66faba7275475006 , < d74f9340097a881869c4c22ca376654cc2516ecc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/hisilicon/zip/zip_crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d88b88514ef28515ccfa1f1787c2aedef75a79dd",
"status": "affected",
"version": "f081fda293ffba54216a7dab66faba7275475006",
"versionType": "git"
},
{
"lessThan": "272093471305261c4e07a2fc97c2d1e53cd56819",
"status": "affected",
"version": "f081fda293ffba54216a7dab66faba7275475006",
"versionType": "git"
},
{
"lessThan": "f8a983d6e01b198320d310cb1326364d7d973b2a",
"status": "affected",
"version": "f081fda293ffba54216a7dab66faba7275475006",
"versionType": "git"
},
{
"lessThan": "5eaebd19fbb0e26e73a34f55d3b1dc310df0eb15",
"status": "affected",
"version": "f081fda293ffba54216a7dab66faba7275475006",
"versionType": "git"
},
{
"lessThan": "d74f9340097a881869c4c22ca376654cc2516ecc",
"status": "affected",
"version": "f081fda293ffba54216a7dab66faba7275475006",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/hisilicon/zip/zip_crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr\n\nKASAN reported this Bug:\n\n\t[17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60\n\t[17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958\n\t...\n\t[17619.698934] The buggy address belongs to the variable:\n\t[17619.708371] sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip]\n\nThere is a mismatch in hisi_zip when get/set the variable sgl_sge_nr.\nThe type of sgl_sge_nr is u16, and get/set sgl_sge_nr by\nparam_get/set_int.\n\nReplacing param_get/set_int to param_get/set_ushort can fix this bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:30.862Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d88b88514ef28515ccfa1f1787c2aedef75a79dd"
},
{
"url": "https://git.kernel.org/stable/c/272093471305261c4e07a2fc97c2d1e53cd56819"
},
{
"url": "https://git.kernel.org/stable/c/f8a983d6e01b198320d310cb1326364d7d973b2a"
},
{
"url": "https://git.kernel.org/stable/c/5eaebd19fbb0e26e73a34f55d3b1dc310df0eb15"
},
{
"url": "https://git.kernel.org/stable/c/d74f9340097a881869c4c22ca376654cc2516ecc"
}
],
"title": "crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50814",
"datePublished": "2025-12-30T12:08:30.862Z",
"dateReserved": "2025-12-30T12:06:07.130Z",
"dateUpdated": "2025-12-30T12:08:30.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40329 (GCVE-0-2025-40329)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09
VLAI?
EPSS
Title
drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb
The Mesa issue referenced below pointed out a possible deadlock:
[ 1231.611031] Possible interrupt unsafe locking scenario:
[ 1231.611033] CPU0 CPU1
[ 1231.611034] ---- ----
[ 1231.611035] lock(&xa->xa_lock#17);
[ 1231.611038] local_irq_disable();
[ 1231.611039] lock(&fence->lock);
[ 1231.611041] lock(&xa->xa_lock#17);
[ 1231.611044] <Interrupt>
[ 1231.611045] lock(&fence->lock);
[ 1231.611047]
*** DEADLOCK ***
In this example, CPU0 would be any function accessing job->dependencies
through the xa_* functions that don't disable interrupts (eg:
drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).
CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling
callback so in an interrupt context. It will deadlock when trying to
grab the xa_lock which is already held by CPU0.
Replacing all xa_* usage by their xa_*_irq counterparts would fix
this issue, but Christian pointed out another issue: dma_fence_signal
takes fence.lock and so does dma_fence_add_callback.
dma_fence_signal() // locks f1.lock
-> drm_sched_entity_kill_jobs_cb()
-> foreach dependencies
-> dma_fence_add_callback() // locks f2.lock
This will deadlock if f1 and f2 share the same spinlock.
To fix both issues, the code iterating on dependencies and re-arming them
is moved out to drm_sched_entity_kill_jobs_work().
[phasta: commit message nits]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 70150b9443dddf02157d821c68abf438f55a2e8e
(git)
Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 0d63031ee4a57be0252cb9a4e09ae921c75cece9 (git) Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 3e8ada4fd838e3fd2cca94000dac054f3a347c01 (git) Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 487df8b698345dd5a91346335f05170ed5f29d4e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_entity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70150b9443dddf02157d821c68abf438f55a2e8e",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
},
{
"lessThan": "0d63031ee4a57be0252cb9a4e09ae921c75cece9",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
},
{
"lessThan": "3e8ada4fd838e3fd2cca94000dac054f3a347c01",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
},
{
"lessThan": "487df8b698345dd5a91346335f05170ed5f29d4e",
"status": "affected",
"version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/scheduler/sched_entity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb\n\nThe Mesa issue referenced below pointed out a possible deadlock:\n\n[ 1231.611031] Possible interrupt unsafe locking scenario:\n\n[ 1231.611033] CPU0 CPU1\n[ 1231.611034] ---- ----\n[ 1231.611035] lock(\u0026xa-\u003exa_lock#17);\n[ 1231.611038] local_irq_disable();\n[ 1231.611039] lock(\u0026fence-\u003elock);\n[ 1231.611041] lock(\u0026xa-\u003exa_lock#17);\n[ 1231.611044] \u003cInterrupt\u003e\n[ 1231.611045] lock(\u0026fence-\u003elock);\n[ 1231.611047]\n *** DEADLOCK ***\n\nIn this example, CPU0 would be any function accessing job-\u003edependencies\nthrough the xa_* functions that don\u0027t disable interrupts (eg:\ndrm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).\n\nCPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling\ncallback so in an interrupt context. It will deadlock when trying to\ngrab the xa_lock which is already held by CPU0.\n\nReplacing all xa_* usage by their xa_*_irq counterparts would fix\nthis issue, but Christian pointed out another issue: dma_fence_signal\ntakes fence.lock and so does dma_fence_add_callback.\n\n dma_fence_signal() // locks f1.lock\n -\u003e drm_sched_entity_kill_jobs_cb()\n -\u003e foreach dependencies\n -\u003e dma_fence_add_callback() // locks f2.lock\n\nThis will deadlock if f1 and f2 share the same spinlock.\n\nTo fix both issues, the code iterating on dependencies and re-arming them\nis moved out to drm_sched_entity_kill_jobs_work().\n\n[phasta: commit message nits]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T04:09:46.156Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70150b9443dddf02157d821c68abf438f55a2e8e"
},
{
"url": "https://git.kernel.org/stable/c/0d63031ee4a57be0252cb9a4e09ae921c75cece9"
},
{
"url": "https://git.kernel.org/stable/c/3e8ada4fd838e3fd2cca94000dac054f3a347c01"
},
{
"url": "https://git.kernel.org/stable/c/487df8b698345dd5a91346335f05170ed5f29d4e"
}
],
"title": "drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40329",
"datePublished": "2025-12-09T04:09:46.156Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-09T04:09:46.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50750 (GCVE-0-2022-50750)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure
In case mipi_dsi_attach() fails, call drm_panel_remove() to
avoid memory leak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
849b2e3ff9698226ab91e034d52cbb1da92a5b4c , < 0b7c47b7f358f932159a9d5beec9616ef8a0c6b4
(git)
Affected: 849b2e3ff9698226ab91e034d52cbb1da92a5b4c , < 576828e59a0e03bbc763872912b04f3e3a1b3311 (git) Affected: 849b2e3ff9698226ab91e034d52cbb1da92a5b4c , < 13fc167e1645c43c631d7752d98e377f0e4cbb15 (git) Affected: 849b2e3ff9698226ab91e034d52cbb1da92a5b4c , < 23fddf78eac8d79c56f93ab69b6c47a0816967c9 (git) Affected: 849b2e3ff9698226ab91e034d52cbb1da92a5b4c , < 465611e812587e72bf235034edce0e51be3d6809 (git) Affected: 849b2e3ff9698226ab91e034d52cbb1da92a5b4c , < c62102165dd79284d42383d2f7ed17301bd8e629 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panel/panel-sitronix-st7701.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b7c47b7f358f932159a9d5beec9616ef8a0c6b4",
"status": "affected",
"version": "849b2e3ff9698226ab91e034d52cbb1da92a5b4c",
"versionType": "git"
},
{
"lessThan": "576828e59a0e03bbc763872912b04f3e3a1b3311",
"status": "affected",
"version": "849b2e3ff9698226ab91e034d52cbb1da92a5b4c",
"versionType": "git"
},
{
"lessThan": "13fc167e1645c43c631d7752d98e377f0e4cbb15",
"status": "affected",
"version": "849b2e3ff9698226ab91e034d52cbb1da92a5b4c",
"versionType": "git"
},
{
"lessThan": "23fddf78eac8d79c56f93ab69b6c47a0816967c9",
"status": "affected",
"version": "849b2e3ff9698226ab91e034d52cbb1da92a5b4c",
"versionType": "git"
},
{
"lessThan": "465611e812587e72bf235034edce0e51be3d6809",
"status": "affected",
"version": "849b2e3ff9698226ab91e034d52cbb1da92a5b4c",
"versionType": "git"
},
{
"lessThan": "c62102165dd79284d42383d2f7ed17301bd8e629",
"status": "affected",
"version": "849b2e3ff9698226ab91e034d52cbb1da92a5b4c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panel/panel-sitronix-st7701.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure\n\nIn case mipi_dsi_attach() fails, call drm_panel_remove() to\navoid memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:45.447Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b7c47b7f358f932159a9d5beec9616ef8a0c6b4"
},
{
"url": "https://git.kernel.org/stable/c/576828e59a0e03bbc763872912b04f3e3a1b3311"
},
{
"url": "https://git.kernel.org/stable/c/13fc167e1645c43c631d7752d98e377f0e4cbb15"
},
{
"url": "https://git.kernel.org/stable/c/23fddf78eac8d79c56f93ab69b6c47a0816967c9"
},
{
"url": "https://git.kernel.org/stable/c/465611e812587e72bf235034edce0e51be3d6809"
},
{
"url": "https://git.kernel.org/stable/c/c62102165dd79284d42383d2f7ed17301bd8e629"
}
],
"title": "drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50750",
"datePublished": "2025-12-24T13:05:45.447Z",
"dateReserved": "2025-12-24T13:02:21.544Z",
"dateUpdated": "2025-12-24T13:05:45.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54069 (GCVE-0-2023-54069)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
When we calculate the end position of ext4_free_extent, this position may
be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if
ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the
computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not
the first case of adjusting the best extent, that is, new_bex_end > 0, the
following BUG_ON will be triggered:
=========================================================
kernel BUG at fs/ext4/mballoc.c:5116!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279
RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430
Call Trace:
<TASK>
ext4_mb_use_best_found+0x203/0x2f0
ext4_mb_try_best_found+0x163/0x240
ext4_mb_regular_allocator+0x158/0x1550
ext4_mb_new_blocks+0x86a/0xe10
ext4_ext_map_blocks+0xb0c/0x13a0
ext4_map_blocks+0x2cd/0x8f0
ext4_iomap_begin+0x27b/0x400
iomap_iter+0x222/0x3d0
__iomap_dio_rw+0x243/0xcb0
iomap_dio_rw+0x16/0x80
=========================================================
A simple reproducer demonstrating the problem:
mkfs.ext4 -F /dev/sda -b 4096 100M
mount /dev/sda /tmp/test
fallocate -l1M /tmp/test/tmp
fallocate -l10M /tmp/test/file
fallocate -i -o 1M -l16777203M /tmp/test/file
fsstress -d /tmp/test -l 0 -n 100000 -p 8 &
sleep 10 && killall -9 fsstress
rm -f /tmp/test/tmp
xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192"
We simply refactor the logic for adjusting the best extent by adding
a temporary ext4_free_extent ex and use extent_logical_end() to avoid
overflow, which also simplifies the code.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8659c5f4ffaacbe932849b98462c3d635b4eacea , < 83ecffd40c65844a73c2e93d7c841455786605ac
(git)
Affected: fc7237e191b99f88e859316fab2b06c2c26c8344 , < 58fe961c606c446f5612f6897827b1cac42c2e89 (git) Affected: 613f6cde5ebb005a37fda117cdda7b4126170c13 , < f2c3a3aa6f11ad9878dbc3a067b0633e07b586c1 (git) Affected: 9d4430b7f862ce8835ca4e054b6916d15c8e0862 , < fcefddf3a151b2c416b20120c06bb1ba9ad676fb (git) Affected: 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9 , < b7e9ec38b6a0beb5a49cd1e76be0a9a07c218e90 (git) Affected: 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9 , < bc056e7163ac7db945366de219745cf94f32a3e6 (git) Affected: 46772ab99409cc72241227dd8f5295f358233fda (git) Affected: 25a60b4533268477920faaeebd99e7e69c0735cd (git) Affected: cec4ef62b36b04e0bc8905732adab091f4bc1cfd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83ecffd40c65844a73c2e93d7c841455786605ac",
"status": "affected",
"version": "8659c5f4ffaacbe932849b98462c3d635b4eacea",
"versionType": "git"
},
{
"lessThan": "58fe961c606c446f5612f6897827b1cac42c2e89",
"status": "affected",
"version": "fc7237e191b99f88e859316fab2b06c2c26c8344",
"versionType": "git"
},
{
"lessThan": "f2c3a3aa6f11ad9878dbc3a067b0633e07b586c1",
"status": "affected",
"version": "613f6cde5ebb005a37fda117cdda7b4126170c13",
"versionType": "git"
},
{
"lessThan": "fcefddf3a151b2c416b20120c06bb1ba9ad676fb",
"status": "affected",
"version": "9d4430b7f862ce8835ca4e054b6916d15c8e0862",
"versionType": "git"
},
{
"lessThan": "b7e9ec38b6a0beb5a49cd1e76be0a9a07c218e90",
"status": "affected",
"version": "93cdf49f6eca5e23f6546b8f28457b2e6a6961d9",
"versionType": "git"
},
{
"lessThan": "bc056e7163ac7db945366de219745cf94f32a3e6",
"status": "affected",
"version": "93cdf49f6eca5e23f6546b8f28457b2e6a6961d9",
"versionType": "git"
},
{
"status": "affected",
"version": "46772ab99409cc72241227dd8f5295f358233fda",
"versionType": "git"
},
{
"status": "affected",
"version": "25a60b4533268477920faaeebd99e7e69c0735cd",
"versionType": "git"
},
{
"status": "affected",
"version": "cec4ef62b36b04e0bc8905732adab091f4bc1cfd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.260",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.260",
"versionStartIncluding": "5.4.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.200",
"versionStartIncluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.138",
"versionStartIncluding": "5.15.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.61",
"versionStartIncluding": "6.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix BUG in ext4_mb_new_inode_pa() due to overflow\n\nWhen we calculate the end position of ext4_free_extent, this position may\nbe exactly where ext4_lblk_t (i.e. uint) overflows. For example, if\nac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the\ncomputed end is 0x100000000, which is 0. If ac-\u003eac_o_ex.fe_logical is not\nthe first case of adjusting the best extent, that is, new_bex_end \u003e 0, the\nfollowing BUG_ON will be triggered:\n\n=========================================================\nkernel BUG at fs/ext4/mballoc.c:5116!\ninvalid opcode: 0000 [#1] PREEMPT SMP PTI\nCPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279\nRIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430\nCall Trace:\n \u003cTASK\u003e\n ext4_mb_use_best_found+0x203/0x2f0\n ext4_mb_try_best_found+0x163/0x240\n ext4_mb_regular_allocator+0x158/0x1550\n ext4_mb_new_blocks+0x86a/0xe10\n ext4_ext_map_blocks+0xb0c/0x13a0\n ext4_map_blocks+0x2cd/0x8f0\n ext4_iomap_begin+0x27b/0x400\n iomap_iter+0x222/0x3d0\n __iomap_dio_rw+0x243/0xcb0\n iomap_dio_rw+0x16/0x80\n=========================================================\n\nA simple reproducer demonstrating the problem:\n\n\tmkfs.ext4 -F /dev/sda -b 4096 100M\n\tmount /dev/sda /tmp/test\n\tfallocate -l1M /tmp/test/tmp\n\tfallocate -l10M /tmp/test/file\n\tfallocate -i -o 1M -l16777203M /tmp/test/file\n\tfsstress -d /tmp/test -l 0 -n 100000 -p 8 \u0026\n\tsleep 10 \u0026\u0026 killall -9 fsstress\n\trm -f /tmp/test/tmp\n\txfs_io -c \"open -ad /tmp/test/file\" -c \"pwrite -S 0xff 0 8192\"\n\nWe simply refactor the logic for adjusting the best extent by adding\na temporary ext4_free_extent ex and use extent_logical_end() to avoid\noverflow, which also simplifies the code."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:13.504Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83ecffd40c65844a73c2e93d7c841455786605ac"
},
{
"url": "https://git.kernel.org/stable/c/58fe961c606c446f5612f6897827b1cac42c2e89"
},
{
"url": "https://git.kernel.org/stable/c/f2c3a3aa6f11ad9878dbc3a067b0633e07b586c1"
},
{
"url": "https://git.kernel.org/stable/c/fcefddf3a151b2c416b20120c06bb1ba9ad676fb"
},
{
"url": "https://git.kernel.org/stable/c/b7e9ec38b6a0beb5a49cd1e76be0a9a07c218e90"
},
{
"url": "https://git.kernel.org/stable/c/bc056e7163ac7db945366de219745cf94f32a3e6"
}
],
"title": "ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54069",
"datePublished": "2025-12-24T12:23:13.504Z",
"dateReserved": "2025-12-24T12:21:05.093Z",
"dateUpdated": "2025-12-24T12:23:13.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54205 (GCVE-0-2023-54205)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain
of_irq_find_parent() returns a node pointer with refcount incremented,
We should use of_node_put() on it when not needed anymore.
Add missing of_node_put() to avoid refcount leak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d86f4d71e42a9fa1866f030074e54d7571d16ec1 , < 95ab6d7905ebb52dc2ed6357c38e536753824068
(git)
Affected: d86f4d71e42a9fa1866f030074e54d7571d16ec1 , < 8ab860dd8717a7e4a143988885fea0d7e5a9412e (git) Affected: d86f4d71e42a9fa1866f030074e54d7571d16ec1 , < af54707c0ccab52b3d532402436ea101011a9299 (git) Affected: d86f4d71e42a9fa1866f030074e54d7571d16ec1 , < 601be03fa8b81747a154bdef9b559411a5b921e8 (git) Affected: d86f4d71e42a9fa1866f030074e54d7571d16ec1 , < 9ae053d1eb87875d56f95b6a123a69827225a70e (git) Affected: d86f4d71e42a9fa1866f030074e54d7571d16ec1 , < dcef18c8ac40aa85bb339f64c1dd31dd458b06fb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/stm32/pinctrl-stm32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95ab6d7905ebb52dc2ed6357c38e536753824068",
"status": "affected",
"version": "d86f4d71e42a9fa1866f030074e54d7571d16ec1",
"versionType": "git"
},
{
"lessThan": "8ab860dd8717a7e4a143988885fea0d7e5a9412e",
"status": "affected",
"version": "d86f4d71e42a9fa1866f030074e54d7571d16ec1",
"versionType": "git"
},
{
"lessThan": "af54707c0ccab52b3d532402436ea101011a9299",
"status": "affected",
"version": "d86f4d71e42a9fa1866f030074e54d7571d16ec1",
"versionType": "git"
},
{
"lessThan": "601be03fa8b81747a154bdef9b559411a5b921e8",
"status": "affected",
"version": "d86f4d71e42a9fa1866f030074e54d7571d16ec1",
"versionType": "git"
},
{
"lessThan": "9ae053d1eb87875d56f95b6a123a69827225a70e",
"status": "affected",
"version": "d86f4d71e42a9fa1866f030074e54d7571d16ec1",
"versionType": "git"
},
{
"lessThan": "dcef18c8ac40aa85bb339f64c1dd31dd458b06fb",
"status": "affected",
"version": "d86f4d71e42a9fa1866f030074e54d7571d16ec1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/stm32/pinctrl-stm32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain\n\nof_irq_find_parent() returns a node pointer with refcount incremented,\nWe should use of_node_put() on it when not needed anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:05.295Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95ab6d7905ebb52dc2ed6357c38e536753824068"
},
{
"url": "https://git.kernel.org/stable/c/8ab860dd8717a7e4a143988885fea0d7e5a9412e"
},
{
"url": "https://git.kernel.org/stable/c/af54707c0ccab52b3d532402436ea101011a9299"
},
{
"url": "https://git.kernel.org/stable/c/601be03fa8b81747a154bdef9b559411a5b921e8"
},
{
"url": "https://git.kernel.org/stable/c/9ae053d1eb87875d56f95b6a123a69827225a70e"
},
{
"url": "https://git.kernel.org/stable/c/dcef18c8ac40aa85bb339f64c1dd31dd458b06fb"
}
],
"title": "pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54205",
"datePublished": "2025-12-30T12:11:05.295Z",
"dateReserved": "2025-12-30T12:06:44.499Z",
"dateUpdated": "2025-12-30T12:11:05.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54076 (GCVE-0-2023-54076)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
smb: client: fix missed ses refcounting
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix missed ses refcounting
Use new cifs_smb_ses_inc_refcount() helper to get an active reference
of @ses and @ses->dfs_root_ses (if set). This will prevent
@ses->dfs_root_ses of being put in the next call to cifs_put_smb_ses()
and thus potentially causing an use-after-free bug.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8e3554150d6c80a84b3cb046615d1a0e943811dc , < eb382196e6f6e05cfafdab797840e5a96c6e7bf0
(git)
Affected: 8e3554150d6c80a84b3cb046615d1a0e943811dc , < bf99f6be2d20146942bce6f9e90a0ceef12cbc1e (git) Affected: f30d226bcc9f0e2d97b4a6e94c43a28148fbeab6 (git) Affected: c082c3be0f96e759ff2e361d929832fda0b93851 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/dfs.c",
"fs/smb/client/smb2transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb382196e6f6e05cfafdab797840e5a96c6e7bf0",
"status": "affected",
"version": "8e3554150d6c80a84b3cb046615d1a0e943811dc",
"versionType": "git"
},
{
"lessThan": "bf99f6be2d20146942bce6f9e90a0ceef12cbc1e",
"status": "affected",
"version": "8e3554150d6c80a84b3cb046615d1a0e943811dc",
"versionType": "git"
},
{
"status": "affected",
"version": "f30d226bcc9f0e2d97b4a6e94c43a28148fbeab6",
"versionType": "git"
},
{
"status": "affected",
"version": "c082c3be0f96e759ff2e361d929832fda0b93851",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/dfs.c",
"fs/smb/client/smb2transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix missed ses refcounting\n\nUse new cifs_smb_ses_inc_refcount() helper to get an active reference\nof @ses and @ses-\u003edfs_root_ses (if set). This will prevent\n@ses-\u003edfs_root_ses of being put in the next call to cifs_put_smb_ses()\nand thus potentially causing an use-after-free bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:18.330Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb382196e6f6e05cfafdab797840e5a96c6e7bf0"
},
{
"url": "https://git.kernel.org/stable/c/bf99f6be2d20146942bce6f9e90a0ceef12cbc1e"
}
],
"title": "smb: client: fix missed ses refcounting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54076",
"datePublished": "2025-12-24T12:23:18.330Z",
"dateReserved": "2025-12-24T12:21:05.093Z",
"dateUpdated": "2025-12-24T12:23:18.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53755 (GCVE-0-2023-53755)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
dmaengine: ptdma: check for null desc before calling pt_cmd_callback
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ptdma: check for null desc before calling pt_cmd_callback
Resolves a panic that can occur on AMD systems, typically during host
shutdown, after the PTDMA driver had been exercised. The issue was
the pt_issue_pending() function is mistakenly assuming that there will
be at least one descriptor in the Submitted queue when the function
is called. However, it is possible that both the Submitted and Issued
queues could be empty, which could result in pt_cmd_callback() being
mistakenly called with a NULL pointer.
Ref: Bugzilla Bug 216856.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6fa7e0e836e23e2c758ac3930b040c8abbbf8a6f , < 8ae2113702613207efc05453bc9a3df2b992bf45
(git)
Affected: 6fa7e0e836e23e2c758ac3930b040c8abbbf8a6f , < 5bba023b1241c7af5d40447503a68de282ad5190 (git) Affected: 6fa7e0e836e23e2c758ac3930b040c8abbbf8a6f , < 928469986171a6f763b34b039427f5667ba3fd50 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ptdma/ptdma-dmaengine.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ae2113702613207efc05453bc9a3df2b992bf45",
"status": "affected",
"version": "6fa7e0e836e23e2c758ac3930b040c8abbbf8a6f",
"versionType": "git"
},
{
"lessThan": "5bba023b1241c7af5d40447503a68de282ad5190",
"status": "affected",
"version": "6fa7e0e836e23e2c758ac3930b040c8abbbf8a6f",
"versionType": "git"
},
{
"lessThan": "928469986171a6f763b34b039427f5667ba3fd50",
"status": "affected",
"version": "6fa7e0e836e23e2c758ac3930b040c8abbbf8a6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ptdma/ptdma-dmaengine.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ptdma: check for null desc before calling pt_cmd_callback\n\nResolves a panic that can occur on AMD systems, typically during host\nshutdown, after the PTDMA driver had been exercised. The issue was\nthe pt_issue_pending() function is mistakenly assuming that there will\nbe at least one descriptor in the Submitted queue when the function\nis called. However, it is possible that both the Submitted and Issued\nqueues could be empty, which could result in pt_cmd_callback() being\nmistakenly called with a NULL pointer.\nRef: Bugzilla Bug 216856."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:15.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ae2113702613207efc05453bc9a3df2b992bf45"
},
{
"url": "https://git.kernel.org/stable/c/5bba023b1241c7af5d40447503a68de282ad5190"
},
{
"url": "https://git.kernel.org/stable/c/928469986171a6f763b34b039427f5667ba3fd50"
}
],
"title": "dmaengine: ptdma: check for null desc before calling pt_cmd_callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53755",
"datePublished": "2025-12-08T01:19:15.999Z",
"dateReserved": "2025-12-08T01:18:04.280Z",
"dateUpdated": "2025-12-08T01:19:15.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54229 (GCVE-0-2023-54229)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2026-01-05 11:36
VLAI?
EPSS
Title
wifi: ath11k: fix registration of 6Ghz-only phy without the full channel range
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix registration of 6Ghz-only phy without the full channel range
Because of what seems to be a typo, a 6Ghz-only phy for which the BDF
does not allow the 7115Mhz channel will fail to register:
WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954
Modules linked in: ath11k_pci sbsa_gwdt
CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9
Hardware name: Freebox V7R Board (DT)
Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : wiphy_register+0x914/0x954
lr : ieee80211_register_hw+0x67c/0xc10
sp : ffffff800b123aa0
x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418
x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168
x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014
x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f
x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd
x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718
x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006
x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284
x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
wiphy_register+0x914/0x954
ieee80211_register_hw+0x67c/0xc10
ath11k_mac_register+0x7c4/0xe10
ath11k_core_qmi_firmware_ready+0x1f4/0x570
ath11k_qmi_driver_event_work+0x198/0x590
process_one_work+0x1b8/0x328
worker_thread+0x6c/0x414
kthread+0x100/0x104
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22
ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22
ath11k_pci 0002:01:00.0: failed to create pdev core: -22
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
22eeadcdeab63e88983401f699f61a0121c03a0d , < 532f8bac60419eb28158770470b9bb655de207c8
(git)
Affected: 22eeadcdeab63e88983401f699f61a0121c03a0d , < f97832620d7f320bea81707f34631371e87a419b (git) Affected: 22eeadcdeab63e88983401f699f61a0121c03a0d , < 8d1342108c2bf11aaaf293becfc010ecdb6170d9 (git) Affected: 22eeadcdeab63e88983401f699f61a0121c03a0d , < 32ca096e712a78b2f0d2e48d33dc0caaba9f9866 (git) Affected: 22eeadcdeab63e88983401f699f61a0121c03a0d , < e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "532f8bac60419eb28158770470b9bb655de207c8",
"status": "affected",
"version": "22eeadcdeab63e88983401f699f61a0121c03a0d",
"versionType": "git"
},
{
"lessThan": "f97832620d7f320bea81707f34631371e87a419b",
"status": "affected",
"version": "22eeadcdeab63e88983401f699f61a0121c03a0d",
"versionType": "git"
},
{
"lessThan": "8d1342108c2bf11aaaf293becfc010ecdb6170d9",
"status": "affected",
"version": "22eeadcdeab63e88983401f699f61a0121c03a0d",
"versionType": "git"
},
{
"lessThan": "32ca096e712a78b2f0d2e48d33dc0caaba9f9866",
"status": "affected",
"version": "22eeadcdeab63e88983401f699f61a0121c03a0d",
"versionType": "git"
},
{
"lessThan": "e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14",
"status": "affected",
"version": "22eeadcdeab63e88983401f699f61a0121c03a0d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix registration of 6Ghz-only phy without the full channel range\n\nBecause of what seems to be a typo, a 6Ghz-only phy for which the BDF\ndoes not allow the 7115Mhz channel will fail to register:\n\n WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954\n Modules linked in: ath11k_pci sbsa_gwdt\n CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9\n Hardware name: Freebox V7R Board (DT)\n Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : wiphy_register+0x914/0x954\n lr : ieee80211_register_hw+0x67c/0xc10\n sp : ffffff800b123aa0\n x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418\n x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168\n x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014\n x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f\n x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd\n x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718\n x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006\n x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284\n x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n wiphy_register+0x914/0x954\n ieee80211_register_hw+0x67c/0xc10\n ath11k_mac_register+0x7c4/0xe10\n ath11k_core_qmi_firmware_ready+0x1f4/0x570\n ath11k_qmi_driver_event_work+0x198/0x590\n process_one_work+0x1b8/0x328\n worker_thread+0x6c/0x414\n kthread+0x100/0x104\n ret_from_fork+0x10/0x20\n ---[ end trace 0000000000000000 ]---\n ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22\n ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22\n ath11k_pci 0002:01:00.0: failed to create pdev core: -22"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:36:55.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/532f8bac60419eb28158770470b9bb655de207c8"
},
{
"url": "https://git.kernel.org/stable/c/f97832620d7f320bea81707f34631371e87a419b"
},
{
"url": "https://git.kernel.org/stable/c/8d1342108c2bf11aaaf293becfc010ecdb6170d9"
},
{
"url": "https://git.kernel.org/stable/c/32ca096e712a78b2f0d2e48d33dc0caaba9f9866"
},
{
"url": "https://git.kernel.org/stable/c/e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14"
}
],
"title": "wifi: ath11k: fix registration of 6Ghz-only phy without the full channel range",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54229",
"datePublished": "2025-12-30T12:11:21.549Z",
"dateReserved": "2025-12-30T12:06:44.502Z",
"dateUpdated": "2026-01-05T11:36:55.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54238 (GCVE-0-2023-54238)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
mlx5: fix skb leak while fifo resync and push
Summary
In the Linux kernel, the following vulnerability has been resolved:
mlx5: fix skb leak while fifo resync and push
During ptp resync operation SKBs were poped from the fifo but were never
freed neither by napi_consume nor by dev_kfree_skb_any. Add call to
napi_consume_skb to properly free SKBs.
Another leak was happening because mlx5e_skb_fifo_has_room() had an error
in the check. Comparing free running counters works well unless C promotes
the types to something wider than the counter. In this case counters are
u16 but the result of the substraction is promouted to int and it causes
wrong result (negative value) of the check when producer have already
overlapped but consumer haven't yet. Explicit cast to u16 fixes the issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
58a518948f60153e8f6cb8361d2712aa3a1af94a , < 234cffda95e1049f58e8ec136ef105c633f0ed19
(git)
Affected: 58a518948f60153e8f6cb8361d2712aa3a1af94a , < 68504c66d08c70fb92799722e25a932d311d74fd (git) Affected: 58a518948f60153e8f6cb8361d2712aa3a1af94a , < e435941b1da1a0be4ff8a7ae425774c76a5ac514 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c",
"drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "234cffda95e1049f58e8ec136ef105c633f0ed19",
"status": "affected",
"version": "58a518948f60153e8f6cb8361d2712aa3a1af94a",
"versionType": "git"
},
{
"lessThan": "68504c66d08c70fb92799722e25a932d311d74fd",
"status": "affected",
"version": "58a518948f60153e8f6cb8361d2712aa3a1af94a",
"versionType": "git"
},
{
"lessThan": "e435941b1da1a0be4ff8a7ae425774c76a5ac514",
"status": "affected",
"version": "58a518948f60153e8f6cb8361d2712aa3a1af94a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c",
"drivers/net/ethernet/mellanox/mlx5/core/en/txrx.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlx5: fix skb leak while fifo resync and push\n\nDuring ptp resync operation SKBs were poped from the fifo but were never\nfreed neither by napi_consume nor by dev_kfree_skb_any. Add call to\nnapi_consume_skb to properly free SKBs.\n\nAnother leak was happening because mlx5e_skb_fifo_has_room() had an error\nin the check. Comparing free running counters works well unless C promotes\nthe types to something wider than the counter. In this case counters are\nu16 but the result of the substraction is promouted to int and it causes\nwrong result (negative value) of the check when producer have already\noverlapped but consumer haven\u0027t yet. Explicit cast to u16 fixes the issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:27.702Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/234cffda95e1049f58e8ec136ef105c633f0ed19"
},
{
"url": "https://git.kernel.org/stable/c/68504c66d08c70fb92799722e25a932d311d74fd"
},
{
"url": "https://git.kernel.org/stable/c/e435941b1da1a0be4ff8a7ae425774c76a5ac514"
}
],
"title": "mlx5: fix skb leak while fifo resync and push",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54238",
"datePublished": "2025-12-30T12:11:27.702Z",
"dateReserved": "2025-12-30T12:06:44.508Z",
"dateUpdated": "2025-12-30T12:11:27.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40074 (GCVE-0-2025-40074)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
ipv4: start using dst_dev_rcu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: start using dst_dev_rcu()
Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.
Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(),
ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c",
"net/ipv4/ip_fragment.c",
"net/ipv4/ipmr.c",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "923e0734c386984d45de508528a7a7ad91d791cc",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "6ad8de3cefdb6ffa6708b21c567df0dbf82c43a8",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c",
"net/ipv4/ip_fragment.c",
"net/ipv4/ipmr.c",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: start using dst_dev_rcu()\n\nChange icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.\n\nChange ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(),\nipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:30.009Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/923e0734c386984d45de508528a7a7ad91d791cc"
},
{
"url": "https://git.kernel.org/stable/c/6ad8de3cefdb6ffa6708b21c567df0dbf82c43a8"
}
],
"title": "ipv4: start using dst_dev_rcu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40074",
"datePublished": "2025-10-28T11:48:41.202Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-12-01T06:17:30.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53834 (GCVE-0-2023-53834)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
iio: adc: ina2xx: avoid NULL pointer dereference on OF device match
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: ina2xx: avoid NULL pointer dereference on OF device match
The affected lines were resulting in a NULL pointer dereference on our
platform because the device tree contained the following list of
compatible strings:
power-sensor@40 {
compatible = "ti,ina232", "ti,ina231";
...
};
Since the driver doesn't declare a compatible string "ti,ina232", the OF
matching succeeds on "ti,ina231". But the I2C device ID info is
populated via the first compatible string, cf. modalias population in
of_i2c_get_board_info(). Since there is no "ina232" entry in the legacy
I2C device ID table either, the struct i2c_device_id *id pointer in the
probe function is NULL.
Fix this by using the already populated type variable instead, which
points to the proper driver data. Since the name is also wanted, add a
generic one to the ina2xx_config table.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c43a102e67db99c8bfe6e8a9280cec13ff53b789 , < a8e2ae6296d56478fb98ae7f739846ed121f154f
(git)
Affected: c43a102e67db99c8bfe6e8a9280cec13ff53b789 , < 77b689cc27d489b75d33f1a368356d70eb0ce08c (git) Affected: c43a102e67db99c8bfe6e8a9280cec13ff53b789 , < 13f3ce53b65aa8b44cad7039d31e62c9ffd6c5d1 (git) Affected: c43a102e67db99c8bfe6e8a9280cec13ff53b789 , < a41e19cc0d6b6a445a4133170b90271e4a2553dc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/ina2xx-adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8e2ae6296d56478fb98ae7f739846ed121f154f",
"status": "affected",
"version": "c43a102e67db99c8bfe6e8a9280cec13ff53b789",
"versionType": "git"
},
{
"lessThan": "77b689cc27d489b75d33f1a368356d70eb0ce08c",
"status": "affected",
"version": "c43a102e67db99c8bfe6e8a9280cec13ff53b789",
"versionType": "git"
},
{
"lessThan": "13f3ce53b65aa8b44cad7039d31e62c9ffd6c5d1",
"status": "affected",
"version": "c43a102e67db99c8bfe6e8a9280cec13ff53b789",
"versionType": "git"
},
{
"lessThan": "a41e19cc0d6b6a445a4133170b90271e4a2553dc",
"status": "affected",
"version": "c43a102e67db99c8bfe6e8a9280cec13ff53b789",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/adc/ina2xx-adc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ina2xx: avoid NULL pointer dereference on OF device match\n\nThe affected lines were resulting in a NULL pointer dereference on our\nplatform because the device tree contained the following list of\ncompatible strings:\n\n power-sensor@40 {\n compatible = \"ti,ina232\", \"ti,ina231\";\n ...\n };\n\nSince the driver doesn\u0027t declare a compatible string \"ti,ina232\", the OF\nmatching succeeds on \"ti,ina231\". But the I2C device ID info is\npopulated via the first compatible string, cf. modalias population in\nof_i2c_get_board_info(). Since there is no \"ina232\" entry in the legacy\nI2C device ID table either, the struct i2c_device_id *id pointer in the\nprobe function is NULL.\n\nFix this by using the already populated type variable instead, which\npoints to the proper driver data. Since the name is also wanted, add a\ngeneric one to the ina2xx_config table."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:49.742Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8e2ae6296d56478fb98ae7f739846ed121f154f"
},
{
"url": "https://git.kernel.org/stable/c/77b689cc27d489b75d33f1a368356d70eb0ce08c"
},
{
"url": "https://git.kernel.org/stable/c/13f3ce53b65aa8b44cad7039d31e62c9ffd6c5d1"
},
{
"url": "https://git.kernel.org/stable/c/a41e19cc0d6b6a445a4133170b90271e4a2553dc"
}
],
"title": "iio: adc: ina2xx: avoid NULL pointer dereference on OF device match",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53834",
"datePublished": "2025-12-09T01:29:49.742Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:49.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68172 (GCVE-0-2025-68172)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42
VLAI?
EPSS
Title
crypto: aspeed - fix double free caused by devm
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: aspeed - fix double free caused by devm
The clock obtained via devm_clk_get_enabled() is automatically managed
by devres and will be disabled and freed on driver detach. Manually
calling clk_disable_unprepare() in error path and remove function
causes double free.
Remove the manual clock cleanup in both aspeed_acry_probe()'s error
path and aspeed_acry_remove().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < 0dd6474ced33489076e6c0f3fe5077bf12e85b28
(git)
Affected: 2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < 29d0504077044a7e1ffbd09a6118018d5954a6e5 (git) Affected: 2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < e8407dfd267018f4647ffb061a9bd4a6d7ebacc6 (git) Affected: 2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < 3c9bf72cc1ced1297b235f9422d62b613a3fdae9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/aspeed/aspeed-acry.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0dd6474ced33489076e6c0f3fe5077bf12e85b28",
"status": "affected",
"version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
"versionType": "git"
},
{
"lessThan": "29d0504077044a7e1ffbd09a6118018d5954a6e5",
"status": "affected",
"version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
"versionType": "git"
},
{
"lessThan": "e8407dfd267018f4647ffb061a9bd4a6d7ebacc6",
"status": "affected",
"version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
"versionType": "git"
},
{
"lessThan": "3c9bf72cc1ced1297b235f9422d62b613a3fdae9",
"status": "affected",
"version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/aspeed/aspeed-acry.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aspeed - fix double free caused by devm\n\nThe clock obtained via devm_clk_get_enabled() is automatically managed\nby devres and will be disabled and freed on driver detach. Manually\ncalling clk_disable_unprepare() in error path and remove function\ncauses double free.\n\nRemove the manual clock cleanup in both aspeed_acry_probe()\u0027s error\npath and aspeed_acry_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:42:52.141Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0dd6474ced33489076e6c0f3fe5077bf12e85b28"
},
{
"url": "https://git.kernel.org/stable/c/29d0504077044a7e1ffbd09a6118018d5954a6e5"
},
{
"url": "https://git.kernel.org/stable/c/e8407dfd267018f4647ffb061a9bd4a6d7ebacc6"
},
{
"url": "https://git.kernel.org/stable/c/3c9bf72cc1ced1297b235f9422d62b613a3fdae9"
}
],
"title": "crypto: aspeed - fix double free caused by devm",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68172",
"datePublished": "2025-12-16T13:42:52.141Z",
"dateReserved": "2025-12-16T13:41:40.251Z",
"dateUpdated": "2025-12-16T13:42:52.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68757 (GCVE-0-2025-68757)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
drm/vgem-fence: Fix potential deadlock on release
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vgem-fence: Fix potential deadlock on release
A timer that expires a vgem fence automatically in 10 seconds is now
released with timer_delete_sync() from fence->ops.release() called on last
dma_fence_put(). In some scenarios, it can run in IRQ context, which is
not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was
demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while
working on new IGT subtests syncobj_timeline@stress-* as user space
replacements of some problematic test cases of a dma-fence-chain selftest
[1].
[117.004338] ================================
[117.004340] WARNING: inconsistent lock state
[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U
[117.004346] --------------------------------
[117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:
[117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190
[117.004361] {HARDIRQ-ON-W} state was registered at:
[117.004363] lock_acquire+0xc4/0x2e0
[117.004366] call_timer_fn+0x80/0x2a0
[117.004368] __run_timers+0x231/0x310
[117.004370] run_timer_softirq+0x76/0xe0
[117.004372] handle_softirqs+0xd4/0x4d0
[117.004375] __irq_exit_rcu+0x13f/0x160
[117.004377] irq_exit_rcu+0xe/0x20
[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004385] cpuidle_enter_state+0x12b/0x8a0
[117.004388] cpuidle_enter+0x2e/0x50
[117.004393] call_cpuidle+0x22/0x60
[117.004395] do_idle+0x1fd/0x260
[117.004398] cpu_startup_entry+0x29/0x30
[117.004401] start_secondary+0x12d/0x160
[117.004404] common_startup_64+0x13e/0x141
[117.004407] irq event stamp: 2282669
[117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80
[117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0
[117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18
[117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160
[117.004426]
other info that might help us debug this:
[117.004429] Possible unsafe locking scenario:
[117.004432] CPU0
[117.004433] ----
[117.004434] lock((&fence->timer));
[117.004436] <Interrupt>
[117.004438] lock((&fence->timer));
[117.004440]
*** DEADLOCK ***
[117.004443] 1 lock held by swapper/0/0:
[117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0
[117.004450]
stack backtrace:
[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)
[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
[117.004456] Call Trace:
[117.004456] <IRQ>
[117.004457] dump_stack_lvl+0x91/0xf0
[117.004460] dump_stack+0x10/0x20
[117.004461] print_usage_bug.part.0+0x260/0x360
[117.004463] mark_lock+0x76e/0x9c0
[117.004465] ? register_lock_class+0x48/0x4a0
[117.004467] __lock_acquire+0xbc3/0x2860
[117.004469] lock_acquire+0xc4/0x2e0
[117.004470] ? __timer_delete_sync+0x4b/0x190
[117.004472] ? __timer_delete_sync+0x4b/0x190
[117.004473] __timer_delete_sync+0x68/0x190
[117.004474] ? __timer_delete_sync+0x4b/0x190
[117.004475] timer_delete_sync+0x10/0x20
[117.004476] vgem_fence_release+0x19/0x30 [vgem]
[117.004478] dma_fence_release+0xc1/0x3b0
[117.004480] ? dma_fence_release+0xa1/0x3b0
[117.004481] dma_fence_chain_release+0xe7/0x130
[117.004483] dma_fence_release+0xc1/0x3b0
[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80
[117.004485] dma_fence_chain_irq_work+0x59/0x80
[117.004487] irq_work_single+0x75/0xa0
[117.004490] irq_work_r
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4077798484459a2eced2050045099a466ecb618a , < 37289a18099fc7ce916933bd542926a7334791a3
(git)
Affected: 4077798484459a2eced2050045099a466ecb618a , < 489b2158aec92a3fc256d70992416869f86e16e0 (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0 (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 338e388c0d80ffc04963b6b0ec702ffdfd2c4eba (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 4f335cb8fad69b2be5accf0ebac3a8b345915f4e (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 1f0ca9d3e7c38a39f1f12377c24decf0bba46e54 (git) Affected: 4077798484459a2eced2050045099a466ecb618a , < 78b4d6463e9e69e5103f98b367f8984ad12cdc6f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vgem/vgem_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "37289a18099fc7ce916933bd542926a7334791a3",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "489b2158aec92a3fc256d70992416869f86e16e0",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "338e388c0d80ffc04963b6b0ec702ffdfd2c4eba",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "4f335cb8fad69b2be5accf0ebac3a8b345915f4e",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "1f0ca9d3e7c38a39f1f12377c24decf0bba46e54",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
},
{
"lessThan": "78b4d6463e9e69e5103f98b367f8984ad12cdc6f",
"status": "affected",
"version": "4077798484459a2eced2050045099a466ecb618a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vgem/vgem_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vgem-fence: Fix potential deadlock on release\n\nA timer that expires a vgem fence automatically in 10 seconds is now\nreleased with timer_delete_sync() from fence-\u003eops.release() called on last\ndma_fence_put(). In some scenarios, it can run in IRQ context, which is\nnot safe unless TIMER_IRQSAFE is used. One potentially risky scenario was\ndemonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while\nworking on new IGT subtests syncobj_timeline@stress-* as user space\nreplacements of some problematic test cases of a dma-fence-chain selftest\n[1].\n\n[117.004338] ================================\n[117.004340] WARNING: inconsistent lock state\n[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U\n[117.004346] --------------------------------\n[117.004347] inconsistent {HARDIRQ-ON-W} -\u003e {IN-HARDIRQ-W} usage.\n[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:\n[117.004352] ffff888138f86aa8 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190\n[117.004361] {HARDIRQ-ON-W} state was registered at:\n[117.004363] lock_acquire+0xc4/0x2e0\n[117.004366] call_timer_fn+0x80/0x2a0\n[117.004368] __run_timers+0x231/0x310\n[117.004370] run_timer_softirq+0x76/0xe0\n[117.004372] handle_softirqs+0xd4/0x4d0\n[117.004375] __irq_exit_rcu+0x13f/0x160\n[117.004377] irq_exit_rcu+0xe/0x20\n[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0\n[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[117.004385] cpuidle_enter_state+0x12b/0x8a0\n[117.004388] cpuidle_enter+0x2e/0x50\n[117.004393] call_cpuidle+0x22/0x60\n[117.004395] do_idle+0x1fd/0x260\n[117.004398] cpu_startup_entry+0x29/0x30\n[117.004401] start_secondary+0x12d/0x160\n[117.004404] common_startup_64+0x13e/0x141\n[117.004407] irq event stamp: 2282669\n[117.004409] hardirqs last enabled at (2282668): [\u003cffffffff8289db71\u003e] _raw_spin_unlock_irqrestore+0x51/0x80\n[117.004414] hardirqs last disabled at (2282669): [\u003cffffffff82882021\u003e] sysvec_irq_work+0x11/0xc0\n[117.004419] softirqs last enabled at (2254702): [\u003cffffffff8289fd00\u003e] __do_softirq+0x10/0x18\n[117.004423] softirqs last disabled at (2254725): [\u003cffffffff813d4ddf\u003e] __irq_exit_rcu+0x13f/0x160\n[117.004426]\nother info that might help us debug this:\n[117.004429] Possible unsafe locking scenario:\n[117.004432] CPU0\n[117.004433] ----\n[117.004434] lock((\u0026fence-\u003etimer));\n[117.004436] \u003cInterrupt\u003e\n[117.004438] lock((\u0026fence-\u003etimer));\n[117.004440]\n *** DEADLOCK ***\n[117.004443] 1 lock held by swapper/0/0:\n[117.004445] #0: ffffc90000003d50 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0\n[117.004450]\nstack backtrace:\n[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)\n[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n[117.004456] Call Trace:\n[117.004456] \u003cIRQ\u003e\n[117.004457] dump_stack_lvl+0x91/0xf0\n[117.004460] dump_stack+0x10/0x20\n[117.004461] print_usage_bug.part.0+0x260/0x360\n[117.004463] mark_lock+0x76e/0x9c0\n[117.004465] ? register_lock_class+0x48/0x4a0\n[117.004467] __lock_acquire+0xbc3/0x2860\n[117.004469] lock_acquire+0xc4/0x2e0\n[117.004470] ? __timer_delete_sync+0x4b/0x190\n[117.004472] ? __timer_delete_sync+0x4b/0x190\n[117.004473] __timer_delete_sync+0x68/0x190\n[117.004474] ? __timer_delete_sync+0x4b/0x190\n[117.004475] timer_delete_sync+0x10/0x20\n[117.004476] vgem_fence_release+0x19/0x30 [vgem]\n[117.004478] dma_fence_release+0xc1/0x3b0\n[117.004480] ? dma_fence_release+0xa1/0x3b0\n[117.004481] dma_fence_chain_release+0xe7/0x130\n[117.004483] dma_fence_release+0xc1/0x3b0\n[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80\n[117.004485] dma_fence_chain_irq_work+0x59/0x80\n[117.004487] irq_work_single+0x75/0xa0\n[117.004490] irq_work_r\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:44.021Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/37289a18099fc7ce916933bd542926a7334791a3"
},
{
"url": "https://git.kernel.org/stable/c/489b2158aec92a3fc256d70992416869f86e16e0"
},
{
"url": "https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a"
},
{
"url": "https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0"
},
{
"url": "https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba"
},
{
"url": "https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e"
},
{
"url": "https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54"
},
{
"url": "https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f"
}
],
"title": "drm/vgem-fence: Fix potential deadlock on release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68757",
"datePublished": "2026-01-05T09:32:30.496Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-19T12:18:44.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54305 (GCVE-0-2023-54305)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
ext4: refuse to create ea block when umounted
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: refuse to create ea block when umounted
The ea block expansion need to access s_root while it is
already set as NULL when umount is triggered. Refuse this
request to avoid panic.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e50e5129f384ae282adebfb561189cdb19b81cee , < aedea161d031502a423ed1c7597754681a4f8cda
(git)
Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 21f6a80d9234422e2eb445734b22c78fc5bf6719 (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < a92b67e768bde433b9385cde56c09deb58db269e (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 0dc0fa313bb4e86382a3e7125429710d44383196 (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 116008ada3d0de4991099edaf6b8c2e9cd6f225a (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 05cbf6ddd9847c7b4f0662c048f195b09405a9d0 (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < a458a8c1d1fc4e10a1813786132b09a3863ad3f2 (git) Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < f31173c19901a96bb2ebf6bcfec8a08df7095c91 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aedea161d031502a423ed1c7597754681a4f8cda",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "21f6a80d9234422e2eb445734b22c78fc5bf6719",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "a92b67e768bde433b9385cde56c09deb58db269e",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "0dc0fa313bb4e86382a3e7125429710d44383196",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "116008ada3d0de4991099edaf6b8c2e9cd6f225a",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "05cbf6ddd9847c7b4f0662c048f195b09405a9d0",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "a458a8c1d1fc4e10a1813786132b09a3863ad3f2",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
},
{
"lessThan": "f31173c19901a96bb2ebf6bcfec8a08df7095c91",
"status": "affected",
"version": "e50e5129f384ae282adebfb561189cdb19b81cee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: refuse to create ea block when umounted\n\nThe ea block expansion need to access s_root while it is\nalready set as NULL when umount is triggered. Refuse this\nrequest to avoid panic."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:19.878Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aedea161d031502a423ed1c7597754681a4f8cda"
},
{
"url": "https://git.kernel.org/stable/c/21f6a80d9234422e2eb445734b22c78fc5bf6719"
},
{
"url": "https://git.kernel.org/stable/c/a92b67e768bde433b9385cde56c09deb58db269e"
},
{
"url": "https://git.kernel.org/stable/c/0dc0fa313bb4e86382a3e7125429710d44383196"
},
{
"url": "https://git.kernel.org/stable/c/116008ada3d0de4991099edaf6b8c2e9cd6f225a"
},
{
"url": "https://git.kernel.org/stable/c/05cbf6ddd9847c7b4f0662c048f195b09405a9d0"
},
{
"url": "https://git.kernel.org/stable/c/a458a8c1d1fc4e10a1813786132b09a3863ad3f2"
},
{
"url": "https://git.kernel.org/stable/c/f31173c19901a96bb2ebf6bcfec8a08df7095c91"
}
],
"title": "ext4: refuse to create ea block when umounted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54305",
"datePublished": "2025-12-30T12:23:39.163Z",
"dateReserved": "2025-12-30T12:06:44.529Z",
"dateUpdated": "2026-01-05T11:37:19.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54179 (GCVE-0-2023-54179)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2026-01-05 10:51
VLAI?
EPSS
Title
scsi: qla2xxx: Array index may go out of bound
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Array index may go out of bound
Klocwork reports array 'vha->host_str' of size 16 may use index value(s)
16..19. Use snprintf() instead of sprintf().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e697f466bf61280b7e996c9ea096d7ec371c31ea
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ea64c727f20123342020257cfa956fbfbd6d12ff (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bcd773969a87d9802053c0db5be84abd6594a024 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 748d8f8698a2f48ffe32dd7b35dbab1810ed1f82 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2b3bdef089b920b4a19fefb4f4e6dda56a4bb583 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e934737e18ff069a66cd53cd7f7a0b34ae2c24fe (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d721b591b95cf3f290f8a7cbe90aa2ee0368388d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e697f466bf61280b7e996c9ea096d7ec371c31ea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ea64c727f20123342020257cfa956fbfbd6d12ff",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bcd773969a87d9802053c0db5be84abd6594a024",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "748d8f8698a2f48ffe32dd7b35dbab1810ed1f82",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2b3bdef089b920b4a19fefb4f4e6dda56a4bb583",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e934737e18ff069a66cd53cd7f7a0b34ae2c24fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d721b591b95cf3f290f8a7cbe90aa2ee0368388d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qla2xxx/qla_os.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Array index may go out of bound\n\nKlocwork reports array \u0027vha-\u003ehost_str\u0027 of size 16 may use index value(s)\n16..19. Use snprintf() instead of sprintf()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:51:15.685Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e697f466bf61280b7e996c9ea096d7ec371c31ea"
},
{
"url": "https://git.kernel.org/stable/c/ea64c727f20123342020257cfa956fbfbd6d12ff"
},
{
"url": "https://git.kernel.org/stable/c/bcd773969a87d9802053c0db5be84abd6594a024"
},
{
"url": "https://git.kernel.org/stable/c/748d8f8698a2f48ffe32dd7b35dbab1810ed1f82"
},
{
"url": "https://git.kernel.org/stable/c/2b3bdef089b920b4a19fefb4f4e6dda56a4bb583"
},
{
"url": "https://git.kernel.org/stable/c/e934737e18ff069a66cd53cd7f7a0b34ae2c24fe"
},
{
"url": "https://git.kernel.org/stable/c/d721b591b95cf3f290f8a7cbe90aa2ee0368388d"
}
],
"title": "scsi: qla2xxx: Array index may go out of bound",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54179",
"datePublished": "2025-12-30T12:08:51.065Z",
"dateReserved": "2025-12-30T12:06:44.497Z",
"dateUpdated": "2026-01-05T10:51:15.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50742 (GCVE-0-2022-50742)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
misc: ocxl: fix possible refcount leak in afu_ioctl()
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: ocxl: fix possible refcount leak in afu_ioctl()
eventfd_ctx_put need to be called to put the refcount that gotten by
eventfd_ctx_fdget when ocxl_irq_set_handler fails.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
060146614643ddc5978c73ffac0329762b4651c9 , < fc797285c40a9cc441357abb3521d3e51c743f67
(git)
Affected: 060146614643ddc5978c73ffac0329762b4651c9 , < 7ba19a60c74fb0057d4daef2fa2cbfc9522f3ba1 (git) Affected: 060146614643ddc5978c73ffac0329762b4651c9 , < 11bd8bbdf8f6f5c1145bb158793107a57e3a1f07 (git) Affected: 060146614643ddc5978c73ffac0329762b4651c9 , < 843433a02e344d30fbb62dfd834c60631baaa527 (git) Affected: 060146614643ddc5978c73ffac0329762b4651c9 , < 66032c43291672bae8b93184d2806f05be3e16df (git) Affected: 060146614643ddc5978c73ffac0329762b4651c9 , < c3b69ba5114c860d730870c03ab4ee45276e5e35 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/ocxl/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc797285c40a9cc441357abb3521d3e51c743f67",
"status": "affected",
"version": "060146614643ddc5978c73ffac0329762b4651c9",
"versionType": "git"
},
{
"lessThan": "7ba19a60c74fb0057d4daef2fa2cbfc9522f3ba1",
"status": "affected",
"version": "060146614643ddc5978c73ffac0329762b4651c9",
"versionType": "git"
},
{
"lessThan": "11bd8bbdf8f6f5c1145bb158793107a57e3a1f07",
"status": "affected",
"version": "060146614643ddc5978c73ffac0329762b4651c9",
"versionType": "git"
},
{
"lessThan": "843433a02e344d30fbb62dfd834c60631baaa527",
"status": "affected",
"version": "060146614643ddc5978c73ffac0329762b4651c9",
"versionType": "git"
},
{
"lessThan": "66032c43291672bae8b93184d2806f05be3e16df",
"status": "affected",
"version": "060146614643ddc5978c73ffac0329762b4651c9",
"versionType": "git"
},
{
"lessThan": "c3b69ba5114c860d730870c03ab4ee45276e5e35",
"status": "affected",
"version": "060146614643ddc5978c73ffac0329762b4651c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/ocxl/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ocxl: fix possible refcount leak in afu_ioctl()\n\neventfd_ctx_put need to be called to put the refcount that gotten by\neventfd_ctx_fdget when ocxl_irq_set_handler fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:39.566Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc797285c40a9cc441357abb3521d3e51c743f67"
},
{
"url": "https://git.kernel.org/stable/c/7ba19a60c74fb0057d4daef2fa2cbfc9522f3ba1"
},
{
"url": "https://git.kernel.org/stable/c/11bd8bbdf8f6f5c1145bb158793107a57e3a1f07"
},
{
"url": "https://git.kernel.org/stable/c/843433a02e344d30fbb62dfd834c60631baaa527"
},
{
"url": "https://git.kernel.org/stable/c/66032c43291672bae8b93184d2806f05be3e16df"
},
{
"url": "https://git.kernel.org/stable/c/c3b69ba5114c860d730870c03ab4ee45276e5e35"
}
],
"title": "misc: ocxl: fix possible refcount leak in afu_ioctl()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50742",
"datePublished": "2025-12-24T13:05:39.566Z",
"dateReserved": "2025-12-24T13:02:21.543Z",
"dateUpdated": "2025-12-24T13:05:39.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40360 (GCVE-0-2025-40360)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:39 – Updated: 2025-12-16 13:39
VLAI?
EPSS
Title
drm/sysfb: Do not dereference NULL pointer in plane reset
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/sysfb: Do not dereference NULL pointer in plane reset
The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not
deref that pointer, but forward NULL to the other plane-reset helpers.
Clears plane->state to NULL.
v2:
- fix typo in commit description (Javier)
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b715650220311e50448cb499c71084ca8aeeeece , < 6abeff03cb79a2c7f4554a8e8738acd35bb37152
(git)
Affected: b715650220311e50448cb499c71084ca8aeeeece , < c4faf7f417eea8b8d5cc570a1015736f307aa2d5 (git) Affected: b715650220311e50448cb499c71084ca8aeeeece , < b61ed8005bd3102510fab5015ac6a275c9c5ea16 (git) Affected: b715650220311e50448cb499c71084ca8aeeeece , < 6bdef5648a60e49d4a3b02461ab7ae3776877e77 (git) Affected: b715650220311e50448cb499c71084ca8aeeeece , < c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232 (git) Affected: b715650220311e50448cb499c71084ca8aeeeece , < 14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem_atomic_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6abeff03cb79a2c7f4554a8e8738acd35bb37152",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "c4faf7f417eea8b8d5cc570a1015736f307aa2d5",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "b61ed8005bd3102510fab5015ac6a275c9c5ea16",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "6bdef5648a60e49d4a3b02461ab7ae3776877e77",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
},
{
"lessThan": "14e02ed3876f4ab0ed6d3f41972175f8b8df3d70",
"status": "affected",
"version": "b715650220311e50448cb499c71084ca8aeeeece",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem_atomic_helper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sysfb: Do not dereference NULL pointer in plane reset\n\nThe plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not\nderef that pointer, but forward NULL to the other plane-reset helpers.\nClears plane-\u003estate to NULL.\n\nv2:\n- fix typo in commit description (Javier)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:39:59.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6abeff03cb79a2c7f4554a8e8738acd35bb37152"
},
{
"url": "https://git.kernel.org/stable/c/c4faf7f417eea8b8d5cc570a1015736f307aa2d5"
},
{
"url": "https://git.kernel.org/stable/c/b61ed8005bd3102510fab5015ac6a275c9c5ea16"
},
{
"url": "https://git.kernel.org/stable/c/6bdef5648a60e49d4a3b02461ab7ae3776877e77"
},
{
"url": "https://git.kernel.org/stable/c/c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232"
},
{
"url": "https://git.kernel.org/stable/c/14e02ed3876f4ab0ed6d3f41972175f8b8df3d70"
}
],
"title": "drm/sysfb: Do not dereference NULL pointer in plane reset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40360",
"datePublished": "2025-12-16T13:39:59.490Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:39:59.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68753 (GCVE-0-2025-68753)
Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
ALSA: firewire-motu: add bounds check in put_user loop for DSP events
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-motu: add bounds check in put_user loop for DSP events
In the DSP event handling code, a put_user() loop copies event data.
When the user buffer size is not aligned to 4 bytes, it could overwrite
beyond the buffer boundary.
Fix by adding a bounds check before put_user().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
634ec0b2906efd46f6f57977e172aa3470aca432 , < ea2c921d9de6e32ca50cb817b9d57bb881be70de
(git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 6d4f17782ce4facf3197e79707df411ee3d7b30a (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < df692cf2b601a54b34edfdb9e683d67483aa8ce1 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187 (git) Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 298e753880b6ea99ac30df34959a7a03b0878eed (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea2c921d9de6e32ca50cb817b9d57bb881be70de",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "6d4f17782ce4facf3197e79707df411ee3d7b30a",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "df692cf2b601a54b34edfdb9e683d67483aa8ce1",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
},
{
"lessThan": "298e753880b6ea99ac30df34959a7a03b0878eed",
"status": "affected",
"version": "634ec0b2906efd46f6f57977e172aa3470aca432",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/motu/motu-hwdep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: add bounds check in put_user loop for DSP events\n\nIn the DSP event handling code, a put_user() loop copies event data.\nWhen the user buffer size is not aligned to 4 bytes, it could overwrite\nbeyond the buffer boundary.\n\nFix by adding a bounds check before put_user()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:24.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea2c921d9de6e32ca50cb817b9d57bb881be70de"
},
{
"url": "https://git.kernel.org/stable/c/6d4f17782ce4facf3197e79707df411ee3d7b30a"
},
{
"url": "https://git.kernel.org/stable/c/0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f"
},
{
"url": "https://git.kernel.org/stable/c/df692cf2b601a54b34edfdb9e683d67483aa8ce1"
},
{
"url": "https://git.kernel.org/stable/c/8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187"
},
{
"url": "https://git.kernel.org/stable/c/298e753880b6ea99ac30df34959a7a03b0878eed"
}
],
"title": "ALSA: firewire-motu: add bounds check in put_user loop for DSP events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68753",
"datePublished": "2026-01-05T09:32:27.029Z",
"dateReserved": "2025-12-24T10:30:51.033Z",
"dateUpdated": "2026-01-11T16:30:24.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54133 (GCVE-0-2023-54133)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
nfp: clean mc addresses in application firmware when closing port
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfp: clean mc addresses in application firmware when closing port
When moving devices from one namespace to another, mc addresses are
cleaned in software while not removed from application firmware. Thus
the mc addresses are remained and will cause resource leak.
Now use `__dev_mc_unsync` to clean mc addresses when closing port.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/netronome/nfp/nfp_net_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c427221733d49fd1e1b79b4a86746acf3ef660e7",
"status": "affected",
"version": "e20aa071cd955aabc15be0ec1e914283592ddef4",
"versionType": "git"
},
{
"lessThan": "cc7eab25b1cf3f9594fe61142d3523ce4d14a788",
"status": "affected",
"version": "e20aa071cd955aabc15be0ec1e914283592ddef4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/netronome/nfp/nfp_net_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: clean mc addresses in application firmware when closing port\n\nWhen moving devices from one namespace to another, mc addresses are\ncleaned in software while not removed from application firmware. Thus\nthe mc addresses are remained and will cause resource leak.\n\nNow use `__dev_mc_unsync` to clean mc addresses when closing port."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:49.919Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c427221733d49fd1e1b79b4a86746acf3ef660e7"
},
{
"url": "https://git.kernel.org/stable/c/cc7eab25b1cf3f9594fe61142d3523ce4d14a788"
}
],
"title": "nfp: clean mc addresses in application firmware when closing port",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54133",
"datePublished": "2025-12-24T13:06:49.919Z",
"dateReserved": "2025-12-24T13:02:52.522Z",
"dateUpdated": "2025-12-24T13:06:49.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54020 (GCVE-0-2023-54020)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
dmaengine: sf-pdma: pdma_desc memory leak fix
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: sf-pdma: pdma_desc memory leak fix
Commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a
DMA channel") changed sf_pdma_prep_dma_memcpy() to unconditionally
allocate a new sf_pdma_desc each time it is called.
The driver previously recycled descs, by checking the in_use flag, only
allocating additional descs if the existing one was in use. This logic
was removed in commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread
support for a DMA channel"), but sf_pdma_free_desc() was not changed to
handle the new behaviour.
As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous
descriptor is leaked, over time leading to memory starvation:
unreferenced object 0xffffffe008447300 (size 192):
comm "irq/39-mchp_dsc", pid 343, jiffies 4294906910 (age 981.200s)
hex dump (first 32 bytes):
00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................
00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p.............
backtrace:
[<00000000064a04f4>] kmemleak_alloc+0x1e/0x28
[<00000000018927a7>] kmem_cache_alloc+0x11e/0x178
[<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112
Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant
in_use flag.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5ab2782c944e324008ef5d658f2494a9f0e3c5ac , < ad222c9af25e3f074c180e389b3477dce42afc4f
(git)
Affected: b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc , < 03fece43fa109beba7cc9948c02f5e2d1205d607 (git) Affected: b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc , < 8bd5040bd43f2b5ba3c898b09a3197a0c7ace126 (git) Affected: b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc , < b02e07015a5ac7bbc029da931ae17914b8ae0339 (git) Affected: b9b4992f897be9b0b9e3a3b956cab6b75ccc3f11 (git) Affected: 4c7350b1dd8a192af844de32fc99b9e34c876fda (git) Affected: a93b3f1e11971a91b6441b6d47488f4492cc113f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/sf-pdma/sf-pdma.c",
"drivers/dma/sf-pdma/sf-pdma.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad222c9af25e3f074c180e389b3477dce42afc4f",
"status": "affected",
"version": "5ab2782c944e324008ef5d658f2494a9f0e3c5ac",
"versionType": "git"
},
{
"lessThan": "03fece43fa109beba7cc9948c02f5e2d1205d607",
"status": "affected",
"version": "b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc",
"versionType": "git"
},
{
"lessThan": "8bd5040bd43f2b5ba3c898b09a3197a0c7ace126",
"status": "affected",
"version": "b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc",
"versionType": "git"
},
{
"lessThan": "b02e07015a5ac7bbc029da931ae17914b8ae0339",
"status": "affected",
"version": "b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc",
"versionType": "git"
},
{
"status": "affected",
"version": "b9b4992f897be9b0b9e3a3b956cab6b75ccc3f11",
"versionType": "git"
},
{
"status": "affected",
"version": "4c7350b1dd8a192af844de32fc99b9e34c876fda",
"versionType": "git"
},
{
"status": "affected",
"version": "a93b3f1e11971a91b6441b6d47488f4492cc113f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/sf-pdma/sf-pdma.c",
"drivers/dma/sf-pdma/sf-pdma.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: sf-pdma: pdma_desc memory leak fix\n\nCommit b2cc5c465c2c (\"dmaengine: sf-pdma: Add multithread support for a\nDMA channel\") changed sf_pdma_prep_dma_memcpy() to unconditionally\nallocate a new sf_pdma_desc each time it is called.\n\nThe driver previously recycled descs, by checking the in_use flag, only\nallocating additional descs if the existing one was in use. This logic\nwas removed in commit b2cc5c465c2c (\"dmaengine: sf-pdma: Add multithread\nsupport for a DMA channel\"), but sf_pdma_free_desc() was not changed to\nhandle the new behaviour.\n\nAs a result, each time sf_pdma_prep_dma_memcpy() is called, the previous\ndescriptor is leaked, over time leading to memory starvation:\n\n unreferenced object 0xffffffe008447300 (size 192):\n comm \"irq/39-mchp_dsc\", pid 343, jiffies 4294906910 (age 981.200s)\n hex dump (first 32 bytes):\n 00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................\n 00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p.............\n backtrace:\n [\u003c00000000064a04f4\u003e] kmemleak_alloc+0x1e/0x28\n [\u003c00000000018927a7\u003e] kmem_cache_alloc+0x11e/0x178\n [\u003c000000002aea8d16\u003e] sf_pdma_prep_dma_memcpy+0x40/0x112\n\nAdd the missing kfree() to sf_pdma_free_desc(), and remove the redundant\nin_use flag."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:50.583Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad222c9af25e3f074c180e389b3477dce42afc4f"
},
{
"url": "https://git.kernel.org/stable/c/03fece43fa109beba7cc9948c02f5e2d1205d607"
},
{
"url": "https://git.kernel.org/stable/c/8bd5040bd43f2b5ba3c898b09a3197a0c7ace126"
},
{
"url": "https://git.kernel.org/stable/c/b02e07015a5ac7bbc029da931ae17914b8ae0339"
}
],
"title": "dmaengine: sf-pdma: pdma_desc memory leak fix",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54020",
"datePublished": "2025-12-24T10:55:50.583Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:50.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40317 (GCVE-0-2025-40317)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
regmap: slimbus: fix bus_context pointer in regmap init calls
Summary
In the Linux kernel, the following vulnerability has been resolved:
regmap: slimbus: fix bus_context pointer in regmap init calls
Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in
wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap.
That commit breaks audio playback, for instance, on sdm845 Thundercomm
Dragonboard 845c board:
Unable to handle kernel paging request at virtual address ffff8000847cbad4
...
CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT
Hardware name: Thundercomm Dragonboard 845c (DT)
...
Call trace:
slim_xfer_msg+0x24/0x1ac [slimbus] (P)
slim_read+0x48/0x74 [slimbus]
regmap_slimbus_read+0x18/0x24 [regmap_slimbus]
_regmap_raw_read+0xe8/0x174
_regmap_bus_read+0x44/0x80
_regmap_read+0x60/0xd8
_regmap_update_bits+0xf4/0x140
_regmap_select_page+0xa8/0x124
_regmap_raw_write_impl+0x3b8/0x65c
_regmap_bus_raw_write+0x60/0x80
_regmap_write+0x58/0xc0
regmap_write+0x4c/0x80
wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]
snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]
__soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]
dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]
dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]
snd_pcm_hw_params+0x124/0x464 [snd_pcm]
snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]
snd_pcm_ioctl+0x34/0x4c [snd_pcm]
__arm64_sys_ioctl+0xac/0x104
invoke_syscall+0x48/0x104
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x34/0xec
el0t_64_sync_handler+0xa0/0xf0
el0t_64_sync+0x198/0x19c
The __devm_regmap_init_slimbus() started to be used instead of
__regmap_init_slimbus() after the commit mentioned above and turns out
the incorrect bus_context pointer (3rd argument) was used in
__devm_regmap_init_slimbus(). It should be just "slimbus" (which is equal
to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or
the first user of devm_regmap_init_slimbus() but we should fix it till
the point where __devm_regmap_init_slimbus() was introduced therefore
two "Fixes" tags.
While at this, also correct the same argument in __regmap_init_slimbus().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7d6f7fb053ad543da74119df3c4cd7bb46220471 , < c0f05129e5734ff3fd14b2c242709314d9ca5433
(git)
Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1 (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < d979639f099c6e51f06ce4dd8d8e56364d6c17ba (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 8143e4075d131c528540417a51966f6697be14eb (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < a16e92f8d7dc7371e68f17a9926cb92d2244be7b (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < b65f3303349eaee333e47d2a99045aa12fa0c3a7 (git) Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 434f7349a1f00618a620b316f091bd13a12bc8d2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap-slimbus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c0f05129e5734ff3fd14b2c242709314d9ca5433",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "d979639f099c6e51f06ce4dd8d8e56364d6c17ba",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "8143e4075d131c528540417a51966f6697be14eb",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "a16e92f8d7dc7371e68f17a9926cb92d2244be7b",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "b65f3303349eaee333e47d2a99045aa12fa0c3a7",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
},
{
"lessThan": "434f7349a1f00618a620b316f091bd13a12bc8d2",
"status": "affected",
"version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap-slimbus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: slimbus: fix bus_context pointer in regmap init calls\n\nCommit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in\nwcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap.\nThat commit breaks audio playback, for instance, on sdm845 Thundercomm\nDragonboard 845c board:\n\n Unable to handle kernel paging request at virtual address ffff8000847cbad4\n ...\n CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT\n Hardware name: Thundercomm Dragonboard 845c (DT)\n ...\n Call trace:\n slim_xfer_msg+0x24/0x1ac [slimbus] (P)\n slim_read+0x48/0x74 [slimbus]\n regmap_slimbus_read+0x18/0x24 [regmap_slimbus]\n _regmap_raw_read+0xe8/0x174\n _regmap_bus_read+0x44/0x80\n _regmap_read+0x60/0xd8\n _regmap_update_bits+0xf4/0x140\n _regmap_select_page+0xa8/0x124\n _regmap_raw_write_impl+0x3b8/0x65c\n _regmap_bus_raw_write+0x60/0x80\n _regmap_write+0x58/0xc0\n regmap_write+0x4c/0x80\n wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]\n snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]\n __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]\n dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]\n dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]\n snd_pcm_hw_params+0x124/0x464 [snd_pcm]\n snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]\n snd_pcm_ioctl+0x34/0x4c [snd_pcm]\n __arm64_sys_ioctl+0xac/0x104\n invoke_syscall+0x48/0x104\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xec\n el0t_64_sync_handler+0xa0/0xf0\n el0t_64_sync+0x198/0x19c\n\nThe __devm_regmap_init_slimbus() started to be used instead of\n__regmap_init_slimbus() after the commit mentioned above and turns out\nthe incorrect bus_context pointer (3rd argument) was used in\n__devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal\nto \u0026slimbus-\u003edev). Correct it. The wcd934x codec seems to be the only or\nthe first user of devm_regmap_init_slimbus() but we should fix it till\nthe point where __devm_regmap_init_slimbus() was introduced therefore\ntwo \"Fixes\" tags.\n\nWhile at this, also correct the same argument in __regmap_init_slimbus()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:44.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c0f05129e5734ff3fd14b2c242709314d9ca5433"
},
{
"url": "https://git.kernel.org/stable/c/02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1"
},
{
"url": "https://git.kernel.org/stable/c/d979639f099c6e51f06ce4dd8d8e56364d6c17ba"
},
{
"url": "https://git.kernel.org/stable/c/8143e4075d131c528540417a51966f6697be14eb"
},
{
"url": "https://git.kernel.org/stable/c/2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c"
},
{
"url": "https://git.kernel.org/stable/c/a16e92f8d7dc7371e68f17a9926cb92d2244be7b"
},
{
"url": "https://git.kernel.org/stable/c/b65f3303349eaee333e47d2a99045aa12fa0c3a7"
},
{
"url": "https://git.kernel.org/stable/c/434f7349a1f00618a620b316f091bd13a12bc8d2"
}
],
"title": "regmap: slimbus: fix bus_context pointer in regmap init calls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40317",
"datePublished": "2025-12-08T00:46:44.287Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:44.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54095 (GCVE-0-2023-54095)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both
PCI and VIO buses. struct notifier_block is a linked list node, so this
causes any notifiers later registered to either bus type to also be
registered to the other since they share the same node.
This causes issues in (at least) the vgaarb code, which registers a
notifier for PCI buses. pci_notify() ends up being called on a vio
device, converted with to_pci_dev() even though it's not a PCI device,
and finally makes a bad access in vga_arbiter_add_pci_device() as
discovered with KASAN:
BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00
Read of size 4 at addr c000000264c26fdc by task swapper/0/1
Call Trace:
dump_stack_lvl+0x1bc/0x2b8 (unreliable)
print_report+0x3f4/0xc60
kasan_report+0x244/0x698
__asan_load4+0xe8/0x250
vga_arbiter_add_pci_device+0x60/0xe00
pci_notify+0x88/0x444
notifier_call_chain+0x104/0x320
blocking_notifier_call_chain+0xa0/0x140
device_add+0xac8/0x1d30
device_register+0x58/0x80
vio_register_device_node+0x9ac/0xce0
vio_bus_scan_register_devices+0xc4/0x13c
__machine_initcall_pseries_vio_device_init+0x94/0xf0
do_one_initcall+0x12c/0xaa8
kernel_init_freeable+0xa48/0xba8
kernel_init+0x64/0x400
ret_from_kernel_thread+0x5c/0x64
Fix this by creating separate notifier_block structs for each bus type.
[mpe: Add #ifdef to fix CONFIG_IBMVIO=n build]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6 , < dc0d107e624ca96aef6dd8722eb33ba3a6d157b0
(git)
Affected: d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6 , < 075a4dcdbc9a5ea793cb8ec8b78a6c0b7636fd52 (git) Affected: d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6 , < 65bf8a196ba25cf65a858b5bb8de80f0aad76691 (git) Affected: d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6 , < f08944e3c6962b00827de7263a9e20688e79ad84 (git) Affected: d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6 , < a9ddbfed53465bc7c411231db32a488066c0c1be (git) Affected: d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6 , < f17d5efaafba3d5f02f0373f7c5f44711d676f3e (git) Affected: d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6 , < c46af58588253e5e4063bb5ddc78cd12fdf9e55d (git) Affected: d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6 , < 6670c65bf863cd0d44ca24d4c10ef6755b8d9529 (git) Affected: d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6 , < c37b6908f7b2bd24dcaaf14a180e28c9132b9c58 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc0d107e624ca96aef6dd8722eb33ba3a6d157b0",
"status": "affected",
"version": "d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6",
"versionType": "git"
},
{
"lessThan": "075a4dcdbc9a5ea793cb8ec8b78a6c0b7636fd52",
"status": "affected",
"version": "d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6",
"versionType": "git"
},
{
"lessThan": "65bf8a196ba25cf65a858b5bb8de80f0aad76691",
"status": "affected",
"version": "d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6",
"versionType": "git"
},
{
"lessThan": "f08944e3c6962b00827de7263a9e20688e79ad84",
"status": "affected",
"version": "d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6",
"versionType": "git"
},
{
"lessThan": "a9ddbfed53465bc7c411231db32a488066c0c1be",
"status": "affected",
"version": "d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6",
"versionType": "git"
},
{
"lessThan": "f17d5efaafba3d5f02f0373f7c5f44711d676f3e",
"status": "affected",
"version": "d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6",
"versionType": "git"
},
{
"lessThan": "c46af58588253e5e4063bb5ddc78cd12fdf9e55d",
"status": "affected",
"version": "d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6",
"versionType": "git"
},
{
"lessThan": "6670c65bf863cd0d44ca24d4c10ef6755b8d9529",
"status": "affected",
"version": "d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6",
"versionType": "git"
},
{
"lessThan": "c37b6908f7b2bd24dcaaf14a180e28c9132b9c58",
"status": "affected",
"version": "d6b9a81b2a45786384f5bd3516bd6ddfb4b772c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/iommu: Fix notifiers being shared by PCI and VIO buses\n\nfail_iommu_setup() registers the fail_iommu_bus_notifier struct to both\nPCI and VIO buses. struct notifier_block is a linked list node, so this\ncauses any notifiers later registered to either bus type to also be\nregistered to the other since they share the same node.\n\nThis causes issues in (at least) the vgaarb code, which registers a\nnotifier for PCI buses. pci_notify() ends up being called on a vio\ndevice, converted with to_pci_dev() even though it\u0027s not a PCI device,\nand finally makes a bad access in vga_arbiter_add_pci_device() as\ndiscovered with KASAN:\n\n BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00\n Read of size 4 at addr c000000264c26fdc by task swapper/0/1\n\n Call Trace:\n dump_stack_lvl+0x1bc/0x2b8 (unreliable)\n print_report+0x3f4/0xc60\n kasan_report+0x244/0x698\n __asan_load4+0xe8/0x250\n vga_arbiter_add_pci_device+0x60/0xe00\n pci_notify+0x88/0x444\n notifier_call_chain+0x104/0x320\n blocking_notifier_call_chain+0xa0/0x140\n device_add+0xac8/0x1d30\n device_register+0x58/0x80\n vio_register_device_node+0x9ac/0xce0\n vio_bus_scan_register_devices+0xc4/0x13c\n __machine_initcall_pseries_vio_device_init+0x94/0xf0\n do_one_initcall+0x12c/0xaa8\n kernel_init_freeable+0xa48/0xba8\n kernel_init+0x64/0x400\n ret_from_kernel_thread+0x5c/0x64\n\nFix this by creating separate notifier_block structs for each bus type.\n\n[mpe: Add #ifdef to fix CONFIG_IBMVIO=n build]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:23.157Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc0d107e624ca96aef6dd8722eb33ba3a6d157b0"
},
{
"url": "https://git.kernel.org/stable/c/075a4dcdbc9a5ea793cb8ec8b78a6c0b7636fd52"
},
{
"url": "https://git.kernel.org/stable/c/65bf8a196ba25cf65a858b5bb8de80f0aad76691"
},
{
"url": "https://git.kernel.org/stable/c/f08944e3c6962b00827de7263a9e20688e79ad84"
},
{
"url": "https://git.kernel.org/stable/c/a9ddbfed53465bc7c411231db32a488066c0c1be"
},
{
"url": "https://git.kernel.org/stable/c/f17d5efaafba3d5f02f0373f7c5f44711d676f3e"
},
{
"url": "https://git.kernel.org/stable/c/c46af58588253e5e4063bb5ddc78cd12fdf9e55d"
},
{
"url": "https://git.kernel.org/stable/c/6670c65bf863cd0d44ca24d4c10ef6755b8d9529"
},
{
"url": "https://git.kernel.org/stable/c/c37b6908f7b2bd24dcaaf14a180e28c9132b9c58"
}
],
"title": "powerpc/iommu: Fix notifiers being shared by PCI and VIO buses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54095",
"datePublished": "2025-12-24T13:06:23.157Z",
"dateReserved": "2025-12-24T13:02:52.516Z",
"dateUpdated": "2025-12-24T13:06:23.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40273 (GCVE-0-2025-40273)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2025-12-06 21:50
VLAI?
EPSS
Title
NFSD: free copynotify stateid in nfs4_free_ol_stateid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: free copynotify stateid in nfs4_free_ol_stateid()
Typically copynotify stateid is freed either when parent's stateid
is being close/freed or in nfsd4_laundromat if the stateid hasn't
been used in a lease period.
However, in case when the server got an OPEN (which created
a parent stateid), followed by a COPY_NOTIFY using that stateid,
followed by a client reboot. New client instance while doing
CREATE_SESSION would force expire previous state of this client.
It leads to the open state being freed thru release_openowner->
nfs4_free_ol_stateid() and it finds that it still has copynotify
stateid associated with it. We currently print a warning and is
triggerred
WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]
This patch, instead, frees the associated copynotify stateid here.
If the parent stateid is freed (without freeing the copynotify
stateids associated with it), it leads to the list corruption
when laundromat ends up freeing the copynotify state later.
[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink
[ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary)
[ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN
[ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024
[ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd]
[ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200
[ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200
[ 1626.861182] sp : ffff8000881d7a40
[ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200
[ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20
[ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8
[ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000
[ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065
[ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3
[ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000
[ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001
[ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000
[ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d
[ 1626.868167] Call trace:
[ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P)
[ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd]
[ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd]
[ 1626.869813] laundromat_main+0x24/0x60 [nfsd]
[ 1626.870231] process_one_work+0x584/0x1050
[ 1626.870595] worker_thread+0x4c4/0xc60
[ 1626.870893] kthread+0x2f8/0x398
[ 1626.871146] ret_from_fork+0x10/0x20
[ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000)
[ 1626.871892] SMP: stopping secondary CPUs
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
624322f1adc58acd0b69f77a6ddc764207e97241 , < 935a2dc8928670bb2c37e21025331e61ec48ccf4
(git)
Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < b114996a095da39e38410a0328d4a8aca8c36088 (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 839f56f626723f36904764858467e7a3881b975d (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66 (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < d7be15a634aa3874827d0d3ea47452ee878b8df7 (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb (git) Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 4aa17144d5abc3c756883e3a010246f0dba8b468 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "935a2dc8928670bb2c37e21025331e61ec48ccf4",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "b114996a095da39e38410a0328d4a8aca8c36088",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "839f56f626723f36904764858467e7a3881b975d",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "d7be15a634aa3874827d0d3ea47452ee878b8df7",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
},
{
"lessThan": "4aa17144d5abc3c756883e3a010246f0dba8b468",
"status": "affected",
"version": "624322f1adc58acd0b69f77a6ddc764207e97241",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: free copynotify stateid in nfs4_free_ol_stateid()\n\nTypically copynotify stateid is freed either when parent\u0027s stateid\nis being close/freed or in nfsd4_laundromat if the stateid hasn\u0027t\nbeen used in a lease period.\n\nHowever, in case when the server got an OPEN (which created\na parent stateid), followed by a COPY_NOTIFY using that stateid,\nfollowed by a client reboot. New client instance while doing\nCREATE_SESSION would force expire previous state of this client.\nIt leads to the open state being freed thru release_openowner-\u003e\nnfs4_free_ol_stateid() and it finds that it still has copynotify\nstateid associated with it. We currently print a warning and is\ntriggerred\n\nWARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]\n\nThis patch, instead, frees the associated copynotify stateid here.\n\nIf the parent stateid is freed (without freeing the copynotify\nstateids associated with it), it leads to the list corruption\nwhen laundromat ends up freeing the copynotify state later.\n\n[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n[ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink\n[ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary)\n[ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN\n[ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024\n[ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd]\n[ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.861182] sp : ffff8000881d7a40\n[ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200\n[ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20\n[ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8\n[ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000\n[ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065\n[ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3\n[ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000\n[ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001\n[ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000\n[ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d\n[ 1626.868167] Call trace:\n[ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P)\n[ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd]\n[ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd]\n[ 1626.869813] laundromat_main+0x24/0x60 [nfsd]\n[ 1626.870231] process_one_work+0x584/0x1050\n[ 1626.870595] worker_thread+0x4c4/0xc60\n[ 1626.870893] kthread+0x2f8/0x398\n[ 1626.871146] ret_from_fork+0x10/0x20\n[ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000)\n[ 1626.871892] SMP: stopping secondary CPUs"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:50:55.723Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/935a2dc8928670bb2c37e21025331e61ec48ccf4"
},
{
"url": "https://git.kernel.org/stable/c/b114996a095da39e38410a0328d4a8aca8c36088"
},
{
"url": "https://git.kernel.org/stable/c/839f56f626723f36904764858467e7a3881b975d"
},
{
"url": "https://git.kernel.org/stable/c/29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66"
},
{
"url": "https://git.kernel.org/stable/c/d7be15a634aa3874827d0d3ea47452ee878b8df7"
},
{
"url": "https://git.kernel.org/stable/c/f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb"
},
{
"url": "https://git.kernel.org/stable/c/4aa17144d5abc3c756883e3a010246f0dba8b468"
}
],
"title": "NFSD: free copynotify stateid in nfs4_free_ol_stateid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40273",
"datePublished": "2025-12-06T21:50:55.723Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2025-12-06T21:50:55.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50679 (GCVE-0-2022-50679)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
i40e: Fix DMA mappings leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix DMA mappings leak
During reallocation of RX buffers, new DMA mappings are created for
those buffers.
steps for reproduction:
while :
do
for ((i=0; i<=8160; i=i+32))
do
ethtool -G enp130s0f0 rx $i tx $i
sleep 0.5
ethtool -g enp130s0f0
done
done
This resulted in crash:
i40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536
Driver BUG
WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50
Call Trace:
i40e_free_rx_resources+0x70/0x80 [i40e]
i40e_set_ringparam+0x27c/0x800 [i40e]
ethnl_set_rings+0x1b2/0x290
genl_family_rcv_msg_doit.isra.15+0x10f/0x150
genl_family_rcv_msg+0xb3/0x160
? rings_fill_reply+0x1a0/0x1a0
genl_rcv_msg+0x47/0x90
? genl_family_rcv_msg+0x160/0x160
netlink_rcv_skb+0x4c/0x120
genl_rcv+0x24/0x40
netlink_unicast+0x196/0x230
netlink_sendmsg+0x204/0x3d0
sock_sendmsg+0x4c/0x50
__sys_sendto+0xee/0x160
? handle_mm_fault+0xbe/0x1e0
? syscall_trace_enter+0x1d3/0x2c0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x5b/0x1a0
entry_SYSCALL_64_after_hwframe+0x65/0xca
RIP: 0033:0x7f5eac8b035b
Missing register, driver bug
WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140
Call Trace:
xdp_rxq_info_unreg+0x1e/0x50
i40e_free_rx_resources+0x70/0x80 [i40e]
i40e_set_ringparam+0x27c/0x800 [i40e]
ethnl_set_rings+0x1b2/0x290
genl_family_rcv_msg_doit.isra.15+0x10f/0x150
genl_family_rcv_msg+0xb3/0x160
? rings_fill_reply+0x1a0/0x1a0
genl_rcv_msg+0x47/0x90
? genl_family_rcv_msg+0x160/0x160
netlink_rcv_skb+0x4c/0x120
genl_rcv+0x24/0x40
netlink_unicast+0x196/0x230
netlink_sendmsg+0x204/0x3d0
sock_sendmsg+0x4c/0x50
__sys_sendto+0xee/0x160
? handle_mm_fault+0xbe/0x1e0
? syscall_trace_enter+0x1d3/0x2c0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x5b/0x1a0
entry_SYSCALL_64_after_hwframe+0x65/0xca
RIP: 0033:0x7f5eac8b035b
This was caused because of new buffers with different RX ring count should
substitute older ones, but those buffers were freed in
i40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi,
thus kfree on rx_bi caused leak of already mapped DMA.
Fix this by reallocating ZC with rx_bi_zc struct when BPF program loads. Additionally
reallocate back to rx_bi when BPF program unloads.
If BPF program is loaded/unloaded and XSK pools are created, reallocate
RX queues accordingly in XSP_SETUP_XSK_POOL handler.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
be1222b585fdc410b8c1dbcc57dd03a00f04eff5 , < ed5baf3d0a33caaca4cd4073ebb0854cc77a616d
(git)
Affected: be1222b585fdc410b8c1dbcc57dd03a00f04eff5 , < 94a171c982b8a8137a00721c1e62bc2713435bca (git) Affected: be1222b585fdc410b8c1dbcc57dd03a00f04eff5 , < 5f499596dfa3db9b3172645b6de9e1096a669c95 (git) Affected: be1222b585fdc410b8c1dbcc57dd03a00f04eff5 , < aae425efdfd1b1d8452260a3cb49344ebf20b1f5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_ethtool.c",
"drivers/net/ethernet/intel/i40e/i40e_main.c",
"drivers/net/ethernet/intel/i40e/i40e_txrx.c",
"drivers/net/ethernet/intel/i40e/i40e_txrx.h",
"drivers/net/ethernet/intel/i40e/i40e_xsk.c",
"drivers/net/ethernet/intel/i40e/i40e_xsk.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed5baf3d0a33caaca4cd4073ebb0854cc77a616d",
"status": "affected",
"version": "be1222b585fdc410b8c1dbcc57dd03a00f04eff5",
"versionType": "git"
},
{
"lessThan": "94a171c982b8a8137a00721c1e62bc2713435bca",
"status": "affected",
"version": "be1222b585fdc410b8c1dbcc57dd03a00f04eff5",
"versionType": "git"
},
{
"lessThan": "5f499596dfa3db9b3172645b6de9e1096a669c95",
"status": "affected",
"version": "be1222b585fdc410b8c1dbcc57dd03a00f04eff5",
"versionType": "git"
},
{
"lessThan": "aae425efdfd1b1d8452260a3cb49344ebf20b1f5",
"status": "affected",
"version": "be1222b585fdc410b8c1dbcc57dd03a00f04eff5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_ethtool.c",
"drivers/net/ethernet/intel/i40e/i40e_main.c",
"drivers/net/ethernet/intel/i40e/i40e_txrx.c",
"drivers/net/ethernet/intel/i40e/i40e_txrx.h",
"drivers/net/ethernet/intel/i40e/i40e_xsk.c",
"drivers/net/ethernet/intel/i40e/i40e_xsk.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix DMA mappings leak\n\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers.\n\nsteps for reproduction:\nwhile :\ndo\nfor ((i=0; i\u003c=8160; i=i+32))\ndo\nethtool -G enp130s0f0 rx $i tx $i\nsleep 0.5\nethtool -g enp130s0f0\ndone\ndone\n\nThis resulted in crash:\ni40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536\nDriver BUG\nWARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50\nCall Trace:\ni40e_free_rx_resources+0x70/0x80 [i40e]\ni40e_set_ringparam+0x27c/0x800 [i40e]\nethnl_set_rings+0x1b2/0x290\ngenl_family_rcv_msg_doit.isra.15+0x10f/0x150\ngenl_family_rcv_msg+0xb3/0x160\n? rings_fill_reply+0x1a0/0x1a0\ngenl_rcv_msg+0x47/0x90\n? genl_family_rcv_msg+0x160/0x160\nnetlink_rcv_skb+0x4c/0x120\ngenl_rcv+0x24/0x40\nnetlink_unicast+0x196/0x230\nnetlink_sendmsg+0x204/0x3d0\nsock_sendmsg+0x4c/0x50\n__sys_sendto+0xee/0x160\n? handle_mm_fault+0xbe/0x1e0\n? syscall_trace_enter+0x1d3/0x2c0\n__x64_sys_sendto+0x24/0x30\ndo_syscall_64+0x5b/0x1a0\nentry_SYSCALL_64_after_hwframe+0x65/0xca\nRIP: 0033:0x7f5eac8b035b\nMissing register, driver bug\nWARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140\nCall Trace:\nxdp_rxq_info_unreg+0x1e/0x50\ni40e_free_rx_resources+0x70/0x80 [i40e]\ni40e_set_ringparam+0x27c/0x800 [i40e]\nethnl_set_rings+0x1b2/0x290\ngenl_family_rcv_msg_doit.isra.15+0x10f/0x150\ngenl_family_rcv_msg+0xb3/0x160\n? rings_fill_reply+0x1a0/0x1a0\ngenl_rcv_msg+0x47/0x90\n? genl_family_rcv_msg+0x160/0x160\nnetlink_rcv_skb+0x4c/0x120\ngenl_rcv+0x24/0x40\nnetlink_unicast+0x196/0x230\nnetlink_sendmsg+0x204/0x3d0\nsock_sendmsg+0x4c/0x50\n__sys_sendto+0xee/0x160\n? handle_mm_fault+0xbe/0x1e0\n? syscall_trace_enter+0x1d3/0x2c0\n__x64_sys_sendto+0x24/0x30\ndo_syscall_64+0x5b/0x1a0\nentry_SYSCALL_64_after_hwframe+0x65/0xca\nRIP: 0033:0x7f5eac8b035b\n\nThis was caused because of new buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in\ni40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi,\nthus kfree on rx_bi caused leak of already mapped DMA.\n\nFix this by reallocating ZC with rx_bi_zc struct when BPF program loads. Additionally\nreallocate back to rx_bi when BPF program unloads.\n\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XSP_SETUP_XSK_POOL handler."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:32.925Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed5baf3d0a33caaca4cd4073ebb0854cc77a616d"
},
{
"url": "https://git.kernel.org/stable/c/94a171c982b8a8137a00721c1e62bc2713435bca"
},
{
"url": "https://git.kernel.org/stable/c/5f499596dfa3db9b3172645b6de9e1096a669c95"
},
{
"url": "https://git.kernel.org/stable/c/aae425efdfd1b1d8452260a3cb49344ebf20b1f5"
}
],
"title": "i40e: Fix DMA mappings leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50679",
"datePublished": "2025-12-09T01:29:32.925Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:32.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53990 (GCVE-0-2023-53990)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
SMB3: Add missing locks to protect deferred close file list
Summary
In the Linux kernel, the following vulnerability has been resolved:
SMB3: Add missing locks to protect deferred close file list
cifs_del_deferred_close function has a critical section which modifies
the deferred close file list. We must acquire deferred_lock before
calling cifs_del_deferred_close function.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
860efae127888ae535bc4eda1b7f27642727c69e , < 0f87e18203bd30f71eb1a65259e28e291b6cc43a
(git)
Affected: ca08d0eac020d48a3141dbec0a3cf64fbdb17cde , < 3aa9d065b0685b4e6052f3f2a2462966fdc44fd2 (git) Affected: ca08d0eac020d48a3141dbec0a3cf64fbdb17cde , < cb36365dac25d546ca4af0eb22acb43c9b4ddfdf (git) Affected: ca08d0eac020d48a3141dbec0a3cf64fbdb17cde , < 32a046ccaeea6c19965c04a4c521e703f6607924 (git) Affected: ca08d0eac020d48a3141dbec0a3cf64fbdb17cde , < ab9ddc87a9055c4bebd6524d5d761d605d52e557 (git) Affected: 60b6d38add7b9c17d6e5d49ee8e930ea1a5650c5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f87e18203bd30f71eb1a65259e28e291b6cc43a",
"status": "affected",
"version": "860efae127888ae535bc4eda1b7f27642727c69e",
"versionType": "git"
},
{
"lessThan": "3aa9d065b0685b4e6052f3f2a2462966fdc44fd2",
"status": "affected",
"version": "ca08d0eac020d48a3141dbec0a3cf64fbdb17cde",
"versionType": "git"
},
{
"lessThan": "cb36365dac25d546ca4af0eb22acb43c9b4ddfdf",
"status": "affected",
"version": "ca08d0eac020d48a3141dbec0a3cf64fbdb17cde",
"versionType": "git"
},
{
"lessThan": "32a046ccaeea6c19965c04a4c521e703f6607924",
"status": "affected",
"version": "ca08d0eac020d48a3141dbec0a3cf64fbdb17cde",
"versionType": "git"
},
{
"lessThan": "ab9ddc87a9055c4bebd6524d5d761d605d52e557",
"status": "affected",
"version": "ca08d0eac020d48a3141dbec0a3cf64fbdb17cde",
"versionType": "git"
},
{
"status": "affected",
"version": "60b6d38add7b9c17d6e5d49ee8e930ea1a5650c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/misc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.15.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSMB3: Add missing locks to protect deferred close file list\n\ncifs_del_deferred_close function has a critical section which modifies\nthe deferred close file list. We must acquire deferred_lock before\ncalling cifs_del_deferred_close function."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:29.156Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f87e18203bd30f71eb1a65259e28e291b6cc43a"
},
{
"url": "https://git.kernel.org/stable/c/3aa9d065b0685b4e6052f3f2a2462966fdc44fd2"
},
{
"url": "https://git.kernel.org/stable/c/cb36365dac25d546ca4af0eb22acb43c9b4ddfdf"
},
{
"url": "https://git.kernel.org/stable/c/32a046ccaeea6c19965c04a4c521e703f6607924"
},
{
"url": "https://git.kernel.org/stable/c/ab9ddc87a9055c4bebd6524d5d761d605d52e557"
}
],
"title": "SMB3: Add missing locks to protect deferred close file list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53990",
"datePublished": "2025-12-24T10:55:29.156Z",
"dateReserved": "2025-12-24T10:53:46.175Z",
"dateUpdated": "2025-12-24T10:55:29.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40321 (GCVE-0-2025-40321)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
Currently, whenever there is a need to transmit an Action frame,
the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to
firmware. The P2P interfaces were available when wpa_supplicant is managing
the wlan interface.
However, the P2P interfaces are not created/initialized when only hostapd
is managing the wlan interface. And if hostapd receives an ANQP Query REQ
Action frame even from an un-associated STA, the brcmfmac driver tries
to use an uninitialized P2P vif pointer for sending the IOVAR to firmware.
This NULL pointer dereferencing triggers a driver crash.
[ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual
address 0000000000000000
[...]
[ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)
[...]
[ 1417.075653] Call trace:
[ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
[ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]
[ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]
[ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211]
[ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158
[ 1417.076302] genl_rcv_msg+0x220/0x2a0
[ 1417.076317] netlink_rcv_skb+0x68/0x140
[ 1417.076330] genl_rcv+0x40/0x60
[ 1417.076343] netlink_unicast+0x330/0x3b8
[ 1417.076357] netlink_sendmsg+0x19c/0x3f8
[ 1417.076370] __sock_sendmsg+0x64/0xc0
[ 1417.076391] ____sys_sendmsg+0x268/0x2a0
[ 1417.076408] ___sys_sendmsg+0xb8/0x118
[ 1417.076427] __sys_sendmsg+0x90/0xf8
[ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40
[ 1417.076465] invoke_syscall+0x50/0x120
[ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0
[ 1417.076506] do_el0_svc+0x24/0x38
[ 1417.076525] el0_svc+0x30/0x100
[ 1417.076548] el0t_64_sync_handler+0x100/0x130
[ 1417.076569] el0t_64_sync+0x190/0x198
[ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)
Fix this, by always using the vif corresponding to the wdev on which the
Action frame Transmission request was initiated by the userspace. This way,
even if P2P vif is not available, the IOVAR is sent to firmware on AP vif
and the ANQP Query RESP Action frame is transmitted without crashing the
driver.
Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev()
to brcmf_p2p_attach(). Because the former function would not get executed
when only hostapd is managing wlan interface, and it is not safe to do
reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior
init_completion().
And in the brcmf_p2p_tx_action_frame() function, the condition check for
P2P Presence response frame is not needed, since the wpa_supplicant is
properly sending the P2P Presense Response frame on the P2P-GO vif instead
of the P2P-Device vif.
[Cc stable]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < c863b9c7b4e9af0b7931cb791ec91971a50f1a25
(git)
Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < e1fc9afcce9139791260f962541282d47fbb508d (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 55f60a72a178909ece4e32987e4c642ba57e1cf4 (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < c2b0f8d3e7358c33d90f0e62765d474f25f26a45 (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 64e3175d1c8a3bea02032e7c9d1befd5f43786fa (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < a6eed58249e7d60f856900e682992300f770f64b (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a (git) Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 3776c685ebe5f43e9060af06872661de55e80b9a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c863b9c7b4e9af0b7931cb791ec91971a50f1a25",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "e1fc9afcce9139791260f962541282d47fbb508d",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "55f60a72a178909ece4e32987e4c642ba57e1cf4",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "c2b0f8d3e7358c33d90f0e62765d474f25f26a45",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "64e3175d1c8a3bea02032e7c9d1befd5f43786fa",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "a6eed58249e7d60f856900e682992300f770f64b",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
},
{
"lessThan": "3776c685ebe5f43e9060af06872661de55e80b9a",
"status": "affected",
"version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c",
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode\n\nCurrently, whenever there is a need to transmit an Action frame,\nthe brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to\nfirmware. The P2P interfaces were available when wpa_supplicant is managing\nthe wlan interface.\n\nHowever, the P2P interfaces are not created/initialized when only hostapd\nis managing the wlan interface. And if hostapd receives an ANQP Query REQ\nAction frame even from an un-associated STA, the brcmfmac driver tries\nto use an uninitialized P2P vif pointer for sending the IOVAR to firmware.\nThis NULL pointer dereferencing triggers a driver crash.\n\n [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000000\n [...]\n [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)\n [...]\n [ 1417.075653] Call trace:\n [ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]\n [ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]\n [ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]\n [ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211]\n [ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158\n [ 1417.076302] genl_rcv_msg+0x220/0x2a0\n [ 1417.076317] netlink_rcv_skb+0x68/0x140\n [ 1417.076330] genl_rcv+0x40/0x60\n [ 1417.076343] netlink_unicast+0x330/0x3b8\n [ 1417.076357] netlink_sendmsg+0x19c/0x3f8\n [ 1417.076370] __sock_sendmsg+0x64/0xc0\n [ 1417.076391] ____sys_sendmsg+0x268/0x2a0\n [ 1417.076408] ___sys_sendmsg+0xb8/0x118\n [ 1417.076427] __sys_sendmsg+0x90/0xf8\n [ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40\n [ 1417.076465] invoke_syscall+0x50/0x120\n [ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0\n [ 1417.076506] do_el0_svc+0x24/0x38\n [ 1417.076525] el0_svc+0x30/0x100\n [ 1417.076548] el0t_64_sync_handler+0x100/0x130\n [ 1417.076569] el0t_64_sync+0x190/0x198\n [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)\n\nFix this, by always using the vif corresponding to the wdev on which the\nAction frame Transmission request was initiated by the userspace. This way,\neven if P2P vif is not available, the IOVAR is sent to firmware on AP vif\nand the ANQP Query RESP Action frame is transmitted without crashing the\ndriver.\n\nMove init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev()\nto brcmf_p2p_attach(). Because the former function would not get executed\nwhen only hostapd is managing wlan interface, and it is not safe to do\nreinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior\ninit_completion().\n\nAnd in the brcmf_p2p_tx_action_frame() function, the condition check for\nP2P Presence response frame is not needed, since the wpa_supplicant is\nproperly sending the P2P Presense Response frame on the P2P-GO vif instead\nof the P2P-Device vif.\n\n[Cc stable]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:48.724Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c863b9c7b4e9af0b7931cb791ec91971a50f1a25"
},
{
"url": "https://git.kernel.org/stable/c/e1fc9afcce9139791260f962541282d47fbb508d"
},
{
"url": "https://git.kernel.org/stable/c/55f60a72a178909ece4e32987e4c642ba57e1cf4"
},
{
"url": "https://git.kernel.org/stable/c/c2b0f8d3e7358c33d90f0e62765d474f25f26a45"
},
{
"url": "https://git.kernel.org/stable/c/64e3175d1c8a3bea02032e7c9d1befd5f43786fa"
},
{
"url": "https://git.kernel.org/stable/c/a6eed58249e7d60f856900e682992300f770f64b"
},
{
"url": "https://git.kernel.org/stable/c/dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a"
},
{
"url": "https://git.kernel.org/stable/c/3776c685ebe5f43e9060af06872661de55e80b9a"
}
],
"title": "wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40321",
"datePublished": "2025-12-08T00:46:48.724Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:48.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54125 (GCVE-0-2023-54125)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
fs/ntfs3: Return error for inconsistent extended attributes
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Return error for inconsistent extended attributes
ntfs_read_ea is called when we want to read extended attributes. There
are some sanity checks for the validity of the EAs. However, it fails to
return a proper error code for the inconsistent attributes, which might
lead to unpredicted memory accesses after return.
[ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0
[ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199
[ 138.931132]
[ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4
[ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 138.947327] Call Trace:
[ 138.949557] <TASK>
[ 138.951539] dump_stack_lvl+0x4d/0x67
[ 138.956834] print_report+0x16f/0x4a6
[ 138.960798] ? ntfs_set_ea+0x453/0xbf0
[ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200
[ 138.969793] ? ntfs_set_ea+0x453/0xbf0
[ 138.973523] kasan_report+0xb8/0x140
[ 138.976740] ? ntfs_set_ea+0x453/0xbf0
[ 138.980578] __asan_store4+0x76/0xa0
[ 138.984669] ntfs_set_ea+0x453/0xbf0
[ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10
[ 138.993390] ? kernel_text_address+0xd3/0xe0
[ 138.998270] ? __kernel_text_address+0x16/0x50
[ 139.002121] ? unwind_get_return_address+0x3e/0x60
[ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 139.010177] ? arch_stack_walk+0xa2/0x100
[ 139.013657] ? filter_irq_stacks+0x27/0x80
[ 139.017018] ntfs_setxattr+0x405/0x440
[ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10
[ 139.026569] ? kvmalloc_node+0x2d/0x120
[ 139.030329] ? kasan_save_stack+0x41/0x60
[ 139.033883] ? kasan_save_stack+0x2a/0x60
[ 139.037338] ? kasan_set_track+0x29/0x40
[ 139.040163] ? kasan_save_alloc_info+0x1f/0x30
[ 139.043588] ? __kasan_kmalloc+0x8b/0xa0
[ 139.047255] ? __kmalloc_node+0x68/0x150
[ 139.051264] ? kvmalloc_node+0x2d/0x120
[ 139.055301] ? vmemdup_user+0x2b/0xa0
[ 139.058584] __vfs_setxattr+0x121/0x170
[ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10
[ 139.066282] __vfs_setxattr_noperm+0x97/0x300
[ 139.070061] __vfs_setxattr_locked+0x145/0x170
[ 139.073580] vfs_setxattr+0x137/0x2a0
[ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10
[ 139.080223] ? __kasan_check_write+0x18/0x20
[ 139.084234] do_setxattr+0xce/0x150
[ 139.087768] setxattr+0x126/0x140
[ 139.091250] ? __pfx_setxattr+0x10/0x10
[ 139.094948] ? __virt_addr_valid+0xcb/0x140
[ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330
[ 139.102688] ? debug_smp_processor_id+0x1b/0x30
[ 139.105985] ? kasan_quarantine_put+0x5b/0x190
[ 139.109980] ? putname+0x84/0xa0
[ 139.113886] ? __kasan_slab_free+0x11e/0x1b0
[ 139.117961] ? putname+0x84/0xa0
[ 139.121316] ? preempt_count_sub+0x1c/0xd0
[ 139.124427] ? __mnt_want_write+0xae/0x100
[ 139.127836] ? mnt_want_write+0x8f/0x150
[ 139.130954] path_setxattr+0x164/0x180
[ 139.133998] ? __pfx_path_setxattr+0x10/0x10
[ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10
[ 139.141299] ? debug_smp_processor_id+0x1b/0x30
[ 139.145714] ? fpregs_assert_state_consistent+0x6b/0x80
[ 139.150796] __x64_sys_setxattr+0x71/0x90
[ 139.155407] do_syscall_64+0x3f/0x90
[ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 139.163843] RIP: 0033:0x7f108cae4469
[ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088
[ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc
[ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469
[ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6
[ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618
[ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0
[ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b , < 1474098b590a426d90f27bb992f17c326e0b60c1
(git)
Affected: 0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b , < c9db0ff04649aa0b45f497183c957fe260f229f6 (git) Affected: 333feb7ba84f69f9b423422417aaac54fd9e7c84 (git) Affected: 000a9a72efa4a9df289bab9c9e8ba1639c72e0d6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1474098b590a426d90f27bb992f17c326e0b60c1",
"status": "affected",
"version": "0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b",
"versionType": "git"
},
{
"lessThan": "c9db0ff04649aa0b45f497183c957fe260f229f6",
"status": "affected",
"version": "0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b",
"versionType": "git"
},
{
"status": "affected",
"version": "333feb7ba84f69f9b423422417aaac54fd9e7c84",
"versionType": "git"
},
{
"status": "affected",
"version": "000a9a72efa4a9df289bab9c9e8ba1639c72e0d6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ntfs3/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.40",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Return error for inconsistent extended attributes\n\nntfs_read_ea is called when we want to read extended attributes. There\nare some sanity checks for the validity of the EAs. However, it fails to\nreturn a proper error code for the inconsistent attributes, which might\nlead to unpredicted memory accesses after return.\n\n[ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0\n[ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199\n[ 138.931132]\n[ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4\n[ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[ 138.947327] Call Trace:\n[ 138.949557] \u003cTASK\u003e\n[ 138.951539] dump_stack_lvl+0x4d/0x67\n[ 138.956834] print_report+0x16f/0x4a6\n[ 138.960798] ? ntfs_set_ea+0x453/0xbf0\n[ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200\n[ 138.969793] ? ntfs_set_ea+0x453/0xbf0\n[ 138.973523] kasan_report+0xb8/0x140\n[ 138.976740] ? ntfs_set_ea+0x453/0xbf0\n[ 138.980578] __asan_store4+0x76/0xa0\n[ 138.984669] ntfs_set_ea+0x453/0xbf0\n[ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10\n[ 138.993390] ? kernel_text_address+0xd3/0xe0\n[ 138.998270] ? __kernel_text_address+0x16/0x50\n[ 139.002121] ? unwind_get_return_address+0x3e/0x60\n[ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10\n[ 139.010177] ? arch_stack_walk+0xa2/0x100\n[ 139.013657] ? filter_irq_stacks+0x27/0x80\n[ 139.017018] ntfs_setxattr+0x405/0x440\n[ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10\n[ 139.026569] ? kvmalloc_node+0x2d/0x120\n[ 139.030329] ? kasan_save_stack+0x41/0x60\n[ 139.033883] ? kasan_save_stack+0x2a/0x60\n[ 139.037338] ? kasan_set_track+0x29/0x40\n[ 139.040163] ? kasan_save_alloc_info+0x1f/0x30\n[ 139.043588] ? __kasan_kmalloc+0x8b/0xa0\n[ 139.047255] ? __kmalloc_node+0x68/0x150\n[ 139.051264] ? kvmalloc_node+0x2d/0x120\n[ 139.055301] ? vmemdup_user+0x2b/0xa0\n[ 139.058584] __vfs_setxattr+0x121/0x170\n[ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10\n[ 139.066282] __vfs_setxattr_noperm+0x97/0x300\n[ 139.070061] __vfs_setxattr_locked+0x145/0x170\n[ 139.073580] vfs_setxattr+0x137/0x2a0\n[ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10\n[ 139.080223] ? __kasan_check_write+0x18/0x20\n[ 139.084234] do_setxattr+0xce/0x150\n[ 139.087768] setxattr+0x126/0x140\n[ 139.091250] ? __pfx_setxattr+0x10/0x10\n[ 139.094948] ? __virt_addr_valid+0xcb/0x140\n[ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330\n[ 139.102688] ? debug_smp_processor_id+0x1b/0x30\n[ 139.105985] ? kasan_quarantine_put+0x5b/0x190\n[ 139.109980] ? putname+0x84/0xa0\n[ 139.113886] ? __kasan_slab_free+0x11e/0x1b0\n[ 139.117961] ? putname+0x84/0xa0\n[ 139.121316] ? preempt_count_sub+0x1c/0xd0\n[ 139.124427] ? __mnt_want_write+0xae/0x100\n[ 139.127836] ? mnt_want_write+0x8f/0x150\n[ 139.130954] path_setxattr+0x164/0x180\n[ 139.133998] ? __pfx_path_setxattr+0x10/0x10\n[ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10\n[ 139.141299] ? debug_smp_processor_id+0x1b/0x30\n[ 139.145714] ? fpregs_assert_state_consistent+0x6b/0x80\n[ 139.150796] __x64_sys_setxattr+0x71/0x90\n[ 139.155407] do_syscall_64+0x3f/0x90\n[ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n[ 139.163843] RIP: 0033:0x7f108cae4469\n[ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088\n[ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc\n[ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469\n[ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6\n[ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618\n[ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0\n[ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:56.179Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1474098b590a426d90f27bb992f17c326e0b60c1"
},
{
"url": "https://git.kernel.org/stable/c/c9db0ff04649aa0b45f497183c957fe260f229f6"
}
],
"title": "fs/ntfs3: Return error for inconsistent extended attributes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54125",
"datePublished": "2025-12-24T13:06:43.977Z",
"dateReserved": "2025-12-24T13:02:52.521Z",
"dateUpdated": "2026-01-05T10:33:56.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54297 (GCVE-0-2023-54297)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
btrfs: zoned: fix memory leak after finding block group with super blocks
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: zoned: fix memory leak after finding block group with super blocks
At exclude_super_stripes(), if we happen to find a block group that has
super blocks mapped to it and we are on a zoned filesystem, we error out
as this is not supposed to happen, indicating either a bug or maybe some
memory corruption for example. However we are exiting the function without
freeing the memory allocated for the logical address of the super blocks.
Fix this by freeing the logical address.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
12659251ca5df05a484eb122c2c34c18d84e797c , < ab80a901f8daca07c4a54af0ab0de745c9918294
(git)
Affected: 12659251ca5df05a484eb122c2c34c18d84e797c , < c35ea606196243063e63785918c7c8fe27c45798 (git) Affected: 12659251ca5df05a484eb122c2c34c18d84e797c , < cca627afb463a4b47721eac017516ba200de85c3 (git) Affected: 12659251ca5df05a484eb122c2c34c18d84e797c , < f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab80a901f8daca07c4a54af0ab0de745c9918294",
"status": "affected",
"version": "12659251ca5df05a484eb122c2c34c18d84e797c",
"versionType": "git"
},
{
"lessThan": "c35ea606196243063e63785918c7c8fe27c45798",
"status": "affected",
"version": "12659251ca5df05a484eb122c2c34c18d84e797c",
"versionType": "git"
},
{
"lessThan": "cca627afb463a4b47721eac017516ba200de85c3",
"status": "affected",
"version": "12659251ca5df05a484eb122c2c34c18d84e797c",
"versionType": "git"
},
{
"lessThan": "f1a07c2b4e2c473ec322b8b9ece071b8c88a3512",
"status": "affected",
"version": "12659251ca5df05a484eb122c2c34c18d84e797c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/block-group.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix memory leak after finding block group with super blocks\n\nAt exclude_super_stripes(), if we happen to find a block group that has\nsuper blocks mapped to it and we are on a zoned filesystem, we error out\nas this is not supposed to happen, indicating either a bug or maybe some\nmemory corruption for example. However we are exiting the function without\nfreeing the memory allocated for the logical address of the super blocks.\nFix this by freeing the logical address."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:33.834Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab80a901f8daca07c4a54af0ab0de745c9918294"
},
{
"url": "https://git.kernel.org/stable/c/c35ea606196243063e63785918c7c8fe27c45798"
},
{
"url": "https://git.kernel.org/stable/c/cca627afb463a4b47721eac017516ba200de85c3"
},
{
"url": "https://git.kernel.org/stable/c/f1a07c2b4e2c473ec322b8b9ece071b8c88a3512"
}
],
"title": "btrfs: zoned: fix memory leak after finding block group with super blocks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54297",
"datePublished": "2025-12-30T12:23:33.834Z",
"dateReserved": "2025-12-30T12:06:44.528Z",
"dateUpdated": "2025-12-30T12:23:33.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40279 (GCVE-0-2025-40279)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_connmark: initialize struct tc_ife to fix kernel leak
In tcf_connmark_dump(), the variable 'opt' was partially initialized using a
designatied initializer. While the padding bytes are reamined
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.
Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to beign copied.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 218b67c8c8246d47a2a7910eae80abe4861fe2b7
(git)
Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 73cc56c608c209d3d666cc571293b090a471da70 (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 31e4aa93e2e5b5647fc235b0f6ee329646878f9e (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 51cb05d4fd632596816ba44e882e84db9fb28a7e (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 25837889ec062f2b7618142cd80253dff3da5343 (git) Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 62b656e43eaeae445a39cd8021a4f47065af4389 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_connmark.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "218b67c8c8246d47a2a7910eae80abe4861fe2b7",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "73cc56c608c209d3d666cc571293b090a471da70",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "31e4aa93e2e5b5647fc235b0f6ee329646878f9e",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "51cb05d4fd632596816ba44e882e84db9fb28a7e",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "25837889ec062f2b7618142cd80253dff3da5343",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
},
{
"lessThan": "62b656e43eaeae445a39cd8021a4f47065af4389",
"status": "affected",
"version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_connmark.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_connmark: initialize struct tc_ife to fix kernel leak\n\nIn tcf_connmark_dump(), the variable \u0027opt\u0027 was partially initialized using a\ndesignatied initializer. While the padding bytes are reamined\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to beign copied."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:03.010Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/218b67c8c8246d47a2a7910eae80abe4861fe2b7"
},
{
"url": "https://git.kernel.org/stable/c/73cc56c608c209d3d666cc571293b090a471da70"
},
{
"url": "https://git.kernel.org/stable/c/31e4aa93e2e5b5647fc235b0f6ee329646878f9e"
},
{
"url": "https://git.kernel.org/stable/c/51cb05d4fd632596816ba44e882e84db9fb28a7e"
},
{
"url": "https://git.kernel.org/stable/c/25837889ec062f2b7618142cd80253dff3da5343"
},
{
"url": "https://git.kernel.org/stable/c/62b656e43eaeae445a39cd8021a4f47065af4389"
}
],
"title": "net: sched: act_connmark: initialize struct tc_ife to fix kernel leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40279",
"datePublished": "2025-12-06T21:51:03.010Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:03.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68264 (GCVE-0-2025-68264)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
ext4: refresh inline data size before write operations
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: refresh inline data size before write operations
The cached ei->i_inline_size can become stale between the initial size
check and when ext4_update_inline_data()/ext4_create_inline_data() use
it. Although ext4_get_max_inline_size() reads the correct value at the
time of the check, concurrent xattr operations can modify i_inline_size
before ext4_write_lock_xattr() is acquired.
This causes ext4_update_inline_data() and ext4_create_inline_data() to
work with stale capacity values, leading to a BUG_ON() crash in
ext4_write_inline_data():
kernel BUG at fs/ext4/inline.c:1331!
BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
The race window:
1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)
2. Size check passes for 50-byte write
3. [Another thread adds xattr, i_inline_size changes to 40]
4. ext4_write_lock_xattr() acquires lock
5. ext4_update_inline_data() uses stale i_inline_size = 60
6. Attempts to write 50 bytes but only 40 bytes actually available
7. BUG_ON() triggers
Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock()
immediately after acquiring xattr_sem. This ensures ext4_update_inline_data()
and ext4_create_inline_data() work with current values that are protected
from concurrent modifications.
This is similar to commit a54c4613dac1 ("ext4: fix race writing to an
inline_data file while its xattrs are changing") which fixed i_inline_off
staleness. This patch addresses the related i_inline_size staleness issue.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
67cf5b09a46f72e048501b84996f2f77bc42e947 , < 54ab81ae5f218452e64470cd8a8139bb5880fe2b
(git)
Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 43bf001f0fe4e59bba47c897505222f959f4a1cc (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 89c2c41f0974e530b2d032c3695095aa0559adb1 (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 1687a055a555347b002f406676a1aaae4668f242 (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < ca43ea29b4c4d2764aec8a26cffcfb677a871e6e (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 58df743faf21ceb1880f930aa5dd428e2a5e415d (git) Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 892e1cf17555735e9d021ab036c36bc7b58b0e3b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54ab81ae5f218452e64470cd8a8139bb5880fe2b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "43bf001f0fe4e59bba47c897505222f959f4a1cc",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "89c2c41f0974e530b2d032c3695095aa0559adb1",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "1687a055a555347b002f406676a1aaae4668f242",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "ca43ea29b4c4d2764aec8a26cffcfb677a871e6e",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "58df743faf21ceb1880f930aa5dd428e2a5e415d",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
},
{
"lessThan": "892e1cf17555735e9d021ab036c36bc7b58b0e3b",
"status": "affected",
"version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inline.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: refresh inline data size before write operations\n\nThe cached ei-\u003ei_inline_size can become stale between the initial size\ncheck and when ext4_update_inline_data()/ext4_create_inline_data() use\nit. Although ext4_get_max_inline_size() reads the correct value at the\ntime of the check, concurrent xattr operations can modify i_inline_size\nbefore ext4_write_lock_xattr() is acquired.\n\nThis causes ext4_update_inline_data() and ext4_create_inline_data() to\nwork with stale capacity values, leading to a BUG_ON() crash in\next4_write_inline_data():\n\n kernel BUG at fs/ext4/inline.c:1331!\n BUG_ON(pos + len \u003e EXT4_I(inode)-\u003ei_inline_size);\n\nThe race window:\n1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)\n2. Size check passes for 50-byte write\n3. [Another thread adds xattr, i_inline_size changes to 40]\n4. ext4_write_lock_xattr() acquires lock\n5. ext4_update_inline_data() uses stale i_inline_size = 60\n6. Attempts to write 50 bytes but only 40 bytes actually available\n7. BUG_ON() triggers\n\nFix this by recalculating i_inline_size via ext4_find_inline_data_nolock()\nimmediately after acquiring xattr_sem. This ensures ext4_update_inline_data()\nand ext4_create_inline_data() work with current values that are protected\nfrom concurrent modifications.\n\nThis is similar to commit a54c4613dac1 (\"ext4: fix race writing to an\ninline_data file while its xattrs are changing\") which fixed i_inline_off\nstaleness. This patch addresses the related i_inline_size staleness issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:14.011Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54ab81ae5f218452e64470cd8a8139bb5880fe2b"
},
{
"url": "https://git.kernel.org/stable/c/43bf001f0fe4e59bba47c897505222f959f4a1cc"
},
{
"url": "https://git.kernel.org/stable/c/89c2c41f0974e530b2d032c3695095aa0559adb1"
},
{
"url": "https://git.kernel.org/stable/c/1687a055a555347b002f406676a1aaae4668f242"
},
{
"url": "https://git.kernel.org/stable/c/210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b"
},
{
"url": "https://git.kernel.org/stable/c/ca43ea29b4c4d2764aec8a26cffcfb677a871e6e"
},
{
"url": "https://git.kernel.org/stable/c/58df743faf21ceb1880f930aa5dd428e2a5e415d"
},
{
"url": "https://git.kernel.org/stable/c/892e1cf17555735e9d021ab036c36bc7b58b0e3b"
}
],
"title": "ext4: refresh inline data size before write operations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68264",
"datePublished": "2025-12-16T14:45:06.268Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-01-19T12:18:14.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50660 (GCVE-0-2022-50660)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
wifi: ipw2200: fix memory leak in ipw_wdev_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ipw2200: fix memory leak in ipw_wdev_init()
In the error path of ipw_wdev_init(), exception value is returned, and
the memory applied for in the function is not released. Also the memory
is not released in ipw_pci_probe(). As a result, memory leakage occurs.
So memory release needs to be added to the error path of ipw_wdev_init().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 75d20ba9506eb90d92e660e04dd887ff1495fcc3
(git)
Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < fb3517b92a45c8004ac26250ae041a24eb23fef1 (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 112c1af02b8f535baf42ef9d807aea963705ef15 (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 8a2eb9d9d0c1535bc8e22840193bff4cdcac878b (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 9424ea9d557ef41d86eb40b6349ae991c3dcff89 (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 62ec7e8bf42f1542f966dda687c654aae81718c8 (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 1f590fb3d14e5db3a9e06ee141b1685c429278ce (git) Affected: a3caa99e6c68f466c13cfea74097f6fb01b45e25 , < 9fe21dc626117fb44a8eb393713a86a620128ce3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/ipw2x00/ipw2200.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75d20ba9506eb90d92e660e04dd887ff1495fcc3",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "fb3517b92a45c8004ac26250ae041a24eb23fef1",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "112c1af02b8f535baf42ef9d807aea963705ef15",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "8a2eb9d9d0c1535bc8e22840193bff4cdcac878b",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "9424ea9d557ef41d86eb40b6349ae991c3dcff89",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "62ec7e8bf42f1542f966dda687c654aae81718c8",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "1f590fb3d14e5db3a9e06ee141b1685c429278ce",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
},
{
"lessThan": "9fe21dc626117fb44a8eb393713a86a620128ce3",
"status": "affected",
"version": "a3caa99e6c68f466c13cfea74097f6fb01b45e25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/ipw2x00/ipw2200.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ipw2200: fix memory leak in ipw_wdev_init()\n\nIn the error path of ipw_wdev_init(), exception value is returned, and\nthe memory applied for in the function is not released. Also the memory\nis not released in ipw_pci_probe(). As a result, memory leakage occurs.\nSo memory release needs to be added to the error path of ipw_wdev_init()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:08.387Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75d20ba9506eb90d92e660e04dd887ff1495fcc3"
},
{
"url": "https://git.kernel.org/stable/c/fb3517b92a45c8004ac26250ae041a24eb23fef1"
},
{
"url": "https://git.kernel.org/stable/c/112c1af02b8f535baf42ef9d807aea963705ef15"
},
{
"url": "https://git.kernel.org/stable/c/8a2eb9d9d0c1535bc8e22840193bff4cdcac878b"
},
{
"url": "https://git.kernel.org/stable/c/9424ea9d557ef41d86eb40b6349ae991c3dcff89"
},
{
"url": "https://git.kernel.org/stable/c/62ec7e8bf42f1542f966dda687c654aae81718c8"
},
{
"url": "https://git.kernel.org/stable/c/1f590fb3d14e5db3a9e06ee141b1685c429278ce"
},
{
"url": "https://git.kernel.org/stable/c/9fe21dc626117fb44a8eb393713a86a620128ce3"
}
],
"title": "wifi: ipw2200: fix memory leak in ipw_wdev_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50660",
"datePublished": "2025-12-09T01:29:08.387Z",
"dateReserved": "2025-12-09T01:26:45.989Z",
"dateUpdated": "2025-12-09T01:29:08.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50887 (GCVE-0-2022-50887)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37
VLAI?
EPSS
Title
regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
I got the the following report:
OF: ERROR: memory leak, expected refcount 1 instead of 2,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /i2c/pmic@62/regulators/exten
In of_get_regulator(), the node is returned from of_parse_phandle()
with refcount incremented, after using it, of_node_put() need be called.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < 0e88505ac0a6ae97746bcdbd4b042ee9f20455ae
(git)
Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < 4dfcf5087db9a34a300d6b99009232d4537c3e6a (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < 3ac888db0f67813d91373a9a61c840f815cd4ec9 (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < d39937f8de641c44a337cec4a2e5d3e8add20a7d (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < f48c474efe05cf9ce5e535b5e0ddd710e963936c (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < cda1895f3b7f324ece1614308a815a3994983b97 (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < 2b93c58adddd98812ad928bbc2063038f3df1ffd (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < 2f98469c3141f8e42ba11075a273fb795bbad57f (git) Affected: 69511a452e6dc6b74fe4f3671a51b1b44b9c57e3 , < f2b41b748c19962b82709d9f23c6b2b0ce9d2f91 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e88505ac0a6ae97746bcdbd4b042ee9f20455ae",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "4dfcf5087db9a34a300d6b99009232d4537c3e6a",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "3ac888db0f67813d91373a9a61c840f815cd4ec9",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "d39937f8de641c44a337cec4a2e5d3e8add20a7d",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "f48c474efe05cf9ce5e535b5e0ddd710e963936c",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "cda1895f3b7f324ece1614308a815a3994983b97",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "2b93c58adddd98812ad928bbc2063038f3df1ffd",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "2f98469c3141f8e42ba11075a273fb795bbad57f",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
},
{
"lessThan": "f2b41b748c19962b82709d9f23c6b2b0ce9d2f91",
"status": "affected",
"version": "69511a452e6dc6b74fe4f3671a51b1b44b9c57e3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: fix unbalanced of node refcount in regulator_dev_lookup()\n\nI got the the following report:\n\n OF: ERROR: memory leak, expected refcount 1 instead of 2,\n of_node_get()/of_node_put() unbalanced - destroy cset entry:\n attach overlay node /i2c/pmic@62/regulators/exten\n\nIn of_get_regulator(), the node is returned from of_parse_phandle()\nwith refcount incremented, after using it, of_node_put() need be called."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:37:05.505Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e88505ac0a6ae97746bcdbd4b042ee9f20455ae"
},
{
"url": "https://git.kernel.org/stable/c/4dfcf5087db9a34a300d6b99009232d4537c3e6a"
},
{
"url": "https://git.kernel.org/stable/c/3ac888db0f67813d91373a9a61c840f815cd4ec9"
},
{
"url": "https://git.kernel.org/stable/c/d39937f8de641c44a337cec4a2e5d3e8add20a7d"
},
{
"url": "https://git.kernel.org/stable/c/f48c474efe05cf9ce5e535b5e0ddd710e963936c"
},
{
"url": "https://git.kernel.org/stable/c/cda1895f3b7f324ece1614308a815a3994983b97"
},
{
"url": "https://git.kernel.org/stable/c/2b93c58adddd98812ad928bbc2063038f3df1ffd"
},
{
"url": "https://git.kernel.org/stable/c/2f98469c3141f8e42ba11075a273fb795bbad57f"
},
{
"url": "https://git.kernel.org/stable/c/f2b41b748c19962b82709d9f23c6b2b0ce9d2f91"
}
],
"title": "regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50887",
"datePublished": "2025-12-30T12:37:05.505Z",
"dateReserved": "2025-12-30T12:35:41.595Z",
"dateUpdated": "2025-12-30T12:37:05.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50850 (GCVE-0-2022-50850)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
scsi: ipr: Fix WARNING in ipr_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ipr: Fix WARNING in ipr_init()
ipr_init() will not call unregister_reboot_notifier() when
pci_register_driver() fails, which causes a WARNING. Call
unregister_reboot_notifier() when pci_register_driver() fails.
notifier callback ipr_halt [ipr] already registered
WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29
notifier_chain_register+0x16d/0x230
Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore
led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm
drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks
agpgart cfbft
CPU: 3 PID: 299 Comm: modprobe Tainted: G W
6.1.0-rc1-00190-g39508d23b672-dirty #332
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:notifier_chain_register+0x16d/0x230
Call Trace:
<TASK>
__blocking_notifier_chain_register+0x73/0xb0
ipr_init+0x30/0x1000 [ipr]
do_one_initcall+0xdb/0x480
do_init_module+0x1cf/0x680
load_module+0x6a50/0x70a0
__do_sys_finit_module+0x12f/0x1c0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < 020b66023712b1cc42c6ab8b76e4ec13efe4a092
(git)
Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < e965c4a60c1daa6e24355e35d78ca8e9f195196f (git) Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < 5debd337f534b122f7c5eac6557a41b5636c9b51 (git) Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < eccbec017c95b9b9ecd4c05c6f5234d1487c72cc (git) Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < f4ba143b04a17559f2c85e18b47db117f40d8cf3 (git) Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < e59da172059f05c594fda03a9e8a3a0e1f5116c0 (git) Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < 8c739021b2022fbc40f71d3fa2e9162beef0c84a (git) Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < 4399a8632e5f8f1f695d91d992c7d418fb451f07 (git) Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < e6f108bffc3708ddcff72324f7d40dfcd0204894 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ipr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "020b66023712b1cc42c6ab8b76e4ec13efe4a092",
"status": "affected",
"version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
"versionType": "git"
},
{
"lessThan": "e965c4a60c1daa6e24355e35d78ca8e9f195196f",
"status": "affected",
"version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
"versionType": "git"
},
{
"lessThan": "5debd337f534b122f7c5eac6557a41b5636c9b51",
"status": "affected",
"version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
"versionType": "git"
},
{
"lessThan": "eccbec017c95b9b9ecd4c05c6f5234d1487c72cc",
"status": "affected",
"version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
"versionType": "git"
},
{
"lessThan": "f4ba143b04a17559f2c85e18b47db117f40d8cf3",
"status": "affected",
"version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
"versionType": "git"
},
{
"lessThan": "e59da172059f05c594fda03a9e8a3a0e1f5116c0",
"status": "affected",
"version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
"versionType": "git"
},
{
"lessThan": "8c739021b2022fbc40f71d3fa2e9162beef0c84a",
"status": "affected",
"version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
"versionType": "git"
},
{
"lessThan": "4399a8632e5f8f1f695d91d992c7d418fb451f07",
"status": "affected",
"version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
"versionType": "git"
},
{
"lessThan": "e6f108bffc3708ddcff72324f7d40dfcd0204894",
"status": "affected",
"version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/ipr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ipr: Fix WARNING in ipr_init()\n\nipr_init() will not call unregister_reboot_notifier() when\npci_register_driver() fails, which causes a WARNING. Call\nunregister_reboot_notifier() when pci_register_driver() fails.\n\nnotifier callback ipr_halt [ipr] already registered\nWARNING: CPU: 3 PID: 299 at kernel/notifier.c:29\nnotifier_chain_register+0x16d/0x230\nModules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore\nled_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm\ndrm_display_helper drm_kms_helper drm drm_panel_orientation_quirks\nagpgart cfbft\nCPU: 3 PID: 299 Comm: modprobe Tainted: G W\n6.1.0-rc1-00190-g39508d23b672-dirty #332\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:notifier_chain_register+0x16d/0x230\nCall Trace:\n \u003cTASK\u003e\n __blocking_notifier_chain_register+0x73/0xb0\n ipr_init+0x30/0x1000 [ipr]\n do_one_initcall+0xdb/0x480\n do_init_module+0x1cf/0x680\n load_module+0x6a50/0x70a0\n __do_sys_finit_module+0x12f/0x1c0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:27.089Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/020b66023712b1cc42c6ab8b76e4ec13efe4a092"
},
{
"url": "https://git.kernel.org/stable/c/e965c4a60c1daa6e24355e35d78ca8e9f195196f"
},
{
"url": "https://git.kernel.org/stable/c/5debd337f534b122f7c5eac6557a41b5636c9b51"
},
{
"url": "https://git.kernel.org/stable/c/eccbec017c95b9b9ecd4c05c6f5234d1487c72cc"
},
{
"url": "https://git.kernel.org/stable/c/f4ba143b04a17559f2c85e18b47db117f40d8cf3"
},
{
"url": "https://git.kernel.org/stable/c/e59da172059f05c594fda03a9e8a3a0e1f5116c0"
},
{
"url": "https://git.kernel.org/stable/c/8c739021b2022fbc40f71d3fa2e9162beef0c84a"
},
{
"url": "https://git.kernel.org/stable/c/4399a8632e5f8f1f695d91d992c7d418fb451f07"
},
{
"url": "https://git.kernel.org/stable/c/e6f108bffc3708ddcff72324f7d40dfcd0204894"
}
],
"title": "scsi: ipr: Fix WARNING in ipr_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50850",
"datePublished": "2025-12-30T12:15:27.089Z",
"dateReserved": "2025-12-30T12:06:07.134Z",
"dateUpdated": "2025-12-30T12:15:27.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54215 (GCVE-0-2023-54215)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
virtio-vdpa: Fix cpumask memory leak in virtio_vdpa_find_vqs()
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio-vdpa: Fix cpumask memory leak in virtio_vdpa_find_vqs()
Free the cpumask allocated by create_affinity_masks() before returning
from the function.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/virtio/virtio_vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa450621efab58121fe8e57f7a7b80fee6e0bae1",
"status": "affected",
"version": "3dad56823b5332ffdbe1867b2d7b50fbacea124a",
"versionType": "git"
},
{
"lessThan": "df9557046440b0a62250fee3169a8f6a139f55a6",
"status": "affected",
"version": "3dad56823b5332ffdbe1867b2d7b50fbacea124a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/virtio/virtio_vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-vdpa: Fix cpumask memory leak in virtio_vdpa_find_vqs()\n\nFree the cpumask allocated by create_affinity_masks() before returning\nfrom the function."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:12.063Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa450621efab58121fe8e57f7a7b80fee6e0bae1"
},
{
"url": "https://git.kernel.org/stable/c/df9557046440b0a62250fee3169a8f6a139f55a6"
}
],
"title": "virtio-vdpa: Fix cpumask memory leak in virtio_vdpa_find_vqs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54215",
"datePublished": "2025-12-30T12:11:12.063Z",
"dateReserved": "2025-12-30T12:06:44.500Z",
"dateUpdated": "2025-12-30T12:11:12.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50826 (GCVE-0-2022-50826)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()
Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose()
with a subdev state of NULL leads to a NULL pointer dereference. This
can currently happen in imgu_subdev_set_selection() when the state
passed in is NULL, as this method first gets pointers to both the "try"
and "active" states and only then decides which to use.
The same issue has been addressed for imgu_subdev_get_selection() with
commit 30d03a0de650 ("ipu3-imgu: Fix NULL pointer dereference in active
selection access"). However the issue still persists in
imgu_subdev_set_selection().
Therefore, apply a similar fix as done in the aforementioned commit to
imgu_subdev_set_selection(). To keep things a bit cleaner, introduce
helper functions for "crop" and "compose" access and use them in both
imgu_subdev_set_selection() and imgu_subdev_get_selection().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 , < fa6bbb4894b9b947063c6ff90018a954c5f9f4b3
(git)
Affected: 0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 , < 611d617bdb6c5d636a9861ec1c98e813fc8a5556 (git) Affected: 0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 , < 5038ee677606106c91564f9c4557d808d14bad70 (git) Affected: 0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 , < dc608edf7d45ba0c2ad14c06eccd66474fec7847 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/ipu3/ipu3-v4l2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa6bbb4894b9b947063c6ff90018a954c5f9f4b3",
"status": "affected",
"version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9",
"versionType": "git"
},
{
"lessThan": "611d617bdb6c5d636a9861ec1c98e813fc8a5556",
"status": "affected",
"version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9",
"versionType": "git"
},
{
"lessThan": "5038ee677606106c91564f9c4557d808d14bad70",
"status": "affected",
"version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9",
"versionType": "git"
},
{
"lessThan": "dc608edf7d45ba0c2ad14c06eccd66474fec7847",
"status": "affected",
"version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/ipu3/ipu3-v4l2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()\n\nCalling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose()\nwith a subdev state of NULL leads to a NULL pointer dereference. This\ncan currently happen in imgu_subdev_set_selection() when the state\npassed in is NULL, as this method first gets pointers to both the \"try\"\nand \"active\" states and only then decides which to use.\n\nThe same issue has been addressed for imgu_subdev_get_selection() with\ncommit 30d03a0de650 (\"ipu3-imgu: Fix NULL pointer dereference in active\nselection access\"). However the issue still persists in\nimgu_subdev_set_selection().\n\nTherefore, apply a similar fix as done in the aforementioned commit to\nimgu_subdev_set_selection(). To keep things a bit cleaner, introduce\nhelper functions for \"crop\" and \"compose\" access and use them in both\nimgu_subdev_set_selection() and imgu_subdev_get_selection()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:38.950Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa6bbb4894b9b947063c6ff90018a954c5f9f4b3"
},
{
"url": "https://git.kernel.org/stable/c/611d617bdb6c5d636a9861ec1c98e813fc8a5556"
},
{
"url": "https://git.kernel.org/stable/c/5038ee677606106c91564f9c4557d808d14bad70"
},
{
"url": "https://git.kernel.org/stable/c/dc608edf7d45ba0c2ad14c06eccd66474fec7847"
}
],
"title": "ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50826",
"datePublished": "2025-12-30T12:08:38.950Z",
"dateReserved": "2025-12-30T12:06:07.131Z",
"dateUpdated": "2025-12-30T12:08:38.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50886 (GCVE-0-2022-50886)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2025-12-30 12:34
VLAI?
EPSS
Title
mmc: toshsd: fix return value check of mmc_add_host()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: toshsd: fix return value check of mmc_add_host()
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and goto error path which will call
mmc_free_host(), besides, free_irq() also needs be called.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 34ae492f8d172f0bd193c24cad588b35419ea47a
(git)
Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 3329e7b7132ca727263fb0ee214cf52cc6dcaaad (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 4f6cb1c685f9e20a4a9fa565e442f5af4dad70ff (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 3dbb69a0242c31ea4c9eee22b1c41b515fe509a0 (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < aabbedcb6c9a72d12d35dc672e83f0c8064d8a61 (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 6444079767b68b1fbed0e7668081146e80dcb719 (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < 647e370dd0ef7e212d8d014bda748e461eab2e8c (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < bfd77b194c94aefbde4efc30ddf8607dd9244672 (git) Affected: a5eb8bbd66ccf9f169419f9652544aec771b7c57 , < f670744a316ea983113a65313dcd387b5a992444 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/toshsd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34ae492f8d172f0bd193c24cad588b35419ea47a",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "3329e7b7132ca727263fb0ee214cf52cc6dcaaad",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "4f6cb1c685f9e20a4a9fa565e442f5af4dad70ff",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "3dbb69a0242c31ea4c9eee22b1c41b515fe509a0",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "aabbedcb6c9a72d12d35dc672e83f0c8064d8a61",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "6444079767b68b1fbed0e7668081146e80dcb719",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "647e370dd0ef7e212d8d014bda748e461eab2e8c",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "bfd77b194c94aefbde4efc30ddf8607dd9244672",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
},
{
"lessThan": "f670744a316ea983113a65313dcd387b5a992444",
"status": "affected",
"version": "a5eb8bbd66ccf9f169419f9652544aec771b7c57",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/toshsd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: toshsd: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and goto error path which will call\nmmc_free_host(), besides, free_irq() also needs be called."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:34:12.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34ae492f8d172f0bd193c24cad588b35419ea47a"
},
{
"url": "https://git.kernel.org/stable/c/3329e7b7132ca727263fb0ee214cf52cc6dcaaad"
},
{
"url": "https://git.kernel.org/stable/c/4f6cb1c685f9e20a4a9fa565e442f5af4dad70ff"
},
{
"url": "https://git.kernel.org/stable/c/3dbb69a0242c31ea4c9eee22b1c41b515fe509a0"
},
{
"url": "https://git.kernel.org/stable/c/aabbedcb6c9a72d12d35dc672e83f0c8064d8a61"
},
{
"url": "https://git.kernel.org/stable/c/6444079767b68b1fbed0e7668081146e80dcb719"
},
{
"url": "https://git.kernel.org/stable/c/647e370dd0ef7e212d8d014bda748e461eab2e8c"
},
{
"url": "https://git.kernel.org/stable/c/bfd77b194c94aefbde4efc30ddf8607dd9244672"
},
{
"url": "https://git.kernel.org/stable/c/f670744a316ea983113a65313dcd387b5a992444"
}
],
"title": "mmc: toshsd: fix return value check of mmc_add_host()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50886",
"datePublished": "2025-12-30T12:34:12.782Z",
"dateReserved": "2025-12-30T12:26:05.425Z",
"dateUpdated": "2025-12-30T12:34:12.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50614 (GCVE-0-2022-50614)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16
VLAI?
EPSS
Title
misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic
The dma_map_single() doesn't permit zero length mapping. It causes a follow
panic.
A panic was reported on arm64:
[ 60.137988] ------------[ cut here ]------------
[ 60.142630] kernel BUG at kernel/dma/swiotlb.c:624!
[ 60.147508] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[ 60.152992] Modules linked in: dw_hdmi_cec crct10dif_ce simple_bridge rcar_fdp1 vsp1 rcar_vin videobuf2_vmalloc rcar_csi2 v4l
2_mem2mem videobuf2_dma_contig videobuf2_memops pci_endpoint_test videobuf2_v4l2 videobuf2_common rcar_fcp v4l2_fwnode v4l2_asyn
c videodev mc gpio_bd9571mwv max9611 pwm_rcar ccree at24 authenc libdes phy_rcar_gen3_usb3 usb_dmac display_connector pwm_bl
[ 60.186252] CPU: 0 PID: 508 Comm: pcitest Not tainted 6.0.0-rc1rpci-dev+ #237
[ 60.193387] Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT)
[ 60.201302] pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 60.208263] pc : swiotlb_tbl_map_single+0x2c0/0x590
[ 60.213149] lr : swiotlb_map+0x88/0x1f0
[ 60.216982] sp : ffff80000a883bc0
[ 60.220292] x29: ffff80000a883bc0 x28: 0000000000000000 x27: 0000000000000000
[ 60.227430] x26: 0000000000000000 x25: ffff0004c0da20d0 x24: ffff80000a1f77c0
[ 60.234567] x23: 0000000000000002 x22: 0001000040000010 x21: 000000007a000000
[ 60.241703] x20: 0000000000200000 x19: 0000000000000000 x18: 0000000000000000
[ 60.248840] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0006ff7b9180
[ 60.255977] x14: ffff0006ff7b9180 x13: 0000000000000000 x12: 0000000000000000
[ 60.263113] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
[ 60.270249] x8 : 0001000000000010 x7 : ffff0004c6754b20 x6 : 0000000000000000
[ 60.277385] x5 : ffff0004c0da2090 x4 : 0000000000000000 x3 : 0000000000000001
[ 60.284521] x2 : 0000000040000000 x1 : 0000000000000000 x0 : 0000000040000010
[ 60.291658] Call trace:
[ 60.294100] swiotlb_tbl_map_single+0x2c0/0x590
[ 60.298629] swiotlb_map+0x88/0x1f0
[ 60.302115] dma_map_page_attrs+0x188/0x230
[ 60.306299] pci_endpoint_test_ioctl+0x5e4/0xd90 [pci_endpoint_test]
[ 60.312660] __arm64_sys_ioctl+0xa8/0xf0
[ 60.316583] invoke_syscall+0x44/0x108
[ 60.320334] el0_svc_common.constprop.0+0xcc/0xf0
[ 60.325038] do_el0_svc+0x2c/0xb8
[ 60.328351] el0_svc+0x2c/0x88
[ 60.331406] el0t_64_sync_handler+0xb8/0xc0
[ 60.335587] el0t_64_sync+0x18c/0x190
[ 60.339251] Code: 52800013 d2e00414 35fff45c d503201f (d4210000)
[ 60.345344] ---[ end trace 0000000000000000 ]---
To fix it, this patch adds a checking the payload length if it is zero.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
343dc693f7b79885197f9d37dd8b711b0e3ffc8f , < 0df206bdc6204b758585bbe159a55e23e7917b13
(git)
Affected: 343dc693f7b79885197f9d37dd8b711b0e3ffc8f , < e5ebcbb4f967af2083d409271aaf7c7d8351603f (git) Affected: 343dc693f7b79885197f9d37dd8b711b0e3ffc8f , < 279116cb0bc5cd8af65d6a00ffe074bd09842f88 (git) Affected: 343dc693f7b79885197f9d37dd8b711b0e3ffc8f , < 6c01739c2aba19553beb20491b05515af9246f0f (git) Affected: 343dc693f7b79885197f9d37dd8b711b0e3ffc8f , < 8e30538eca016de8e252bef174beadecd64239f0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/pci_endpoint_test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0df206bdc6204b758585bbe159a55e23e7917b13",
"status": "affected",
"version": "343dc693f7b79885197f9d37dd8b711b0e3ffc8f",
"versionType": "git"
},
{
"lessThan": "e5ebcbb4f967af2083d409271aaf7c7d8351603f",
"status": "affected",
"version": "343dc693f7b79885197f9d37dd8b711b0e3ffc8f",
"versionType": "git"
},
{
"lessThan": "279116cb0bc5cd8af65d6a00ffe074bd09842f88",
"status": "affected",
"version": "343dc693f7b79885197f9d37dd8b711b0e3ffc8f",
"versionType": "git"
},
{
"lessThan": "6c01739c2aba19553beb20491b05515af9246f0f",
"status": "affected",
"version": "343dc693f7b79885197f9d37dd8b711b0e3ffc8f",
"versionType": "git"
},
{
"lessThan": "8e30538eca016de8e252bef174beadecd64239f0",
"status": "affected",
"version": "343dc693f7b79885197f9d37dd8b711b0e3ffc8f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/pci_endpoint_test.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.148",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.74",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.16",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.2",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic\n\nThe dma_map_single() doesn\u0027t permit zero length mapping. It causes a follow\npanic.\n\nA panic was reported on arm64:\n\n[ 60.137988] ------------[ cut here ]------------\n[ 60.142630] kernel BUG at kernel/dma/swiotlb.c:624!\n[ 60.147508] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP\n[ 60.152992] Modules linked in: dw_hdmi_cec crct10dif_ce simple_bridge rcar_fdp1 vsp1 rcar_vin videobuf2_vmalloc rcar_csi2 v4l\n2_mem2mem videobuf2_dma_contig videobuf2_memops pci_endpoint_test videobuf2_v4l2 videobuf2_common rcar_fcp v4l2_fwnode v4l2_asyn\nc videodev mc gpio_bd9571mwv max9611 pwm_rcar ccree at24 authenc libdes phy_rcar_gen3_usb3 usb_dmac display_connector pwm_bl\n[ 60.186252] CPU: 0 PID: 508 Comm: pcitest Not tainted 6.0.0-rc1rpci-dev+ #237\n[ 60.193387] Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT)\n[ 60.201302] pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 60.208263] pc : swiotlb_tbl_map_single+0x2c0/0x590\n[ 60.213149] lr : swiotlb_map+0x88/0x1f0\n[ 60.216982] sp : ffff80000a883bc0\n[ 60.220292] x29: ffff80000a883bc0 x28: 0000000000000000 x27: 0000000000000000\n[ 60.227430] x26: 0000000000000000 x25: ffff0004c0da20d0 x24: ffff80000a1f77c0\n[ 60.234567] x23: 0000000000000002 x22: 0001000040000010 x21: 000000007a000000\n[ 60.241703] x20: 0000000000200000 x19: 0000000000000000 x18: 0000000000000000\n[ 60.248840] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0006ff7b9180\n[ 60.255977] x14: ffff0006ff7b9180 x13: 0000000000000000 x12: 0000000000000000\n[ 60.263113] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n[ 60.270249] x8 : 0001000000000010 x7 : ffff0004c6754b20 x6 : 0000000000000000\n[ 60.277385] x5 : ffff0004c0da2090 x4 : 0000000000000000 x3 : 0000000000000001\n[ 60.284521] x2 : 0000000040000000 x1 : 0000000000000000 x0 : 0000000040000010\n[ 60.291658] Call trace:\n[ 60.294100] swiotlb_tbl_map_single+0x2c0/0x590\n[ 60.298629] swiotlb_map+0x88/0x1f0\n[ 60.302115] dma_map_page_attrs+0x188/0x230\n[ 60.306299] pci_endpoint_test_ioctl+0x5e4/0xd90 [pci_endpoint_test]\n[ 60.312660] __arm64_sys_ioctl+0xa8/0xf0\n[ 60.316583] invoke_syscall+0x44/0x108\n[ 60.320334] el0_svc_common.constprop.0+0xcc/0xf0\n[ 60.325038] do_el0_svc+0x2c/0xb8\n[ 60.328351] el0_svc+0x2c/0x88\n[ 60.331406] el0t_64_sync_handler+0xb8/0xc0\n[ 60.335587] el0t_64_sync+0x18c/0x190\n[ 60.339251] Code: 52800013 d2e00414 35fff45c d503201f (d4210000)\n[ 60.345344] ---[ end trace 0000000000000000 ]---\n\nTo fix it, this patch adds a checking the payload length if it is zero."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:16:26.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0df206bdc6204b758585bbe159a55e23e7917b13"
},
{
"url": "https://git.kernel.org/stable/c/e5ebcbb4f967af2083d409271aaf7c7d8351603f"
},
{
"url": "https://git.kernel.org/stable/c/279116cb0bc5cd8af65d6a00ffe074bd09842f88"
},
{
"url": "https://git.kernel.org/stable/c/6c01739c2aba19553beb20491b05515af9246f0f"
},
{
"url": "https://git.kernel.org/stable/c/8e30538eca016de8e252bef174beadecd64239f0"
}
],
"title": "misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50614",
"datePublished": "2025-12-08T01:16:26.689Z",
"dateReserved": "2025-12-08T01:14:55.188Z",
"dateUpdated": "2025-12-08T01:16:26.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54106 (GCVE-0-2023-54106)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
net/mlx5: fix potential memory leak in mlx5e_init_rep_rx
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: fix potential memory leak in mlx5e_init_rep_rx
The memory pointed to by the priv->rx_res pointer is not freed in the error
path of mlx5e_init_rep_rx, which can lead to a memory leak. Fix by freeing
the memory in the error path, thereby making the error path identical to
mlx5e_cleanup_rep_rx().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
af8bbf7300686961f74e72e2dc10a76672603cb3 , < 0582a3caaa3e2f7b80bcb113ad3c910eac15a63e
(git)
Affected: af8bbf7300686961f74e72e2dc10a76672603cb3 , < c265d8c2e25546a6b7ee16d36f2bb79b6160c2c3 (git) Affected: af8bbf7300686961f74e72e2dc10a76672603cb3 , < c6cf0b6097bf1bf1b2a89b521e9ecd26b581a93a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0582a3caaa3e2f7b80bcb113ad3c910eac15a63e",
"status": "affected",
"version": "af8bbf7300686961f74e72e2dc10a76672603cb3",
"versionType": "git"
},
{
"lessThan": "c265d8c2e25546a6b7ee16d36f2bb79b6160c2c3",
"status": "affected",
"version": "af8bbf7300686961f74e72e2dc10a76672603cb3",
"versionType": "git"
},
{
"lessThan": "c6cf0b6097bf1bf1b2a89b521e9ecd26b581a93a",
"status": "affected",
"version": "af8bbf7300686961f74e72e2dc10a76672603cb3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fix potential memory leak in mlx5e_init_rep_rx\n\nThe memory pointed to by the priv-\u003erx_res pointer is not freed in the error\npath of mlx5e_init_rep_rx, which can lead to a memory leak. Fix by freeing\nthe memory in the error path, thereby making the error path identical to\nmlx5e_cleanup_rep_rx()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:30.829Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0582a3caaa3e2f7b80bcb113ad3c910eac15a63e"
},
{
"url": "https://git.kernel.org/stable/c/c265d8c2e25546a6b7ee16d36f2bb79b6160c2c3"
},
{
"url": "https://git.kernel.org/stable/c/c6cf0b6097bf1bf1b2a89b521e9ecd26b581a93a"
}
],
"title": "net/mlx5: fix potential memory leak in mlx5e_init_rep_rx",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54106",
"datePublished": "2025-12-24T13:06:30.829Z",
"dateReserved": "2025-12-24T13:02:52.517Z",
"dateUpdated": "2025-12-24T13:06:30.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54149 (GCVE-0-2023-54149)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:07 – Updated: 2025-12-24 13:07
VLAI?
EPSS
Title
net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses
When using the felix driver (the only one which supports UC filtering
and MC filtering) as a DSA master for a random other DSA switch, one can
see the following stack trace when the downstream switch ports join a
VLAN-aware bridge:
=============================
WARNING: suspicious RCU usage
-----------------------------
net/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage!
stack backtrace:
Workqueue: dsa_ordered dsa_slave_switchdev_event_work
Call trace:
lockdep_rcu_suspicious+0x170/0x210
vlan_for_each+0x8c/0x188
dsa_slave_sync_uc+0x128/0x178
__hw_addr_sync_dev+0x138/0x158
dsa_slave_set_rx_mode+0x58/0x70
__dev_set_rx_mode+0x88/0xa8
dev_uc_add+0x74/0xa0
dsa_port_bridge_host_fdb_add+0xec/0x180
dsa_slave_switchdev_event_work+0x7c/0x1c8
process_one_work+0x290/0x568
What it's saying is that vlan_for_each() expects rtnl_lock() context and
it's not getting it, when it's called from the DSA master's ndo_set_rx_mode().
The caller of that - dsa_slave_set_rx_mode() - is the slave DSA
interface's dsa_port_bridge_host_fdb_add() which comes from the deferred
dsa_slave_switchdev_event_work().
We went to great lengths to avoid the rtnl_lock() context in that call
path in commit 0faf890fc519 ("net: dsa: drop rtnl_lock from
dsa_slave_switchdev_event_work"), and calling rtnl_lock() is simply not
an option due to the possibility of deadlocking when calling
dsa_flush_workqueue() from the call paths that do hold rtnl_lock() -
basically all of them.
So, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(),
the state of the 8021q driver on this device is really not protected
from concurrent access by anything.
Looking at net/8021q/, I don't think that vlan_info->vid_list was
particularly designed with RCU traversal in mind, so introducing an RCU
read-side form of vlan_for_each() - vlan_for_each_rcu() - won't be so
easy, and it also wouldn't be exactly what we need anyway.
In general I believe that the solution isn't in net/8021q/ anyway;
vlan_for_each() is not cut out for this task. DSA doesn't need rtnl_lock()
to be held per se - since it's not a netdev state change that we're
blocking, but rather, just concurrent additions/removals to a VLAN list.
We don't even need sleepable context - the callback of vlan_for_each()
just schedules deferred work.
The proposed escape is to remove the dependency on vlan_for_each() and
to open-code a non-sleepable, rtnl-free alternative to that, based on
copies of the VLAN list modified from .ndo_vlan_rx_add_vid() and
.ndo_vlan_rx_kill_vid().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
64fdc5f341db01200e33105265d4b8450122a82e , < 3948c69b3837fec2ee5a90fbc911c343199be0ac
(git)
Affected: 64fdc5f341db01200e33105265d4b8450122a82e , < 3f9e79f31e51b7d5bf95c617540deb6cf2816a3f (git) Affected: 64fdc5f341db01200e33105265d4b8450122a82e , < d06f925f13976ab82167c93467c70a337a0a3cda (git) Affected: 2daf967a24334865e51520e55190a646dd480cd7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/dsa.h",
"net/dsa/dsa.c",
"net/dsa/slave.c",
"net/dsa/switch.c",
"net/dsa/switch.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3948c69b3837fec2ee5a90fbc911c343199be0ac",
"status": "affected",
"version": "64fdc5f341db01200e33105265d4b8450122a82e",
"versionType": "git"
},
{
"lessThan": "3f9e79f31e51b7d5bf95c617540deb6cf2816a3f",
"status": "affected",
"version": "64fdc5f341db01200e33105265d4b8450122a82e",
"versionType": "git"
},
{
"lessThan": "d06f925f13976ab82167c93467c70a337a0a3cda",
"status": "affected",
"version": "64fdc5f341db01200e33105265d4b8450122a82e",
"versionType": "git"
},
{
"status": "affected",
"version": "2daf967a24334865e51520e55190a646dd480cd7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/dsa.h",
"net/dsa/dsa.c",
"net/dsa/slave.c",
"net/dsa/switch.c",
"net/dsa/switch.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses\n\nWhen using the felix driver (the only one which supports UC filtering\nand MC filtering) as a DSA master for a random other DSA switch, one can\nsee the following stack trace when the downstream switch ports join a\nVLAN-aware bridge:\n\n=============================\nWARNING: suspicious RCU usage\n-----------------------------\nnet/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage!\n\nstack backtrace:\nWorkqueue: dsa_ordered dsa_slave_switchdev_event_work\nCall trace:\n lockdep_rcu_suspicious+0x170/0x210\n vlan_for_each+0x8c/0x188\n dsa_slave_sync_uc+0x128/0x178\n __hw_addr_sync_dev+0x138/0x158\n dsa_slave_set_rx_mode+0x58/0x70\n __dev_set_rx_mode+0x88/0xa8\n dev_uc_add+0x74/0xa0\n dsa_port_bridge_host_fdb_add+0xec/0x180\n dsa_slave_switchdev_event_work+0x7c/0x1c8\n process_one_work+0x290/0x568\n\nWhat it\u0027s saying is that vlan_for_each() expects rtnl_lock() context and\nit\u0027s not getting it, when it\u0027s called from the DSA master\u0027s ndo_set_rx_mode().\n\nThe caller of that - dsa_slave_set_rx_mode() - is the slave DSA\ninterface\u0027s dsa_port_bridge_host_fdb_add() which comes from the deferred\ndsa_slave_switchdev_event_work().\n\nWe went to great lengths to avoid the rtnl_lock() context in that call\npath in commit 0faf890fc519 (\"net: dsa: drop rtnl_lock from\ndsa_slave_switchdev_event_work\"), and calling rtnl_lock() is simply not\nan option due to the possibility of deadlocking when calling\ndsa_flush_workqueue() from the call paths that do hold rtnl_lock() -\nbasically all of them.\n\nSo, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(),\nthe state of the 8021q driver on this device is really not protected\nfrom concurrent access by anything.\n\nLooking at net/8021q/, I don\u0027t think that vlan_info-\u003evid_list was\nparticularly designed with RCU traversal in mind, so introducing an RCU\nread-side form of vlan_for_each() - vlan_for_each_rcu() - won\u0027t be so\neasy, and it also wouldn\u0027t be exactly what we need anyway.\n\nIn general I believe that the solution isn\u0027t in net/8021q/ anyway;\nvlan_for_each() is not cut out for this task. DSA doesn\u0027t need rtnl_lock()\nto be held per se - since it\u0027s not a netdev state change that we\u0027re\nblocking, but rather, just concurrent additions/removals to a VLAN list.\nWe don\u0027t even need sleepable context - the callback of vlan_for_each()\njust schedules deferred work.\n\nThe proposed escape is to remove the dependency on vlan_for_each() and\nto open-code a non-sleepable, rtnl-free alternative to that, based on\ncopies of the VLAN list modified from .ndo_vlan_rx_add_vid() and\n.ndo_vlan_rx_kill_vid()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:07:00.977Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3948c69b3837fec2ee5a90fbc911c343199be0ac"
},
{
"url": "https://git.kernel.org/stable/c/3f9e79f31e51b7d5bf95c617540deb6cf2816a3f"
},
{
"url": "https://git.kernel.org/stable/c/d06f925f13976ab82167c93467c70a337a0a3cda"
}
],
"title": "net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54149",
"datePublished": "2025-12-24T13:07:00.977Z",
"dateReserved": "2025-12-24T13:02:52.528Z",
"dateUpdated": "2025-12-24T13:07:00.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54053 (GCVE-0-2023-54053)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
wifi: iwlwifi: pcie: fix possible NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: pcie: fix possible NULL pointer dereference
It is possible that iwl_pci_probe() will fail and free the trans,
then afterwards iwl_pci_remove() will be called and crash by trying
to access trans which is already freed, fix it.
iwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2
wfpm id 0xa5a5a5a2
iwlwifi 0000:01:00.0: Can't find a correct rfid for crf id 0x5a2
...
BUG: kernel NULL pointer dereference, address: 0000000000000028
...
RIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi]
pci_device_remove+0x3e/0xb0
device_release_driver_internal+0x103/0x1f0
driver_detach+0x4c/0x90
bus_remove_driver+0x5c/0xd0
driver_unregister+0x31/0x50
pci_unregister_driver+0x40/0x90
iwl_pci_unregister_driver+0x15/0x20 [iwlwifi]
__exit_compat+0x9/0x98 [iwlwifi]
__x64_sys_delete_module+0x147/0x260
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
809805a820c6445f7a701ded24fdc6bbc841d1e4 , < f6f2d16c77f936041b8ac495fceabded4ec6c83c
(git)
Affected: 809805a820c6445f7a701ded24fdc6bbc841d1e4 , < 0fc0d287c1e7dcb39a3b9bb0f8679cd68c2156c7 (git) Affected: 809805a820c6445f7a701ded24fdc6bbc841d1e4 , < 7545f21eee1356ec98581125c4dba9c4c0cc7397 (git) Affected: 809805a820c6445f7a701ded24fdc6bbc841d1e4 , < 0f9a1bcb94016d3a3c455a77b01f6bb06e15f6eb (git) Affected: 809805a820c6445f7a701ded24fdc6bbc841d1e4 , < dcd23aa6cc0ded7950b60ce1badb80b84045c6c0 (git) Affected: 809805a820c6445f7a701ded24fdc6bbc841d1e4 , < b655b9a9f8467684cfa8906713d33b71ea8c8f54 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/pcie/drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6f2d16c77f936041b8ac495fceabded4ec6c83c",
"status": "affected",
"version": "809805a820c6445f7a701ded24fdc6bbc841d1e4",
"versionType": "git"
},
{
"lessThan": "0fc0d287c1e7dcb39a3b9bb0f8679cd68c2156c7",
"status": "affected",
"version": "809805a820c6445f7a701ded24fdc6bbc841d1e4",
"versionType": "git"
},
{
"lessThan": "7545f21eee1356ec98581125c4dba9c4c0cc7397",
"status": "affected",
"version": "809805a820c6445f7a701ded24fdc6bbc841d1e4",
"versionType": "git"
},
{
"lessThan": "0f9a1bcb94016d3a3c455a77b01f6bb06e15f6eb",
"status": "affected",
"version": "809805a820c6445f7a701ded24fdc6bbc841d1e4",
"versionType": "git"
},
{
"lessThan": "dcd23aa6cc0ded7950b60ce1badb80b84045c6c0",
"status": "affected",
"version": "809805a820c6445f7a701ded24fdc6bbc841d1e4",
"versionType": "git"
},
{
"lessThan": "b655b9a9f8467684cfa8906713d33b71ea8c8f54",
"status": "affected",
"version": "809805a820c6445f7a701ded24fdc6bbc841d1e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/intel/iwlwifi/pcie/drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: pcie: fix possible NULL pointer dereference\n\nIt is possible that iwl_pci_probe() will fail and free the trans,\nthen afterwards iwl_pci_remove() will be called and crash by trying\nto access trans which is already freed, fix it.\n\niwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2\n\t\t wfpm id 0xa5a5a5a2\niwlwifi 0000:01:00.0: Can\u0027t find a correct rfid for crf id 0x5a2\n...\nBUG: kernel NULL pointer dereference, address: 0000000000000028\n...\nRIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi]\npci_device_remove+0x3e/0xb0\ndevice_release_driver_internal+0x103/0x1f0\ndriver_detach+0x4c/0x90\nbus_remove_driver+0x5c/0xd0\ndriver_unregister+0x31/0x50\npci_unregister_driver+0x40/0x90\niwl_pci_unregister_driver+0x15/0x20 [iwlwifi]\n__exit_compat+0x9/0x98 [iwlwifi]\n__x64_sys_delete_module+0x147/0x260"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:35.583Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6f2d16c77f936041b8ac495fceabded4ec6c83c"
},
{
"url": "https://git.kernel.org/stable/c/0fc0d287c1e7dcb39a3b9bb0f8679cd68c2156c7"
},
{
"url": "https://git.kernel.org/stable/c/7545f21eee1356ec98581125c4dba9c4c0cc7397"
},
{
"url": "https://git.kernel.org/stable/c/0f9a1bcb94016d3a3c455a77b01f6bb06e15f6eb"
},
{
"url": "https://git.kernel.org/stable/c/dcd23aa6cc0ded7950b60ce1badb80b84045c6c0"
},
{
"url": "https://git.kernel.org/stable/c/b655b9a9f8467684cfa8906713d33b71ea8c8f54"
}
],
"title": "wifi: iwlwifi: pcie: fix possible NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54053",
"datePublished": "2025-12-24T12:23:02.498Z",
"dateReserved": "2025-12-24T12:21:05.090Z",
"dateUpdated": "2026-01-05T10:33:35.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40075 (GCVE-0-2025-40075)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-18 13:37
VLAI?
EPSS
Title
tcp_metrics: use dst_dev_net_rcu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp_metrics: use dst_dev_net_rcu()
Replace three dst_dev() with a lockdep enabled helper.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 4b89397807eb04986427c4786d065e9442834ad4
(git)
Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 07613a95326ebad2d1b88d883cd72546025a4f3e (git) Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 50c127a69cd6285300931853b352a1918cfa180f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_metrics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b89397807eb04986427c4786d065e9442834ad4",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "07613a95326ebad2d1b88d883cd72546025a4f3e",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "50c127a69cd6285300931853b352a1918cfa180f",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_metrics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_metrics: use dst_dev_net_rcu()\n\nReplace three dst_dev() with a lockdep enabled helper."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T13:37:18.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b89397807eb04986427c4786d065e9442834ad4"
},
{
"url": "https://git.kernel.org/stable/c/07613a95326ebad2d1b88d883cd72546025a4f3e"
},
{
"url": "https://git.kernel.org/stable/c/50c127a69cd6285300931853b352a1918cfa180f"
}
],
"title": "tcp_metrics: use dst_dev_net_rcu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40075",
"datePublished": "2025-10-28T11:48:41.791Z",
"dateReserved": "2025-04-16T07:20:57.160Z",
"dateUpdated": "2025-12-18T13:37:18.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50849 (GCVE-0-2022-50849)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
Summary
In the Linux kernel, the following vulnerability has been resolved:
pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
An oops can be induced by running 'cat /proc/kcore > /dev/null' on
devices using pstore with the ram backend because kmap_atomic() assumes
lowmem pages are accessible with __va().
Unable to handle kernel paging request at virtual address ffffff807ff2b000
Mem abort info:
ESR = 0x96000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000
[ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in: dm_integrity
CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba
Hardware name: Google Lazor (rev3 - 8) (DT)
pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __memcpy+0x110/0x260
lr : vread+0x194/0x294
sp : ffffffc013ee39d0
x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000
x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000
x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000
x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60
x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001
x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b
x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78
x2 : 0000000000001000 x1 : ffffff807ff2b000 x0 : ffffff802d4b3000
Call trace:
__memcpy+0x110/0x260
read_kcore+0x584/0x778
proc_reg_read+0xb4/0xe4
During early boot, memblock reserves the pages for the ramoops reserved
memory node in DT that would otherwise be part of the direct lowmem
mapping. Pstore's ram backend reuses those reserved pages to change the
memory type (writeback or non-cached) by passing the pages to vmap()
(see pfn_to_page() usage in persistent_ram_vmap() for more details) with
specific flags. When read_kcore() starts iterating over the vmalloc
region, it runs over the virtual address that vmap() returned for
ramoops. In aligned_vread() the virtual address is passed to
vmalloc_to_page() which returns the page struct for the reserved lowmem
area. That lowmem page is passed to kmap_atomic(), which effectively
calls page_to_virt() that assumes a lowmem page struct must be directly
accessible with __va() and friends. These pages are mapped via vmap()
though, and the lowmem mapping was never made, so accessing them via the
lowmem virtual address oopses like above.
Let's side-step this problem by passing VM_IOREMAP to vmap(). This will
tell vread() to not include the ramoops region in the kcore. Instead the
area will look like a bunch of zeros. The alternative is to teach kmap()
about vmalloc areas that intersect with lowmem. Presumably such a change
isn't a one-liner, and there isn't much interest in inspecting the
ramoops region in kcore files anyway, so the most expedient route is
taken for now.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
404a6043385de17273624b076599669db5ad891f , < 1579bed1613802a323a1e14567faa95c149e105e
(git)
Affected: 404a6043385de17273624b076599669db5ad891f , < fdebcc33b663d2e8da937653ddfbfc1315047eaa (git) Affected: 404a6043385de17273624b076599669db5ad891f , < 6d9460214e363e1f3d0756ee5d947e76e3e6f86c (git) Affected: 404a6043385de17273624b076599669db5ad891f , < 4d3126f242a0090342ffe925c35fb4f4252b7562 (git) Affected: 404a6043385de17273624b076599669db5ad891f , < 295f59cd2cdeed841850d02dddde3a122cbf6fc6 (git) Affected: 404a6043385de17273624b076599669db5ad891f , < ebc73c4f266281e2cad1a372ecd81572d95375b6 (git) Affected: 404a6043385de17273624b076599669db5ad891f , < 69dbff7d2681c55a4d979fd9b75576303e69979f (git) Affected: 404a6043385de17273624b076599669db5ad891f , < 2f82381d0681b10f9ddd27be98c27363b5a3cd1c (git) Affected: 404a6043385de17273624b076599669db5ad891f , < e6b842741b4f39007215fd7e545cb55aa3d358a2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1579bed1613802a323a1e14567faa95c149e105e",
"status": "affected",
"version": "404a6043385de17273624b076599669db5ad891f",
"versionType": "git"
},
{
"lessThan": "fdebcc33b663d2e8da937653ddfbfc1315047eaa",
"status": "affected",
"version": "404a6043385de17273624b076599669db5ad891f",
"versionType": "git"
},
{
"lessThan": "6d9460214e363e1f3d0756ee5d947e76e3e6f86c",
"status": "affected",
"version": "404a6043385de17273624b076599669db5ad891f",
"versionType": "git"
},
{
"lessThan": "4d3126f242a0090342ffe925c35fb4f4252b7562",
"status": "affected",
"version": "404a6043385de17273624b076599669db5ad891f",
"versionType": "git"
},
{
"lessThan": "295f59cd2cdeed841850d02dddde3a122cbf6fc6",
"status": "affected",
"version": "404a6043385de17273624b076599669db5ad891f",
"versionType": "git"
},
{
"lessThan": "ebc73c4f266281e2cad1a372ecd81572d95375b6",
"status": "affected",
"version": "404a6043385de17273624b076599669db5ad891f",
"versionType": "git"
},
{
"lessThan": "69dbff7d2681c55a4d979fd9b75576303e69979f",
"status": "affected",
"version": "404a6043385de17273624b076599669db5ad891f",
"versionType": "git"
},
{
"lessThan": "2f82381d0681b10f9ddd27be98c27363b5a3cd1c",
"status": "affected",
"version": "404a6043385de17273624b076599669db5ad891f",
"versionType": "git"
},
{
"lessThan": "e6b842741b4f39007215fd7e545cb55aa3d358a2",
"status": "affected",
"version": "404a6043385de17273624b076599669db5ad891f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: Avoid kcore oops by vmap()ing with VM_IOREMAP\n\nAn oops can be induced by running \u0027cat /proc/kcore \u003e /dev/null\u0027 on\ndevices using pstore with the ram backend because kmap_atomic() assumes\nlowmem pages are accessible with __va().\n\n Unable to handle kernel paging request at virtual address ffffff807ff2b000\n Mem abort info:\n ESR = 0x96000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x06: level 2 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000006\n CM = 0, WnR = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000\n [ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000\n Internal error: Oops: 96000006 [#1] PREEMPT SMP\n Modules linked in: dm_integrity\n CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba\n Hardware name: Google Lazor (rev3 - 8) (DT)\n pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __memcpy+0x110/0x260\n lr : vread+0x194/0x294\n sp : ffffffc013ee39d0\n x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000\n x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000\n x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000\n x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60\n x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001\n x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b\n x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000\n x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78\n x2 : 0000000000001000 x1 : ffffff807ff2b000 x0 : ffffff802d4b3000\n Call trace:\n __memcpy+0x110/0x260\n read_kcore+0x584/0x778\n proc_reg_read+0xb4/0xe4\n\nDuring early boot, memblock reserves the pages for the ramoops reserved\nmemory node in DT that would otherwise be part of the direct lowmem\nmapping. Pstore\u0027s ram backend reuses those reserved pages to change the\nmemory type (writeback or non-cached) by passing the pages to vmap()\n(see pfn_to_page() usage in persistent_ram_vmap() for more details) with\nspecific flags. When read_kcore() starts iterating over the vmalloc\nregion, it runs over the virtual address that vmap() returned for\nramoops. In aligned_vread() the virtual address is passed to\nvmalloc_to_page() which returns the page struct for the reserved lowmem\narea. That lowmem page is passed to kmap_atomic(), which effectively\ncalls page_to_virt() that assumes a lowmem page struct must be directly\naccessible with __va() and friends. These pages are mapped via vmap()\nthough, and the lowmem mapping was never made, so accessing them via the\nlowmem virtual address oopses like above.\n\nLet\u0027s side-step this problem by passing VM_IOREMAP to vmap(). This will\ntell vread() to not include the ramoops region in the kcore. Instead the\narea will look like a bunch of zeros. The alternative is to teach kmap()\nabout vmalloc areas that intersect with lowmem. Presumably such a change\nisn\u0027t a one-liner, and there isn\u0027t much interest in inspecting the\nramoops region in kcore files anyway, so the most expedient route is\ntaken for now."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:26.431Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1579bed1613802a323a1e14567faa95c149e105e"
},
{
"url": "https://git.kernel.org/stable/c/fdebcc33b663d2e8da937653ddfbfc1315047eaa"
},
{
"url": "https://git.kernel.org/stable/c/6d9460214e363e1f3d0756ee5d947e76e3e6f86c"
},
{
"url": "https://git.kernel.org/stable/c/4d3126f242a0090342ffe925c35fb4f4252b7562"
},
{
"url": "https://git.kernel.org/stable/c/295f59cd2cdeed841850d02dddde3a122cbf6fc6"
},
{
"url": "https://git.kernel.org/stable/c/ebc73c4f266281e2cad1a372ecd81572d95375b6"
},
{
"url": "https://git.kernel.org/stable/c/69dbff7d2681c55a4d979fd9b75576303e69979f"
},
{
"url": "https://git.kernel.org/stable/c/2f82381d0681b10f9ddd27be98c27363b5a3cd1c"
},
{
"url": "https://git.kernel.org/stable/c/e6b842741b4f39007215fd7e545cb55aa3d358a2"
}
],
"title": "pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50849",
"datePublished": "2025-12-30T12:15:26.431Z",
"dateReserved": "2025-12-30T12:06:07.134Z",
"dateUpdated": "2025-12-30T12:15:26.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38321 (GCVE-0-2025-38321)
Vulnerability from cvelistv5 – Published: 2025-07-10 08:14 – Updated: 2026-01-02 15:30
VLAI?
EPSS
Title
smb: Log an error when close_all_cached_dirs fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: Log an error when close_all_cached_dirs fails
Under low-memory conditions, close_all_cached_dirs() can't move the
dentries to a separate list to dput() them once the locks are dropped.
This will result in a "Dentry still in use" error, so add an error
message that makes it clear this is what happened:
[ 495.281119] CIFS: VFS: \\otters.example.com\share Out of memory while dropping dentries
[ 495.281595] ------------[ cut here ]------------
[ 495.281887] BUG: Dentry ffff888115531138{i=78,n=/} still in use (2) [unmount of cifs cifs]
[ 495.282391] WARNING: CPU: 1 PID: 2329 at fs/dcache.c:1536 umount_check+0xc8/0xf0
Also, bail out of looping through all tcons as soon as a single
allocation fails, since we're already in trouble, and kmalloc() attempts
for subseqeuent tcons are likely to fail just like the first one did.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
73934e535cffbda1490fa97d82690a0f9aa73e94 , < b8ced2b9a23a1a2c1e0ed8d0d02512e51bdf38da
(git)
Affected: 548812afd96982a76a93ba76c0582ea670c40d9e , < 43f26094d6702e494e800532c3f1606e7a68eb30 (git) Affected: 3fa640d035e5ae526769615c35cb9ed4be6e3662 , < 4479db143390bdcadc1561292aab579cdfa9f6c6 (git) Affected: 3fa640d035e5ae526769615c35cb9ed4be6e3662 , < a2182743a8b4969481f64aec4908ff162e8a206c (git) Affected: ff4528bbc82d0d90073751f7b49e7b9e9c7e5638 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8ced2b9a23a1a2c1e0ed8d0d02512e51bdf38da",
"status": "affected",
"version": "73934e535cffbda1490fa97d82690a0f9aa73e94",
"versionType": "git"
},
{
"lessThan": "43f26094d6702e494e800532c3f1606e7a68eb30",
"status": "affected",
"version": "548812afd96982a76a93ba76c0582ea670c40d9e",
"versionType": "git"
},
{
"lessThan": "4479db143390bdcadc1561292aab579cdfa9f6c6",
"status": "affected",
"version": "3fa640d035e5ae526769615c35cb9ed4be6e3662",
"versionType": "git"
},
{
"lessThan": "a2182743a8b4969481f64aec4908ff162e8a206c",
"status": "affected",
"version": "3fa640d035e5ae526769615c35cb9ed4be6e3662",
"versionType": "git"
},
{
"status": "affected",
"version": "ff4528bbc82d0d90073751f7b49e7b9e9c7e5638",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/cached_dir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "6.6.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "6.12.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: Log an error when close_all_cached_dirs fails\n\nUnder low-memory conditions, close_all_cached_dirs() can\u0027t move the\ndentries to a separate list to dput() them once the locks are dropped.\nThis will result in a \"Dentry still in use\" error, so add an error\nmessage that makes it clear this is what happened:\n\n[ 495.281119] CIFS: VFS: \\\\otters.example.com\\share Out of memory while dropping dentries\n[ 495.281595] ------------[ cut here ]------------\n[ 495.281887] BUG: Dentry ffff888115531138{i=78,n=/} still in use (2) [unmount of cifs cifs]\n[ 495.282391] WARNING: CPU: 1 PID: 2329 at fs/dcache.c:1536 umount_check+0xc8/0xf0\n\nAlso, bail out of looping through all tcons as soon as a single\nallocation fails, since we\u0027re already in trouble, and kmalloc() attempts\nfor subseqeuent tcons are likely to fail just like the first one did."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:30:21.661Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8ced2b9a23a1a2c1e0ed8d0d02512e51bdf38da"
},
{
"url": "https://git.kernel.org/stable/c/43f26094d6702e494e800532c3f1606e7a68eb30"
},
{
"url": "https://git.kernel.org/stable/c/4479db143390bdcadc1561292aab579cdfa9f6c6"
},
{
"url": "https://git.kernel.org/stable/c/a2182743a8b4969481f64aec4908ff162e8a206c"
}
],
"title": "smb: Log an error when close_all_cached_dirs fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38321",
"datePublished": "2025-07-10T08:14:57.046Z",
"dateReserved": "2025-04-16T04:51:24.004Z",
"dateUpdated": "2026-01-02T15:30:21.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50718 (GCVE-0-2022-50718)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
drm/amdgpu: fix pci device refcount leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix pci device refcount leak
As comment of pci_get_domain_bus_and_slot() says, it returns
a pci device with refcount increment, when finish using it,
the caller must decrement the reference count by calling
pci_dev_put().
So before returning from amdgpu_device_resume|suspend_display_audio(),
pci_dev_put() is called to avoid refcount leak.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3f12acc8d6d4b2e62fab8f652d7075a859d80b42 , < 3725a8f26bdbc38dfdf545836117f1e069277c91
(git)
Affected: 3f12acc8d6d4b2e62fab8f652d7075a859d80b42 , < 02105f0b3021ee5853b2fa50853c42f35fc01cfd (git) Affected: 3f12acc8d6d4b2e62fab8f652d7075a859d80b42 , < f13661b72a61708cecb06562f8acff068a4f31f7 (git) Affected: 3f12acc8d6d4b2e62fab8f652d7075a859d80b42 , < d7352b410471cbebf6350b2990bae82bb0d59a76 (git) Affected: 3f12acc8d6d4b2e62fab8f652d7075a859d80b42 , < b85e285e3d6352b02947fc1b72303673dfacb0aa (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3725a8f26bdbc38dfdf545836117f1e069277c91",
"status": "affected",
"version": "3f12acc8d6d4b2e62fab8f652d7075a859d80b42",
"versionType": "git"
},
{
"lessThan": "02105f0b3021ee5853b2fa50853c42f35fc01cfd",
"status": "affected",
"version": "3f12acc8d6d4b2e62fab8f652d7075a859d80b42",
"versionType": "git"
},
{
"lessThan": "f13661b72a61708cecb06562f8acff068a4f31f7",
"status": "affected",
"version": "3f12acc8d6d4b2e62fab8f652d7075a859d80b42",
"versionType": "git"
},
{
"lessThan": "d7352b410471cbebf6350b2990bae82bb0d59a76",
"status": "affected",
"version": "3f12acc8d6d4b2e62fab8f652d7075a859d80b42",
"versionType": "git"
},
{
"lessThan": "b85e285e3d6352b02947fc1b72303673dfacb0aa",
"status": "affected",
"version": "3f12acc8d6d4b2e62fab8f652d7075a859d80b42",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix pci device refcount leak\n\nAs comment of pci_get_domain_bus_and_slot() says, it returns\na pci device with refcount increment, when finish using it,\nthe caller must decrement the reference count by calling\npci_dev_put().\n\nSo before returning from amdgpu_device_resume|suspend_display_audio(),\npci_dev_put() is called to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:41.971Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3725a8f26bdbc38dfdf545836117f1e069277c91"
},
{
"url": "https://git.kernel.org/stable/c/02105f0b3021ee5853b2fa50853c42f35fc01cfd"
},
{
"url": "https://git.kernel.org/stable/c/f13661b72a61708cecb06562f8acff068a4f31f7"
},
{
"url": "https://git.kernel.org/stable/c/d7352b410471cbebf6350b2990bae82bb0d59a76"
},
{
"url": "https://git.kernel.org/stable/c/b85e285e3d6352b02947fc1b72303673dfacb0aa"
}
],
"title": "drm/amdgpu: fix pci device refcount leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50718",
"datePublished": "2025-12-24T12:22:41.971Z",
"dateReserved": "2025-12-24T12:20:40.329Z",
"dateUpdated": "2025-12-24T12:22:41.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40332 (GCVE-0-2025-40332)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-26 16:17
VLAI?
EPSS
Title
drm/amdkfd: Fix mmap write lock not release
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix mmap write lock not release
If mmap write lock is taken while draining retry fault, mmap write lock
is not released because svm_range_restore_pages calls mmap_read_unlock
then returns. This causes deadlock and system hangs later because mmap
read or write lock cannot be taken.
Downgrade mmap write lock to read lock if draining retry fault fix this
bug.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e64be12f8401819662e608efa247638b61d023cd , < e2105ba1c262dcaa9573f11844b6e1e1ca762c3f
(git)
Affected: f844732e3ad9c4b78df7436232949b8d2096d1a6 , < f7569ef1cf978aa87aa81b5e9bf40a77497f3685 (git) Affected: f844732e3ad9c4b78df7436232949b8d2096d1a6 , < 7574f30337e19045f03126b4c51f525b84e5049e (git) Affected: 177660d7ecb34298dab5f0d1efc7e8b02f934551 (git) Affected: 5a3c09bd25cc0a55ec9c048710d379fa2c84b4e7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e2105ba1c262dcaa9573f11844b6e1e1ca762c3f",
"status": "affected",
"version": "e64be12f8401819662e608efa247638b61d023cd",
"versionType": "git"
},
{
"lessThan": "f7569ef1cf978aa87aa81b5e9bf40a77497f3685",
"status": "affected",
"version": "f844732e3ad9c4b78df7436232949b8d2096d1a6",
"versionType": "git"
},
{
"lessThan": "7574f30337e19045f03126b4c51f525b84e5049e",
"status": "affected",
"version": "f844732e3ad9c4b78df7436232949b8d2096d1a6",
"versionType": "git"
},
{
"status": "affected",
"version": "177660d7ecb34298dab5f0d1efc7e8b02f934551",
"versionType": "git"
},
{
"status": "affected",
"version": "5a3c09bd25cc0a55ec9c048710d379fa2c84b4e7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.12.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix mmap write lock not release\n\nIf mmap write lock is taken while draining retry fault, mmap write lock\nis not released because svm_range_restore_pages calls mmap_read_unlock\nthen returns. This causes deadlock and system hangs later because mmap\nread or write lock cannot be taken.\n\nDowngrade mmap write lock to read lock if draining retry fault fix this\nbug."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:17:49.499Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e2105ba1c262dcaa9573f11844b6e1e1ca762c3f"
},
{
"url": "https://git.kernel.org/stable/c/f7569ef1cf978aa87aa81b5e9bf40a77497f3685"
},
{
"url": "https://git.kernel.org/stable/c/7574f30337e19045f03126b4c51f525b84e5049e"
}
],
"title": "drm/amdkfd: Fix mmap write lock not release",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40332",
"datePublished": "2025-12-09T04:09:49.164Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-26T16:17:49.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54090 (GCVE-0-2023-54090)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
ixgbe: Fix panic during XDP_TX with > 64 CPUs
Summary
In the Linux kernel, the following vulnerability has been resolved:
ixgbe: Fix panic during XDP_TX with > 64 CPUs
Commit 4fe815850bdc ("ixgbe: let the xdpdrv work with more than 64 cpus")
adds support to allow XDP programs to run on systems with more than
64 CPUs by locking the XDP TX rings and indexing them using cpu % 64
(IXGBE_MAX_XDP_QS).
Upon trying this out patch on a system with more than 64 cores,
the kernel paniced with an array-index-out-of-bounds at the return in
ixgbe_determine_xdp_ring in ixgbe.h, which means ixgbe_determine_xdp_q_idx
was just returning the cpu instead of cpu % IXGBE_MAX_XDP_QS. An example
splat:
==========================================================================
UBSAN: array-index-out-of-bounds in
/var/lib/dkms/ixgbe/5.18.6+focal-1/build/src/ixgbe.h:1147:26
index 65 is out of range for type 'ixgbe_ring *[64]'
==========================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000058
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 65 PID: 408 Comm: ksoftirqd/65
Tainted: G IOE 5.15.0-48-generic #54~20.04.1-Ubuntu
Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.5.4 01/13/2020
RIP: 0010:ixgbe_xmit_xdp_ring+0x1b/0x1c0 [ixgbe]
Code: 3b 52 d4 cf e9 42 f2 ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 55 b9
00 00 00 00 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 <44> 0f b7
47 58 0f b7 47 5a 0f b7 57 54 44 0f b7 76 08 66 41 39 c0
RSP: 0018:ffffbc3fcd88fcb0 EFLAGS: 00010282
RAX: ffff92a253260980 RBX: ffffbc3fe68b00a0 RCX: 0000000000000000
RDX: ffff928b5f659000 RSI: ffff928b5f659000 RDI: 0000000000000000
RBP: ffffbc3fcd88fce0 R08: ffff92b9dfc20580 R09: 0000000000000001
R10: 3d3d3d3d3d3d3d3d R11: 3d3d3d3d3d3d3d3d R12: 0000000000000000
R13: ffff928b2f0fa8c0 R14: ffff928b9be20050 R15: 000000000000003c
FS: 0000000000000000(0000) GS:ffff92b9dfc00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000058 CR3: 000000011dd6a002 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
ixgbe_poll+0x103e/0x1280 [ixgbe]
? sched_clock_cpu+0x12/0xe0
__napi_poll+0x30/0x160
net_rx_action+0x11c/0x270
__do_softirq+0xda/0x2ee
run_ksoftirqd+0x2f/0x50
smpboot_thread_fn+0xb7/0x150
? sort_range+0x30/0x30
kthread+0x127/0x150
? set_kthread_struct+0x50/0x50
ret_from_fork+0x1f/0x30
</TASK>
I think this is how it happens:
Upon loading the first XDP program on a system with more than 64 CPUs,
ixgbe_xdp_locking_key is incremented in ixgbe_xdp_setup. However,
immediately after this, the rings are reconfigured by ixgbe_setup_tc.
ixgbe_setup_tc calls ixgbe_clear_interrupt_scheme which calls
ixgbe_free_q_vectors which calls ixgbe_free_q_vector in a loop.
ixgbe_free_q_vector decrements ixgbe_xdp_locking_key once per call if
it is non-zero. Commenting out the decrement in ixgbe_free_q_vector
stopped my system from panicing.
I suspect to make the original patch work, I would need to load an XDP
program and then replace it in order to get ixgbe_xdp_locking_key back
above 0 since ixgbe_setup_tc is only called when transitioning between
XDP and non-XDP ring configurations, while ixgbe_xdp_locking_key is
incremented every time ixgbe_xdp_setup is called.
Also, ixgbe_setup_tc can be called via ethtool --set-channels, so this
becomes another path to decrement ixgbe_xdp_locking_key to 0 on systems
with more than 64 CPUs.
Since ixgbe_xdp_locking_key only protects the XDP_TX path and is tied
to the number of CPUs present, there is no reason to disable it upon
unloading an XDP program. To avoid confusion, I have moved enabling
ixgbe_xdp_locking_key into ixgbe_sw_init, which is part of the probe path.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4fe815850bdc8d4cc94e06fe1de069424a895826 , < 1924450175349e64f8dfc3689efcb653dba0418e
(git)
Affected: 4fe815850bdc8d4cc94e06fe1de069424a895826 , < 785b2b5b47b1aa4c31862948b312ea845401c5ec (git) Affected: 4fe815850bdc8d4cc94e06fe1de069424a895826 , < 4cd43a19900d0b98c1ec4bb6984763369d2e19ec (git) Affected: 4fe815850bdc8d4cc94e06fe1de069424a895826 , < c23ae5091a8b3e50fe755257df020907e7c029bb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c",
"drivers/net/ethernet/intel/ixgbe/ixgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1924450175349e64f8dfc3689efcb653dba0418e",
"status": "affected",
"version": "4fe815850bdc8d4cc94e06fe1de069424a895826",
"versionType": "git"
},
{
"lessThan": "785b2b5b47b1aa4c31862948b312ea845401c5ec",
"status": "affected",
"version": "4fe815850bdc8d4cc94e06fe1de069424a895826",
"versionType": "git"
},
{
"lessThan": "4cd43a19900d0b98c1ec4bb6984763369d2e19ec",
"status": "affected",
"version": "4fe815850bdc8d4cc94e06fe1de069424a895826",
"versionType": "git"
},
{
"lessThan": "c23ae5091a8b3e50fe755257df020907e7c029bb",
"status": "affected",
"version": "4fe815850bdc8d4cc94e06fe1de069424a895826",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbe/ixgbe_lib.c",
"drivers/net/ethernet/intel/ixgbe/ixgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: Fix panic during XDP_TX with \u003e 64 CPUs\n\nCommit 4fe815850bdc (\"ixgbe: let the xdpdrv work with more than 64 cpus\")\nadds support to allow XDP programs to run on systems with more than\n64 CPUs by locking the XDP TX rings and indexing them using cpu % 64\n(IXGBE_MAX_XDP_QS).\n\nUpon trying this out patch on a system with more than 64 cores,\nthe kernel paniced with an array-index-out-of-bounds at the return in\nixgbe_determine_xdp_ring in ixgbe.h, which means ixgbe_determine_xdp_q_idx\nwas just returning the cpu instead of cpu % IXGBE_MAX_XDP_QS. An example\nsplat:\n\n ==========================================================================\n UBSAN: array-index-out-of-bounds in\n /var/lib/dkms/ixgbe/5.18.6+focal-1/build/src/ixgbe.h:1147:26\n index 65 is out of range for type \u0027ixgbe_ring *[64]\u0027\n ==========================================================================\n BUG: kernel NULL pointer dereference, address: 0000000000000058\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 65 PID: 408 Comm: ksoftirqd/65\n Tainted: G IOE 5.15.0-48-generic #54~20.04.1-Ubuntu\n Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.5.4 01/13/2020\n RIP: 0010:ixgbe_xmit_xdp_ring+0x1b/0x1c0 [ixgbe]\n Code: 3b 52 d4 cf e9 42 f2 ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 55 b9\n 00 00 00 00 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 \u003c44\u003e 0f b7\n 47 58 0f b7 47 5a 0f b7 57 54 44 0f b7 76 08 66 41 39 c0\n RSP: 0018:ffffbc3fcd88fcb0 EFLAGS: 00010282\n RAX: ffff92a253260980 RBX: ffffbc3fe68b00a0 RCX: 0000000000000000\n RDX: ffff928b5f659000 RSI: ffff928b5f659000 RDI: 0000000000000000\n RBP: ffffbc3fcd88fce0 R08: ffff92b9dfc20580 R09: 0000000000000001\n R10: 3d3d3d3d3d3d3d3d R11: 3d3d3d3d3d3d3d3d R12: 0000000000000000\n R13: ffff928b2f0fa8c0 R14: ffff928b9be20050 R15: 000000000000003c\n FS: 0000000000000000(0000) GS:ffff92b9dfc00000(0000)\n knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000058 CR3: 000000011dd6a002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n ixgbe_poll+0x103e/0x1280 [ixgbe]\n ? sched_clock_cpu+0x12/0xe0\n __napi_poll+0x30/0x160\n net_rx_action+0x11c/0x270\n __do_softirq+0xda/0x2ee\n run_ksoftirqd+0x2f/0x50\n smpboot_thread_fn+0xb7/0x150\n ? sort_range+0x30/0x30\n kthread+0x127/0x150\n ? set_kthread_struct+0x50/0x50\n ret_from_fork+0x1f/0x30\n \u003c/TASK\u003e\n\nI think this is how it happens:\n\nUpon loading the first XDP program on a system with more than 64 CPUs,\nixgbe_xdp_locking_key is incremented in ixgbe_xdp_setup. However,\nimmediately after this, the rings are reconfigured by ixgbe_setup_tc.\nixgbe_setup_tc calls ixgbe_clear_interrupt_scheme which calls\nixgbe_free_q_vectors which calls ixgbe_free_q_vector in a loop.\nixgbe_free_q_vector decrements ixgbe_xdp_locking_key once per call if\nit is non-zero. Commenting out the decrement in ixgbe_free_q_vector\nstopped my system from panicing.\n\nI suspect to make the original patch work, I would need to load an XDP\nprogram and then replace it in order to get ixgbe_xdp_locking_key back\nabove 0 since ixgbe_setup_tc is only called when transitioning between\nXDP and non-XDP ring configurations, while ixgbe_xdp_locking_key is\nincremented every time ixgbe_xdp_setup is called.\n\nAlso, ixgbe_setup_tc can be called via ethtool --set-channels, so this\nbecomes another path to decrement ixgbe_xdp_locking_key to 0 on systems\nwith more than 64 CPUs.\n\nSince ixgbe_xdp_locking_key only protects the XDP_TX path and is tied\nto the number of CPUs present, there is no reason to disable it upon\nunloading an XDP program. To avoid confusion, I have moved enabling\nixgbe_xdp_locking_key into ixgbe_sw_init, which is part of the probe path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:19.666Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1924450175349e64f8dfc3689efcb653dba0418e"
},
{
"url": "https://git.kernel.org/stable/c/785b2b5b47b1aa4c31862948b312ea845401c5ec"
},
{
"url": "https://git.kernel.org/stable/c/4cd43a19900d0b98c1ec4bb6984763369d2e19ec"
},
{
"url": "https://git.kernel.org/stable/c/c23ae5091a8b3e50fe755257df020907e7c029bb"
}
],
"title": "ixgbe: Fix panic during XDP_TX with \u003e 64 CPUs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54090",
"datePublished": "2025-12-24T13:06:19.666Z",
"dateReserved": "2025-12-24T13:02:52.516Z",
"dateUpdated": "2025-12-24T13:06:19.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50864 (GCVE-0-2022-50864)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-01-02 15:05
VLAI?
EPSS
Title
nilfs2: fix shift-out-of-bounds due to too large exponent of block size
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix shift-out-of-bounds due to too large exponent of block size
If field s_log_block_size of superblock data is corrupted and too large,
init_nilfs() and load_nilfs() still can trigger a shift-out-of-bounds
warning followed by a kernel panic (if panic_on_warn is set):
shift exponent 38973 is too large for 32-bit type 'int'
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
ubsan_epilogue+0xb/0x50
__ubsan_handle_shift_out_of_bounds.cold.12+0x17b/0x1f5
init_nilfs.cold.11+0x18/0x1d [nilfs2]
nilfs_mount+0x9b5/0x12b0 [nilfs2]
...
This fixes the issue by adding and using a new helper function for getting
block size with sanity check.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8a9d2191e9f43bbcd256a9a6871bd73434c83f2f , < ec93b5430ec0f60877a5388bb023d60624f9ab9f
(git)
Affected: 8a9d2191e9f43bbcd256a9a6871bd73434c83f2f , < 8b6ef451b5701b37d9a5905534595776a662edfc (git) Affected: 8a9d2191e9f43bbcd256a9a6871bd73434c83f2f , < ddb6615a168f97b91175e00eda4c644741cf531c (git) Affected: 8a9d2191e9f43bbcd256a9a6871bd73434c83f2f , < a16731fa1b96226c75bbf18e73513b14fc318360 (git) Affected: 8a9d2191e9f43bbcd256a9a6871bd73434c83f2f , < ebeccaaef67a4895d2496ab8d9c2fb8d89201211 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/the_nilfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec93b5430ec0f60877a5388bb023d60624f9ab9f",
"status": "affected",
"version": "8a9d2191e9f43bbcd256a9a6871bd73434c83f2f",
"versionType": "git"
},
{
"lessThan": "8b6ef451b5701b37d9a5905534595776a662edfc",
"status": "affected",
"version": "8a9d2191e9f43bbcd256a9a6871bd73434c83f2f",
"versionType": "git"
},
{
"lessThan": "ddb6615a168f97b91175e00eda4c644741cf531c",
"status": "affected",
"version": "8a9d2191e9f43bbcd256a9a6871bd73434c83f2f",
"versionType": "git"
},
{
"lessThan": "a16731fa1b96226c75bbf18e73513b14fc318360",
"status": "affected",
"version": "8a9d2191e9f43bbcd256a9a6871bd73434c83f2f",
"versionType": "git"
},
{
"lessThan": "ebeccaaef67a4895d2496ab8d9c2fb8d89201211",
"status": "affected",
"version": "8a9d2191e9f43bbcd256a9a6871bd73434c83f2f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/the_nilfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix shift-out-of-bounds due to too large exponent of block size\n\nIf field s_log_block_size of superblock data is corrupted and too large,\ninit_nilfs() and load_nilfs() still can trigger a shift-out-of-bounds\nwarning followed by a kernel panic (if panic_on_warn is set):\n\n shift exponent 38973 is too large for 32-bit type \u0027int\u0027\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xcd/0x134\n ubsan_epilogue+0xb/0x50\n __ubsan_handle_shift_out_of_bounds.cold.12+0x17b/0x1f5\n init_nilfs.cold.11+0x18/0x1d [nilfs2]\n nilfs_mount+0x9b5/0x12b0 [nilfs2]\n ...\n\nThis fixes the issue by adding and using a new helper function for getting\nblock size with sanity check."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:05:03.940Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec93b5430ec0f60877a5388bb023d60624f9ab9f"
},
{
"url": "https://git.kernel.org/stable/c/8b6ef451b5701b37d9a5905534595776a662edfc"
},
{
"url": "https://git.kernel.org/stable/c/ddb6615a168f97b91175e00eda4c644741cf531c"
},
{
"url": "https://git.kernel.org/stable/c/a16731fa1b96226c75bbf18e73513b14fc318360"
},
{
"url": "https://git.kernel.org/stable/c/ebeccaaef67a4895d2496ab8d9c2fb8d89201211"
}
],
"title": "nilfs2: fix shift-out-of-bounds due to too large exponent of block size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50864",
"datePublished": "2025-12-30T12:15:36.489Z",
"dateReserved": "2025-12-30T12:06:07.135Z",
"dateUpdated": "2026-01-02T15:05:03.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50661 (GCVE-0-2022-50661)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
seccomp: Move copy_seccomp() to no failure path.
Summary
In the Linux kernel, the following vulnerability has been resolved:
seccomp: Move copy_seccomp() to no failure path.
Our syzbot instance reported memory leaks in do_seccomp() [0], similar
to the report [1]. It shows that we miss freeing struct seccomp_filter
and some objects included in it.
We can reproduce the issue with the program below [2] which calls one
seccomp() and two clone() syscalls.
The first clone()d child exits earlier than its parent and sends a
signal to kill it during the second clone(), more precisely before the
fatal_signal_pending() test in copy_process(). When the parent receives
the signal, it has to destroy the embryonic process and return -EINTR to
user space. In the failure path, we have to call seccomp_filter_release()
to decrement the filter's refcount.
Initially, we called it in free_task() called from the failure path, but
the commit 3a15fb6ed92c ("seccomp: release filter after task is fully
dead") moved it to release_task() to notify user space as early as possible
that the filter is no longer used.
To keep the change and current seccomp refcount semantics, let's move
copy_seccomp() just after the signal check and add a WARN_ON_ONCE() in
free_task() for future debugging.
[0]:
unreferenced object 0xffff8880063add00 (size 256):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.914s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
backtrace:
do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffffc90000035000 (size 4096):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
__vmalloc_node_range (mm/vmalloc.c:3226)
__vmalloc_node (mm/vmalloc.c:3261 (discriminator 4))
bpf_prog_alloc_no_stats (kernel/bpf/core.c:91)
bpf_prog_alloc (kernel/bpf/core.c:129)
bpf_prog_create_from_user (net/core/filter.c:1414)
do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888003fa1000 (size 1024):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95)
bpf_prog_alloc (kernel/bpf/core.c:129)
bpf_prog_create_from_user (net/core/filter.c:1414)
do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888006360240 (size 16):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
hex dump (first 16 bytes):
01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff ..7.verl........
backtrace:
bpf_prog_store_orig_filter (net/core/filter.c:1137)
bpf_prog_create_from_user (net/core/filter.c:1428)
do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3 , < d4a895e924b486f2a38463114509e1088ef4d7f5
(git)
Affected: 3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3 , < a31a647a3d1073a642c5bbe3457731fb353cb980 (git) Affected: 3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3 , < 29a69fa075d0577eff1137426669de21187ec182 (git) Affected: 3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3 , < 5b81f0c6c60e35bf8153230ddfb03ebb14e17986 (git) Affected: 3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3 , < a1140cb215fa13dcec06d12ba0c3ee105633b7c4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/fork.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d4a895e924b486f2a38463114509e1088ef4d7f5",
"status": "affected",
"version": "3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3",
"versionType": "git"
},
{
"lessThan": "a31a647a3d1073a642c5bbe3457731fb353cb980",
"status": "affected",
"version": "3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3",
"versionType": "git"
},
{
"lessThan": "29a69fa075d0577eff1137426669de21187ec182",
"status": "affected",
"version": "3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3",
"versionType": "git"
},
{
"lessThan": "5b81f0c6c60e35bf8153230ddfb03ebb14e17986",
"status": "affected",
"version": "3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3",
"versionType": "git"
},
{
"lessThan": "a1140cb215fa13dcec06d12ba0c3ee105633b7c4",
"status": "affected",
"version": "3a15fb6ed92cb32b0a83f406aa4a96f28c9adbc3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/fork.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nseccomp: Move copy_seccomp() to no failure path.\n\nOur syzbot instance reported memory leaks in do_seccomp() [0], similar\nto the report [1]. It shows that we miss freeing struct seccomp_filter\nand some objects included in it.\n\nWe can reproduce the issue with the program below [2] which calls one\nseccomp() and two clone() syscalls.\n\nThe first clone()d child exits earlier than its parent and sends a\nsignal to kill it during the second clone(), more precisely before the\nfatal_signal_pending() test in copy_process(). When the parent receives\nthe signal, it has to destroy the embryonic process and return -EINTR to\nuser space. In the failure path, we have to call seccomp_filter_release()\nto decrement the filter\u0027s refcount.\n\nInitially, we called it in free_task() called from the failure path, but\nthe commit 3a15fb6ed92c (\"seccomp: release filter after task is fully\ndead\") moved it to release_task() to notify user space as early as possible\nthat the filter is no longer used.\n\nTo keep the change and current seccomp refcount semantics, let\u0027s move\ncopy_seccomp() just after the signal check and add a WARN_ON_ONCE() in\nfree_task() for future debugging.\n\n[0]:\nunreferenced object 0xffff8880063add00 (size 256):\n comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.914s)\n hex dump (first 32 bytes):\n 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................\n ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................\n backtrace:\n do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffffc90000035000 (size 4096):\n comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n hex dump (first 32 bytes):\n 01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n __vmalloc_node_range (mm/vmalloc.c:3226)\n __vmalloc_node (mm/vmalloc.c:3261 (discriminator 4))\n bpf_prog_alloc_no_stats (kernel/bpf/core.c:91)\n bpf_prog_alloc (kernel/bpf/core.c:129)\n bpf_prog_create_from_user (net/core/filter.c:1414)\n do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888003fa1000 (size 1024):\n comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95)\n bpf_prog_alloc (kernel/bpf/core.c:129)\n bpf_prog_create_from_user (net/core/filter.c:1414)\n do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888006360240 (size 16):\n comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n hex dump (first 16 bytes):\n 01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff ..7.verl........\n backtrace:\n bpf_prog_store_orig_filter (net/core/filter.c:1137)\n bpf_prog_create_from_user (net/core/filter.c:1428)\n do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:09.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d4a895e924b486f2a38463114509e1088ef4d7f5"
},
{
"url": "https://git.kernel.org/stable/c/a31a647a3d1073a642c5bbe3457731fb353cb980"
},
{
"url": "https://git.kernel.org/stable/c/29a69fa075d0577eff1137426669de21187ec182"
},
{
"url": "https://git.kernel.org/stable/c/5b81f0c6c60e35bf8153230ddfb03ebb14e17986"
},
{
"url": "https://git.kernel.org/stable/c/a1140cb215fa13dcec06d12ba0c3ee105633b7c4"
}
],
"title": "seccomp: Move copy_seccomp() to no failure path.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50661",
"datePublished": "2025-12-09T01:29:09.498Z",
"dateReserved": "2025-12-09T01:26:45.989Z",
"dateUpdated": "2025-12-09T01:29:09.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68330 (GCVE-0-2025-68330)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2026-01-02 15:35
VLAI?
EPSS
Title
iio: accel: bmc150: Fix irq assumption regression
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: accel: bmc150: Fix irq assumption regression
The code in bmc150-accel-core.c unconditionally calls
bmc150_accel_set_interrupt() in the iio_buffer_setup_ops,
such as on the runtime PM resume path giving a kernel
splat like this if the device has no interrupts:
Unable to handle kernel NULL pointer dereference at virtual
address 00000001 when read
PC is at bmc150_accel_set_interrupt+0x98/0x194
LR is at __pm_runtime_resume+0x5c/0x64
(...)
Call trace:
bmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108
bmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc
__iio_update_buffers from enable_store+0x84/0xc8
enable_store from kernfs_fop_write_iter+0x154/0x1b4
This bug seems to have been in the driver since the beginning,
but it only manifests recently, I do not know why.
Store the IRQ number in the state struct, as this is a common
pattern in other drivers, then use this to determine if we have
IRQ support or not.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c16bff4844ffa678ba0c9d077e9797506924ccdd , < aad9d048a3211c48ec02efa405bf462856feb862
(git)
Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < c891f504bb66604c822e7985e093cf39b97fdeb0 (git) Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < cdd4a9e98004bd7c7488311951fa6dbae38b2b80 (git) Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < 65ad4ed983fd9ee0259d86391d6a53f78203918c (git) Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < 93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3 (git) Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < 3aa385a9c75c09b59dcab2ff76423439d23673ab (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/bmc150-accel-core.c",
"drivers/iio/accel/bmc150-accel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aad9d048a3211c48ec02efa405bf462856feb862",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "c891f504bb66604c822e7985e093cf39b97fdeb0",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "cdd4a9e98004bd7c7488311951fa6dbae38b2b80",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "65ad4ed983fd9ee0259d86391d6a53f78203918c",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
},
{
"lessThan": "3aa385a9c75c09b59dcab2ff76423439d23673ab",
"status": "affected",
"version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/accel/bmc150-accel-core.c",
"drivers/iio/accel/bmc150-accel.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: bmc150: Fix irq assumption regression\n\nThe code in bmc150-accel-core.c unconditionally calls\nbmc150_accel_set_interrupt() in the iio_buffer_setup_ops,\nsuch as on the runtime PM resume path giving a kernel\nsplat like this if the device has no interrupts:\n\nUnable to handle kernel NULL pointer dereference at virtual\n address 00000001 when read\n\nPC is at bmc150_accel_set_interrupt+0x98/0x194\nLR is at __pm_runtime_resume+0x5c/0x64\n(...)\nCall trace:\nbmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108\nbmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc\n__iio_update_buffers from enable_store+0x84/0xc8\nenable_store from kernfs_fop_write_iter+0x154/0x1b4\n\nThis bug seems to have been in the driver since the beginning,\nbut it only manifests recently, I do not know why.\n\nStore the IRQ number in the state struct, as this is a common\npattern in other drivers, then use this to determine if we have\nIRQ support or not."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:35:09.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aad9d048a3211c48ec02efa405bf462856feb862"
},
{
"url": "https://git.kernel.org/stable/c/c891f504bb66604c822e7985e093cf39b97fdeb0"
},
{
"url": "https://git.kernel.org/stable/c/cdd4a9e98004bd7c7488311951fa6dbae38b2b80"
},
{
"url": "https://git.kernel.org/stable/c/65ad4ed983fd9ee0259d86391d6a53f78203918c"
},
{
"url": "https://git.kernel.org/stable/c/93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3"
},
{
"url": "https://git.kernel.org/stable/c/3aa385a9c75c09b59dcab2ff76423439d23673ab"
}
],
"title": "iio: accel: bmc150: Fix irq assumption regression",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68330",
"datePublished": "2025-12-22T16:12:23.864Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2026-01-02T15:35:09.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54135 (GCVE-0-2023-54135)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
maple_tree: fix potential out-of-bounds access in mas_wr_end_piv()
Summary
In the Linux kernel, the following vulnerability has been resolved:
maple_tree: fix potential out-of-bounds access in mas_wr_end_piv()
Check the write offset end bounds before using it as the offset into the
pivot array. This avoids a possible out-of-bounds access on the pivot
array if the write extends to the last slot in the node, in which case the
node maximum should be used as the end pivot.
akpm: this doesn't affect any current callers, but new users of mapletree
may encounter this problem if backported into earlier kernels, so let's
fix it in -stable kernels in case of this.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
54a611b605901c7d5d05b6b8f5d04a6ceb0962aa , < 4e2ad53ababeaac44d71162650984abfe783960c
(git)
Affected: 54a611b605901c7d5d05b6b8f5d04a6ceb0962aa , < dc4751bd4aba01ccfc02f91adfeee0ba4cda405c (git) Affected: 54a611b605901c7d5d05b6b8f5d04a6ceb0962aa , < f5fcf6555a2a4f32947d17b92b173837cc652891 (git) Affected: 54a611b605901c7d5d05b6b8f5d04a6ceb0962aa , < cd00dd2585c4158e81fdfac0bbcc0446afbad26d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/maple_tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e2ad53ababeaac44d71162650984abfe783960c",
"status": "affected",
"version": "54a611b605901c7d5d05b6b8f5d04a6ceb0962aa",
"versionType": "git"
},
{
"lessThan": "dc4751bd4aba01ccfc02f91adfeee0ba4cda405c",
"status": "affected",
"version": "54a611b605901c7d5d05b6b8f5d04a6ceb0962aa",
"versionType": "git"
},
{
"lessThan": "f5fcf6555a2a4f32947d17b92b173837cc652891",
"status": "affected",
"version": "54a611b605901c7d5d05b6b8f5d04a6ceb0962aa",
"versionType": "git"
},
{
"lessThan": "cd00dd2585c4158e81fdfac0bbcc0446afbad26d",
"status": "affected",
"version": "54a611b605901c7d5d05b6b8f5d04a6ceb0962aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/maple_tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.37",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.1",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmaple_tree: fix potential out-of-bounds access in mas_wr_end_piv()\n\nCheck the write offset end bounds before using it as the offset into the\npivot array. This avoids a possible out-of-bounds access on the pivot\narray if the write extends to the last slot in the node, in which case the\nnode maximum should be used as the end pivot.\n\nakpm: this doesn\u0027t affect any current callers, but new users of mapletree\nmay encounter this problem if backported into earlier kernels, so let\u0027s\nfix it in -stable kernels in case of this."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:51.329Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e2ad53ababeaac44d71162650984abfe783960c"
},
{
"url": "https://git.kernel.org/stable/c/dc4751bd4aba01ccfc02f91adfeee0ba4cda405c"
},
{
"url": "https://git.kernel.org/stable/c/f5fcf6555a2a4f32947d17b92b173837cc652891"
},
{
"url": "https://git.kernel.org/stable/c/cd00dd2585c4158e81fdfac0bbcc0446afbad26d"
}
],
"title": "maple_tree: fix potential out-of-bounds access in mas_wr_end_piv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54135",
"datePublished": "2025-12-24T13:06:51.329Z",
"dateReserved": "2025-12-24T13:02:52.522Z",
"dateUpdated": "2025-12-24T13:06:51.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68724 (GCVE-0-2025-68724)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 60a7be5ee74408147e439164ac067e418ca74bb4
(git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < c13c6e9de91d7f1dd7df756b1fa5a1f968839d76 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < dfc1613961828745165aec6552c3818fa14ab725 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < c73be4f51eed98fa0c7c189db8f279e1c86bfbf7 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 6af753ac5205115e6c310c8c4236c01b59a1c44f (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < b7090a5c153105b9fd221a5a81459ee8cd5babd6 (git) Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < df0845cf447ae1556c3440b8b155de0926cbaa56 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "60a7be5ee74408147e439164ac067e418ca74bb4",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "c13c6e9de91d7f1dd7df756b1fa5a1f968839d76",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "dfc1613961828745165aec6552c3818fa14ab725",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "c73be4f51eed98fa0c7c189db8f279e1c86bfbf7",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "6af753ac5205115e6c310c8c4236c01b59a1c44f",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "b7090a5c153105b9fd221a5a81459ee8cd5babd6",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
},
{
"lessThan": "df0845cf447ae1556c3440b8b155de0926cbaa56",
"status": "affected",
"version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/asymmetric_keys/asymmetric_type.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.18"
},
{
"lessThan": "3.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "3.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "3.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id\n\nUse check_add_overflow() to guard against potential integer overflows\nwhen adding the binary blob lengths and the size of an asymmetric_key_id\nstructure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a\npossible buffer overflow when copying data from potentially malicious\nX.509 certificate fields that can be arbitrarily large, such as ASN.1\nINTEGER serial numbers, issuer names, etc."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:35.519Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/60a7be5ee74408147e439164ac067e418ca74bb4"
},
{
"url": "https://git.kernel.org/stable/c/c13c6e9de91d7f1dd7df756b1fa5a1f968839d76"
},
{
"url": "https://git.kernel.org/stable/c/dfc1613961828745165aec6552c3818fa14ab725"
},
{
"url": "https://git.kernel.org/stable/c/5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c"
},
{
"url": "https://git.kernel.org/stable/c/c73be4f51eed98fa0c7c189db8f279e1c86bfbf7"
},
{
"url": "https://git.kernel.org/stable/c/6af753ac5205115e6c310c8c4236c01b59a1c44f"
},
{
"url": "https://git.kernel.org/stable/c/b7090a5c153105b9fd221a5a81459ee8cd5babd6"
},
{
"url": "https://git.kernel.org/stable/c/df0845cf447ae1556c3440b8b155de0926cbaa56"
}
],
"title": "crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68724",
"datePublished": "2025-12-24T10:33:08.932Z",
"dateReserved": "2025-12-24T10:30:51.027Z",
"dateUpdated": "2026-01-19T12:18:35.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50834 (GCVE-0-2022-50834)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2025-12-30 12:10
VLAI?
EPSS
Title
nfc: Fix potential resource leaks
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: Fix potential resource leaks
nfc_get_device() take reference for the device, add missing
nfc_put_device() to release it when not need anymore.
Also fix the style warnning by use error EOPNOTSUPP instead of
ENOTSUPP.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5ce3f32b5264b337bfd13a780452a17705307725 , < 277f0d0a9084e7454e5532c823a7a876a7b00af7
(git)
Affected: 5ce3f32b5264b337bfd13a780452a17705307725 , < d1d912e7f82d7216ba4e266048ec1d1f5ea93839 (git) Affected: 5ce3f32b5264b337bfd13a780452a17705307725 , < d8e410315ad393b23520b5db0706be853589c548 (git) Affected: 5ce3f32b5264b337bfd13a780452a17705307725 , < e0f5c962c066e769c187f037fedc883f8abd4e82 (git) Affected: 5ce3f32b5264b337bfd13a780452a17705307725 , < b63bc2db244c1b57e36f16ea5f2a1becda413f68 (git) Affected: 5ce3f32b5264b337bfd13a780452a17705307725 , < a743128fca394a43425020a4f287d3168d94d04f (git) Affected: 5ce3f32b5264b337bfd13a780452a17705307725 , < b32f6bef248562bb5191ada527717ea50b319466 (git) Affected: 5ce3f32b5264b337bfd13a780452a17705307725 , < df49908f3c52d211aea5e2a14a93bbe67a2cb3af (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "277f0d0a9084e7454e5532c823a7a876a7b00af7",
"status": "affected",
"version": "5ce3f32b5264b337bfd13a780452a17705307725",
"versionType": "git"
},
{
"lessThan": "d1d912e7f82d7216ba4e266048ec1d1f5ea93839",
"status": "affected",
"version": "5ce3f32b5264b337bfd13a780452a17705307725",
"versionType": "git"
},
{
"lessThan": "d8e410315ad393b23520b5db0706be853589c548",
"status": "affected",
"version": "5ce3f32b5264b337bfd13a780452a17705307725",
"versionType": "git"
},
{
"lessThan": "e0f5c962c066e769c187f037fedc883f8abd4e82",
"status": "affected",
"version": "5ce3f32b5264b337bfd13a780452a17705307725",
"versionType": "git"
},
{
"lessThan": "b63bc2db244c1b57e36f16ea5f2a1becda413f68",
"status": "affected",
"version": "5ce3f32b5264b337bfd13a780452a17705307725",
"versionType": "git"
},
{
"lessThan": "a743128fca394a43425020a4f287d3168d94d04f",
"status": "affected",
"version": "5ce3f32b5264b337bfd13a780452a17705307725",
"versionType": "git"
},
{
"lessThan": "b32f6bef248562bb5191ada527717ea50b319466",
"status": "affected",
"version": "5ce3f32b5264b337bfd13a780452a17705307725",
"versionType": "git"
},
{
"lessThan": "df49908f3c52d211aea5e2a14a93bbe67a2cb3af",
"status": "affected",
"version": "5ce3f32b5264b337bfd13a780452a17705307725",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: Fix potential resource leaks\n\nnfc_get_device() take reference for the device, add missing\nnfc_put_device() to release it when not need anymore.\nAlso fix the style warnning by use error EOPNOTSUPP instead of\nENOTSUPP."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:10:55.025Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/277f0d0a9084e7454e5532c823a7a876a7b00af7"
},
{
"url": "https://git.kernel.org/stable/c/d1d912e7f82d7216ba4e266048ec1d1f5ea93839"
},
{
"url": "https://git.kernel.org/stable/c/d8e410315ad393b23520b5db0706be853589c548"
},
{
"url": "https://git.kernel.org/stable/c/e0f5c962c066e769c187f037fedc883f8abd4e82"
},
{
"url": "https://git.kernel.org/stable/c/b63bc2db244c1b57e36f16ea5f2a1becda413f68"
},
{
"url": "https://git.kernel.org/stable/c/a743128fca394a43425020a4f287d3168d94d04f"
},
{
"url": "https://git.kernel.org/stable/c/b32f6bef248562bb5191ada527717ea50b319466"
},
{
"url": "https://git.kernel.org/stable/c/df49908f3c52d211aea5e2a14a93bbe67a2cb3af"
}
],
"title": "nfc: Fix potential resource leaks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50834",
"datePublished": "2025-12-30T12:10:55.025Z",
"dateReserved": "2025-12-30T12:06:07.132Z",
"dateUpdated": "2025-12-30T12:10:55.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50819 (GCVE-0-2022-50819)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
udmabuf: Set ubuf->sg = NULL if the creation of sg table fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
udmabuf: Set ubuf->sg = NULL if the creation of sg table fails
When userspace tries to map the dmabuf and if for some reason
(e.g. OOM) the creation of the sg table fails, ubuf->sg needs to be
set to NULL. Otherwise, when the userspace subsequently closes the
dmabuf fd, we'd try to erroneously free the invalid sg table from
release_udmabuf resulting in the following crash reported by syzbot:
general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 3609 Comm: syz-executor487 Not tainted
5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 07/22/2022
RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]
RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]
RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c
8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14
02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2
RSP: 0018:ffffc900037efd30 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000
RBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000
R13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000
FS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78
__dentry_kill+0x42b/0x640 fs/dcache.c:612
dentry_kill fs/dcache.c:733 [inline]
dput+0x806/0xdb0 fs/dcache.c:913
__fput+0x39c/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:177
ptrace_notify+0x114/0x140 kernel/signal.c:2353
ptrace_report_syscall include/linux/ptrace.h:420 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]
syscall_exit_work kernel/entry/common.c:249 [inline]
syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276
__syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]
syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc1c0c35b6b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24
0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b
RDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006
RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c
R13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]
RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]
RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
284562e1f34874e267d4f499362c3816f8f6bc3f , < bbe2f6f90310b3a0b5de4e0dc022b36faabfd718
(git)
Affected: 284562e1f34874e267d4f499362c3816f8f6bc3f , < dfbed8c92eb853929f4fa676ba493391dab47be4 (git) Affected: 284562e1f34874e267d4f499362c3816f8f6bc3f , < fc285549f454c0f50f87ec945fc0bf44719c0fa4 (git) Affected: 284562e1f34874e267d4f499362c3816f8f6bc3f , < 9861e43f097a50678041f973347b3a88f2da09cf (git) Affected: 284562e1f34874e267d4f499362c3816f8f6bc3f , < d9c04a1b7a15b5e74b2977461d9511e497f05d8f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma-buf/udmabuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bbe2f6f90310b3a0b5de4e0dc022b36faabfd718",
"status": "affected",
"version": "284562e1f34874e267d4f499362c3816f8f6bc3f",
"versionType": "git"
},
{
"lessThan": "dfbed8c92eb853929f4fa676ba493391dab47be4",
"status": "affected",
"version": "284562e1f34874e267d4f499362c3816f8f6bc3f",
"versionType": "git"
},
{
"lessThan": "fc285549f454c0f50f87ec945fc0bf44719c0fa4",
"status": "affected",
"version": "284562e1f34874e267d4f499362c3816f8f6bc3f",
"versionType": "git"
},
{
"lessThan": "9861e43f097a50678041f973347b3a88f2da09cf",
"status": "affected",
"version": "284562e1f34874e267d4f499362c3816f8f6bc3f",
"versionType": "git"
},
{
"lessThan": "d9c04a1b7a15b5e74b2977461d9511e497f05d8f",
"status": "affected",
"version": "284562e1f34874e267d4f499362c3816f8f6bc3f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma-buf/udmabuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudmabuf: Set ubuf-\u003esg = NULL if the creation of sg table fails\n\nWhen userspace tries to map the dmabuf and if for some reason\n(e.g. OOM) the creation of the sg table fails, ubuf-\u003esg needs to be\nset to NULL. Otherwise, when the userspace subsequently closes the\ndmabuf fd, we\u0027d try to erroneously free the invalid sg table from\nrelease_udmabuf resulting in the following crash reported by syzbot:\n\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 3609 Comm: syz-executor487 Not tainted\n5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 07/22/2022\nRIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]\nRIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]\nRIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114\nCode: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c\n8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6 14\n02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2\nRSP: 0018:ffffc900037efd30 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000\nRBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000\nR13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000\nFS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78\n __dentry_kill+0x42b/0x640 fs/dcache.c:612\n dentry_kill fs/dcache.c:733 [inline]\n dput+0x806/0xdb0 fs/dcache.c:913\n __fput+0x39c/0x9d0 fs/file_table.c:333\n task_work_run+0xdd/0x1a0 kernel/task_work.c:177\n ptrace_notify+0x114/0x140 kernel/signal.c:2353\n ptrace_report_syscall include/linux/ptrace.h:420 [inline]\n ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]\n syscall_exit_work kernel/entry/common.c:249 [inline]\n syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276\n __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]\n syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294\n do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fc1c0c35b6b\nCode: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24\n0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 \u003c48\u003e 3d 00\nf0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44\nRSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b\nRDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006\nRBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c\nR13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140\n \u003c/TASK\u003e\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]\nRIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]\nRIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:50.111Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bbe2f6f90310b3a0b5de4e0dc022b36faabfd718"
},
{
"url": "https://git.kernel.org/stable/c/dfbed8c92eb853929f4fa676ba493391dab47be4"
},
{
"url": "https://git.kernel.org/stable/c/fc285549f454c0f50f87ec945fc0bf44719c0fa4"
},
{
"url": "https://git.kernel.org/stable/c/9861e43f097a50678041f973347b3a88f2da09cf"
},
{
"url": "https://git.kernel.org/stable/c/d9c04a1b7a15b5e74b2977461d9511e497f05d8f"
}
],
"title": "udmabuf: Set ubuf-\u003esg = NULL if the creation of sg table fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50819",
"datePublished": "2025-12-30T12:08:34.225Z",
"dateReserved": "2025-12-30T12:06:07.131Z",
"dateUpdated": "2026-01-02T15:04:50.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54299 (GCVE-0-2023-54299)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
usb: typec: bus: verify partner exists in typec_altmode_attention
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: bus: verify partner exists in typec_altmode_attention
Some usb hubs will negotiate DisplayPort Alt mode with the device
but will then negotiate a data role swap after entering the alt
mode. The data role swap causes the device to unregister all alt
modes, however the usb hub will still send Attention messages
even after failing to reregister the Alt Mode. type_altmode_attention
currently does not verify whether or not a device's altmode partner
exists, which results in a NULL pointer error when dereferencing
the typec_altmode and typec_altmode_ops belonging to the altmode
partner.
Verify the presence of a device's altmode partner before sending
the Attention message to the Alt Mode driver.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8a37d87d72f0c69f837229c04d2fcd7117ea57e7 , < 5f71716772b88cbe0e1788f6a38d7871aff2120b
(git)
Affected: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 , < 38e1f2ee82bacbbfded8f1c06794a443d038d054 (git) Affected: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 , < 0ad6bad31da692f8d7acacab07eabe7586239ae0 (git) Affected: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 , < 0d3b5fe47938e9c451466845304a2bd74e967a80 (git) Affected: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 , < d49547950bf7f3480d6ca05fe055978e5f0d9e5b (git) Affected: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 , < 1101867a1711c27d8bbe0e83136bec47f8c1ca2a (git) Affected: 8a37d87d72f0c69f837229c04d2fcd7117ea57e7 , < f23643306430f86e2f413ee2b986e0773e79da31 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/bus.c",
"drivers/usb/typec/tcpm/tcpm.c",
"include/linux/usb/typec_altmode.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f71716772b88cbe0e1788f6a38d7871aff2120b",
"status": "affected",
"version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7",
"versionType": "git"
},
{
"lessThan": "38e1f2ee82bacbbfded8f1c06794a443d038d054",
"status": "affected",
"version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7",
"versionType": "git"
},
{
"lessThan": "0ad6bad31da692f8d7acacab07eabe7586239ae0",
"status": "affected",
"version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7",
"versionType": "git"
},
{
"lessThan": "0d3b5fe47938e9c451466845304a2bd74e967a80",
"status": "affected",
"version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7",
"versionType": "git"
},
{
"lessThan": "d49547950bf7f3480d6ca05fe055978e5f0d9e5b",
"status": "affected",
"version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7",
"versionType": "git"
},
{
"lessThan": "1101867a1711c27d8bbe0e83136bec47f8c1ca2a",
"status": "affected",
"version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7",
"versionType": "git"
},
{
"lessThan": "f23643306430f86e2f413ee2b986e0773e79da31",
"status": "affected",
"version": "8a37d87d72f0c69f837229c04d2fcd7117ea57e7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/bus.c",
"drivers/usb/typec/tcpm/tcpm.c",
"include/linux/usb/typec_altmode.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: bus: verify partner exists in typec_altmode_attention\n\nSome usb hubs will negotiate DisplayPort Alt mode with the device\nbut will then negotiate a data role swap after entering the alt\nmode. The data role swap causes the device to unregister all alt\nmodes, however the usb hub will still send Attention messages\neven after failing to reregister the Alt Mode. type_altmode_attention\ncurrently does not verify whether or not a device\u0027s altmode partner\nexists, which results in a NULL pointer error when dereferencing\nthe typec_altmode and typec_altmode_ops belonging to the altmode\npartner.\n\nVerify the presence of a device\u0027s altmode partner before sending\nthe Attention message to the Alt Mode driver."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:35.146Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f71716772b88cbe0e1788f6a38d7871aff2120b"
},
{
"url": "https://git.kernel.org/stable/c/38e1f2ee82bacbbfded8f1c06794a443d038d054"
},
{
"url": "https://git.kernel.org/stable/c/0ad6bad31da692f8d7acacab07eabe7586239ae0"
},
{
"url": "https://git.kernel.org/stable/c/0d3b5fe47938e9c451466845304a2bd74e967a80"
},
{
"url": "https://git.kernel.org/stable/c/d49547950bf7f3480d6ca05fe055978e5f0d9e5b"
},
{
"url": "https://git.kernel.org/stable/c/1101867a1711c27d8bbe0e83136bec47f8c1ca2a"
},
{
"url": "https://git.kernel.org/stable/c/f23643306430f86e2f413ee2b986e0773e79da31"
}
],
"title": "usb: typec: bus: verify partner exists in typec_altmode_attention",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54299",
"datePublished": "2025-12-30T12:23:35.146Z",
"dateReserved": "2025-12-30T12:06:44.528Z",
"dateUpdated": "2025-12-30T12:23:35.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50861 (GCVE-0-2022-50861)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
NFSD: Finish converting the NFSv2 GETACL result encoder
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Finish converting the NFSv2 GETACL result encoder
The xdr_stream conversion inadvertently left some code that set the
page_len of the send buffer. The XDR stream encoders should handle
this automatically now.
This oversight adds garbage past the end of the Reply message.
Clients typically ignore the garbage, but NFSD does not need to send
it, as it leaks stale memory contents onto the wire.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6677b0d16abe77702040768c96e2ea17cd5b3f6e , < a20b0abab966a189a79aba6ebf41f59024a3224d
(git)
Affected: f8cba47344f794b54373189bec23195b51020faf , < 5030d4d2bf8b6f6f3d16401ab92a88bc5aa2377a (git) Affected: f8cba47344f794b54373189bec23195b51020faf , < d5b867fd2d7f79630b1a2906a7bb4f4b75bf297a (git) Affected: f8cba47344f794b54373189bec23195b51020faf , < 2b825efb0577a32a872e872a869e0947cf9dd6d3 (git) Affected: f8cba47344f794b54373189bec23195b51020faf , < ea5021e911d3479346a75ac9b7d9dcd751b0fb99 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs2acl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a20b0abab966a189a79aba6ebf41f59024a3224d",
"status": "affected",
"version": "6677b0d16abe77702040768c96e2ea17cd5b3f6e",
"versionType": "git"
},
{
"lessThan": "5030d4d2bf8b6f6f3d16401ab92a88bc5aa2377a",
"status": "affected",
"version": "f8cba47344f794b54373189bec23195b51020faf",
"versionType": "git"
},
{
"lessThan": "d5b867fd2d7f79630b1a2906a7bb4f4b75bf297a",
"status": "affected",
"version": "f8cba47344f794b54373189bec23195b51020faf",
"versionType": "git"
},
{
"lessThan": "2b825efb0577a32a872e872a869e0947cf9dd6d3",
"status": "affected",
"version": "f8cba47344f794b54373189bec23195b51020faf",
"versionType": "git"
},
{
"lessThan": "ea5021e911d3479346a75ac9b7d9dcd751b0fb99",
"status": "affected",
"version": "f8cba47344f794b54373189bec23195b51020faf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs2acl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Finish converting the NFSv2 GETACL result encoder\n\nThe xdr_stream conversion inadvertently left some code that set the\npage_len of the send buffer. The XDR stream encoders should handle\nthis automatically now.\n\nThis oversight adds garbage past the end of the Reply message.\nClients typically ignore the garbage, but NFSD does not need to send\nit, as it leaks stale memory contents onto the wire."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:34.511Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a20b0abab966a189a79aba6ebf41f59024a3224d"
},
{
"url": "https://git.kernel.org/stable/c/5030d4d2bf8b6f6f3d16401ab92a88bc5aa2377a"
},
{
"url": "https://git.kernel.org/stable/c/d5b867fd2d7f79630b1a2906a7bb4f4b75bf297a"
},
{
"url": "https://git.kernel.org/stable/c/2b825efb0577a32a872e872a869e0947cf9dd6d3"
},
{
"url": "https://git.kernel.org/stable/c/ea5021e911d3479346a75ac9b7d9dcd751b0fb99"
}
],
"title": "NFSD: Finish converting the NFSv2 GETACL result encoder",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50861",
"datePublished": "2025-12-30T12:15:34.511Z",
"dateReserved": "2025-12-30T12:06:07.135Z",
"dateUpdated": "2025-12-30T12:15:34.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53809 (GCVE-0-2023-53809)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-09 00:01
VLAI?
EPSS
Title
l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()
When a file descriptor of pppol2tp socket is passed as file descriptor
of UDP socket, a recursive deadlock occurs in l2tp_tunnel_register().
This situation is reproduced by the following program:
int main(void)
{
int sock;
struct sockaddr_pppol2tp addr;
sock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (sock < 0) {
perror("socket");
return 1;
}
addr.sa_family = AF_PPPOX;
addr.sa_protocol = PX_PROTO_OL2TP;
addr.pppol2tp.pid = 0;
addr.pppol2tp.fd = sock;
addr.pppol2tp.addr.sin_family = PF_INET;
addr.pppol2tp.addr.sin_port = htons(0);
addr.pppol2tp.addr.sin_addr.s_addr = inet_addr("192.168.0.1");
addr.pppol2tp.s_tunnel = 1;
addr.pppol2tp.s_session = 0;
addr.pppol2tp.d_tunnel = 0;
addr.pppol2tp.d_session = 0;
if (connect(sock, (const struct sockaddr *)&addr, sizeof(addr)) < 0) {
perror("connect");
return 1;
}
return 0;
}
This program causes the following lockdep warning:
============================================
WARNING: possible recursive locking detected
6.2.0-rc5-00205-gc96618275234 #56 Not tainted
--------------------------------------------
repro/8607 is trying to acquire lock:
ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0
but task is already holding lock:
ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(sk_lock-AF_PPPOX);
lock(sk_lock-AF_PPPOX);
*** DEADLOCK ***
May be due to missing lock nesting notation
1 lock held by repro/8607:
#0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30
stack backtrace:
CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x100/0x178
__lock_acquire.cold+0x119/0x3b9
? lockdep_hardirqs_on_prepare+0x410/0x410
lock_acquire+0x1e0/0x610
? l2tp_tunnel_register+0x2b7/0x11c0
? lock_downgrade+0x710/0x710
? __fget_files+0x283/0x3e0
lock_sock_nested+0x3a/0xf0
? l2tp_tunnel_register+0x2b7/0x11c0
l2tp_tunnel_register+0x2b7/0x11c0
? sprintf+0xc4/0x100
? l2tp_tunnel_del_work+0x6b0/0x6b0
? debug_object_deactivate+0x320/0x320
? lockdep_init_map_type+0x16d/0x7a0
? lockdep_init_map_type+0x16d/0x7a0
? l2tp_tunnel_create+0x2bf/0x4b0
? l2tp_tunnel_create+0x3c6/0x4b0
pppol2tp_connect+0x14e1/0x1a30
? pppol2tp_put_sk+0xd0/0xd0
? aa_sk_perm+0x2b7/0xa80
? aa_af_perm+0x260/0x260
? bpf_lsm_socket_connect+0x9/0x10
? pppol2tp_put_sk+0xd0/0xd0
__sys_connect_file+0x14f/0x190
__sys_connect+0x133/0x160
? __sys_connect_file+0x190/0x190
? lockdep_hardirqs_on+0x7d/0x100
? ktime_get_coarse_real_ts64+0x1b7/0x200
? ktime_get_coarse_real_ts64+0x147/0x200
? __audit_syscall_entry+0x396/0x500
__x64_sys_connect+0x72/0xb0
do_syscall_64+0x38/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
This patch fixes the issue by getting/creating the tunnel before
locking the pppol2tp socket.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2d77e5c0ad79004b5ef901895437e9cce6dfcc7e , < 4a413d360959962995e16a899cf2b9ef53e9fcb9
(git)
Affected: 77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce , < f6df58aa15f7d469f69b1dd21b001ff483255244 (git) Affected: cef0845b6dcfa2f6c2c832e7f9622551456c741d , < 4bb736b40475528ac1aa8c98b368563618488a70 (git) Affected: 0b2c59720e65885a394a017d0cf9cab118914682 , < 5370647dd745bb3d8f37057006be207ddd8e9314 (git) Affected: 0b2c59720e65885a394a017d0cf9cab118914682 , < 9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_ppp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a413d360959962995e16a899cf2b9ef53e9fcb9",
"status": "affected",
"version": "2d77e5c0ad79004b5ef901895437e9cce6dfcc7e",
"versionType": "git"
},
{
"lessThan": "f6df58aa15f7d469f69b1dd21b001ff483255244",
"status": "affected",
"version": "77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce",
"versionType": "git"
},
{
"lessThan": "4bb736b40475528ac1aa8c98b368563618488a70",
"status": "affected",
"version": "cef0845b6dcfa2f6c2c832e7f9622551456c741d",
"versionType": "git"
},
{
"lessThan": "5370647dd745bb3d8f37057006be207ddd8e9314",
"status": "affected",
"version": "0b2c59720e65885a394a017d0cf9cab118914682",
"versionType": "git"
},
{
"lessThan": "9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac",
"status": "affected",
"version": "0b2c59720e65885a394a017d0cf9cab118914682",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_ppp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.10.166",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.15.91",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "6.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()\n\nWhen a file descriptor of pppol2tp socket is passed as file descriptor\nof UDP socket, a recursive deadlock occurs in l2tp_tunnel_register().\nThis situation is reproduced by the following program:\n\nint main(void)\n{\n\tint sock;\n\tstruct sockaddr_pppol2tp addr;\n\n\tsock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);\n\tif (sock \u003c 0) {\n\t\tperror(\"socket\");\n\t\treturn 1;\n\t}\n\n\taddr.sa_family = AF_PPPOX;\n\taddr.sa_protocol = PX_PROTO_OL2TP;\n\taddr.pppol2tp.pid = 0;\n\taddr.pppol2tp.fd = sock;\n\taddr.pppol2tp.addr.sin_family = PF_INET;\n\taddr.pppol2tp.addr.sin_port = htons(0);\n\taddr.pppol2tp.addr.sin_addr.s_addr = inet_addr(\"192.168.0.1\");\n\taddr.pppol2tp.s_tunnel = 1;\n\taddr.pppol2tp.s_session = 0;\n\taddr.pppol2tp.d_tunnel = 0;\n\taddr.pppol2tp.d_session = 0;\n\n\tif (connect(sock, (const struct sockaddr *)\u0026addr, sizeof(addr)) \u003c 0) {\n\t\tperror(\"connect\");\n\t\treturn 1;\n\t}\n\n\treturn 0;\n}\n\nThis program causes the following lockdep warning:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.2.0-rc5-00205-gc96618275234 #56 Not tainted\n --------------------------------------------\n repro/8607 is trying to acquire lock:\n ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0\n\n but task is already holding lock:\n ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(sk_lock-AF_PPPOX);\n lock(sk_lock-AF_PPPOX);\n\n *** DEADLOCK ***\n\n May be due to missing lock nesting notation\n\n 1 lock held by repro/8607:\n #0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30\n\n stack backtrace:\n CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x100/0x178\n __lock_acquire.cold+0x119/0x3b9\n ? lockdep_hardirqs_on_prepare+0x410/0x410\n lock_acquire+0x1e0/0x610\n ? l2tp_tunnel_register+0x2b7/0x11c0\n ? lock_downgrade+0x710/0x710\n ? __fget_files+0x283/0x3e0\n lock_sock_nested+0x3a/0xf0\n ? l2tp_tunnel_register+0x2b7/0x11c0\n l2tp_tunnel_register+0x2b7/0x11c0\n ? sprintf+0xc4/0x100\n ? l2tp_tunnel_del_work+0x6b0/0x6b0\n ? debug_object_deactivate+0x320/0x320\n ? lockdep_init_map_type+0x16d/0x7a0\n ? lockdep_init_map_type+0x16d/0x7a0\n ? l2tp_tunnel_create+0x2bf/0x4b0\n ? l2tp_tunnel_create+0x3c6/0x4b0\n pppol2tp_connect+0x14e1/0x1a30\n ? pppol2tp_put_sk+0xd0/0xd0\n ? aa_sk_perm+0x2b7/0xa80\n ? aa_af_perm+0x260/0x260\n ? bpf_lsm_socket_connect+0x9/0x10\n ? pppol2tp_put_sk+0xd0/0xd0\n __sys_connect_file+0x14f/0x190\n __sys_connect+0x133/0x160\n ? __sys_connect_file+0x190/0x190\n ? lockdep_hardirqs_on+0x7d/0x100\n ? ktime_get_coarse_real_ts64+0x1b7/0x200\n ? ktime_get_coarse_real_ts64+0x147/0x200\n ? __audit_syscall_entry+0x396/0x500\n __x64_sys_connect+0x72/0xb0\n do_syscall_64+0x38/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes the issue by getting/creating the tunnel before\nlocking the pppol2tp socket."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:01:07.120Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a413d360959962995e16a899cf2b9ef53e9fcb9"
},
{
"url": "https://git.kernel.org/stable/c/f6df58aa15f7d469f69b1dd21b001ff483255244"
},
{
"url": "https://git.kernel.org/stable/c/4bb736b40475528ac1aa8c98b368563618488a70"
},
{
"url": "https://git.kernel.org/stable/c/5370647dd745bb3d8f37057006be207ddd8e9314"
},
{
"url": "https://git.kernel.org/stable/c/9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac"
}
],
"title": "l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53809",
"datePublished": "2025-12-09T00:01:07.120Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2025-12-09T00:01:07.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50755 (GCVE-0-2022-50755)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
udf: Avoid double brelse() in udf_rename()
Summary
In the Linux kernel, the following vulnerability has been resolved:
udf: Avoid double brelse() in udf_rename()
syzbot reported a warning like below [1]:
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0
...
Call Trace:
<TASK>
invalidate_bh_lru+0x99/0x150
smp_call_function_many_cond+0xe2a/0x10c0
? generic_remap_file_range_prep+0x50/0x50
? __brelse+0xa0/0xa0
? __mutex_lock+0x21c/0x12d0
? smp_call_on_cpu+0x250/0x250
? rcu_read_lock_sched_held+0xb/0x60
? lock_release+0x587/0x810
? __brelse+0xa0/0xa0
? generic_remap_file_range_prep+0x50/0x50
on_each_cpu_cond_mask+0x3c/0x80
blkdev_flush_mapping+0x13a/0x2f0
blkdev_put_whole+0xd3/0xf0
blkdev_put+0x222/0x760
deactivate_locked_super+0x96/0x160
deactivate_super+0xda/0x100
cleanup_mnt+0x222/0x3d0
task_work_run+0x149/0x240
? task_work_cancel+0x30/0x30
do_exit+0xb29/0x2a40
? reacquire_held_locks+0x4a0/0x4a0
? do_raw_spin_lock+0x12a/0x2b0
? mm_update_next_owner+0x7c0/0x7c0
? rwlock_bug.part.0+0x90/0x90
? zap_other_threads+0x234/0x2d0
do_group_exit+0xd0/0x2a0
__x64_sys_exit_group+0x3a/0x50
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The cause of the issue is that brelse() is called on both ofibh.sbh
and ofibh.ebh by udf_find_entry() when it returns NULL. However,
brelse() is called by udf_rename(), too. So, b_count on buffer_head
becomes unbalanced.
This patch fixes the issue by not calling brelse() by udf_rename()
when udf_find_entry() returns NULL.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
231473f6ddcef9c01993e0bfe36acc6f8e425c31 , < 78eba2778ae10fb2a9d450e14d26eb6f6bf1f906
(git)
Affected: 231473f6ddcef9c01993e0bfe36acc6f8e425c31 , < 9d2cad69547abea961fa80426d600b861de1952b (git) Affected: 231473f6ddcef9c01993e0bfe36acc6f8e425c31 , < d6da7ec0f94f5208c848e0e94b70f54a0bd9c587 (git) Affected: 231473f6ddcef9c01993e0bfe36acc6f8e425c31 , < 156d440dea97deada629bb51cb17887abd862605 (git) Affected: 231473f6ddcef9c01993e0bfe36acc6f8e425c31 , < 40dba68d418237b1ae2beaa06d46a94dd946278e (git) Affected: 231473f6ddcef9c01993e0bfe36acc6f8e425c31 , < e7a6a53c871460727be09f4414ccb29fb8697526 (git) Affected: 231473f6ddcef9c01993e0bfe36acc6f8e425c31 , < 4fca09045509f5bde8fc28e68fbca38cb4bdcf2e (git) Affected: 231473f6ddcef9c01993e0bfe36acc6f8e425c31 , < 090bf49833c51da297ec74f98ad2bf44daea9311 (git) Affected: 231473f6ddcef9c01993e0bfe36acc6f8e425c31 , < c791730f2554a9ebb8f18df9368dc27d4ebc38c2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/udf/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "78eba2778ae10fb2a9d450e14d26eb6f6bf1f906",
"status": "affected",
"version": "231473f6ddcef9c01993e0bfe36acc6f8e425c31",
"versionType": "git"
},
{
"lessThan": "9d2cad69547abea961fa80426d600b861de1952b",
"status": "affected",
"version": "231473f6ddcef9c01993e0bfe36acc6f8e425c31",
"versionType": "git"
},
{
"lessThan": "d6da7ec0f94f5208c848e0e94b70f54a0bd9c587",
"status": "affected",
"version": "231473f6ddcef9c01993e0bfe36acc6f8e425c31",
"versionType": "git"
},
{
"lessThan": "156d440dea97deada629bb51cb17887abd862605",
"status": "affected",
"version": "231473f6ddcef9c01993e0bfe36acc6f8e425c31",
"versionType": "git"
},
{
"lessThan": "40dba68d418237b1ae2beaa06d46a94dd946278e",
"status": "affected",
"version": "231473f6ddcef9c01993e0bfe36acc6f8e425c31",
"versionType": "git"
},
{
"lessThan": "e7a6a53c871460727be09f4414ccb29fb8697526",
"status": "affected",
"version": "231473f6ddcef9c01993e0bfe36acc6f8e425c31",
"versionType": "git"
},
{
"lessThan": "4fca09045509f5bde8fc28e68fbca38cb4bdcf2e",
"status": "affected",
"version": "231473f6ddcef9c01993e0bfe36acc6f8e425c31",
"versionType": "git"
},
{
"lessThan": "090bf49833c51da297ec74f98ad2bf44daea9311",
"status": "affected",
"version": "231473f6ddcef9c01993e0bfe36acc6f8e425c31",
"versionType": "git"
},
{
"lessThan": "c791730f2554a9ebb8f18df9368dc27d4ebc38c2",
"status": "affected",
"version": "231473f6ddcef9c01993e0bfe36acc6f8e425c31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/udf/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: Avoid double brelse() in udf_rename()\n\nsyzbot reported a warning like below [1]:\n\nVFS: brelse: Trying to free free buffer\nWARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0\n...\nCall Trace:\n \u003cTASK\u003e\n invalidate_bh_lru+0x99/0x150\n smp_call_function_many_cond+0xe2a/0x10c0\n ? generic_remap_file_range_prep+0x50/0x50\n ? __brelse+0xa0/0xa0\n ? __mutex_lock+0x21c/0x12d0\n ? smp_call_on_cpu+0x250/0x250\n ? rcu_read_lock_sched_held+0xb/0x60\n ? lock_release+0x587/0x810\n ? __brelse+0xa0/0xa0\n ? generic_remap_file_range_prep+0x50/0x50\n on_each_cpu_cond_mask+0x3c/0x80\n blkdev_flush_mapping+0x13a/0x2f0\n blkdev_put_whole+0xd3/0xf0\n blkdev_put+0x222/0x760\n deactivate_locked_super+0x96/0x160\n deactivate_super+0xda/0x100\n cleanup_mnt+0x222/0x3d0\n task_work_run+0x149/0x240\n ? task_work_cancel+0x30/0x30\n do_exit+0xb29/0x2a40\n ? reacquire_held_locks+0x4a0/0x4a0\n ? do_raw_spin_lock+0x12a/0x2b0\n ? mm_update_next_owner+0x7c0/0x7c0\n ? rwlock_bug.part.0+0x90/0x90\n ? zap_other_threads+0x234/0x2d0\n do_group_exit+0xd0/0x2a0\n __x64_sys_exit_group+0x3a/0x50\n do_syscall_64+0x34/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe cause of the issue is that brelse() is called on both ofibh.sbh\nand ofibh.ebh by udf_find_entry() when it returns NULL. However,\nbrelse() is called by udf_rename(), too. So, b_count on buffer_head\nbecomes unbalanced.\n\nThis patch fixes the issue by not calling brelse() by udf_rename()\nwhen udf_find_entry() returns NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:26.244Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/78eba2778ae10fb2a9d450e14d26eb6f6bf1f906"
},
{
"url": "https://git.kernel.org/stable/c/9d2cad69547abea961fa80426d600b861de1952b"
},
{
"url": "https://git.kernel.org/stable/c/d6da7ec0f94f5208c848e0e94b70f54a0bd9c587"
},
{
"url": "https://git.kernel.org/stable/c/156d440dea97deada629bb51cb17887abd862605"
},
{
"url": "https://git.kernel.org/stable/c/40dba68d418237b1ae2beaa06d46a94dd946278e"
},
{
"url": "https://git.kernel.org/stable/c/e7a6a53c871460727be09f4414ccb29fb8697526"
},
{
"url": "https://git.kernel.org/stable/c/4fca09045509f5bde8fc28e68fbca38cb4bdcf2e"
},
{
"url": "https://git.kernel.org/stable/c/090bf49833c51da297ec74f98ad2bf44daea9311"
},
{
"url": "https://git.kernel.org/stable/c/c791730f2554a9ebb8f18df9368dc27d4ebc38c2"
}
],
"title": "udf: Avoid double brelse() in udf_rename()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50755",
"datePublished": "2025-12-24T13:05:48.928Z",
"dateReserved": "2025-12-24T13:02:21.544Z",
"dateUpdated": "2026-01-02T15:04:26.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53836 (GCVE-0-2023-53836)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
bpf, sockmap: Fix skb refcnt race after locking changes
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix skb refcnt race after locking changes
There is a race where skb's from the sk_psock_backlog can be referenced
after userspace side has already skb_consumed() the sk_buff and its refcnt
dropped to zer0 causing use after free.
The flow is the following:
while ((skb = skb_peek(&psock->ingress_skb))
sk_psock_handle_Skb(psock, skb, ..., ingress)
if (!ingress) ...
sk_psock_skb_ingress
sk_psock_skb_ingress_enqueue(skb)
msg->skb = skb
sk_psock_queue_msg(psock, msg)
skb_dequeue(&psock->ingress_skb)
The sk_psock_queue_msg() puts the msg on the ingress_msg queue. This is
what the application reads when recvmsg() is called. An application can
read this anytime after the msg is placed on the queue. The recvmsg hook
will also read msg->skb and then after user space reads the msg will call
consume_skb(skb) on it effectively free'ing it.
But, the race is in above where backlog queue still has a reference to
the skb and calls skb_dequeue(). If the skb_dequeue happens after the
user reads and free's the skb we have a use after free.
The !ingress case does not suffer from this problem because it uses
sendmsg_*(sk, msg) which does not pass the sk_buff further down the
stack.
The following splat was observed with 'test_progs -t sockmap_listen':
[ 1022.710250][ T2556] general protection fault, ...
[...]
[ 1022.712830][ T2556] Workqueue: events sk_psock_backlog
[ 1022.713262][ T2556] RIP: 0010:skb_dequeue+0x4c/0x80
[ 1022.713653][ T2556] Code: ...
[...]
[ 1022.720699][ T2556] Call Trace:
[ 1022.720984][ T2556] <TASK>
[ 1022.721254][ T2556] ? die_addr+0x32/0x80^M
[ 1022.721589][ T2556] ? exc_general_protection+0x25a/0x4b0
[ 1022.722026][ T2556] ? asm_exc_general_protection+0x22/0x30
[ 1022.722489][ T2556] ? skb_dequeue+0x4c/0x80
[ 1022.722854][ T2556] sk_psock_backlog+0x27a/0x300
[ 1022.723243][ T2556] process_one_work+0x2a7/0x5b0
[ 1022.723633][ T2556] worker_thread+0x4f/0x3a0
[ 1022.723998][ T2556] ? __pfx_worker_thread+0x10/0x10
[ 1022.724386][ T2556] kthread+0xfd/0x130
[ 1022.724709][ T2556] ? __pfx_kthread+0x10/0x10
[ 1022.725066][ T2556] ret_from_fork+0x2d/0x50
[ 1022.725409][ T2556] ? __pfx_kthread+0x10/0x10
[ 1022.725799][ T2556] ret_from_fork_asm+0x1b/0x30
[ 1022.726201][ T2556] </TASK>
To fix we add an skb_get() before passing the skb to be enqueued in the
engress queue. This bumps the skb->users refcnt so that consume_skb()
and kfree_skb will not immediately free the sk_buff. With this we can
be sure the skb is still around when we do the dequeue. Then we just
need to decrement the refcnt or free the skb in the backlog case which
we do by calling kfree_skb() on the ingress case as well as the sendmsg
case.
Before locking change from fixes tag we had the sock locked so we
couldn't race with user and there was no issue here.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3 , < 65ad600b9bde68d2d28709943ab00b51ca8f0a1d
(git)
Affected: 799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3 , < 923877254f002ae87d441382bb1096d9e773d56d (git) Affected: 799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3 , < e6b5e47adb9166e732cdf7e6e034946e3f89f36d (git) Affected: 799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3 , < a454d84ee20baf7bd7be90721b9821f73c7d23d9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65ad600b9bde68d2d28709943ab00b51ca8f0a1d",
"status": "affected",
"version": "799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3",
"versionType": "git"
},
{
"lessThan": "923877254f002ae87d441382bb1096d9e773d56d",
"status": "affected",
"version": "799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3",
"versionType": "git"
},
{
"lessThan": "e6b5e47adb9166e732cdf7e6e034946e3f89f36d",
"status": "affected",
"version": "799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3",
"versionType": "git"
},
{
"lessThan": "a454d84ee20baf7bd7be90721b9821f73c7d23d9",
"status": "affected",
"version": "799aa7f98d53e0f541fa6b4dc9aa47b4ff2178e3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skmsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix skb refcnt race after locking changes\n\nThere is a race where skb\u0027s from the sk_psock_backlog can be referenced\nafter userspace side has already skb_consumed() the sk_buff and its refcnt\ndropped to zer0 causing use after free.\n\nThe flow is the following:\n\n while ((skb = skb_peek(\u0026psock-\u003eingress_skb))\n sk_psock_handle_Skb(psock, skb, ..., ingress)\n if (!ingress) ...\n sk_psock_skb_ingress\n sk_psock_skb_ingress_enqueue(skb)\n msg-\u003eskb = skb\n sk_psock_queue_msg(psock, msg)\n skb_dequeue(\u0026psock-\u003eingress_skb)\n\nThe sk_psock_queue_msg() puts the msg on the ingress_msg queue. This is\nwhat the application reads when recvmsg() is called. An application can\nread this anytime after the msg is placed on the queue. The recvmsg hook\nwill also read msg-\u003eskb and then after user space reads the msg will call\nconsume_skb(skb) on it effectively free\u0027ing it.\n\nBut, the race is in above where backlog queue still has a reference to\nthe skb and calls skb_dequeue(). If the skb_dequeue happens after the\nuser reads and free\u0027s the skb we have a use after free.\n\nThe !ingress case does not suffer from this problem because it uses\nsendmsg_*(sk, msg) which does not pass the sk_buff further down the\nstack.\n\nThe following splat was observed with \u0027test_progs -t sockmap_listen\u0027:\n\n [ 1022.710250][ T2556] general protection fault, ...\n [...]\n [ 1022.712830][ T2556] Workqueue: events sk_psock_backlog\n [ 1022.713262][ T2556] RIP: 0010:skb_dequeue+0x4c/0x80\n [ 1022.713653][ T2556] Code: ...\n [...]\n [ 1022.720699][ T2556] Call Trace:\n [ 1022.720984][ T2556] \u003cTASK\u003e\n [ 1022.721254][ T2556] ? die_addr+0x32/0x80^M\n [ 1022.721589][ T2556] ? exc_general_protection+0x25a/0x4b0\n [ 1022.722026][ T2556] ? asm_exc_general_protection+0x22/0x30\n [ 1022.722489][ T2556] ? skb_dequeue+0x4c/0x80\n [ 1022.722854][ T2556] sk_psock_backlog+0x27a/0x300\n [ 1022.723243][ T2556] process_one_work+0x2a7/0x5b0\n [ 1022.723633][ T2556] worker_thread+0x4f/0x3a0\n [ 1022.723998][ T2556] ? __pfx_worker_thread+0x10/0x10\n [ 1022.724386][ T2556] kthread+0xfd/0x130\n [ 1022.724709][ T2556] ? __pfx_kthread+0x10/0x10\n [ 1022.725066][ T2556] ret_from_fork+0x2d/0x50\n [ 1022.725409][ T2556] ? __pfx_kthread+0x10/0x10\n [ 1022.725799][ T2556] ret_from_fork_asm+0x1b/0x30\n [ 1022.726201][ T2556] \u003c/TASK\u003e\n\nTo fix we add an skb_get() before passing the skb to be enqueued in the\nengress queue. This bumps the skb-\u003eusers refcnt so that consume_skb()\nand kfree_skb will not immediately free the sk_buff. With this we can\nbe sure the skb is still around when we do the dequeue. Then we just\nneed to decrement the refcnt or free the skb in the backlog case which\nwe do by calling kfree_skb() on the ingress case as well as the sendmsg\ncase.\n\nBefore locking change from fixes tag we had the sock locked so we\ncouldn\u0027t race with user and there was no issue here."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:52.004Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65ad600b9bde68d2d28709943ab00b51ca8f0a1d"
},
{
"url": "https://git.kernel.org/stable/c/923877254f002ae87d441382bb1096d9e773d56d"
},
{
"url": "https://git.kernel.org/stable/c/e6b5e47adb9166e732cdf7e6e034946e3f89f36d"
},
{
"url": "https://git.kernel.org/stable/c/a454d84ee20baf7bd7be90721b9821f73c7d23d9"
}
],
"title": "bpf, sockmap: Fix skb refcnt race after locking changes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53836",
"datePublished": "2025-12-09T01:29:52.004Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:29:52.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38664 (GCVE-0-2025-38664)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:02 – Updated: 2025-11-03 17:40
VLAI?
EPSS
Title
ice: Fix a null pointer dereference in ice_copy_and_init_pkg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix a null pointer dereference in ice_copy_and_init_pkg()
Add check for the return value of devm_kmemdup()
to prevent potential null pointer dereference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c7648810961682b9388be2dd041df06915647445 , < 35370d3b44efe194fd5ad55bac987e629597d782
(git)
Affected: c7648810961682b9388be2dd041df06915647445 , < 435462f8ab2b9c5340a5414ce02f70117d0cfede (git) Affected: c7648810961682b9388be2dd041df06915647445 , < 7c5a13c76dd37e9e4f8d48b87376a54f4399ce15 (git) Affected: c7648810961682b9388be2dd041df06915647445 , < 1c30093d58cd3d02d8358e2b1f4a06a0aae0bf5b (git) Affected: c7648810961682b9388be2dd041df06915647445 , < 3028f2a4e746b499043bbb8ab816f975473a0535 (git) Affected: c7648810961682b9388be2dd041df06915647445 , < 0fde7dccbf4c8a6d7940ecaf4c3d80a12f405dd7 (git) Affected: c7648810961682b9388be2dd041df06915647445 , < 6d640a8ea62435a7f6f89869bee4fa99423d07ca (git) Affected: c7648810961682b9388be2dd041df06915647445 , < 4ff12d82dac119b4b99b5a78b5af3bf2474c0a36 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:50.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_ddp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "35370d3b44efe194fd5ad55bac987e629597d782",
"status": "affected",
"version": "c7648810961682b9388be2dd041df06915647445",
"versionType": "git"
},
{
"lessThan": "435462f8ab2b9c5340a5414ce02f70117d0cfede",
"status": "affected",
"version": "c7648810961682b9388be2dd041df06915647445",
"versionType": "git"
},
{
"lessThan": "7c5a13c76dd37e9e4f8d48b87376a54f4399ce15",
"status": "affected",
"version": "c7648810961682b9388be2dd041df06915647445",
"versionType": "git"
},
{
"lessThan": "1c30093d58cd3d02d8358e2b1f4a06a0aae0bf5b",
"status": "affected",
"version": "c7648810961682b9388be2dd041df06915647445",
"versionType": "git"
},
{
"lessThan": "3028f2a4e746b499043bbb8ab816f975473a0535",
"status": "affected",
"version": "c7648810961682b9388be2dd041df06915647445",
"versionType": "git"
},
{
"lessThan": "0fde7dccbf4c8a6d7940ecaf4c3d80a12f405dd7",
"status": "affected",
"version": "c7648810961682b9388be2dd041df06915647445",
"versionType": "git"
},
{
"lessThan": "6d640a8ea62435a7f6f89869bee4fa99423d07ca",
"status": "affected",
"version": "c7648810961682b9388be2dd041df06915647445",
"versionType": "git"
},
{
"lessThan": "4ff12d82dac119b4b99b5a78b5af3bf2474c0a36",
"status": "affected",
"version": "c7648810961682b9388be2dd041df06915647445",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_ddp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.101",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.41",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.101",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.41",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.9",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix a null pointer dereference in ice_copy_and_init_pkg()\n\nAdd check for the return value of devm_kmemdup()\nto prevent potential null pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:44:32.084Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/35370d3b44efe194fd5ad55bac987e629597d782"
},
{
"url": "https://git.kernel.org/stable/c/435462f8ab2b9c5340a5414ce02f70117d0cfede"
},
{
"url": "https://git.kernel.org/stable/c/7c5a13c76dd37e9e4f8d48b87376a54f4399ce15"
},
{
"url": "https://git.kernel.org/stable/c/1c30093d58cd3d02d8358e2b1f4a06a0aae0bf5b"
},
{
"url": "https://git.kernel.org/stable/c/3028f2a4e746b499043bbb8ab816f975473a0535"
},
{
"url": "https://git.kernel.org/stable/c/0fde7dccbf4c8a6d7940ecaf4c3d80a12f405dd7"
},
{
"url": "https://git.kernel.org/stable/c/6d640a8ea62435a7f6f89869bee4fa99423d07ca"
},
{
"url": "https://git.kernel.org/stable/c/4ff12d82dac119b4b99b5a78b5af3bf2474c0a36"
}
],
"title": "ice: Fix a null pointer dereference in ice_copy_and_init_pkg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38664",
"datePublished": "2025-08-22T16:02:56.707Z",
"dateReserved": "2025-04-16T04:51:24.031Z",
"dateUpdated": "2025-11-03T17:40:50.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38728 (GCVE-0-2025-38728)
Vulnerability from cvelistv5 – Published: 2025-09-04 15:33 – Updated: 2025-11-03 17:41
VLAI?
EPSS
Title
smb3: fix for slab out of bounds on mount to ksmbd
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb3: fix for slab out of bounds on mount to ksmbd
With KASAN enabled, it is possible to get a slab out of bounds
during mount to ksmbd due to missing check in parse_server_interfaces()
(see below):
BUG: KASAN: slab-out-of-bounds in
parse_server_interfaces+0x14ee/0x1880 [cifs]
Read of size 4 at addr ffff8881433dba98 by task mount/9827
CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G
OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary)
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Dell Inc. Precision Tower 3620/0MWYPT,
BIOS 2.13.1 06/14/2019
Call Trace:
<TASK>
dump_stack_lvl+0x9f/0xf0
print_report+0xd1/0x670
__virt_addr_valid+0x22c/0x430
? parse_server_interfaces+0x14ee/0x1880 [cifs]
? kasan_complete_mode_report_info+0x2a/0x1f0
? parse_server_interfaces+0x14ee/0x1880 [cifs]
kasan_report+0xd6/0x110
parse_server_interfaces+0x14ee/0x1880 [cifs]
__asan_report_load_n_noabort+0x13/0x20
parse_server_interfaces+0x14ee/0x1880 [cifs]
? __pfx_parse_server_interfaces+0x10/0x10 [cifs]
? trace_hardirqs_on+0x51/0x60
SMB3_request_interfaces+0x1ad/0x3f0 [cifs]
? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]
? SMB2_tcon+0x23c/0x15d0 [cifs]
smb3_qfs_tcon+0x173/0x2b0 [cifs]
? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
? cifs_get_tcon+0x105d/0x2120 [cifs]
? do_raw_spin_unlock+0x5d/0x200
? cifs_get_tcon+0x105d/0x2120 [cifs]
? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]
cifs_mount_get_tcon+0x369/0xb90 [cifs]
? dfs_cache_find+0xe7/0x150 [cifs]
dfs_mount_share+0x985/0x2970 [cifs]
? check_path.constprop.0+0x28/0x50
? save_trace+0x54/0x370
? __pfx_dfs_mount_share+0x10/0x10 [cifs]
? __lock_acquire+0xb82/0x2ba0
? __kasan_check_write+0x18/0x20
cifs_mount+0xbc/0x9e0 [cifs]
? __pfx_cifs_mount+0x10/0x10 [cifs]
? do_raw_spin_unlock+0x5d/0x200
? cifs_setup_cifs_sb+0x29d/0x810 [cifs]
cifs_smb3_do_mount+0x263/0x1990 [cifs]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fe856be475f7cf5ffcde57341d175ce9fd09434b , < 9bdb8e98a0073c73ab3e6c631ec78877ceb64565
(git)
Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < a0620e1525663edd8c4594f49fb75fe5be4724b0 (git) Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < 8de33d4d72e8fae3502ec3850bd7b14e7c7328b6 (git) Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < a542f93a123555d09c3ce8bc947f7b56ad8e6463 (git) Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < f6eda5b0e8f8123564c5b34f5801d63243032eac (git) Affected: fe856be475f7cf5ffcde57341d175ce9fd09434b , < 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:41:57.246Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9bdb8e98a0073c73ab3e6c631ec78877ceb64565",
"status": "affected",
"version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
"versionType": "git"
},
{
"lessThan": "a0620e1525663edd8c4594f49fb75fe5be4724b0",
"status": "affected",
"version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
"versionType": "git"
},
{
"lessThan": "8de33d4d72e8fae3502ec3850bd7b14e7c7328b6",
"status": "affected",
"version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
"versionType": "git"
},
{
"lessThan": "a542f93a123555d09c3ce8bc947f7b56ad8e6463",
"status": "affected",
"version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
"versionType": "git"
},
{
"lessThan": "f6eda5b0e8f8123564c5b34f5801d63243032eac",
"status": "affected",
"version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
"versionType": "git"
},
{
"lessThan": "7d34ec36abb84fdfb6632a0f2cbda90379ae21fc",
"status": "affected",
"version": "fe856be475f7cf5ffcde57341d175ce9fd09434b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2ops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix for slab out of bounds on mount to ksmbd\n\nWith KASAN enabled, it is possible to get a slab out of bounds\nduring mount to ksmbd due to missing check in parse_server_interfaces()\n(see below):\n\n BUG: KASAN: slab-out-of-bounds in\n parse_server_interfaces+0x14ee/0x1880 [cifs]\n Read of size 4 at addr ffff8881433dba98 by task mount/9827\n\n CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G\n OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary)\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: Dell Inc. Precision Tower 3620/0MWYPT,\n BIOS 2.13.1 06/14/2019\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x9f/0xf0\n print_report+0xd1/0x670\n __virt_addr_valid+0x22c/0x430\n ? parse_server_interfaces+0x14ee/0x1880 [cifs]\n ? kasan_complete_mode_report_info+0x2a/0x1f0\n ? parse_server_interfaces+0x14ee/0x1880 [cifs]\n kasan_report+0xd6/0x110\n parse_server_interfaces+0x14ee/0x1880 [cifs]\n __asan_report_load_n_noabort+0x13/0x20\n parse_server_interfaces+0x14ee/0x1880 [cifs]\n ? __pfx_parse_server_interfaces+0x10/0x10 [cifs]\n ? trace_hardirqs_on+0x51/0x60\n SMB3_request_interfaces+0x1ad/0x3f0 [cifs]\n ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs]\n ? SMB2_tcon+0x23c/0x15d0 [cifs]\n smb3_qfs_tcon+0x173/0x2b0 [cifs]\n ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]\n ? cifs_get_tcon+0x105d/0x2120 [cifs]\n ? do_raw_spin_unlock+0x5d/0x200\n ? cifs_get_tcon+0x105d/0x2120 [cifs]\n ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs]\n cifs_mount_get_tcon+0x369/0xb90 [cifs]\n ? dfs_cache_find+0xe7/0x150 [cifs]\n dfs_mount_share+0x985/0x2970 [cifs]\n ? check_path.constprop.0+0x28/0x50\n ? save_trace+0x54/0x370\n ? __pfx_dfs_mount_share+0x10/0x10 [cifs]\n ? __lock_acquire+0xb82/0x2ba0\n ? __kasan_check_write+0x18/0x20\n cifs_mount+0xbc/0x9e0 [cifs]\n ? __pfx_cifs_mount+0x10/0x10 [cifs]\n ? do_raw_spin_unlock+0x5d/0x200\n ? cifs_setup_cifs_sb+0x29d/0x810 [cifs]\n cifs_smb3_do_mount+0x263/0x1990 [cifs]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:56:54.890Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9bdb8e98a0073c73ab3e6c631ec78877ceb64565"
},
{
"url": "https://git.kernel.org/stable/c/a0620e1525663edd8c4594f49fb75fe5be4724b0"
},
{
"url": "https://git.kernel.org/stable/c/8de33d4d72e8fae3502ec3850bd7b14e7c7328b6"
},
{
"url": "https://git.kernel.org/stable/c/a542f93a123555d09c3ce8bc947f7b56ad8e6463"
},
{
"url": "https://git.kernel.org/stable/c/f6eda5b0e8f8123564c5b34f5801d63243032eac"
},
{
"url": "https://git.kernel.org/stable/c/7d34ec36abb84fdfb6632a0f2cbda90379ae21fc"
}
],
"title": "smb3: fix for slab out of bounds on mount to ksmbd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38728",
"datePublished": "2025-09-04T15:33:26.039Z",
"dateReserved": "2025-04-16T04:51:24.033Z",
"dateUpdated": "2025-11-03T17:41:57.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54144 (GCVE-0-2023-54144)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
drm/amdkfd: Fix kernel warning during topology setup
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix kernel warning during topology setup
This patch fixes the following kernel warning seen during
driver load by correctly initializing the p2plink attr before
creating the sysfs file:
[ +0.002865] ------------[ cut here ]------------
[ +0.002327] kobject: '(null)' (0000000056260cfb): is not initialized, yet kobject_put() is being called.
[ +0.004780] WARNING: CPU: 32 PID: 1006 at lib/kobject.c:718 kobject_put+0xaa/0x1c0
[ +0.001361] Call Trace:
[ +0.001234] <TASK>
[ +0.001067] kfd_remove_sysfs_node_entry+0x24a/0x2d0 [amdgpu]
[ +0.003147] kfd_topology_update_sysfs+0x3d/0x750 [amdgpu]
[ +0.002890] kfd_topology_add_device+0xbd7/0xc70 [amdgpu]
[ +0.002844] ? lock_release+0x13c/0x2e0
[ +0.001936] ? smu_cmn_send_smc_msg_with_param+0x1e8/0x2d0 [amdgpu]
[ +0.003313] ? amdgpu_dpm_get_mclk+0x54/0x60 [amdgpu]
[ +0.002703] kgd2kfd_device_init.cold+0x39f/0x4ed [amdgpu]
[ +0.002930] amdgpu_amdkfd_device_init+0x13d/0x1f0 [amdgpu]
[ +0.002944] amdgpu_device_init.cold+0x1464/0x17b4 [amdgpu]
[ +0.002970] ? pci_bus_read_config_word+0x43/0x80
[ +0.002380] amdgpu_driver_load_kms+0x15/0x100 [amdgpu]
[ +0.002744] amdgpu_pci_probe+0x147/0x370 [amdgpu]
[ +0.002522] local_pci_probe+0x40/0x80
[ +0.001896] work_for_cpu_fn+0x10/0x20
[ +0.001892] process_one_work+0x26e/0x5a0
[ +0.002029] worker_thread+0x1fd/0x3e0
[ +0.001890] ? process_one_work+0x5a0/0x5a0
[ +0.002115] kthread+0xea/0x110
[ +0.001618] ? kthread_complete_and_exit+0x20/0x20
[ +0.002422] ret_from_fork+0x1f/0x30
[ +0.001808] </TASK>
[ +0.001103] irq event stamp: 59837
[ +0.001718] hardirqs last enabled at (59849): [<ffffffffb30fab12>] __up_console_sem+0x52/0x60
[ +0.004414] hardirqs last disabled at (59860): [<ffffffffb30faaf7>] __up_console_sem+0x37/0x60
[ +0.004414] softirqs last enabled at (59654): [<ffffffffb307d9c7>] irq_exit_rcu+0xd7/0x130
[ +0.004205] softirqs last disabled at (59649): [<ffffffffb307d9c7>] irq_exit_rcu+0xd7/0x130
[ +0.004203] ---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0f28cca87e9afc22280c44d378d2a6e249933977 , < 2d5a6742a242091292cc0a2b607be701a45d0c4e
(git)
Affected: 0f28cca87e9afc22280c44d378d2a6e249933977 , < 306888b1246bf44e703b6f1ccc746c2746c1a981 (git) Affected: 0f28cca87e9afc22280c44d378d2a6e249933977 , < cf97eb7e47d4671084c7e114c5d88a3d0540ecbd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d5a6742a242091292cc0a2b607be701a45d0c4e",
"status": "affected",
"version": "0f28cca87e9afc22280c44d378d2a6e249933977",
"versionType": "git"
},
{
"lessThan": "306888b1246bf44e703b6f1ccc746c2746c1a981",
"status": "affected",
"version": "0f28cca87e9afc22280c44d378d2a6e249933977",
"versionType": "git"
},
{
"lessThan": "cf97eb7e47d4671084c7e114c5d88a3d0540ecbd",
"status": "affected",
"version": "0f28cca87e9afc22280c44d378d2a6e249933977",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix kernel warning during topology setup\n\nThis patch fixes the following kernel warning seen during\ndriver load by correctly initializing the p2plink attr before\ncreating the sysfs file:\n\n[ +0.002865] ------------[ cut here ]------------\n[ +0.002327] kobject: \u0027(null)\u0027 (0000000056260cfb): is not initialized, yet kobject_put() is being called.\n[ +0.004780] WARNING: CPU: 32 PID: 1006 at lib/kobject.c:718 kobject_put+0xaa/0x1c0\n[ +0.001361] Call Trace:\n[ +0.001234] \u003cTASK\u003e\n[ +0.001067] kfd_remove_sysfs_node_entry+0x24a/0x2d0 [amdgpu]\n[ +0.003147] kfd_topology_update_sysfs+0x3d/0x750 [amdgpu]\n[ +0.002890] kfd_topology_add_device+0xbd7/0xc70 [amdgpu]\n[ +0.002844] ? lock_release+0x13c/0x2e0\n[ +0.001936] ? smu_cmn_send_smc_msg_with_param+0x1e8/0x2d0 [amdgpu]\n[ +0.003313] ? amdgpu_dpm_get_mclk+0x54/0x60 [amdgpu]\n[ +0.002703] kgd2kfd_device_init.cold+0x39f/0x4ed [amdgpu]\n[ +0.002930] amdgpu_amdkfd_device_init+0x13d/0x1f0 [amdgpu]\n[ +0.002944] amdgpu_device_init.cold+0x1464/0x17b4 [amdgpu]\n[ +0.002970] ? pci_bus_read_config_word+0x43/0x80\n[ +0.002380] amdgpu_driver_load_kms+0x15/0x100 [amdgpu]\n[ +0.002744] amdgpu_pci_probe+0x147/0x370 [amdgpu]\n[ +0.002522] local_pci_probe+0x40/0x80\n[ +0.001896] work_for_cpu_fn+0x10/0x20\n[ +0.001892] process_one_work+0x26e/0x5a0\n[ +0.002029] worker_thread+0x1fd/0x3e0\n[ +0.001890] ? process_one_work+0x5a0/0x5a0\n[ +0.002115] kthread+0xea/0x110\n[ +0.001618] ? kthread_complete_and_exit+0x20/0x20\n[ +0.002422] ret_from_fork+0x1f/0x30\n[ +0.001808] \u003c/TASK\u003e\n[ +0.001103] irq event stamp: 59837\n[ +0.001718] hardirqs last enabled at (59849): [\u003cffffffffb30fab12\u003e] __up_console_sem+0x52/0x60\n[ +0.004414] hardirqs last disabled at (59860): [\u003cffffffffb30faaf7\u003e] __up_console_sem+0x37/0x60\n[ +0.004414] softirqs last enabled at (59654): [\u003cffffffffb307d9c7\u003e] irq_exit_rcu+0xd7/0x130\n[ +0.004205] softirqs last disabled at (59649): [\u003cffffffffb307d9c7\u003e] irq_exit_rcu+0xd7/0x130\n[ +0.004203] ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:57.546Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d5a6742a242091292cc0a2b607be701a45d0c4e"
},
{
"url": "https://git.kernel.org/stable/c/306888b1246bf44e703b6f1ccc746c2746c1a981"
},
{
"url": "https://git.kernel.org/stable/c/cf97eb7e47d4671084c7e114c5d88a3d0540ecbd"
}
],
"title": "drm/amdkfd: Fix kernel warning during topology setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54144",
"datePublished": "2025-12-24T13:06:57.546Z",
"dateReserved": "2025-12-24T13:02:52.523Z",
"dateUpdated": "2025-12-24T13:06:57.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54207 (GCVE-0-2023-54207)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
HID: uclogic: Correct devm device reference for hidinput input_dev name
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: uclogic: Correct devm device reference for hidinput input_dev name
Reference the HID device rather than the input device for the devm
allocation of the input_dev name. Referencing the input_dev would lead to a
use-after-free when the input_dev was unregistered and subsequently fires a
uevent that depends on the name. At the point of firing the uevent, the
name would be freed by devres management.
Use devm_kasprintf to simplify the logic for allocating memory and
formatting the input_dev name string.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cce2dbdf258e6b27b2b100f511531edabb77f427 , < f283805d984343b2f216e2f4c6c7af265b9542ae
(git)
Affected: cce2dbdf258e6b27b2b100f511531edabb77f427 , < 4c2707dfee5847dc0b5ecfbe512c29c93832fdc4 (git) Affected: cce2dbdf258e6b27b2b100f511531edabb77f427 , < 58f0d1c0e494a88f301bf455da7df4366f179bbb (git) Affected: cce2dbdf258e6b27b2b100f511531edabb77f427 , < dd613a4e45f8d35f49a63a2064e5308fa5619e29 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-uclogic-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f283805d984343b2f216e2f4c6c7af265b9542ae",
"status": "affected",
"version": "cce2dbdf258e6b27b2b100f511531edabb77f427",
"versionType": "git"
},
{
"lessThan": "4c2707dfee5847dc0b5ecfbe512c29c93832fdc4",
"status": "affected",
"version": "cce2dbdf258e6b27b2b100f511531edabb77f427",
"versionType": "git"
},
{
"lessThan": "58f0d1c0e494a88f301bf455da7df4366f179bbb",
"status": "affected",
"version": "cce2dbdf258e6b27b2b100f511531edabb77f427",
"versionType": "git"
},
{
"lessThan": "dd613a4e45f8d35f49a63a2064e5308fa5619e29",
"status": "affected",
"version": "cce2dbdf258e6b27b2b100f511531edabb77f427",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-uclogic-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.1"
},
{
"lessThan": "4.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: uclogic: Correct devm device reference for hidinput input_dev name\n\nReference the HID device rather than the input device for the devm\nallocation of the input_dev name. Referencing the input_dev would lead to a\nuse-after-free when the input_dev was unregistered and subsequently fires a\nuevent that depends on the name. At the point of firing the uevent, the\nname would be freed by devres management.\n\nUse devm_kasprintf to simplify the logic for allocating memory and\nformatting the input_dev name string."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:06.643Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f283805d984343b2f216e2f4c6c7af265b9542ae"
},
{
"url": "https://git.kernel.org/stable/c/4c2707dfee5847dc0b5ecfbe512c29c93832fdc4"
},
{
"url": "https://git.kernel.org/stable/c/58f0d1c0e494a88f301bf455da7df4366f179bbb"
},
{
"url": "https://git.kernel.org/stable/c/dd613a4e45f8d35f49a63a2064e5308fa5619e29"
}
],
"title": "HID: uclogic: Correct devm device reference for hidinput input_dev name",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54207",
"datePublished": "2025-12-30T12:11:06.643Z",
"dateReserved": "2025-12-30T12:06:44.500Z",
"dateUpdated": "2025-12-30T12:11:06.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40282 (GCVE-0-2025-40282)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
Bluetooth: 6lowpan: reset link-local header on ipv6 recv path
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: 6lowpan: reset link-local header on ipv6 recv path
Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local
header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW
Add missing skb_reset_mac_header() for uncompressed ipv6 RX path.
For the compressed one, it is done in lowpan_header_decompress().
Log: (BlueZ 6lowpan-tester Client Recv Raw - Success)
------
kernel BUG at net/core/skbuff.c:212!
Call Trace:
<IRQ>
...
packet_rcv (net/packet/af_packet.c:2152)
...
<TASK>
__local_bh_enable_ip (kernel/softirq.c:407)
netif_rx (net/core/dev.c:5648)
chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359)
------
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
18722c247023035b9e2e2a08a887adec2a9a6e49 , < ea46a1d217bc82e01cf3d0424e50ebfe251e34bf
(git)
Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 973e0271754c77db3e1b6b69adf2de85a79a4c8b (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < d566e9a2bfc848941b091ffd5f4e12c4e889d818 (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 4ebb90c3c309e6375dc3e841af92e2a039843e62 (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < c24ac6cfe4f9a47180a65592c47e7a310d2f9d93 (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 11cd7e068381666f842ad41d1cc58eecd0c75237 (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 70d84e7c3a44b81020a3c3d650a64c63593405bd (git) Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 3b78f50918276ab28fb22eac9aa49401ac436a3b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/6lowpan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ea46a1d217bc82e01cf3d0424e50ebfe251e34bf",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "973e0271754c77db3e1b6b69adf2de85a79a4c8b",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "d566e9a2bfc848941b091ffd5f4e12c4e889d818",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "4ebb90c3c309e6375dc3e841af92e2a039843e62",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "c24ac6cfe4f9a47180a65592c47e7a310d2f9d93",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "11cd7e068381666f842ad41d1cc58eecd0c75237",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "70d84e7c3a44b81020a3c3d650a64c63593405bd",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
},
{
"lessThan": "3b78f50918276ab28fb22eac9aa49401ac436a3b",
"status": "affected",
"version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/6lowpan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: 6lowpan: reset link-local header on ipv6 recv path\n\nBluetooth 6lowpan.c netdev has header_ops, so it must set link-local\nheader for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW\n\nAdd missing skb_reset_mac_header() for uncompressed ipv6 RX path.\n\nFor the compressed one, it is done in lowpan_header_decompress().\n\nLog: (BlueZ 6lowpan-tester Client Recv Raw - Success)\n------\nkernel BUG at net/core/skbuff.c:212!\nCall Trace:\n\u003cIRQ\u003e\n...\npacket_rcv (net/packet/af_packet.c:2152)\n...\n\u003cTASK\u003e\n__local_bh_enable_ip (kernel/softirq.c:407)\nnetif_rx (net/core/dev.c:5648)\nchan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359)\n------"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:06.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ea46a1d217bc82e01cf3d0424e50ebfe251e34bf"
},
{
"url": "https://git.kernel.org/stable/c/973e0271754c77db3e1b6b69adf2de85a79a4c8b"
},
{
"url": "https://git.kernel.org/stable/c/d566e9a2bfc848941b091ffd5f4e12c4e889d818"
},
{
"url": "https://git.kernel.org/stable/c/4ebb90c3c309e6375dc3e841af92e2a039843e62"
},
{
"url": "https://git.kernel.org/stable/c/c24ac6cfe4f9a47180a65592c47e7a310d2f9d93"
},
{
"url": "https://git.kernel.org/stable/c/11cd7e068381666f842ad41d1cc58eecd0c75237"
},
{
"url": "https://git.kernel.org/stable/c/70d84e7c3a44b81020a3c3d650a64c63593405bd"
},
{
"url": "https://git.kernel.org/stable/c/3b78f50918276ab28fb22eac9aa49401ac436a3b"
}
],
"title": "Bluetooth: 6lowpan: reset link-local header on ipv6 recv path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40282",
"datePublished": "2025-12-06T21:51:06.287Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:06.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54107 (GCVE-0-2023-54107)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
blk-cgroup: dropping parent refcount after pd_free_fn() is done
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: dropping parent refcount after pd_free_fn() is done
Some cgroup policies will access parent pd through child pd even
after pd_offline_fn() is done. If pd_free_fn() for parent is called
before child, then UAF can be triggered. Hence it's better to guarantee
the order of pd_free_fn().
Currently refcount of parent blkg is dropped in __blkg_release(), which
is before pd_free_fn() is called in blkg_free_work_fn() while
blkg_free_work_fn() is called asynchronously.
This patch make sure pd_free_fn() called from removing cgroup is ordered
by delaying dropping parent refcount after calling pd_free_fn() for
child.
BTW, pd_free_fn() will also be called from blkcg_deactivate_policy()
from deleting device, and following patches will guarantee the order.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c7241babf0855d8a6180cd1743ff0ec34de40b4e",
"status": "affected",
"version": "d578c770c85233af592e54537f93f3831bde7e9a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-cgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-cgroup: dropping parent refcount after pd_free_fn() is done\n\nSome cgroup policies will access parent pd through child pd even\nafter pd_offline_fn() is done. If pd_free_fn() for parent is called\nbefore child, then UAF can be triggered. Hence it\u0027s better to guarantee\nthe order of pd_free_fn().\n\nCurrently refcount of parent blkg is dropped in __blkg_release(), which\nis before pd_free_fn() is called in blkg_free_work_fn() while\nblkg_free_work_fn() is called asynchronously.\n\nThis patch make sure pd_free_fn() called from removing cgroup is ordered\nby delaying dropping parent refcount after calling pd_free_fn() for\nchild.\n\nBTW, pd_free_fn() will also be called from blkcg_deactivate_policy()\nfrom deleting device, and following patches will guarantee the order."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:48.969Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c7241babf0855d8a6180cd1743ff0ec34de40b4e"
}
],
"title": "blk-cgroup: dropping parent refcount after pd_free_fn() is done",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54107",
"datePublished": "2025-12-24T13:06:31.505Z",
"dateReserved": "2025-12-24T13:02:52.517Z",
"dateUpdated": "2026-01-05T10:33:48.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50649 (GCVE-0-2022-50649)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-23 13:30
VLAI?
EPSS
Title
power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()
Summary
In the Linux kernel, the following vulnerability has been resolved:
power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()
ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length
of 8, but adp5061_chg_type array size is 4, may end up reading 4 elements
beyond the end of the adp5061_chg_type[] array.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fe8e81b7e899968690e5e87c25727178921b5b9a , < 24a0be36e9a21f63de2e6088607e689e59ec15f4
(git)
Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 3376a0cf138dfc90b449fde541ca228a33e1c143 (git) Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 89f305a71418591cdda18180f712f91c9820f03b (git) Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 7c8bc374659de19d846f7cab3eda9ebdb005c4cc (git) Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 038e4aa71281d0cbc8aeb56ba05ff7fc5653a106 (git) Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < dc52b73d3acd676ccbb440fcec617c547b903af2 (git) Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 9d47e01b9d807808224347935562f7043a358054 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/adp5061.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "24a0be36e9a21f63de2e6088607e689e59ec15f4",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "3376a0cf138dfc90b449fde541ca228a33e1c143",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "89f305a71418591cdda18180f712f91c9820f03b",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "7c8bc374659de19d846f7cab3eda9ebdb005c4cc",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "038e4aa71281d0cbc8aeb56ba05ff7fc5653a106",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "dc52b73d3acd676ccbb440fcec617c547b903af2",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
},
{
"lessThan": "9d47e01b9d807808224347935562f7043a358054",
"status": "affected",
"version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/adp5061.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()\n\nADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length\nof 8, but adp5061_chg_type array size is 4, may end up reading 4 elements\nbeyond the end of the adp5061_chg_type[] array."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:26.076Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/24a0be36e9a21f63de2e6088607e689e59ec15f4"
},
{
"url": "https://git.kernel.org/stable/c/3376a0cf138dfc90b449fde541ca228a33e1c143"
},
{
"url": "https://git.kernel.org/stable/c/89f305a71418591cdda18180f712f91c9820f03b"
},
{
"url": "https://git.kernel.org/stable/c/7c8bc374659de19d846f7cab3eda9ebdb005c4cc"
},
{
"url": "https://git.kernel.org/stable/c/038e4aa71281d0cbc8aeb56ba05ff7fc5653a106"
},
{
"url": "https://git.kernel.org/stable/c/dc52b73d3acd676ccbb440fcec617c547b903af2"
},
{
"url": "https://git.kernel.org/stable/c/9d47e01b9d807808224347935562f7043a358054"
}
],
"title": "power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50649",
"datePublished": "2025-12-09T00:00:23.331Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-23T13:30:26.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54019 (GCVE-0-2023-54019)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
sched/psi: use kernfs polling functions for PSI trigger polling
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/psi: use kernfs polling functions for PSI trigger polling
Destroying psi trigger in cgroup_file_release causes UAF issues when
a cgroup is removed from under a polling process. This is happening
because cgroup removal causes a call to cgroup_file_release while the
actual file is still alive. Destroying the trigger at this point would
also destroy its waitqueue head and if there is still a polling process
on that file accessing the waitqueue, it will step on the freed pointer:
do_select
vfs_poll
do_rmdir
cgroup_rmdir
kernfs_drain_open_files
cgroup_file_release
cgroup_pressure_release
psi_trigger_destroy
wake_up_pollfree(&t->event_wait)
// vfs_poll is unblocked
synchronize_rcu
kfree(t)
poll_freewait -> UAF access to the trigger's waitqueue head
Patch [1] fixed this issue for epoll() case using wake_up_pollfree(),
however the same issue exists for synchronous poll() case.
The root cause of this issue is that the lifecycles of the psi trigger's
waitqueue and of the file associated with the trigger are different. Fix
this by using kernfs_generic_poll function when polling on cgroup-specific
psi triggers. It internally uses kernfs_open_node->poll waitqueue head
with its lifecycle tied to the file's lifecycle. This also renders the
fix in [1] obsolete, so revert it.
[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()")
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < 92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a
(git)
Affected: 0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < d124ab17024cc85a1079b7810a018a497ebc13da (git) Affected: 0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < aff037078ecaecf34a7c2afab1341815f90fba5e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/psi.h",
"include/linux/psi_types.h",
"kernel/cgroup/cgroup.c",
"kernel/sched/psi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a",
"status": "affected",
"version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
"versionType": "git"
},
{
"lessThan": "d124ab17024cc85a1079b7810a018a497ebc13da",
"status": "affected",
"version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
"versionType": "git"
},
{
"lessThan": "aff037078ecaecf34a7c2afab1341815f90fba5e",
"status": "affected",
"version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/psi.h",
"include/linux/psi_types.h",
"kernel/cgroup/cgroup.c",
"kernel/sched/psi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: use kernfs polling functions for PSI trigger polling\n\nDestroying psi trigger in cgroup_file_release causes UAF issues when\na cgroup is removed from under a polling process. This is happening\nbecause cgroup removal causes a call to cgroup_file_release while the\nactual file is still alive. Destroying the trigger at this point would\nalso destroy its waitqueue head and if there is still a polling process\non that file accessing the waitqueue, it will step on the freed pointer:\n\ndo_select\n vfs_poll\n do_rmdir\n cgroup_rmdir\n kernfs_drain_open_files\n cgroup_file_release\n cgroup_pressure_release\n psi_trigger_destroy\n wake_up_pollfree(\u0026t-\u003eevent_wait)\n// vfs_poll is unblocked\n synchronize_rcu\n kfree(t)\n poll_freewait -\u003e UAF access to the trigger\u0027s waitqueue head\n\nPatch [1] fixed this issue for epoll() case using wake_up_pollfree(),\nhowever the same issue exists for synchronous poll() case.\nThe root cause of this issue is that the lifecycles of the psi trigger\u0027s\nwaitqueue and of the file associated with the trigger are different. Fix\nthis by using kernfs_generic_poll function when polling on cgroup-specific\npsi triggers. It internally uses kernfs_open_node-\u003epoll waitqueue head\nwith its lifecycle tied to the file\u0027s lifecycle. This also renders the\nfix in [1] obsolete, so revert it.\n\n[1] commit c2dbe32d5db5 (\"sched/psi: Fix use-after-free in ep_remove_wait_queue()\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:49.840Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a"
},
{
"url": "https://git.kernel.org/stable/c/d124ab17024cc85a1079b7810a018a497ebc13da"
},
{
"url": "https://git.kernel.org/stable/c/aff037078ecaecf34a7c2afab1341815f90fba5e"
}
],
"title": "sched/psi: use kernfs polling functions for PSI trigger polling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54019",
"datePublished": "2025-12-24T10:55:49.840Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:49.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54066 (GCVE-0-2023-54066)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer
In gl861_i2c_master_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach gl861_i2c_master_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.
Similar commit:
commit 0ed554fd769a
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1ea76d16569b7fc242b860c7e19549be028b13d1 , < 578b67614ae0e4fba3945b66a4c8f9ae77115bcb
(git)
Affected: 1ea76d16569b7fc242b860c7e19549be028b13d1 , < 2a33fc57133d6f39d62285df6706aeb1714967f1 (git) Affected: 1ea76d16569b7fc242b860c7e19549be028b13d1 , < dfcd3c010209927b9f45b860f046635dc32e32e1 (git) Affected: 1ea76d16569b7fc242b860c7e19549be028b13d1 , < 72af676551efe820e309a6c7681c2c4372f37376 (git) Affected: 1ea76d16569b7fc242b860c7e19549be028b13d1 , < b97719a66970601cd3151a3e2020f4454a1c4ff6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb-v2/gl861.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "578b67614ae0e4fba3945b66a4c8f9ae77115bcb",
"status": "affected",
"version": "1ea76d16569b7fc242b860c7e19549be028b13d1",
"versionType": "git"
},
{
"lessThan": "2a33fc57133d6f39d62285df6706aeb1714967f1",
"status": "affected",
"version": "1ea76d16569b7fc242b860c7e19549be028b13d1",
"versionType": "git"
},
{
"lessThan": "dfcd3c010209927b9f45b860f046635dc32e32e1",
"status": "affected",
"version": "1ea76d16569b7fc242b860c7e19549be028b13d1",
"versionType": "git"
},
{
"lessThan": "72af676551efe820e309a6c7681c2c4372f37376",
"status": "affected",
"version": "1ea76d16569b7fc242b860c7e19549be028b13d1",
"versionType": "git"
},
{
"lessThan": "b97719a66970601cd3151a3e2020f4454a1c4ff6",
"status": "affected",
"version": "1ea76d16569b7fc242b860c7e19549be028b13d1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb-v2/gl861.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer\n\nIn gl861_i2c_master_xfer, msg is controlled by user. When msg[i].buf\nis null and msg[i].len is zero, former checks on msg[i].buf would be\npassed. Malicious data finally reach gl861_i2c_master_xfer. If accessing\nmsg[i].buf[0] without sanity check, null ptr deref would happen.\nWe add check on msg[i].len to prevent crash.\n\nSimilar commit:\ncommit 0ed554fd769a\n(\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:38.439Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/578b67614ae0e4fba3945b66a4c8f9ae77115bcb"
},
{
"url": "https://git.kernel.org/stable/c/2a33fc57133d6f39d62285df6706aeb1714967f1"
},
{
"url": "https://git.kernel.org/stable/c/dfcd3c010209927b9f45b860f046635dc32e32e1"
},
{
"url": "https://git.kernel.org/stable/c/72af676551efe820e309a6c7681c2c4372f37376"
},
{
"url": "https://git.kernel.org/stable/c/b97719a66970601cd3151a3e2020f4454a1c4ff6"
}
],
"title": "media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54066",
"datePublished": "2025-12-24T12:23:11.431Z",
"dateReserved": "2025-12-24T12:21:05.092Z",
"dateUpdated": "2026-01-05T10:33:38.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50699 (GCVE-0-2022-50699)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
Summary
In the Linux kernel, the following vulnerability has been resolved:
selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
The following warning was triggered on a hardware environment:
SELinux: Converting 162 SID table entries...
BUG: sleeping function called from invalid context at
__might_sleep+0x60/0x74 0x0
in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar
CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1
Call trace:
dump_backtrace+0x0/0x1c8
show_stack+0x18/0x28
dump_stack+0xe8/0x15c
___might_sleep+0x168/0x17c
__might_sleep+0x60/0x74
__kmalloc_track_caller+0xa0/0x7dc
kstrdup+0x54/0xac
convert_context+0x48/0x2e4
sidtab_context_to_sid+0x1c4/0x36c
security_context_to_sid_core+0x168/0x238
security_context_to_sid_default+0x14/0x24
inode_doinit_use_xattr+0x164/0x1e4
inode_doinit_with_dentry+0x1c0/0x488
selinux_d_instantiate+0x20/0x34
security_d_instantiate+0x70/0xbc
d_splice_alias+0x4c/0x3c0
ext4_lookup+0x1d8/0x200 [ext4]
__lookup_slow+0x12c/0x1e4
walk_component+0x100/0x200
path_lookupat+0x88/0x118
filename_lookup+0x98/0x130
user_path_at_empty+0x48/0x60
vfs_statx+0x84/0x140
vfs_fstatat+0x20/0x30
__se_sys_newfstatat+0x30/0x74
__arm64_sys_newfstatat+0x1c/0x2c
el0_svc_common.constprop.0+0x100/0x184
do_el0_svc+0x1c/0x2c
el0_svc+0x20/0x34
el0_sync_handler+0x80/0x17c
el0_sync+0x13c/0x140
SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is
not valid (left unmapped).
It was found that within a critical section of spin_lock_irqsave in
sidtab_context_to_sid(), convert_context() (hooked by
sidtab_convert_params.func) might cause the process to sleep via
allocating memory with GFP_KERNEL, which is problematic.
As Ondrej pointed out [1], convert_context()/sidtab_convert_params.func
has another caller sidtab_convert_tree(), which is okay with GFP_KERNEL.
Therefore, fix this problem by adding a gfp_t argument for
convert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC
properly in individual callers.
[PM: wrap long BUG() output lines, tweak subject line]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < 2723875e9d677401d775a03a72abab7e9538c20c
(git)
Affected: ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < 3006766d247bc93a25b34e92fff2f75bda597e2e (git) Affected: ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < 277378631d26477451424cc73982b977961f3d8b (git) Affected: ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < abe3c631447dcd1ba7af972fe6f054bee6f136fa (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/selinux/ss/services.c",
"security/selinux/ss/sidtab.c",
"security/selinux/ss/sidtab.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2723875e9d677401d775a03a72abab7e9538c20c",
"status": "affected",
"version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
"versionType": "git"
},
{
"lessThan": "3006766d247bc93a25b34e92fff2f75bda597e2e",
"status": "affected",
"version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
"versionType": "git"
},
{
"lessThan": "277378631d26477451424cc73982b977961f3d8b",
"status": "affected",
"version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
"versionType": "git"
},
{
"lessThan": "abe3c631447dcd1ba7af972fe6f054bee6f136fa",
"status": "affected",
"version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/selinux/ss/services.c",
"security/selinux/ss/sidtab.c",
"security/selinux/ss/sidtab.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()\n\nThe following warning was triggered on a hardware environment:\n\n SELinux: Converting 162 SID table entries...\n BUG: sleeping function called from invalid context at\n __might_sleep+0x60/0x74 0x0\n in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar\n CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1\n Call trace:\n dump_backtrace+0x0/0x1c8\n show_stack+0x18/0x28\n dump_stack+0xe8/0x15c\n ___might_sleep+0x168/0x17c\n __might_sleep+0x60/0x74\n __kmalloc_track_caller+0xa0/0x7dc\n kstrdup+0x54/0xac\n convert_context+0x48/0x2e4\n sidtab_context_to_sid+0x1c4/0x36c\n security_context_to_sid_core+0x168/0x238\n security_context_to_sid_default+0x14/0x24\n inode_doinit_use_xattr+0x164/0x1e4\n inode_doinit_with_dentry+0x1c0/0x488\n selinux_d_instantiate+0x20/0x34\n security_d_instantiate+0x70/0xbc\n d_splice_alias+0x4c/0x3c0\n ext4_lookup+0x1d8/0x200 [ext4]\n __lookup_slow+0x12c/0x1e4\n walk_component+0x100/0x200\n path_lookupat+0x88/0x118\n filename_lookup+0x98/0x130\n user_path_at_empty+0x48/0x60\n vfs_statx+0x84/0x140\n vfs_fstatat+0x20/0x30\n __se_sys_newfstatat+0x30/0x74\n __arm64_sys_newfstatat+0x1c/0x2c\n el0_svc_common.constprop.0+0x100/0x184\n do_el0_svc+0x1c/0x2c\n el0_svc+0x20/0x34\n el0_sync_handler+0x80/0x17c\n el0_sync+0x13c/0x140\n SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is\n not valid (left unmapped).\n\nIt was found that within a critical section of spin_lock_irqsave in\nsidtab_context_to_sid(), convert_context() (hooked by\nsidtab_convert_params.func) might cause the process to sleep via\nallocating memory with GFP_KERNEL, which is problematic.\n\nAs Ondrej pointed out [1], convert_context()/sidtab_convert_params.func\nhas another caller sidtab_convert_tree(), which is okay with GFP_KERNEL.\nTherefore, fix this problem by adding a gfp_t argument for\nconvert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC\nproperly in individual callers.\n\n[PM: wrap long BUG() output lines, tweak subject line]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:15.468Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2723875e9d677401d775a03a72abab7e9538c20c"
},
{
"url": "https://git.kernel.org/stable/c/3006766d247bc93a25b34e92fff2f75bda597e2e"
},
{
"url": "https://git.kernel.org/stable/c/277378631d26477451424cc73982b977961f3d8b"
},
{
"url": "https://git.kernel.org/stable/c/abe3c631447dcd1ba7af972fe6f054bee6f136fa"
}
],
"title": "selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50699",
"datePublished": "2025-12-24T10:55:15.468Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2025-12-24T10:55:15.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40219 (GCVE-0-2025-40219)
Vulnerability from cvelistv5 – Published: 2025-12-04 14:50 – Updated: 2025-12-04 14:50
VLAI?
EPSS
Title
PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
Before disabling SR-IOV via config space accesses to the parent PF,
sriov_disable() first removes the PCI devices representing the VFs.
Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()")
such removal operations are serialized against concurrent remove and
rescan using the pci_rescan_remove_lock. No such locking was ever added
in sriov_disable() however. In particular when commit 18f9e9d150fc
("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device
removal into sriov_del_vfs() there was still no locking around the
pci_iov_remove_virtfn() calls.
On s390 the lack of serialization in sriov_disable() may cause double
remove and list corruption with the below (amended) trace being observed:
PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56)
GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001
00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480
0000000000000001 0000000000000000 0000000000000000 0000000180692828
00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8
#0 [3800313fb20] device_del at c9158ad5c
#1 [3800313fb88] pci_remove_bus_device at c915105ba
#2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198
#3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0
#4 [3800313fc60] zpci_bus_remove_device at c90fb6104
#5 [3800313fca0] __zpci_event_availability at c90fb3dca
#6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2
#7 [3800313fd60] crw_collect_info at c91905822
#8 [3800313fe10] kthread at c90feb390
#9 [3800313fe68] __ret_from_fork at c90f6aa64
#10 [3800313fe98] ret_from_fork at c9194f3f2.
This is because in addition to sriov_disable() removing the VFs, the
platform also generates hot-unplug events for the VFs. This being the
reverse operation to the hotplug events generated by sriov_enable() and
handled via pdev->no_vf_scan. And while the event processing takes
pci_rescan_remove_lock and checks whether the struct pci_dev still exists,
the lack of synchronization makes this checking racy.
Other races may also be possible of course though given that this lack of
locking persisted so long observable races seem very rare. Even on s390 the
list corruption was only observed with certain devices since the platform
events are only triggered by config accesses after the removal, so as long
as the removal finished synchronously they would not race. Either way the
locking is missing so fix this by adding it to the sriov_del_vfs() helper.
Just like PCI rescan-remove, locking is also missing in sriov_add_vfs()
including for the error case where pci_stop_and_remove_bus_device() is
called without the PCI rescan-remove lock being held. Even in the non-error
case, adding new PCI devices and buses should be serialized via the PCI
rescan-remove lock. Add the necessary locking.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
18f9e9d150fccfa747875df6f0a9f606740762b3 , < 5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf
(git)
Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 1e8a80290f964bdbad225221c8a1594c7e01c8fd (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < a645ca21de09e3137cbb224fa6c23cca873a1d01 (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < a24219172456f035d886857e265ca24c85b167c8 (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 36039348bca77828bf06eae41b8f76e38cd15847 (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 53154cd40ccf285f1d1c24367824082061d155bd (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < ee40e5db052d7c6f406fdb95ad639c894c74674c (git) Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/iov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "1e8a80290f964bdbad225221c8a1594c7e01c8fd",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "a645ca21de09e3137cbb224fa6c23cca873a1d01",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "a24219172456f035d886857e265ca24c85b167c8",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "36039348bca77828bf06eae41b8f76e38cd15847",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "53154cd40ccf285f1d1c24367824082061d155bd",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "ee40e5db052d7c6f406fdb95ad639c894c74674c",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
},
{
"lessThan": "05703271c3cdcc0f2a8cf6ebdc45892b8ca83520",
"status": "affected",
"version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/iov.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV\n\nBefore disabling SR-IOV via config space accesses to the parent PF,\nsriov_disable() first removes the PCI devices representing the VFs.\n\nSince commit 9d16947b7583 (\"PCI: Add global pci_lock_rescan_remove()\")\nsuch removal operations are serialized against concurrent remove and\nrescan using the pci_rescan_remove_lock. No such locking was ever added\nin sriov_disable() however. In particular when commit 18f9e9d150fc\n(\"PCI/IOV: Factor out sriov_add_vfs()\") factored out the PCI device\nremoval into sriov_del_vfs() there was still no locking around the\npci_iov_remove_virtfn() calls.\n\nOn s390 the lack of serialization in sriov_disable() may cause double\nremove and list corruption with the below (amended) trace being observed:\n\n PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56)\n GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001\n\t00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480\n\t0000000000000001 0000000000000000 0000000000000000 0000000180692828\n\t00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8\n #0 [3800313fb20] device_del at c9158ad5c\n #1 [3800313fb88] pci_remove_bus_device at c915105ba\n #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198\n #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0\n #4 [3800313fc60] zpci_bus_remove_device at c90fb6104\n #5 [3800313fca0] __zpci_event_availability at c90fb3dca\n #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2\n #7 [3800313fd60] crw_collect_info at c91905822\n #8 [3800313fe10] kthread at c90feb390\n #9 [3800313fe68] __ret_from_fork at c90f6aa64\n #10 [3800313fe98] ret_from_fork at c9194f3f2.\n\nThis is because in addition to sriov_disable() removing the VFs, the\nplatform also generates hot-unplug events for the VFs. This being the\nreverse operation to the hotplug events generated by sriov_enable() and\nhandled via pdev-\u003eno_vf_scan. And while the event processing takes\npci_rescan_remove_lock and checks whether the struct pci_dev still exists,\nthe lack of synchronization makes this checking racy.\n\nOther races may also be possible of course though given that this lack of\nlocking persisted so long observable races seem very rare. Even on s390 the\nlist corruption was only observed with certain devices since the platform\nevents are only triggered by config accesses after the removal, so as long\nas the removal finished synchronously they would not race. Either way the\nlocking is missing so fix this by adding it to the sriov_del_vfs() helper.\n\nJust like PCI rescan-remove, locking is also missing in sriov_add_vfs()\nincluding for the error case where pci_stop_and_remove_bus_device() is\ncalled without the PCI rescan-remove lock being held. Even in the non-error\ncase, adding new PCI devices and buses should be serialized via the PCI\nrescan-remove lock. Add the necessary locking."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T14:50:42.996Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf"
},
{
"url": "https://git.kernel.org/stable/c/1e8a80290f964bdbad225221c8a1594c7e01c8fd"
},
{
"url": "https://git.kernel.org/stable/c/a645ca21de09e3137cbb224fa6c23cca873a1d01"
},
{
"url": "https://git.kernel.org/stable/c/a24219172456f035d886857e265ca24c85b167c8"
},
{
"url": "https://git.kernel.org/stable/c/36039348bca77828bf06eae41b8f76e38cd15847"
},
{
"url": "https://git.kernel.org/stable/c/53154cd40ccf285f1d1c24367824082061d155bd"
},
{
"url": "https://git.kernel.org/stable/c/ee40e5db052d7c6f406fdb95ad639c894c74674c"
},
{
"url": "https://git.kernel.org/stable/c/05703271c3cdcc0f2a8cf6ebdc45892b8ca83520"
}
],
"title": "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40219",
"datePublished": "2025-12-04T14:50:42.996Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-04T14:50:42.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40304 (GCVE-0-2025-40304)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
Add bounds checking to prevent writes past framebuffer boundaries when
rendering text near screen edges. Return early if the Y position is off-screen
and clip image height to screen boundary. Break from the rendering loop if the
X position is off-screen. When clipping image width to fit the screen, update
the character count to match the clipped width to prevent buffer size
mismatches.
Without the character count update, bit_putcs_aligned and bit_putcs_unaligned
receive mismatched parameters where the buffer is allocated for the clipped
width but cnt reflects the original larger count, causing out-of-bounds writes.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 996bfaa7372d6718b6d860bdf78f6618e850c702
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f0982400648a3e00580253e0c48e991f34d2684c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ebc0730b490c7f27340b1222e01dd106e820320d (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 86df8ade88d290725554cefd03101ecd0fbd3752 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 15ba9acafb0517f8359ca30002c189a68ddbb939 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2d1359e11674ed4274934eac8a71877ae5ae7bbb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3637d34b35b287ab830e66048841ace404382b67 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "996bfaa7372d6718b6d860bdf78f6618e850c702",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f0982400648a3e00580253e0c48e991f34d2684c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ebc0730b490c7f27340b1222e01dd106e820320d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "86df8ade88d290725554cefd03101ecd0fbd3752",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "15ba9acafb0517f8359ca30002c189a68ddbb939",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2d1359e11674ed4274934eac8a71877ae5ae7bbb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3637d34b35b287ab830e66048841ace404382b67",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds\n\nAdd bounds checking to prevent writes past framebuffer boundaries when\nrendering text near screen edges. Return early if the Y position is off-screen\nand clip image height to screen boundary. Break from the rendering loop if the\nX position is off-screen. When clipping image width to fit the screen, update\nthe character count to match the clipped width to prevent buffer size\nmismatches.\n\nWithout the character count update, bit_putcs_aligned and bit_putcs_unaligned\nreceive mismatched parameters where the buffer is allocated for the clipped\nwidth but cnt reflects the original larger count, causing out-of-bounds writes."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:26.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/996bfaa7372d6718b6d860bdf78f6618e850c702"
},
{
"url": "https://git.kernel.org/stable/c/f0982400648a3e00580253e0c48e991f34d2684c"
},
{
"url": "https://git.kernel.org/stable/c/1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1"
},
{
"url": "https://git.kernel.org/stable/c/ebc0730b490c7f27340b1222e01dd106e820320d"
},
{
"url": "https://git.kernel.org/stable/c/86df8ade88d290725554cefd03101ecd0fbd3752"
},
{
"url": "https://git.kernel.org/stable/c/15ba9acafb0517f8359ca30002c189a68ddbb939"
},
{
"url": "https://git.kernel.org/stable/c/2d1359e11674ed4274934eac8a71877ae5ae7bbb"
},
{
"url": "https://git.kernel.org/stable/c/3637d34b35b287ab830e66048841ace404382b67"
}
],
"title": "fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40304",
"datePublished": "2025-12-08T00:46:29.013Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:26.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53784 (GCVE-0-2023-53784)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
drm: bridge: dw_hdmi: fix connector access for scdc
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm: bridge: dw_hdmi: fix connector access for scdc
Commit 5d844091f237 ("drm/scdc-helper: Pimp SCDC debugs") changed the scdc
interface to pick up an i2c adapter from a connector instead. However, in
the case of dw-hdmi, the wrong connector was being used to pass i2c adapter
information, since dw-hdmi's embedded connector structure is only populated
when the bridge attachment callback explicitly asks for it.
drm-meson is handling connector creation, so this won't happen, leading to
a NULL pointer dereference.
Fix it by having scdc functions access dw-hdmi's current connector pointer
instead, which is assigned during the bridge enablement stage.
[narmstrong: moved Fixes tag before first S-o-b and added Reported-by tag]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/synopsys/dw-hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "552f79aa9e801ed4f74d6b3221af78042ba4f235",
"status": "affected",
"version": "5d844091f2370f01752c3129b147861b9dcd3d98",
"versionType": "git"
},
{
"lessThan": "98703e4e061fb8715c7613cd227e32cdfd136b23",
"status": "affected",
"version": "5d844091f2370f01752c3129b147861b9dcd3d98",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/bridge/synopsys/dw-hdmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: bridge: dw_hdmi: fix connector access for scdc\n\nCommit 5d844091f237 (\"drm/scdc-helper: Pimp SCDC debugs\") changed the scdc\ninterface to pick up an i2c adapter from a connector instead. However, in\nthe case of dw-hdmi, the wrong connector was being used to pass i2c adapter\ninformation, since dw-hdmi\u0027s embedded connector structure is only populated\nwhen the bridge attachment callback explicitly asks for it.\n\ndrm-meson is handling connector creation, so this won\u0027t happen, leading to\na NULL pointer dereference.\n\nFix it by having scdc functions access dw-hdmi\u0027s current connector pointer\ninstead, which is assigned during the bridge enablement stage.\n\n[narmstrong: moved Fixes tag before first S-o-b and added Reported-by tag]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:39.591Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/552f79aa9e801ed4f74d6b3221af78042ba4f235"
},
{
"url": "https://git.kernel.org/stable/c/98703e4e061fb8715c7613cd227e32cdfd136b23"
}
],
"title": "drm: bridge: dw_hdmi: fix connector access for scdc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53784",
"datePublished": "2025-12-09T00:00:39.591Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-09T00:00:39.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54021 (GCVE-0-2023-54021)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
ext4: set goal start correctly in ext4_mb_normalize_request
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: set goal start correctly in ext4_mb_normalize_request
We need to set ac_g_ex to notify the goal start used in
ext4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in
ext4_mb_normalize_request.
Besides we should assure goal start is in range [first_data_block,
blocks_count) as ext4_mb_initialize_context does.
[ Added a check to make sure size is less than ar->pright; otherwise
we could end up passing an underflowed value of ar->pright - size to
ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on.
- TYT ]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c9de560ded61faa5b754137b7753da252391c55a , < 2479bb6cbdb4d56b807bbe5229e3e26a6f1f4530
(git)
Affected: c9de560ded61faa5b754137b7753da252391c55a , < 390eee955d4de4662db5e3e9e9a9eae020432cb7 (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < cee78217a7ae72d11c2e21e1a5263b8044489823 (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < 3ca3005b502ca8ea87d6a344323b179b48c4e4a3 (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < bc4a3e1d07a86ae5845321d371190244acacb2f2 (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < c6bee8970075b256fc1b07bf4873049219380818 (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < abb330ffaa3a0ae7ce632e28c9260b461c01f19f (git) Affected: c9de560ded61faa5b754137b7753da252391c55a , < b07ffe6927c75d99af534d685282ea188d9f71a6 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2479bb6cbdb4d56b807bbe5229e3e26a6f1f4530",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "390eee955d4de4662db5e3e9e9a9eae020432cb7",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "cee78217a7ae72d11c2e21e1a5263b8044489823",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "3ca3005b502ca8ea87d6a344323b179b48c4e4a3",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "bc4a3e1d07a86ae5845321d371190244acacb2f2",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "c6bee8970075b256fc1b07bf4873049219380818",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "abb330ffaa3a0ae7ce632e28c9260b461c01f19f",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
},
{
"lessThan": "b07ffe6927c75d99af534d685282ea188d9f71a6",
"status": "affected",
"version": "c9de560ded61faa5b754137b7753da252391c55a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/mballoc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: set goal start correctly in ext4_mb_normalize_request\n\nWe need to set ac_g_ex to notify the goal start used in\next4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in\next4_mb_normalize_request.\nBesides we should assure goal start is in range [first_data_block,\nblocks_count) as ext4_mb_initialize_context does.\n\n[ Added a check to make sure size is less than ar-\u003epright; otherwise\n we could end up passing an underflowed value of ar-\u003epright - size to\n ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on.\n - TYT ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:30.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2479bb6cbdb4d56b807bbe5229e3e26a6f1f4530"
},
{
"url": "https://git.kernel.org/stable/c/390eee955d4de4662db5e3e9e9a9eae020432cb7"
},
{
"url": "https://git.kernel.org/stable/c/cee78217a7ae72d11c2e21e1a5263b8044489823"
},
{
"url": "https://git.kernel.org/stable/c/3ca3005b502ca8ea87d6a344323b179b48c4e4a3"
},
{
"url": "https://git.kernel.org/stable/c/bc4a3e1d07a86ae5845321d371190244acacb2f2"
},
{
"url": "https://git.kernel.org/stable/c/c6bee8970075b256fc1b07bf4873049219380818"
},
{
"url": "https://git.kernel.org/stable/c/abb330ffaa3a0ae7ce632e28c9260b461c01f19f"
},
{
"url": "https://git.kernel.org/stable/c/b07ffe6927c75d99af534d685282ea188d9f71a6"
}
],
"title": "ext4: set goal start correctly in ext4_mb_normalize_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54021",
"datePublished": "2025-12-24T10:55:51.373Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2026-01-05T10:33:30.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50656 (GCVE-0-2022-50656)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
nfc: pn533: Clear nfc_target before being used
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: pn533: Clear nfc_target before being used
Fix a slab-out-of-bounds read that occurs in nla_put() called from
nfc_genl_send_target() when target->sensb_res_len, which is duplicated
from an nfc_target in pn533, is too large as the nfc_target is not
properly initialized and retains garbage values. Clear nfc_targets with
memset() before they are used.
Found by a modified version of syzkaller.
BUG: KASAN: slab-out-of-bounds in nla_put
Call Trace:
memcpy
nla_put
nfc_genl_dump_targets
genl_lock_dumpit
netlink_dump
__netlink_dump_start
genl_family_rcv_msg_dumpit
genl_rcv_msg
netlink_rcv_skb
genl_rcv
netlink_unicast
netlink_sendmsg
sock_sendmsg
____sys_sendmsg
___sys_sendmsg
__sys_sendmsg
do_syscall_64
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
361f3cb7f9cfdb82c80926d0e7843c098c034545 , < 9da4a0411f3455e3885831d0758bee3e3d565bbc
(git)
Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < 61a7e15d55fae329a245535c3bac494e401005b8 (git) Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < bef2f478513e7367ef3b05441f6afca981de29be (git) Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < 8bddef54cbe9ede5ac7478f1e1e968fcfe7e6f03 (git) Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < aea9e64dec2cc6cd742e07ecd4e6236fc76b389b (git) Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < aae9c24ebd901f482e6c88b6f9e0c80dc5b536d6 (git) Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < 755019e37815a66bb0a23893debbd3dd640ccbd3 (git) Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < e491285b4d08884b622638be8e4961eb43b0af64 (git) Affected: 361f3cb7f9cfdb82c80926d0e7843c098c034545 , < 9f28157778ede0d4f183f7ab3b46995bb400abbe (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/pn533.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9da4a0411f3455e3885831d0758bee3e3d565bbc",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "61a7e15d55fae329a245535c3bac494e401005b8",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "bef2f478513e7367ef3b05441f6afca981de29be",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "8bddef54cbe9ede5ac7478f1e1e968fcfe7e6f03",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "aea9e64dec2cc6cd742e07ecd4e6236fc76b389b",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "aae9c24ebd901f482e6c88b6f9e0c80dc5b536d6",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "755019e37815a66bb0a23893debbd3dd640ccbd3",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "e491285b4d08884b622638be8e4961eb43b0af64",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
},
{
"lessThan": "9f28157778ede0d4f183f7ab3b46995bb400abbe",
"status": "affected",
"version": "361f3cb7f9cfdb82c80926d0e7843c098c034545",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nfc/pn533/pn533.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: pn533: Clear nfc_target before being used\n\nFix a slab-out-of-bounds read that occurs in nla_put() called from\nnfc_genl_send_target() when target-\u003esensb_res_len, which is duplicated\nfrom an nfc_target in pn533, is too large as the nfc_target is not\nproperly initialized and retains garbage values. Clear nfc_targets with\nmemset() before they are used.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: slab-out-of-bounds in nla_put\nCall Trace:\n memcpy\n nla_put\n nfc_genl_dump_targets\n genl_lock_dumpit\n netlink_dump\n __netlink_dump_start\n genl_family_rcv_msg_dumpit\n genl_rcv_msg\n netlink_rcv_skb\n genl_rcv\n netlink_unicast\n netlink_sendmsg\n sock_sendmsg\n ____sys_sendmsg\n ___sys_sendmsg\n __sys_sendmsg\n do_syscall_64"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:31.691Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9da4a0411f3455e3885831d0758bee3e3d565bbc"
},
{
"url": "https://git.kernel.org/stable/c/61a7e15d55fae329a245535c3bac494e401005b8"
},
{
"url": "https://git.kernel.org/stable/c/bef2f478513e7367ef3b05441f6afca981de29be"
},
{
"url": "https://git.kernel.org/stable/c/8bddef54cbe9ede5ac7478f1e1e968fcfe7e6f03"
},
{
"url": "https://git.kernel.org/stable/c/aea9e64dec2cc6cd742e07ecd4e6236fc76b389b"
},
{
"url": "https://git.kernel.org/stable/c/aae9c24ebd901f482e6c88b6f9e0c80dc5b536d6"
},
{
"url": "https://git.kernel.org/stable/c/755019e37815a66bb0a23893debbd3dd640ccbd3"
},
{
"url": "https://git.kernel.org/stable/c/e491285b4d08884b622638be8e4961eb43b0af64"
},
{
"url": "https://git.kernel.org/stable/c/9f28157778ede0d4f183f7ab3b46995bb400abbe"
}
],
"title": "nfc: pn533: Clear nfc_target before being used",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50656",
"datePublished": "2025-12-09T00:00:31.691Z",
"dateReserved": "2025-12-08T23:57:43.372Z",
"dateUpdated": "2025-12-09T00:00:31.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53825 (GCVE-0-2023-53825)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
Summary
In the Linux kernel, the following vulnerability has been resolved:
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720
("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by
updating kcm_tx_msg(head)->last_skb if partial data is copied so that the
following sendmsg() will resume from the skb.
However, we cannot know how many bytes were copied when we get the error.
Thus, we could mess up the MSG_MORE queue.
When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we
do so for UDP by udp_flush_pending_frames().
Even without this change, when the error occurred, the following sendmsg()
resumed from a wrong skb and the queue was messed up. However, we have
yet to get such a report, and only syzkaller stumbled on it. So, this
can be changed safely.
Note this does not change SOCK_SEQPACKET behaviour.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 21b467735b0888a8daa048f83d3b9b50fdab71ce
(git)
Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < d4b8f380b0a041ee6a84fdac14127d8fe1dcad7b (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 1ce8362b4ac6b8e65fd04a22ea37ec776ee1ec5b (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 2e18493c421428a936946c452461b8e979088f17 (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 55d2e7c1ab8eaa7b62575b8a4194132795d1f9fc (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < e5b28ce127a690f3acc49a6a342e6c9442c9edd6 (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 992b2ac783aad360b98ed9d4686e86176a20f6f1 (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < a22730b1b4bf437c6bbfdeff5feddf54be4aeada (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/kcm/kcmsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "21b467735b0888a8daa048f83d3b9b50fdab71ce",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "d4b8f380b0a041ee6a84fdac14127d8fe1dcad7b",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "1ce8362b4ac6b8e65fd04a22ea37ec776ee1ec5b",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "2e18493c421428a936946c452461b8e979088f17",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "55d2e7c1ab8eaa7b62575b8a4194132795d1f9fc",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "e5b28ce127a690f3acc49a6a342e6c9442c9edd6",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "992b2ac783aad360b98ed9d4686e86176a20f6f1",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "a22730b1b4bf437c6bbfdeff5feddf54be4aeada",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/kcm/kcmsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().\n\nsyzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720\n(\"kcm: Fix memory leak in error path of kcm_sendmsg()\") suppressed it by\nupdating kcm_tx_msg(head)-\u003elast_skb if partial data is copied so that the\nfollowing sendmsg() will resume from the skb.\n\nHowever, we cannot know how many bytes were copied when we get the error.\nThus, we could mess up the MSG_MORE queue.\n\nWhen kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we\ndo so for UDP by udp_flush_pending_frames().\n\nEven without this change, when the error occurred, the following sendmsg()\nresumed from a wrong skb and the queue was messed up. However, we have\nyet to get such a report, and only syzkaller stumbled on it. So, this\ncan be changed safely.\n\nNote this does not change SOCK_SEQPACKET behaviour."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:38.539Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/21b467735b0888a8daa048f83d3b9b50fdab71ce"
},
{
"url": "https://git.kernel.org/stable/c/d4b8f380b0a041ee6a84fdac14127d8fe1dcad7b"
},
{
"url": "https://git.kernel.org/stable/c/1ce8362b4ac6b8e65fd04a22ea37ec776ee1ec5b"
},
{
"url": "https://git.kernel.org/stable/c/2e18493c421428a936946c452461b8e979088f17"
},
{
"url": "https://git.kernel.org/stable/c/55d2e7c1ab8eaa7b62575b8a4194132795d1f9fc"
},
{
"url": "https://git.kernel.org/stable/c/e5b28ce127a690f3acc49a6a342e6c9442c9edd6"
},
{
"url": "https://git.kernel.org/stable/c/992b2ac783aad360b98ed9d4686e86176a20f6f1"
},
{
"url": "https://git.kernel.org/stable/c/a22730b1b4bf437c6bbfdeff5feddf54be4aeada"
}
],
"title": "kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53825",
"datePublished": "2025-12-09T01:29:38.539Z",
"dateReserved": "2025-12-09T01:27:17.824Z",
"dateUpdated": "2025-12-09T01:29:38.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68345 (GCVE-0-2025-68345)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29
VLAI?
EPSS
Title
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
The acpi_get_first_physical_node() function can return NULL, in which
case the get_device() function also returns NULL, but this value is
then dereferenced without checking,so add a check to prevent a crash.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7b2f3eb492dac7665c75df067e4d8e4869589f4a , < e63f9c81ca28b06eeeac3630faddc50717897351
(git)
Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < 7a35a505d76a4b6cd426b59ff2d800d0394cc5d3 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < e6ba921b17797ccc545d80e0dbccb5fab91c248c (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < c28946b7409b7b68fb0481ec738c8b04578b11c6 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < 343fa9800cf9870ec681e21f0a6f2157b74ae520 (git) Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < c34b04cc6178f33c08331568c7fd25c5b9a39f66 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e63f9c81ca28b06eeeac3630faddc50717897351",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "7a35a505d76a4b6cd426b59ff2d800d0394cc5d3",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "e6ba921b17797ccc545d80e0dbccb5fab91c248c",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "c28946b7409b7b68fb0481ec738c8b04578b11c6",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "343fa9800cf9870ec681e21f0a6f2157b74ae520",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
},
{
"lessThan": "c34b04cc6178f33c08331568c7fd25c5b9a39f66",
"status": "affected",
"version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/hda/codecs/side-codecs/cs35l41_hda.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()\n\nThe acpi_get_first_physical_node() function can return NULL, in which\ncase the get_device() function also returns NULL, but this value is\nthen dereferenced without checking,so add a check to prevent a crash.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:29:49.942Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e63f9c81ca28b06eeeac3630faddc50717897351"
},
{
"url": "https://git.kernel.org/stable/c/7a35a505d76a4b6cd426b59ff2d800d0394cc5d3"
},
{
"url": "https://git.kernel.org/stable/c/e6ba921b17797ccc545d80e0dbccb5fab91c248c"
},
{
"url": "https://git.kernel.org/stable/c/c28946b7409b7b68fb0481ec738c8b04578b11c6"
},
{
"url": "https://git.kernel.org/stable/c/343fa9800cf9870ec681e21f0a6f2157b74ae520"
},
{
"url": "https://git.kernel.org/stable/c/c34b04cc6178f33c08331568c7fd25c5b9a39f66"
}
],
"title": "ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68345",
"datePublished": "2025-12-24T10:32:38.378Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-01-11T16:29:49.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54067 (GCVE-0-2023-54067)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
btrfs: fix race when deleting free space root from the dirty cow roots list
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race when deleting free space root from the dirty cow roots list
When deleting the free space tree we are deleting the free space root
from the list fs_info->dirty_cowonly_roots without taking the lock that
protects it, which is struct btrfs_fs_info::trans_lock.
This unsynchronized list manipulation may cause chaos if there's another
concurrent manipulation of this list, such as when adding a root to it
with ctree.c:add_root_to_dirty_list().
This can result in all sorts of weird failures caused by a race, such as
the following crash:
[337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI
[337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
[337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]
[337571.279928] Code: 85 38 06 00 (...)
[337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206
[337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000
[337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070
[337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b
[337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600
[337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48
[337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000
[337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0
[337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[337571.282874] Call Trace:
[337571.283101] <TASK>
[337571.283327] ? __die_body+0x1b/0x60
[337571.283570] ? die_addr+0x39/0x60
[337571.283796] ? exc_general_protection+0x22e/0x430
[337571.284022] ? asm_exc_general_protection+0x22/0x30
[337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]
[337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]
[337571.284803] ? _raw_spin_unlock+0x15/0x30
[337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]
[337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]
[337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]
[337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410
[337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]
[337571.286358] ? mod_objcg_state+0xd2/0x360
[337571.286577] ? refill_obj_stock+0xb0/0x160
[337571.286798] ? seq_release+0x25/0x30
[337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0
[337571.287235] ? percpu_counter_add_batch+0x2e/0xa0
[337571.287455] ? __x64_sys_ioctl+0x88/0xc0
[337571.287675] __x64_sys_ioctl+0x88/0xc0
[337571.287901] do_syscall_64+0x38/0x90
[337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[337571.288352] RIP: 0033:0x7f478aaffe9b
So fix this by locking struct btrfs_fs_info::trans_lock before deleting
the free space root from that list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a5ed91828518ab076209266c2bc510adabd078df , < 6f1c81886b0b56cb88b311e5d2f203625474d892
(git)
Affected: a5ed91828518ab076209266c2bc510adabd078df , < 8ce9139aea5e60a247bde5af804312f54975f443 (git) Affected: a5ed91828518ab076209266c2bc510adabd078df , < babebf023e661b90b1c78b2baa384fb03a226879 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/free-space-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f1c81886b0b56cb88b311e5d2f203625474d892",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
},
{
"lessThan": "8ce9139aea5e60a247bde5af804312f54975f443",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
},
{
"lessThan": "babebf023e661b90b1c78b2baa384fb03a226879",
"status": "affected",
"version": "a5ed91828518ab076209266c2bc510adabd078df",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/free-space-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when deleting free space root from the dirty cow roots list\n\nWhen deleting the free space tree we are deleting the free space root\nfrom the list fs_info-\u003edirty_cowonly_roots without taking the lock that\nprotects it, which is struct btrfs_fs_info::trans_lock.\nThis unsynchronized list manipulation may cause chaos if there\u0027s another\nconcurrent manipulation of this list, such as when adding a root to it\nwith ctree.c:add_root_to_dirty_list().\n\nThis can result in all sorts of weird failures caused by a race, such as\nthe following crash:\n\n [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI\n [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1\n [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]\n [337571.279928] Code: 85 38 06 00 (...)\n [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206\n [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000\n [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070\n [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b\n [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600\n [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48\n [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000\n [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0\n [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [337571.282874] Call Trace:\n [337571.283101] \u003cTASK\u003e\n [337571.283327] ? __die_body+0x1b/0x60\n [337571.283570] ? die_addr+0x39/0x60\n [337571.283796] ? exc_general_protection+0x22e/0x430\n [337571.284022] ? asm_exc_general_protection+0x22/0x30\n [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]\n [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]\n [337571.284803] ? _raw_spin_unlock+0x15/0x30\n [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]\n [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]\n [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]\n [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410\n [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]\n [337571.286358] ? mod_objcg_state+0xd2/0x360\n [337571.286577] ? refill_obj_stock+0xb0/0x160\n [337571.286798] ? seq_release+0x25/0x30\n [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0\n [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0\n [337571.287455] ? __x64_sys_ioctl+0x88/0xc0\n [337571.287675] __x64_sys_ioctl+0x88/0xc0\n [337571.287901] do_syscall_64+0x38/0x90\n [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n [337571.288352] RIP: 0033:0x7f478aaffe9b\n\nSo fix this by locking struct btrfs_fs_info::trans_lock before deleting\nthe free space root from that list."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:12.109Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f1c81886b0b56cb88b311e5d2f203625474d892"
},
{
"url": "https://git.kernel.org/stable/c/8ce9139aea5e60a247bde5af804312f54975f443"
},
{
"url": "https://git.kernel.org/stable/c/babebf023e661b90b1c78b2baa384fb03a226879"
}
],
"title": "btrfs: fix race when deleting free space root from the dirty cow roots list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54067",
"datePublished": "2025-12-24T12:23:12.109Z",
"dateReserved": "2025-12-24T12:21:05.092Z",
"dateUpdated": "2025-12-24T12:23:12.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53992 (GCVE-0-2023-53992)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
wifi: cfg80211: ocb: don't leave if not joined
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: ocb: don't leave if not joined
If there's no OCB state, don't ask the driver/mac80211 to
leave, since that's just confusing. Since set/clear the
chandef state, that's a simple check.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6e0bd6c35b021dc73a81ebd1ef79761233c48b50 , < d7b0fe3487d203c04ee1bda91a63bd4dd398c350
(git)
Affected: 6e0bd6c35b021dc73a81ebd1ef79761233c48b50 , < 94332210902967b7d63294b43428c8ed075b20e6 (git) Affected: 6e0bd6c35b021dc73a81ebd1ef79761233c48b50 , < abc76cf552e13cfa88a204b362a86b0e08e95228 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/wireless/ocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d7b0fe3487d203c04ee1bda91a63bd4dd398c350",
"status": "affected",
"version": "6e0bd6c35b021dc73a81ebd1ef79761233c48b50",
"versionType": "git"
},
{
"lessThan": "94332210902967b7d63294b43428c8ed075b20e6",
"status": "affected",
"version": "6e0bd6c35b021dc73a81ebd1ef79761233c48b50",
"versionType": "git"
},
{
"lessThan": "abc76cf552e13cfa88a204b362a86b0e08e95228",
"status": "affected",
"version": "6e0bd6c35b021dc73a81ebd1ef79761233c48b50",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/wireless/ocb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: ocb: don\u0027t leave if not joined\n\nIf there\u0027s no OCB state, don\u0027t ask the driver/mac80211 to\nleave, since that\u0027s just confusing. Since set/clear the\nchandef state, that\u0027s a simple check."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:22.581Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d7b0fe3487d203c04ee1bda91a63bd4dd398c350"
},
{
"url": "https://git.kernel.org/stable/c/94332210902967b7d63294b43428c8ed075b20e6"
},
{
"url": "https://git.kernel.org/stable/c/abc76cf552e13cfa88a204b362a86b0e08e95228"
}
],
"title": "wifi: cfg80211: ocb: don\u0027t leave if not joined",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53992",
"datePublished": "2025-12-24T10:55:30.549Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2026-01-05T10:33:22.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54080 (GCVE-0-2023-54080)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
btrfs: zoned: skip splitting and logical rewriting on pre-alloc write
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: zoned: skip splitting and logical rewriting on pre-alloc write
When doing a relocation, there is a chance that at the time of
btrfs_reloc_clone_csums(), there is no checksum for the corresponding
region.
In this case, btrfs_finish_ordered_zoned()'s sum points to an invalid item
and so ordered_extent's logical is set to some invalid value. Then,
btrfs_lookup_block_group() in btrfs_zone_finish_endio() failed to find a
block group and will hit an assert or a null pointer dereference as
following.
This can be reprodcued by running btrfs/028 several times (e.g, 4 to 16
times) with a null_blk setup. The device's zone size and capacity is set to
32 MB and the storage size is set to 5 GB on my setup.
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
CPU: 6 PID: 3105720 Comm: kworker/u16:13 Tainted: G W 6.5.0-rc6-kts+ #1
Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015
Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]
RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
Code: 41 54 49 89 fc 55 48 89 f5 53 e8 57 7d fc ff 48 8d b8 88 00 00 00 48 89 c3 48 b8 00 00 00 00 00
> 3c 02 00 0f 85 02 01 00 00 f6 83 88 00 00 00 01 0f 84 a8 00 00
RSP: 0018:ffff88833cf87b08 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088
RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed102877b827
R10: ffff888143bdc13b R11: ffff888125b1cbc0 R12: ffff888143bdc000
R13: 0000000000007000 R14: ffff888125b1cba8 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88881e500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3ed85223d5 CR3: 00000001519b4005 CR4: 00000000001706e0
Call Trace:
<TASK>
? die_addr+0x3c/0xa0
? exc_general_protection+0x148/0x220
? asm_exc_general_protection+0x22/0x30
? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]
? btrfs_zone_finish_endio.part.0+0x19/0x160 [btrfs]
btrfs_finish_one_ordered+0x7b8/0x1de0 [btrfs]
? rcu_is_watching+0x11/0xb0
? lock_release+0x47a/0x620
? btrfs_finish_ordered_zoned+0x59b/0x800 [btrfs]
? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]
? btrfs_finish_ordered_zoned+0x358/0x800 [btrfs]
? __smp_call_single_queue+0x124/0x350
? rcu_is_watching+0x11/0xb0
btrfs_work_helper+0x19f/0xc60 [btrfs]
? __pfx_try_to_wake_up+0x10/0x10
? _raw_spin_unlock_irq+0x24/0x50
? rcu_is_watching+0x11/0xb0
process_one_work+0x8c1/0x1430
? __pfx_lock_acquire+0x10/0x10
? __pfx_process_one_work+0x10/0x10
? __pfx_do_raw_spin_lock+0x10/0x10
? _raw_spin_lock_irq+0x52/0x60
worker_thread+0x100/0x12c0
? __kthread_parkme+0xc1/0x1f0
? __pfx_worker_thread+0x10/0x10
kthread+0x2ea/0x3c0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x30/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
On the zoned mode, writing to pre-allocated region means data relocation
write. Such write always uses WRITE command so there is no need of splitting
and rewriting logical address. Thus, we can just skip the function for the
case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/zoned.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3cfa44164688a076e8b476cafb5df87d07cfa63",
"status": "affected",
"version": "cbfce4c7fbde23cc8bcba44822a58c728caf6ec9",
"versionType": "git"
},
{
"lessThan": "c02d35d89b317994bd713ba82e160c5e7f22d9c8",
"status": "affected",
"version": "cbfce4c7fbde23cc8bcba44822a58c728caf6ec9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/zoned.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: skip splitting and logical rewriting on pre-alloc write\n\nWhen doing a relocation, there is a chance that at the time of\nbtrfs_reloc_clone_csums(), there is no checksum for the corresponding\nregion.\n\nIn this case, btrfs_finish_ordered_zoned()\u0027s sum points to an invalid item\nand so ordered_extent\u0027s logical is set to some invalid value. Then,\nbtrfs_lookup_block_group() in btrfs_zone_finish_endio() failed to find a\nblock group and will hit an assert or a null pointer dereference as\nfollowing.\n\nThis can be reprodcued by running btrfs/028 several times (e.g, 4 to 16\ntimes) with a null_blk setup. The device\u0027s zone size and capacity is set to\n32 MB and the storage size is set to 5 GB on my setup.\n\n KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]\n CPU: 6 PID: 3105720 Comm: kworker/u16:13 Tainted: G W 6.5.0-rc6-kts+ #1\n Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015\n Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]\n RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]\n Code: 41 54 49 89 fc 55 48 89 f5 53 e8 57 7d fc ff 48 8d b8 88 00 00 00 48 89 c3 48 b8 00 00 00 00 00\n \u003e 3c 02 00 0f 85 02 01 00 00 f6 83 88 00 00 00 01 0f 84 a8 00 00\n RSP: 0018:ffff88833cf87b08 EFLAGS: 00010206\n RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088\n RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed102877b827\n R10: ffff888143bdc13b R11: ffff888125b1cbc0 R12: ffff888143bdc000\n R13: 0000000000007000 R14: ffff888125b1cba8 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff88881e500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f3ed85223d5 CR3: 00000001519b4005 CR4: 00000000001706e0\n Call Trace:\n \u003cTASK\u003e\n ? die_addr+0x3c/0xa0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs]\n ? btrfs_zone_finish_endio.part.0+0x19/0x160 [btrfs]\n btrfs_finish_one_ordered+0x7b8/0x1de0 [btrfs]\n ? rcu_is_watching+0x11/0xb0\n ? lock_release+0x47a/0x620\n ? btrfs_finish_ordered_zoned+0x59b/0x800 [btrfs]\n ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs]\n ? btrfs_finish_ordered_zoned+0x358/0x800 [btrfs]\n ? __smp_call_single_queue+0x124/0x350\n ? rcu_is_watching+0x11/0xb0\n btrfs_work_helper+0x19f/0xc60 [btrfs]\n ? __pfx_try_to_wake_up+0x10/0x10\n ? _raw_spin_unlock_irq+0x24/0x50\n ? rcu_is_watching+0x11/0xb0\n process_one_work+0x8c1/0x1430\n ? __pfx_lock_acquire+0x10/0x10\n ? __pfx_process_one_work+0x10/0x10\n ? __pfx_do_raw_spin_lock+0x10/0x10\n ? _raw_spin_lock_irq+0x52/0x60\n worker_thread+0x100/0x12c0\n ? __kthread_parkme+0xc1/0x1f0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x2ea/0x3c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x30/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \u003c/TASK\u003e\n\nOn the zoned mode, writing to pre-allocated region means data relocation\nwrite. Such write always uses WRITE command so there is no need of splitting\nand rewriting logical address. Thus, we can just skip the function for the\ncase."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:12.625Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3cfa44164688a076e8b476cafb5df87d07cfa63"
},
{
"url": "https://git.kernel.org/stable/c/c02d35d89b317994bd713ba82e160c5e7f22d9c8"
}
],
"title": "btrfs: zoned: skip splitting and logical rewriting on pre-alloc write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54080",
"datePublished": "2025-12-24T13:06:12.625Z",
"dateReserved": "2025-12-24T13:02:52.515Z",
"dateUpdated": "2025-12-24T13:06:12.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54226 (GCVE-0-2023-54226)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
af_unix: Fix data races around sk->sk_shutdown.
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix data races around sk->sk_shutdown.
KCSAN found a data race around sk->sk_shutdown where unix_release_sock()
and unix_shutdown() update it under unix_state_lock(), OTOH unix_poll()
and unix_dgram_poll() read it locklessly.
We need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE().
BUG: KCSAN: data-race in unix_poll / unix_release_sock
write to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0:
unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631
unix_release+0x59/0x80 net/unix/af_unix.c:1042
__sock_release+0x7d/0x170 net/socket.c:653
sock_close+0x19/0x30 net/socket.c:1397
__fput+0x179/0x5e0 fs/file_table.c:321
____fput+0x15/0x20 fs/file_table.c:349
task_work_run+0x116/0x1a0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x72/0xdc
read to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1:
unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170
sock_poll+0xcf/0x2b0 net/socket.c:1385
vfs_poll include/linux/poll.h:88 [inline]
ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855
ep_send_events fs/eventpoll.c:1694 [inline]
ep_poll fs/eventpoll.c:1823 [inline]
do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258
__do_sys_epoll_wait fs/eventpoll.c:2270 [inline]
__se_sys_epoll_wait fs/eventpoll.c:2265 [inline]
__x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc
value changed: 0x00 -> 0x03
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1c488f4e95b498c977fbeae784983eb4cf6085e8
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 196528ad484443627779540697f4fb0ef0e01c52 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8307e372e7445ec7d3cd2ff107ce5078eaa02815 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a41559ae3681975f1ced815d8d4c983b6b938499 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e410895892f99700ce54347d42c8dbe962eea9f4 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f237f79b63c9242450e6869adcd2c10445859f28 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e1d09c2c2f5793474556b60f83900e088d0d366d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c488f4e95b498c977fbeae784983eb4cf6085e8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "196528ad484443627779540697f4fb0ef0e01c52",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8307e372e7445ec7d3cd2ff107ce5078eaa02815",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a41559ae3681975f1ced815d8d4c983b6b938499",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e410895892f99700ce54347d42c8dbe962eea9f4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f237f79b63c9242450e6869adcd2c10445859f28",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e1d09c2c2f5793474556b60f83900e088d0d366d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data races around sk-\u003esk_shutdown.\n\nKCSAN found a data race around sk-\u003esk_shutdown where unix_release_sock()\nand unix_shutdown() update it under unix_state_lock(), OTOH unix_poll()\nand unix_dgram_poll() read it locklessly.\n\nWe need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE().\n\nBUG: KCSAN: data-race in unix_poll / unix_release_sock\n\nwrite to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0:\n unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631\n unix_release+0x59/0x80 net/unix/af_unix.c:1042\n __sock_release+0x7d/0x170 net/socket.c:653\n sock_close+0x19/0x30 net/socket.c:1397\n __fput+0x179/0x5e0 fs/file_table.c:321\n ____fput+0x15/0x20 fs/file_table.c:349\n task_work_run+0x116/0x1a0 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:171 [inline]\n exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204\n __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]\n syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297\n do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nread to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1:\n unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170\n sock_poll+0xcf/0x2b0 net/socket.c:1385\n vfs_poll include/linux/poll.h:88 [inline]\n ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855\n ep_send_events fs/eventpoll.c:1694 [inline]\n ep_poll fs/eventpoll.c:1823 [inline]\n do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258\n __do_sys_epoll_wait fs/eventpoll.c:2270 [inline]\n __se_sys_epoll_wait fs/eventpoll.c:2265 [inline]\n __x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nvalue changed: 0x00 -\u003e 0x03\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:19.522Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c488f4e95b498c977fbeae784983eb4cf6085e8"
},
{
"url": "https://git.kernel.org/stable/c/196528ad484443627779540697f4fb0ef0e01c52"
},
{
"url": "https://git.kernel.org/stable/c/8307e372e7445ec7d3cd2ff107ce5078eaa02815"
},
{
"url": "https://git.kernel.org/stable/c/a41559ae3681975f1ced815d8d4c983b6b938499"
},
{
"url": "https://git.kernel.org/stable/c/e410895892f99700ce54347d42c8dbe962eea9f4"
},
{
"url": "https://git.kernel.org/stable/c/f237f79b63c9242450e6869adcd2c10445859f28"
},
{
"url": "https://git.kernel.org/stable/c/e1d09c2c2f5793474556b60f83900e088d0d366d"
}
],
"title": "af_unix: Fix data races around sk-\u003esk_shutdown.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54226",
"datePublished": "2025-12-30T12:11:19.522Z",
"dateReserved": "2025-12-30T12:06:44.502Z",
"dateUpdated": "2025-12-30T12:11:19.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40345 (GCVE-0-2025-40345)
Vulnerability from cvelistv5 – Published: 2025-12-12 17:53 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
usb: storage: sddr55: Reject out-of-bound new_pba
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: storage: sddr55: Reject out-of-bound new_pba
Discovered by Atuin - Automated Vulnerability Discovery Engine.
new_pba comes from the status packet returned after each write.
A bogus device could report values beyond the block count derived
from info->capacity, letting the driver walk off the end of
pba_to_lba[] and corrupt heap memory.
Reject PBAs that exceed the computed block count and fail the
transfer so we avoid touching out-of-range mapping entries.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d00a6c04a502cd52425dbf35588732c652b16490
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 26e9b5da3231da7dc357b363883b5b7b51a64092 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aa64e0e17e3a5991a25e6a46007770c629039869 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 04a8a6393f3f2f471e05eacca33282dd30b01432 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5ebe8d479aaf4f41ac35e6955332304193c646f6 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b59d4fda7e7d0aff1043a7f742487cb829f5aac1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/sddr55.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d00a6c04a502cd52425dbf35588732c652b16490",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "26e9b5da3231da7dc357b363883b5b7b51a64092",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "aa64e0e17e3a5991a25e6a46007770c629039869",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "04a8a6393f3f2f471e05eacca33282dd30b01432",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5ebe8d479aaf4f41ac35e6955332304193c646f6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b59d4fda7e7d0aff1043a7f742487cb829f5aac1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/sddr55.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: storage: sddr55: Reject out-of-bound new_pba\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nnew_pba comes from the status packet returned after each write.\nA bogus device could report values beyond the block count derived\nfrom info-\u003ecapacity, letting the driver walk off the end of\npba_to_lba[] and corrupt heap memory.\n\nReject PBAs that exceed the computed block count and fail the\ntransfer so we avoid touching out-of-range mapping entries."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:43.244Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d00a6c04a502cd52425dbf35588732c652b16490"
},
{
"url": "https://git.kernel.org/stable/c/26e9b5da3231da7dc357b363883b5b7b51a64092"
},
{
"url": "https://git.kernel.org/stable/c/aa64e0e17e3a5991a25e6a46007770c629039869"
},
{
"url": "https://git.kernel.org/stable/c/04a8a6393f3f2f471e05eacca33282dd30b01432"
},
{
"url": "https://git.kernel.org/stable/c/a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f"
},
{
"url": "https://git.kernel.org/stable/c/5ebe8d479aaf4f41ac35e6955332304193c646f6"
},
{
"url": "https://git.kernel.org/stable/c/b59d4fda7e7d0aff1043a7f742487cb829f5aac1"
}
],
"title": "usb: storage: sddr55: Reject out-of-bound new_pba",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40345",
"datePublished": "2025-12-12T17:53:06.853Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:43.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54319 (GCVE-0-2023-54319)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2025-12-30 12:34
VLAI?
EPSS
Title
pinctrl: at91-pio4: check return value of devm_kasprintf()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: at91-pio4: check return value of devm_kasprintf()
devm_kasprintf() returns a pointer to dynamically allocated memory.
Pointer could be NULL in case allocation fails. Check pointer validity.
Identified with coccinelle (kmerr.cocci script).
Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks")
Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int")
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
776180848b574c9c01217fa958f10843ffce584f , < 8d788f2ba830d6d32499b198c526d577c590eedf
(git)
Affected: 776180848b574c9c01217fa958f10843ffce584f , < 3e8ce1d5a1a9d758b359e5c426543957f35991f8 (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < aa3932eb07392d626486428e2ffddc660658e22a (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < f3c7b95c9991dab02e616fc251b6c3516e0bd0ac (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < 0a95dd17a73b7603818ad7c46c99d757232be331 (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < 0af388fce352ed2ab383fd5d1a08db551ca15c38 (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < 5bfd577cc728270d6cd7af6c652a1e7661f25487 (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < 8a1fa202f47f39680a4305af744f499a324f8a03 (git) Affected: 776180848b574c9c01217fa958f10843ffce584f , < f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-at91-pio4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d788f2ba830d6d32499b198c526d577c590eedf",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "3e8ce1d5a1a9d758b359e5c426543957f35991f8",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "aa3932eb07392d626486428e2ffddc660658e22a",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "f3c7b95c9991dab02e616fc251b6c3516e0bd0ac",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "0a95dd17a73b7603818ad7c46c99d757232be331",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "0af388fce352ed2ab383fd5d1a08db551ca15c38",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "5bfd577cc728270d6cd7af6c652a1e7661f25487",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "8a1fa202f47f39680a4305af744f499a324f8a03",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
},
{
"lessThan": "f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0",
"status": "affected",
"version": "776180848b574c9c01217fa958f10843ffce584f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-at91-pio4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: at91-pio4: check return value of devm_kasprintf()\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory.\nPointer could be NULL in case allocation fails. Check pointer validity.\nIdentified with coccinelle (kmerr.cocci script).\n\nDepends-on: 1c4e5c470a56 (\"pinctrl: at91: use devm_kasprintf() to avoid potential leaks\")\nDepends-on: 5a8f9cf269e8 (\"pinctrl: at91-pio4: use proper format specifier for unsigned int\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:34:13.468Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d788f2ba830d6d32499b198c526d577c590eedf"
},
{
"url": "https://git.kernel.org/stable/c/3e8ce1d5a1a9d758b359e5c426543957f35991f8"
},
{
"url": "https://git.kernel.org/stable/c/aa3932eb07392d626486428e2ffddc660658e22a"
},
{
"url": "https://git.kernel.org/stable/c/f3c7b95c9991dab02e616fc251b6c3516e0bd0ac"
},
{
"url": "https://git.kernel.org/stable/c/0a95dd17a73b7603818ad7c46c99d757232be331"
},
{
"url": "https://git.kernel.org/stable/c/0af388fce352ed2ab383fd5d1a08db551ca15c38"
},
{
"url": "https://git.kernel.org/stable/c/5bfd577cc728270d6cd7af6c652a1e7661f25487"
},
{
"url": "https://git.kernel.org/stable/c/8a1fa202f47f39680a4305af744f499a324f8a03"
},
{
"url": "https://git.kernel.org/stable/c/f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0"
}
],
"title": "pinctrl: at91-pio4: check return value of devm_kasprintf()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54319",
"datePublished": "2025-12-30T12:34:13.468Z",
"dateReserved": "2025-12-30T12:28:53.859Z",
"dateUpdated": "2025-12-30T12:34:13.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50618 (GCVE-0-2022-50618)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16
VLAI?
EPSS
Title
mmc: meson-gx: fix return value check of mmc_add_host()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: meson-gx: fix return value check of mmc_add_host()
mmc_add_host() may return error, if we ignore its return value,
it will lead two issues:
1. The memory that allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete device, but it's not added yet, it will lead a kernel
crash because of null-ptr-deref in device_del().
Fix this by checking the return value and goto error path which
will call mmc_free_host().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
51c5d8447bd71b7e539c19c46a03b73c0e91fa66 , < f5506e0bbb25102bd8ef2e1a3b483a0b934e454e
(git)
Affected: 51c5d8447bd71b7e539c19c46a03b73c0e91fa66 , < 9e11c6bb745be4e9b325cf96031b4ea34801342d (git) Affected: 51c5d8447bd71b7e539c19c46a03b73c0e91fa66 , < 64b2c441171febf075bd9632aca579afda8ab9fb (git) Affected: 51c5d8447bd71b7e539c19c46a03b73c0e91fa66 , < e0cfe7aa41f3965f5224affd88afd48c60f6ad1f (git) Affected: 51c5d8447bd71b7e539c19c46a03b73c0e91fa66 , < 42343e3c6195e934b9cb4c08b7ff84a3778d77f9 (git) Affected: 51c5d8447bd71b7e539c19c46a03b73c0e91fa66 , < f5ce76aeddf01ca8f2a80fc37119388d59db7c10 (git) Affected: 51c5d8447bd71b7e539c19c46a03b73c0e91fa66 , < 90935f16f2650ab7416fa2ffbe5c28cb39cf3f1e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/meson-gx-mmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f5506e0bbb25102bd8ef2e1a3b483a0b934e454e",
"status": "affected",
"version": "51c5d8447bd71b7e539c19c46a03b73c0e91fa66",
"versionType": "git"
},
{
"lessThan": "9e11c6bb745be4e9b325cf96031b4ea34801342d",
"status": "affected",
"version": "51c5d8447bd71b7e539c19c46a03b73c0e91fa66",
"versionType": "git"
},
{
"lessThan": "64b2c441171febf075bd9632aca579afda8ab9fb",
"status": "affected",
"version": "51c5d8447bd71b7e539c19c46a03b73c0e91fa66",
"versionType": "git"
},
{
"lessThan": "e0cfe7aa41f3965f5224affd88afd48c60f6ad1f",
"status": "affected",
"version": "51c5d8447bd71b7e539c19c46a03b73c0e91fa66",
"versionType": "git"
},
{
"lessThan": "42343e3c6195e934b9cb4c08b7ff84a3778d77f9",
"status": "affected",
"version": "51c5d8447bd71b7e539c19c46a03b73c0e91fa66",
"versionType": "git"
},
{
"lessThan": "f5ce76aeddf01ca8f2a80fc37119388d59db7c10",
"status": "affected",
"version": "51c5d8447bd71b7e539c19c46a03b73c0e91fa66",
"versionType": "git"
},
{
"lessThan": "90935f16f2650ab7416fa2ffbe5c28cb39cf3f1e",
"status": "affected",
"version": "51c5d8447bd71b7e539c19c46a03b73c0e91fa66",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/meson-gx-mmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: meson-gx: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value,\nit will lead two issues:\n1. The memory that allocated in mmc_alloc_host() is leaked.\n2. In the remove() path, mmc_remove_host() will be called to\n delete device, but it\u0027s not added yet, it will lead a kernel\n crash because of null-ptr-deref in device_del().\n\nFix this by checking the return value and goto error path which\nwill call mmc_free_host()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:16:31.649Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f5506e0bbb25102bd8ef2e1a3b483a0b934e454e"
},
{
"url": "https://git.kernel.org/stable/c/9e11c6bb745be4e9b325cf96031b4ea34801342d"
},
{
"url": "https://git.kernel.org/stable/c/64b2c441171febf075bd9632aca579afda8ab9fb"
},
{
"url": "https://git.kernel.org/stable/c/e0cfe7aa41f3965f5224affd88afd48c60f6ad1f"
},
{
"url": "https://git.kernel.org/stable/c/42343e3c6195e934b9cb4c08b7ff84a3778d77f9"
},
{
"url": "https://git.kernel.org/stable/c/f5ce76aeddf01ca8f2a80fc37119388d59db7c10"
},
{
"url": "https://git.kernel.org/stable/c/90935f16f2650ab7416fa2ffbe5c28cb39cf3f1e"
}
],
"title": "mmc: meson-gx: fix return value check of mmc_add_host()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50618",
"datePublished": "2025-12-08T01:16:31.649Z",
"dateReserved": "2025-12-08T01:14:55.189Z",
"dateUpdated": "2025-12-08T01:16:31.649Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50733 (GCVE-0-2022-50733)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
usb: idmouse: fix an uninit-value in idmouse_open
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: idmouse: fix an uninit-value in idmouse_open
In idmouse_create_image, if any ftip_command fails, it will
go to the reset label. However, this leads to the data in
bulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check
for valid image incurs an uninitialized dereference.
Fix this by moving the check before reset label since this
check only be valid if the data after bulk_in_buffer[HEADER]
has concrete data.
Note that this is found by KMSAN, so only kernel compilation
is tested.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4244f72436ab77c3c29a6447af81734ab3925d85 , < b3304a6df957cc89a0590cb505388d659bf3db4c
(git)
Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < 7dad42032f68718259590b0cc7654e9a95ff9762 (git) Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < f589b667567fde4f81d6e6c40f42b9f2224690ea (git) Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < 1eae30c0113dde7522088231584d62415011a035 (git) Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < b8bbae3236ab7dccc66c42bc3f7cdbcfc0786e54 (git) Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < 20b8c456df584ebb2387dc23d40ebe4ff334417c (git) Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < 6163a5ae097bc78fa26c243fb384537e25610fd7 (git) Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < adad163d1cff248a5df9f7cec50158e6ca89f33b (git) Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < bce2b0539933e485d22d6f6f076c0fcd6f185c4c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/misc/idmouse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3304a6df957cc89a0590cb505388d659bf3db4c",
"status": "affected",
"version": "4244f72436ab77c3c29a6447af81734ab3925d85",
"versionType": "git"
},
{
"lessThan": "7dad42032f68718259590b0cc7654e9a95ff9762",
"status": "affected",
"version": "4244f72436ab77c3c29a6447af81734ab3925d85",
"versionType": "git"
},
{
"lessThan": "f589b667567fde4f81d6e6c40f42b9f2224690ea",
"status": "affected",
"version": "4244f72436ab77c3c29a6447af81734ab3925d85",
"versionType": "git"
},
{
"lessThan": "1eae30c0113dde7522088231584d62415011a035",
"status": "affected",
"version": "4244f72436ab77c3c29a6447af81734ab3925d85",
"versionType": "git"
},
{
"lessThan": "b8bbae3236ab7dccc66c42bc3f7cdbcfc0786e54",
"status": "affected",
"version": "4244f72436ab77c3c29a6447af81734ab3925d85",
"versionType": "git"
},
{
"lessThan": "20b8c456df584ebb2387dc23d40ebe4ff334417c",
"status": "affected",
"version": "4244f72436ab77c3c29a6447af81734ab3925d85",
"versionType": "git"
},
{
"lessThan": "6163a5ae097bc78fa26c243fb384537e25610fd7",
"status": "affected",
"version": "4244f72436ab77c3c29a6447af81734ab3925d85",
"versionType": "git"
},
{
"lessThan": "adad163d1cff248a5df9f7cec50158e6ca89f33b",
"status": "affected",
"version": "4244f72436ab77c3c29a6447af81734ab3925d85",
"versionType": "git"
},
{
"lessThan": "bce2b0539933e485d22d6f6f076c0fcd6f185c4c",
"status": "affected",
"version": "4244f72436ab77c3c29a6447af81734ab3925d85",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/misc/idmouse.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.13"
},
{
"lessThan": "2.6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "2.6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "2.6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: idmouse: fix an uninit-value in idmouse_open\n\nIn idmouse_create_image, if any ftip_command fails, it will\ngo to the reset label. However, this leads to the data in\nbulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check\nfor valid image incurs an uninitialized dereference.\n\nFix this by moving the check before reset label since this\ncheck only be valid if the data after bulk_in_buffer[HEADER]\nhas concrete data.\n\nNote that this is found by KMSAN, so only kernel compilation\nis tested."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:09.740Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3304a6df957cc89a0590cb505388d659bf3db4c"
},
{
"url": "https://git.kernel.org/stable/c/7dad42032f68718259590b0cc7654e9a95ff9762"
},
{
"url": "https://git.kernel.org/stable/c/f589b667567fde4f81d6e6c40f42b9f2224690ea"
},
{
"url": "https://git.kernel.org/stable/c/1eae30c0113dde7522088231584d62415011a035"
},
{
"url": "https://git.kernel.org/stable/c/b8bbae3236ab7dccc66c42bc3f7cdbcfc0786e54"
},
{
"url": "https://git.kernel.org/stable/c/20b8c456df584ebb2387dc23d40ebe4ff334417c"
},
{
"url": "https://git.kernel.org/stable/c/6163a5ae097bc78fa26c243fb384537e25610fd7"
},
{
"url": "https://git.kernel.org/stable/c/adad163d1cff248a5df9f7cec50158e6ca89f33b"
},
{
"url": "https://git.kernel.org/stable/c/bce2b0539933e485d22d6f6f076c0fcd6f185c4c"
}
],
"title": "usb: idmouse: fix an uninit-value in idmouse_open",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50733",
"datePublished": "2025-12-24T12:22:52.651Z",
"dateReserved": "2025-12-24T12:20:40.331Z",
"dateUpdated": "2026-01-02T15:04:09.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54164 (GCVE-0-2023-54164)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
Bluetooth: ISO: fix iso_conn related locking and validity issues
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: ISO: fix iso_conn related locking and validity issues
sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations
that check/update sk_state and access conn should hold lock_sock,
otherwise they can race.
The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock,
which is how it is in connect/disconnect_cfm -> iso_conn_del ->
iso_chan_del.
Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock
around updating sk_state and conn.
iso_conn_del must not occur during iso_connect_cis/bis, as it frees the
iso_conn. Hold hdev->lock longer to prevent that.
This should not reintroduce the issue fixed in commit 241f51931c35
("Bluetooth: ISO: Avoid circular locking dependency"), since the we
acquire locks in order. We retain the fix in iso_sock_connect to release
lock_sock before iso_connect_* acquires hdev->lock.
Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible
circular locking dependency"). We retain the fix in iso_conn_ready to
not acquire iso_conn_lock before lock_sock.
iso_conn_add shall return iso_conn with valid hcon. Make it so also when
reusing an old CIS connection waiting for disconnect timeout (see
__iso_sock_close where conn->hcon is set to NULL).
Trace with iso_conn_del after iso_chan_add in iso_connect_cis:
===============================================================
iso_sock_create:771: sock 00000000be9b69b7
iso_sock_init:693: sk 000000004dff667e
iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1
iso_sock_setsockopt:1289: sk 000000004dff667e
iso_sock_setsockopt:1289: sk 000000004dff667e
iso_sock_setsockopt:1289: sk 000000004dff667e
iso_sock_connect:875: sk 000000004dff667e
iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da
iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e
__iso_chan_add:214: conn 00000000daf8625e
iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12
iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16
iso_sock_clear_timer:117: sock 000000004dff667e state 3
<Note: sk_state is BT_BOUND (3), so iso_connect_cis is still
running at this point>
iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16
hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535
hci_conn_unlink:1102: hci0: hcon 000000007b65d182
hci_chan_list_flush:2780: hcon 000000007b65d182
iso_sock_getsockopt:1376: sk 000000004dff667e
iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
iso_sock_getsockopt:1376: sk 000000004dff667e
iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1
__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7
<Note: sk_state is BT_CONNECT (5), even though iso_chan_del sets
BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it
must be that iso_chan_del occurred between iso_chan_add and end of
iso_connect_cis.>
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth
===============================================================
Trace with iso_conn_del before iso_chan_add in iso_connect_cis:
===============================================================
iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
...
iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504
hci_dev_put:1487: hci0 orig refcnt 21
hci_event_packet:7607: hci0: e
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c524f9561c657b8af26dd4f67092b8928261aa62 , < e969bfed84c1f88dc722a678ee08488e86f0ec1a
(git)
Affected: 241f51931c35085449502c10f64fb3ecd6e02171 , < 88ad50f2b843a510bd7c922c0a4e2484aff9d645 (git) Affected: 241f51931c35085449502c10f64fb3ecd6e02171 , < d40ae85ee62e3666f45bc61864b22121346f88ef (git) Affected: 2539cbc625c560d5432e2f0fc04bfe4a889cf737 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/iso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e969bfed84c1f88dc722a678ee08488e86f0ec1a",
"status": "affected",
"version": "c524f9561c657b8af26dd4f67092b8928261aa62",
"versionType": "git"
},
{
"lessThan": "88ad50f2b843a510bd7c922c0a4e2484aff9d645",
"status": "affected",
"version": "241f51931c35085449502c10f64fb3ecd6e02171",
"versionType": "git"
},
{
"lessThan": "d40ae85ee62e3666f45bc61864b22121346f88ef",
"status": "affected",
"version": "241f51931c35085449502c10f64fb3ecd6e02171",
"versionType": "git"
},
{
"status": "affected",
"version": "2539cbc625c560d5432e2f0fc04bfe4a889cf737",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/iso.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "6.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: fix iso_conn related locking and validity issues\n\nsk-\u003esk_state indicates whether iso_pi(sk)-\u003econn is valid. Operations\nthat check/update sk_state and access conn should hold lock_sock,\notherwise they can race.\n\nThe order of taking locks is hci_dev_lock \u003e lock_sock \u003e iso_conn_lock,\nwhich is how it is in connect/disconnect_cfm -\u003e iso_conn_del -\u003e\niso_chan_del.\n\nFix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock\naround updating sk_state and conn.\n\niso_conn_del must not occur during iso_connect_cis/bis, as it frees the\niso_conn. Hold hdev-\u003elock longer to prevent that.\n\nThis should not reintroduce the issue fixed in commit 241f51931c35\n(\"Bluetooth: ISO: Avoid circular locking dependency\"), since the we\nacquire locks in order. We retain the fix in iso_sock_connect to release\nlock_sock before iso_connect_* acquires hdev-\u003elock.\n\nSimilarly for commit 6a5ad251b7cd (\"Bluetooth: ISO: Fix possible\ncircular locking dependency\"). We retain the fix in iso_conn_ready to\nnot acquire iso_conn_lock before lock_sock.\n\niso_conn_add shall return iso_conn with valid hcon. Make it so also when\nreusing an old CIS connection waiting for disconnect timeout (see\n__iso_sock_close where conn-\u003ehcon is set to NULL).\n\nTrace with iso_conn_del after iso_chan_add in iso_connect_cis:\n===============================================================\niso_sock_create:771: sock 00000000be9b69b7\niso_sock_init:693: sk 000000004dff667e\niso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_setsockopt:1289: sk 000000004dff667e\niso_sock_connect:875: sk 000000004dff667e\niso_connect_cis:353: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\nhci_get_route:1199: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\nhci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da\niso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e\n__iso_chan_add:214: conn 00000000daf8625e\niso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12\niso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16\niso_sock_clear_timer:117: sock 000000004dff667e state 3\n \u003cNote: sk_state is BT_BOUND (3), so iso_connect_cis is still\n running at this point\u003e\niso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16\nhci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535\nhci_conn_unlink:1102: hci0: hcon 000000007b65d182\nhci_chan_list_flush:2780: hcon 000000007b65d182\niso_sock_getsockopt:1376: sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getsockopt:1376: sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e\niso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1\n__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7\n \u003cNote: sk_state is BT_CONNECT (5), even though iso_chan_del sets\n BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it\n must be that iso_chan_del occurred between iso_chan_add and end of\n iso_connect_cis.\u003e\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nRIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth\n===============================================================\n\nTrace with iso_conn_del before iso_chan_add in iso_connect_cis:\n===============================================================\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\n...\niso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504\nhci_dev_put:1487: hci0 orig refcnt 21\nhci_event_packet:7607: hci0: e\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:40.357Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e969bfed84c1f88dc722a678ee08488e86f0ec1a"
},
{
"url": "https://git.kernel.org/stable/c/88ad50f2b843a510bd7c922c0a4e2484aff9d645"
},
{
"url": "https://git.kernel.org/stable/c/d40ae85ee62e3666f45bc61864b22121346f88ef"
}
],
"title": "Bluetooth: ISO: fix iso_conn related locking and validity issues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54164",
"datePublished": "2025-12-30T12:08:40.357Z",
"dateReserved": "2025-12-30T12:06:44.495Z",
"dateUpdated": "2025-12-30T12:08:40.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53783 (GCVE-0-2023-53783)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
blk-iocost: fix divide by 0 error in calc_lcoefs()
Summary
In the Linux kernel, the following vulnerability has been resolved:
blk-iocost: fix divide by 0 error in calc_lcoefs()
echo max of u64 to cost.model can cause divide by 0 error.
# echo 8:0 rbps=18446744073709551615 > /sys/fs/cgroup/io.cost.model
divide error: 0000 [#1] PREEMPT SMP
RIP: 0010:calc_lcoefs+0x4c/0xc0
Call Trace:
<TASK>
ioc_refresh_params+0x2b3/0x4f0
ioc_cost_model_write+0x3cb/0x4c0
? _copy_from_iter+0x6d/0x6c0
? kernfs_fop_write_iter+0xfc/0x270
cgroup_file_write+0xa0/0x200
kernfs_fop_write_iter+0x17d/0x270
vfs_write+0x414/0x620
ksys_write+0x73/0x160
__x64_sys_write+0x1e/0x30
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
calc_lcoefs() uses the input value of cost.model in DIV_ROUND_UP_ULL,
overflow would happen if bps plus IOC_PAGE_SIZE is greater than
ULLONG_MAX, it can cause divide by 0 error.
Fix the problem by setting basecost
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7caa47151ab2e644dd221f741ec7578d9532c9a3 , < 9e8bf9f95f7a299fa9ea45b678d001806ad5e12c
(git)
Affected: 7caa47151ab2e644dd221f741ec7578d9532c9a3 , < 6e291810fe83a384700eb24a1f714966391ed562 (git) Affected: 7caa47151ab2e644dd221f741ec7578d9532c9a3 , < 3538ade9d8c2ba41088e395de916f2599fadba8f (git) Affected: 7caa47151ab2e644dd221f741ec7578d9532c9a3 , < bf8eb1fd6110871e6232e8e7efe399276ef7e6f6 (git) Affected: 7caa47151ab2e644dd221f741ec7578d9532c9a3 , < b96d7b4a9745fbd0c8384608ceb1f50415e862fa (git) Affected: 7caa47151ab2e644dd221f741ec7578d9532c9a3 , < 984af1e66b4126cf145153661cc24c213e2ec231 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/blk-iocost.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9e8bf9f95f7a299fa9ea45b678d001806ad5e12c",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
},
{
"lessThan": "6e291810fe83a384700eb24a1f714966391ed562",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
},
{
"lessThan": "3538ade9d8c2ba41088e395de916f2599fadba8f",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
},
{
"lessThan": "bf8eb1fd6110871e6232e8e7efe399276ef7e6f6",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
},
{
"lessThan": "b96d7b4a9745fbd0c8384608ceb1f50415e862fa",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
},
{
"lessThan": "984af1e66b4126cf145153661cc24c213e2ec231",
"status": "affected",
"version": "7caa47151ab2e644dd221f741ec7578d9532c9a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/blk-iocost.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-iocost: fix divide by 0 error in calc_lcoefs()\n\necho max of u64 to cost.model can cause divide by 0 error.\n\n # echo 8:0 rbps=18446744073709551615 \u003e /sys/fs/cgroup/io.cost.model\n\n divide error: 0000 [#1] PREEMPT SMP\n RIP: 0010:calc_lcoefs+0x4c/0xc0\n Call Trace:\n \u003cTASK\u003e\n ioc_refresh_params+0x2b3/0x4f0\n ioc_cost_model_write+0x3cb/0x4c0\n ? _copy_from_iter+0x6d/0x6c0\n ? kernfs_fop_write_iter+0xfc/0x270\n cgroup_file_write+0xa0/0x200\n kernfs_fop_write_iter+0x17d/0x270\n vfs_write+0x414/0x620\n ksys_write+0x73/0x160\n __x64_sys_write+0x1e/0x30\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\ncalc_lcoefs() uses the input value of cost.model in DIV_ROUND_UP_ULL,\noverflow would happen if bps plus IOC_PAGE_SIZE is greater than\nULLONG_MAX, it can cause divide by 0 error.\n\nFix the problem by setting basecost"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:19.897Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9e8bf9f95f7a299fa9ea45b678d001806ad5e12c"
},
{
"url": "https://git.kernel.org/stable/c/6e291810fe83a384700eb24a1f714966391ed562"
},
{
"url": "https://git.kernel.org/stable/c/3538ade9d8c2ba41088e395de916f2599fadba8f"
},
{
"url": "https://git.kernel.org/stable/c/bf8eb1fd6110871e6232e8e7efe399276ef7e6f6"
},
{
"url": "https://git.kernel.org/stable/c/b96d7b4a9745fbd0c8384608ceb1f50415e862fa"
},
{
"url": "https://git.kernel.org/stable/c/984af1e66b4126cf145153661cc24c213e2ec231"
}
],
"title": "blk-iocost: fix divide by 0 error in calc_lcoefs()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53783",
"datePublished": "2025-12-09T00:00:38.679Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-20T08:51:19.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53794 (GCVE-0-2023-53794)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
cifs: fix session state check in reconnect to avoid use-after-free issue
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix session state check in reconnect to avoid use-after-free issue
Don't collect exiting session in smb2_reconnect_server(), because it
will be released soon.
Note that the exiting session will stay in server->smb_ses_list until
it complete the cifs_free_ipc() and logoff() and then delete itself
from the list.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4fcd1813e6404dd4420c7d12fb483f9320f0bf93 , < 7e4f5c3f01fb0e51ca438e43262d858daf9a0a76
(git)
Affected: 4fcd1813e6404dd4420c7d12fb483f9320f0bf93 , < 759ffc164d95a32c09528766d74d9b4fb054e8f4 (git) Affected: 4fcd1813e6404dd4420c7d12fb483f9320f0bf93 , < 99f280700b4cc02d5f141b8d15f8e9fad0418f65 (git) Affected: 655e0c067f0e02ece03fd0591dabe3db2ae27552 (git) Affected: 875cc09c0767a4ac06b57af383709657f98b3ea1 (git) Affected: 599fe1409085059ba12a2c3897c853be9fa9e7cf (git) Affected: 2e4378ee60049b752c9dce16f62ce6fbd11b379a (git) Affected: 59b520454b323ec43b2ae757217332cea33091e0 (git) Affected: e20c888e2b3576e5f498c167729d274ef60b86f8 (git) Affected: 4ce7aa4e44d88ce64ea8ae2337b8910f3670b0ba (git) Affected: 419fad68e4c4135ff9859e9214dd6cf954413ca1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e4f5c3f01fb0e51ca438e43262d858daf9a0a76",
"status": "affected",
"version": "4fcd1813e6404dd4420c7d12fb483f9320f0bf93",
"versionType": "git"
},
{
"lessThan": "759ffc164d95a32c09528766d74d9b4fb054e8f4",
"status": "affected",
"version": "4fcd1813e6404dd4420c7d12fb483f9320f0bf93",
"versionType": "git"
},
{
"lessThan": "99f280700b4cc02d5f141b8d15f8e9fad0418f65",
"status": "affected",
"version": "4fcd1813e6404dd4420c7d12fb483f9320f0bf93",
"versionType": "git"
},
{
"status": "affected",
"version": "655e0c067f0e02ece03fd0591dabe3db2ae27552",
"versionType": "git"
},
{
"status": "affected",
"version": "875cc09c0767a4ac06b57af383709657f98b3ea1",
"versionType": "git"
},
{
"status": "affected",
"version": "599fe1409085059ba12a2c3897c853be9fa9e7cf",
"versionType": "git"
},
{
"status": "affected",
"version": "2e4378ee60049b752c9dce16f62ce6fbd11b379a",
"versionType": "git"
},
{
"status": "affected",
"version": "59b520454b323ec43b2ae757217332cea33091e0",
"versionType": "git"
},
{
"status": "affected",
"version": "e20c888e2b3576e5f498c167729d274ef60b86f8",
"versionType": "git"
},
{
"status": "affected",
"version": "4ce7aa4e44d88ce64ea8ae2337b8910f3670b0ba",
"versionType": "git"
},
{
"status": "affected",
"version": "419fad68e4c4135ff9859e9214dd6cf954413ca1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.103",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.1.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix session state check in reconnect to avoid use-after-free issue\n\nDon\u0027t collect exiting session in smb2_reconnect_server(), because it\nwill be released soon.\n\nNote that the exiting session will stay in server-\u003esmb_ses_list until\nit complete the cifs_free_ipc() and logoff() and then delete itself\nfrom the list."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:55.035Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e4f5c3f01fb0e51ca438e43262d858daf9a0a76"
},
{
"url": "https://git.kernel.org/stable/c/759ffc164d95a32c09528766d74d9b4fb054e8f4"
},
{
"url": "https://git.kernel.org/stable/c/99f280700b4cc02d5f141b8d15f8e9fad0418f65"
}
],
"title": "cifs: fix session state check in reconnect to avoid use-after-free issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53794",
"datePublished": "2025-12-09T00:00:51.061Z",
"dateReserved": "2025-12-08T23:58:35.274Z",
"dateUpdated": "2026-01-05T10:32:55.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54241 (GCVE-0-2023-54241)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
MIPS: KVM: Fix NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
MIPS: KVM: Fix NULL pointer dereference
After commit 45c7e8af4a5e3f0bea4ac209 ("MIPS: Remove KVM_TE support") we
get a NULL pointer dereference when creating a KVM guest:
[ 146.243409] Starting KVM with MIPS VZ extensions
[ 149.849151] CPU 3 Unable to handle kernel paging request at virtual address 0000000000000300, epc == ffffffffc06356ec, ra == ffffffffc063568c
[ 149.849177] Oops[#1]:
[ 149.849182] CPU: 3 PID: 2265 Comm: qemu-system-mip Not tainted 6.4.0-rc3+ #1671
[ 149.849188] Hardware name: THTF CX TL630 Series/THTF-LS3A4000-7A1000-ML4A, BIOS KL4.1F.TF.D.166.201225.R 12/25/2020
[ 149.849192] $ 0 : 0000000000000000 000000007400cce0 0000000000400004 ffffffff8119c740
[ 149.849209] $ 4 : 000000007400cce1 000000007400cce1 0000000000000000 0000000000000000
[ 149.849221] $ 8 : 000000240058bb36 ffffffff81421ac0 0000000000000000 0000000000400dc0
[ 149.849233] $12 : 9800000102a07cc8 ffffffff80e40e38 0000000000000001 0000000000400dc0
[ 149.849245] $16 : 0000000000000000 9800000106cd0000 9800000106cd0000 9800000100cce000
[ 149.849257] $20 : ffffffffc0632b28 ffffffffc05b31b0 9800000100ccca00 0000000000400000
[ 149.849269] $24 : 9800000106cd09ce ffffffff802f69d0
[ 149.849281] $28 : 9800000102a04000 9800000102a07cd0 98000001106a8000 ffffffffc063568c
[ 149.849293] Hi : 00000335b2111e66
[ 149.849295] Lo : 6668d90061ae0ae9
[ 149.849298] epc : ffffffffc06356ec kvm_vz_vcpu_setup+0xc4/0x328 [kvm]
[ 149.849324] ra : ffffffffc063568c kvm_vz_vcpu_setup+0x64/0x328 [kvm]
[ 149.849336] Status: 7400cce3 KX SX UX KERNEL EXL IE
[ 149.849351] Cause : 1000000c (ExcCode 03)
[ 149.849354] BadVA : 0000000000000300
[ 149.849357] PrId : 0014c004 (ICT Loongson-3)
[ 149.849360] Modules linked in: kvm nfnetlink_queue nfnetlink_log nfnetlink fuse sha256_generic libsha256 cfg80211 rfkill binfmt_misc vfat fat snd_hda_codec_hdmi input_leds led_class snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_pcm snd_timer snd serio_raw xhci_pci radeon drm_suballoc_helper drm_display_helper xhci_hcd ip_tables x_tables
[ 149.849432] Process qemu-system-mip (pid: 2265, threadinfo=00000000ae2982d2, task=0000000038e09ad4, tls=000000ffeba16030)
[ 149.849439] Stack : 9800000000000003 9800000100ccca00 9800000100ccc000 ffffffffc062cef4
[ 149.849453] 9800000102a07d18 c89b63a7ab338e00 0000000000000000 ffffffff811a0000
[ 149.849465] 0000000000000000 9800000106cd0000 ffffffff80e59938 98000001106a8920
[ 149.849476] ffffffff80e57f30 ffffffffc062854c ffffffff811a0000 9800000102bf4240
[ 149.849488] ffffffffc05b0000 ffffffff80e3a798 000000ff78000000 000000ff78000010
[ 149.849500] 0000000000000255 98000001021f7de0 98000001023f0078 ffffffff81434000
[ 149.849511] 0000000000000000 0000000000000000 9800000102ae0000 980000025e92ae28
[ 149.849523] 0000000000000000 c89b63a7ab338e00 0000000000000001 ffffffff8119dce0
[ 149.849535] 000000ff78000010 ffffffff804f3d3c 9800000102a07eb0 0000000000000255
[ 149.849546] 0000000000000000 ffffffff8049460c 000000ff78000010 0000000000000255
[ 149.849558] ...
[ 149.849565] Call Trace:
[ 149.849567] [<ffffffffc06356ec>] kvm_vz_vcpu_setup+0xc4/0x328 [kvm]
[ 149.849586] [<ffffffffc062cef4>] kvm_arch_vcpu_create+0x184/0x228 [kvm]
[ 149.849605] [<ffffffffc062854c>] kvm_vm_ioctl+0x64c/0xf28 [kvm]
[ 149.849623] [<ffffffff805209c0>] sys_ioctl+0xc8/0x118
[ 149.849631] [<ffffffff80219eb0>] syscall_common+0x34/0x58
The root cause is the deletion of kvm_mips_commpage_init() leaves vcpu
->arch.cop0 NULL. So fix it by making cop0 from a pointer to an embedded
object.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
45c7e8af4a5e3f0bea4ac209eea34118dd57ac64 , < cd517f9a9d07d41f4f3593b1da3982261e09d162
(git)
Affected: 45c7e8af4a5e3f0bea4ac209eea34118dd57ac64 , < bd9cf2a5f9e1b2229ad22f21de6f6ad1a9c8858e (git) Affected: 45c7e8af4a5e3f0bea4ac209eea34118dd57ac64 , < 6b9fb255d53759e3ea9b30067cb55091df1caf06 (git) Affected: 45c7e8af4a5e3f0bea4ac209eea34118dd57ac64 , < e4de2057698636c0ee709e545d19b169d2069fa3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/mips/include/asm/kvm_host.h",
"arch/mips/kvm/emulate.c",
"arch/mips/kvm/mips.c",
"arch/mips/kvm/trace.h",
"arch/mips/kvm/vz.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cd517f9a9d07d41f4f3593b1da3982261e09d162",
"status": "affected",
"version": "45c7e8af4a5e3f0bea4ac209eea34118dd57ac64",
"versionType": "git"
},
{
"lessThan": "bd9cf2a5f9e1b2229ad22f21de6f6ad1a9c8858e",
"status": "affected",
"version": "45c7e8af4a5e3f0bea4ac209eea34118dd57ac64",
"versionType": "git"
},
{
"lessThan": "6b9fb255d53759e3ea9b30067cb55091df1caf06",
"status": "affected",
"version": "45c7e8af4a5e3f0bea4ac209eea34118dd57ac64",
"versionType": "git"
},
{
"lessThan": "e4de2057698636c0ee709e545d19b169d2069fa3",
"status": "affected",
"version": "45c7e8af4a5e3f0bea4ac209eea34118dd57ac64",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/mips/include/asm/kvm_host.h",
"arch/mips/kvm/emulate.c",
"arch/mips/kvm/mips.c",
"arch/mips/kvm/trace.h",
"arch/mips/kvm/vz.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: KVM: Fix NULL pointer dereference\n\nAfter commit 45c7e8af4a5e3f0bea4ac209 (\"MIPS: Remove KVM_TE support\") we\nget a NULL pointer dereference when creating a KVM guest:\n\n[ 146.243409] Starting KVM with MIPS VZ extensions\n[ 149.849151] CPU 3 Unable to handle kernel paging request at virtual address 0000000000000300, epc == ffffffffc06356ec, ra == ffffffffc063568c\n[ 149.849177] Oops[#1]:\n[ 149.849182] CPU: 3 PID: 2265 Comm: qemu-system-mip Not tainted 6.4.0-rc3+ #1671\n[ 149.849188] Hardware name: THTF CX TL630 Series/THTF-LS3A4000-7A1000-ML4A, BIOS KL4.1F.TF.D.166.201225.R 12/25/2020\n[ 149.849192] $ 0 : 0000000000000000 000000007400cce0 0000000000400004 ffffffff8119c740\n[ 149.849209] $ 4 : 000000007400cce1 000000007400cce1 0000000000000000 0000000000000000\n[ 149.849221] $ 8 : 000000240058bb36 ffffffff81421ac0 0000000000000000 0000000000400dc0\n[ 149.849233] $12 : 9800000102a07cc8 ffffffff80e40e38 0000000000000001 0000000000400dc0\n[ 149.849245] $16 : 0000000000000000 9800000106cd0000 9800000106cd0000 9800000100cce000\n[ 149.849257] $20 : ffffffffc0632b28 ffffffffc05b31b0 9800000100ccca00 0000000000400000\n[ 149.849269] $24 : 9800000106cd09ce ffffffff802f69d0\n[ 149.849281] $28 : 9800000102a04000 9800000102a07cd0 98000001106a8000 ffffffffc063568c\n[ 149.849293] Hi : 00000335b2111e66\n[ 149.849295] Lo : 6668d90061ae0ae9\n[ 149.849298] epc : ffffffffc06356ec kvm_vz_vcpu_setup+0xc4/0x328 [kvm]\n[ 149.849324] ra : ffffffffc063568c kvm_vz_vcpu_setup+0x64/0x328 [kvm]\n[ 149.849336] Status: 7400cce3 KX SX UX KERNEL EXL IE\n[ 149.849351] Cause : 1000000c (ExcCode 03)\n[ 149.849354] BadVA : 0000000000000300\n[ 149.849357] PrId : 0014c004 (ICT Loongson-3)\n[ 149.849360] Modules linked in: kvm nfnetlink_queue nfnetlink_log nfnetlink fuse sha256_generic libsha256 cfg80211 rfkill binfmt_misc vfat fat snd_hda_codec_hdmi input_leds led_class snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_pcm snd_timer snd serio_raw xhci_pci radeon drm_suballoc_helper drm_display_helper xhci_hcd ip_tables x_tables\n[ 149.849432] Process qemu-system-mip (pid: 2265, threadinfo=00000000ae2982d2, task=0000000038e09ad4, tls=000000ffeba16030)\n[ 149.849439] Stack : 9800000000000003 9800000100ccca00 9800000100ccc000 ffffffffc062cef4\n[ 149.849453] 9800000102a07d18 c89b63a7ab338e00 0000000000000000 ffffffff811a0000\n[ 149.849465] 0000000000000000 9800000106cd0000 ffffffff80e59938 98000001106a8920\n[ 149.849476] ffffffff80e57f30 ffffffffc062854c ffffffff811a0000 9800000102bf4240\n[ 149.849488] ffffffffc05b0000 ffffffff80e3a798 000000ff78000000 000000ff78000010\n[ 149.849500] 0000000000000255 98000001021f7de0 98000001023f0078 ffffffff81434000\n[ 149.849511] 0000000000000000 0000000000000000 9800000102ae0000 980000025e92ae28\n[ 149.849523] 0000000000000000 c89b63a7ab338e00 0000000000000001 ffffffff8119dce0\n[ 149.849535] 000000ff78000010 ffffffff804f3d3c 9800000102a07eb0 0000000000000255\n[ 149.849546] 0000000000000000 ffffffff8049460c 000000ff78000010 0000000000000255\n[ 149.849558] ...\n[ 149.849565] Call Trace:\n[ 149.849567] [\u003cffffffffc06356ec\u003e] kvm_vz_vcpu_setup+0xc4/0x328 [kvm]\n[ 149.849586] [\u003cffffffffc062cef4\u003e] kvm_arch_vcpu_create+0x184/0x228 [kvm]\n[ 149.849605] [\u003cffffffffc062854c\u003e] kvm_vm_ioctl+0x64c/0xf28 [kvm]\n[ 149.849623] [\u003cffffffff805209c0\u003e] sys_ioctl+0xc8/0x118\n[ 149.849631] [\u003cffffffff80219eb0\u003e] syscall_common+0x34/0x58\n\nThe root cause is the deletion of kvm_mips_commpage_init() leaves vcpu\n-\u003earch.cop0 NULL. So fix it by making cop0 from a pointer to an embedded\nobject."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:29.726Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cd517f9a9d07d41f4f3593b1da3982261e09d162"
},
{
"url": "https://git.kernel.org/stable/c/bd9cf2a5f9e1b2229ad22f21de6f6ad1a9c8858e"
},
{
"url": "https://git.kernel.org/stable/c/6b9fb255d53759e3ea9b30067cb55091df1caf06"
},
{
"url": "https://git.kernel.org/stable/c/e4de2057698636c0ee709e545d19b169d2069fa3"
}
],
"title": "MIPS: KVM: Fix NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54241",
"datePublished": "2025-12-30T12:11:29.726Z",
"dateReserved": "2025-12-30T12:06:44.509Z",
"dateUpdated": "2025-12-30T12:11:29.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53995 (GCVE-0-2023-53995)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net: ipv4: fix one memleak in __inet_del_ifa()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ipv4: fix one memleak in __inet_del_ifa()
I got the below warning when do fuzzing test:
unregister_netdevice: waiting for bond0 to become free. Usage count = 2
It can be repoduced via:
ip link add bond0 type bond
sysctl -w net.ipv4.conf.bond0.promote_secondaries=1
ip addr add 4.117.174.103/0 scope 0x40 dev bond0
ip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0
ip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0
ip addr del 4.117.174.103/0 scope 0x40 dev bond0
ip link delete bond0 type bond
In this reproduction test case, an incorrect 'last_prim' is found in
__inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40)
is lost. The memory of the secondary address is leaked and the reference of
in_device and net_device is leaked.
Fix this problem:
Look for 'last_prim' starting at location of the deleted IP and inserting
the promoted IP into the location of 'last_prim'.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0ff60a45678e67b2547256a636fd00c1667ce4fa , < 5624f26a3574500ce23929cb2c9976a0dec9920a
(git)
Affected: 0ff60a45678e67b2547256a636fd00c1667ce4fa , < 7c8ddcdab1b900bed69cad6beef477fff116289e (git) Affected: 0ff60a45678e67b2547256a636fd00c1667ce4fa , < 2f1e86014d0cc084886c36a2d77bc620e2d42618 (git) Affected: 0ff60a45678e67b2547256a636fd00c1667ce4fa , < 980f8445479814509a3cd55a8eabaae1c9030a4c (git) Affected: 0ff60a45678e67b2547256a636fd00c1667ce4fa , < 42652af5360d30b43b06057c193739e7dfb18f42 (git) Affected: 0ff60a45678e67b2547256a636fd00c1667ce4fa , < ac28b1ec6135649b5d78b028e47264cb3ebca5ea (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/devinet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5624f26a3574500ce23929cb2c9976a0dec9920a",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
},
{
"lessThan": "7c8ddcdab1b900bed69cad6beef477fff116289e",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
},
{
"lessThan": "2f1e86014d0cc084886c36a2d77bc620e2d42618",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
},
{
"lessThan": "980f8445479814509a3cd55a8eabaae1c9030a4c",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
},
{
"lessThan": "42652af5360d30b43b06057c193739e7dfb18f42",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
},
{
"lessThan": "ac28b1ec6135649b5d78b028e47264cb3ebca5ea",
"status": "affected",
"version": "0ff60a45678e67b2547256a636fd00c1667ce4fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/devinet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix one memleak in __inet_del_ifa()\n\nI got the below warning when do fuzzing test:\nunregister_netdevice: waiting for bond0 to become free. Usage count = 2\n\nIt can be repoduced via:\n\nip link add bond0 type bond\nsysctl -w net.ipv4.conf.bond0.promote_secondaries=1\nip addr add 4.117.174.103/0 scope 0x40 dev bond0\nip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0\nip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0\nip addr del 4.117.174.103/0 scope 0x40 dev bond0\nip link delete bond0 type bond\n\nIn this reproduction test case, an incorrect \u0027last_prim\u0027 is found in\n__inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40)\nis lost. The memory of the secondary address is leaked and the reference of\nin_device and net_device is leaked.\n\nFix this problem:\nLook for \u0027last_prim\u0027 starting at location of the deleted IP and inserting\nthe promoted IP into the location of \u0027last_prim\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:32.713Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5624f26a3574500ce23929cb2c9976a0dec9920a"
},
{
"url": "https://git.kernel.org/stable/c/7c8ddcdab1b900bed69cad6beef477fff116289e"
},
{
"url": "https://git.kernel.org/stable/c/2f1e86014d0cc084886c36a2d77bc620e2d42618"
},
{
"url": "https://git.kernel.org/stable/c/980f8445479814509a3cd55a8eabaae1c9030a4c"
},
{
"url": "https://git.kernel.org/stable/c/42652af5360d30b43b06057c193739e7dfb18f42"
},
{
"url": "https://git.kernel.org/stable/c/ac28b1ec6135649b5d78b028e47264cb3ebca5ea"
}
],
"title": "net: ipv4: fix one memleak in __inet_del_ifa()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53995",
"datePublished": "2025-12-24T10:55:32.713Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:32.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40153 (GCVE-0-2025-40153)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
mm: hugetlb: avoid soft lockup when mprotect to large memory area
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: hugetlb: avoid soft lockup when mprotect to large memory area
When calling mprotect() to a large hugetlb memory area in our customer's
workload (~300GB hugetlb memory), soft lockup was observed:
watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]
CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7
Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025
pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mte_clear_page_tags+0x14/0x24
lr : mte_sync_tags+0x1c0/0x240
sp : ffff80003150bb80
x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000
x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458
x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000
x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000
x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000
Call trace:
mte_clear_page_tags+0x14/0x24
set_huge_pte_at+0x25c/0x280
hugetlb_change_protection+0x220/0x430
change_protection+0x5c/0x8c
mprotect_fixup+0x10c/0x294
do_mprotect_pkey.constprop.0+0x2e0/0x3d4
__arm64_sys_mprotect+0x24/0x44
invoke_syscall+0x50/0x160
el0_svc_common+0x48/0x144
do_el0_svc+0x30/0xe0
el0_svc+0x30/0xf0
el0t_64_sync_handler+0xc4/0x148
el0t_64_sync+0x1a4/0x1a8
Soft lockup is not triggered with THP or base page because there is
cond_resched() called for each PMD size.
Although the soft lockup was triggered by MTE, it should be not MTE
specific. The other processing which takes long time in the loop may
trigger soft lockup too.
So add cond_resched() for hugetlb to avoid soft lockup.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 30498c44c2a0b20f6833ed7d8fc3df901507f760
(git)
Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 5783485ab2be06be5312b26c8793526edc09123d (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 547e123e9d342a44c756446640ed847a8aeec611 (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 957faf9582f92bb2be8ebe4ab6aa1c2bc71d9859 (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 964598e6f70a1be9fe675280bf16b4f96b0a6809 (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < 4975c975ed9457a77953a26aeef85fdba7cf5498 (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < c6096f3947f68f96defedb8764b3b1ca4cf3469f (git) Affected: 8f860591ffb29738cf5539b6fbf27f50dcdeb380 , < f52ce0ea90c83a28904c7cc203a70e6434adfecb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30498c44c2a0b20f6833ed7d8fc3df901507f760",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "5783485ab2be06be5312b26c8793526edc09123d",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "547e123e9d342a44c756446640ed847a8aeec611",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "957faf9582f92bb2be8ebe4ab6aa1c2bc71d9859",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "964598e6f70a1be9fe675280bf16b4f96b0a6809",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "4975c975ed9457a77953a26aeef85fdba7cf5498",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "c6096f3947f68f96defedb8764b3b1ca4cf3469f",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
},
{
"lessThan": "f52ce0ea90c83a28904c7cc203a70e6434adfecb",
"status": "affected",
"version": "8f860591ffb29738cf5539b6fbf27f50dcdeb380",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.17"
},
{
"lessThan": "2.6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: avoid soft lockup when mprotect to large memory area\n\nWhen calling mprotect() to a large hugetlb memory area in our customer\u0027s\nworkload (~300GB hugetlb memory), soft lockup was observed:\n\nwatchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]\n\nCPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7\nHardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc\u00a0: mte_clear_page_tags+0x14/0x24\nlr\u00a0: mte_sync_tags+0x1c0/0x240\nsp\u00a0: ffff80003150bb80\nx29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000\nx26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458\nx23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000\nx20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\nx14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c\nx8\u00a0: 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\nx5\u00a0: fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000\nx2\u00a0: 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000\n\nCall trace:\n\u00a0\u00a0mte_clear_page_tags+0x14/0x24\n\u00a0\u00a0set_huge_pte_at+0x25c/0x280\n\u00a0\u00a0hugetlb_change_protection+0x220/0x430\n\u00a0\u00a0change_protection+0x5c/0x8c\n\u00a0\u00a0mprotect_fixup+0x10c/0x294\n\u00a0\u00a0do_mprotect_pkey.constprop.0+0x2e0/0x3d4\n\u00a0\u00a0__arm64_sys_mprotect+0x24/0x44\n\u00a0\u00a0invoke_syscall+0x50/0x160\n\u00a0\u00a0el0_svc_common+0x48/0x144\n\u00a0\u00a0do_el0_svc+0x30/0xe0\n\u00a0\u00a0el0_svc+0x30/0xf0\n\u00a0\u00a0el0t_64_sync_handler+0xc4/0x148\n\u00a0\u00a0el0t_64_sync+0x1a4/0x1a8\n\nSoft lockup is not triggered with THP or base page because there is\ncond_resched() called for each PMD size.\n\nAlthough the soft lockup was triggered by MTE, it should be not MTE\nspecific. The other processing which takes long time in the loop may\ntrigger soft lockup too.\n\nSo add cond_resched() for hugetlb to avoid soft lockup."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:03.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30498c44c2a0b20f6833ed7d8fc3df901507f760"
},
{
"url": "https://git.kernel.org/stable/c/5783485ab2be06be5312b26c8793526edc09123d"
},
{
"url": "https://git.kernel.org/stable/c/547e123e9d342a44c756446640ed847a8aeec611"
},
{
"url": "https://git.kernel.org/stable/c/957faf9582f92bb2be8ebe4ab6aa1c2bc71d9859"
},
{
"url": "https://git.kernel.org/stable/c/964598e6f70a1be9fe675280bf16b4f96b0a6809"
},
{
"url": "https://git.kernel.org/stable/c/4975c975ed9457a77953a26aeef85fdba7cf5498"
},
{
"url": "https://git.kernel.org/stable/c/c6096f3947f68f96defedb8764b3b1ca4cf3469f"
},
{
"url": "https://git.kernel.org/stable/c/f52ce0ea90c83a28904c7cc203a70e6434adfecb"
}
],
"title": "mm: hugetlb: avoid soft lockup when mprotect to large memory area",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40153",
"datePublished": "2025-11-12T10:23:28.201Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:03.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68194 (GCVE-0-2025-68194)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
media: imon: make send_packet() more robust
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: imon: make send_packet() more robust
syzbot is reporting that imon has three problems which result in
hung tasks due to forever holding device lock [1].
First problem is that when usb_rx_callback_intf0() once got -EPROTO error
after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
resubmits urb after printk(), and resubmitted urb causes
usb_rx_callback_intf0() to again get -EPROTO error. This results in
printk() flooding (RCU stalls).
Alan Stern commented [2] that
In theory it's okay to resubmit _if_ the driver has a robust
error-recovery scheme (such as giving up after some fixed limit on the
number of errors or after some fixed time has elapsed, perhaps with a
time delay to prevent a flood of errors). Most drivers don't bother to
do this; they simply give up right away. This makes them more
vulnerable to short-term noise interference during USB transfers, but in
reality such interference is quite rare. There's nothing really wrong
with giving up right away.
but imon has a poor error-recovery scheme which just retries forever;
this behavior should be fixed.
Since I'm not sure whether it is safe for imon users to give up upon any
error code, this patch takes care of only union of error codes chosen from
modules in drivers/media/rc/ directory which handle -EPROTO error (i.e.
ir_toy, mceusb and igorplugusb).
Second problem is that when usb_rx_callback_intf0() once got -EPROTO error
before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always
resubmits urb due to commit 8791d63af0cf ("[media] imon: don't wedge
hardware after early callbacks"). Move the ictx->dev_present_intf0 test
introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes
until intf configured") to immediately before imon_incoming_packet(), or
the first problem explained above happens without printk() flooding (i.e.
hung task).
Third problem is that when usb_rx_callback_intf0() is not called for some
reason (e.g. flaky hardware; the reproducer for this problem sometimes
prevents usb_rx_callback_intf0() from being called),
wait_for_completion_interruptible() in send_packet() never returns (i.e.
hung task). As a workaround for such situation, change send_packet() to
wait for completion with timeout of 10 seconds.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
21677cfc562a27e099719d413287bc8d1d24deb7 , < 519737af11c03590819a6eec2ad532cfdb87ea63
(git)
Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < f58ab83b7b7133e6baefe03a46846c4f6ce45e2f (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 26f6a1dd5d81ad61a875a747698da6f27abf389b (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 667afd4681781f60a644cd0d2ee6c59cb1c36208 (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 8231e80118463be5598daaf266c1c83650f1948b (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 0213e4175abbb9dfcbf7c197e3817d527f459ad5 (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < f7f3ecb4934fff782fa9bb1cd16e2290c041b22d (git) Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < eecd203ada43a4693ce6fdd3a58ae10c7819252c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "519737af11c03590819a6eec2ad532cfdb87ea63",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "f58ab83b7b7133e6baefe03a46846c4f6ce45e2f",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "26f6a1dd5d81ad61a875a747698da6f27abf389b",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "667afd4681781f60a644cd0d2ee6c59cb1c36208",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "8231e80118463be5598daaf266c1c83650f1948b",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "0213e4175abbb9dfcbf7c197e3817d527f459ad5",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "f7f3ecb4934fff782fa9bb1cd16e2290c041b22d",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
},
{
"lessThan": "eecd203ada43a4693ce6fdd3a58ae10c7819252c",
"status": "affected",
"version": "21677cfc562a27e099719d413287bc8d1d24deb7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/rc/imon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imon: make send_packet() more robust\n\nsyzbot is reporting that imon has three problems which result in\nhung tasks due to forever holding device lock [1].\n\nFirst problem is that when usb_rx_callback_intf0() once got -EPROTO error\nafter ictx-\u003edev_present_intf0 became true, usb_rx_callback_intf0()\nresubmits urb after printk(), and resubmitted urb causes\nusb_rx_callback_intf0() to again get -EPROTO error. This results in\nprintk() flooding (RCU stalls).\n\nAlan Stern commented [2] that\n\n In theory it\u0027s okay to resubmit _if_ the driver has a robust\n error-recovery scheme (such as giving up after some fixed limit on the\n number of errors or after some fixed time has elapsed, perhaps with a\n time delay to prevent a flood of errors). Most drivers don\u0027t bother to\n do this; they simply give up right away. This makes them more\n vulnerable to short-term noise interference during USB transfers, but in\n reality such interference is quite rare. There\u0027s nothing really wrong\n with giving up right away.\n\nbut imon has a poor error-recovery scheme which just retries forever;\nthis behavior should be fixed.\n\nSince I\u0027m not sure whether it is safe for imon users to give up upon any\nerror code, this patch takes care of only union of error codes chosen from\nmodules in drivers/media/rc/ directory which handle -EPROTO error (i.e.\nir_toy, mceusb and igorplugusb).\n\nSecond problem is that when usb_rx_callback_intf0() once got -EPROTO error\nbefore ictx-\u003edev_present_intf0 becomes true, usb_rx_callback_intf0() always\nresubmits urb due to commit 8791d63af0cf (\"[media] imon: don\u0027t wedge\nhardware after early callbacks\"). Move the ictx-\u003edev_present_intf0 test\nintroduced by commit 6f6b90c9231a (\"[media] imon: don\u0027t parse scancodes\nuntil intf configured\") to immediately before imon_incoming_packet(), or\nthe first problem explained above happens without printk() flooding (i.e.\nhung task).\n\nThird problem is that when usb_rx_callback_intf0() is not called for some\nreason (e.g. flaky hardware; the reproducer for this problem sometimes\nprevents usb_rx_callback_intf0() from being called),\nwait_for_completion_interruptible() in send_packet() never returns (i.e.\nhung task). As a workaround for such situation, change send_packet() to\nwait for completion with timeout of 10 seconds."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:22.965Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/519737af11c03590819a6eec2ad532cfdb87ea63"
},
{
"url": "https://git.kernel.org/stable/c/f58ab83b7b7133e6baefe03a46846c4f6ce45e2f"
},
{
"url": "https://git.kernel.org/stable/c/26f6a1dd5d81ad61a875a747698da6f27abf389b"
},
{
"url": "https://git.kernel.org/stable/c/667afd4681781f60a644cd0d2ee6c59cb1c36208"
},
{
"url": "https://git.kernel.org/stable/c/8231e80118463be5598daaf266c1c83650f1948b"
},
{
"url": "https://git.kernel.org/stable/c/0213e4175abbb9dfcbf7c197e3817d527f459ad5"
},
{
"url": "https://git.kernel.org/stable/c/f7f3ecb4934fff782fa9bb1cd16e2290c041b22d"
},
{
"url": "https://git.kernel.org/stable/c/eecd203ada43a4693ce6fdd3a58ae10c7819252c"
}
],
"title": "media: imon: make send_packet() more robust",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68194",
"datePublished": "2025-12-16T13:43:20.525Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2026-01-02T15:34:22.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53839 (GCVE-0-2023-53839)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
dccp: fix data-race around dp->dccps_mss_cache
Summary
In the Linux kernel, the following vulnerability has been resolved:
dccp: fix data-race around dp->dccps_mss_cache
dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket.
Same thing in do_dccp_getsockopt().
Add READ_ONCE()/WRITE_ONCE() annotations,
and change dccp_sendmsg() to check again dccps_mss_cache
after socket is locked.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1
(git)
Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817 (git) Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 67eebc7a9217f999b779d46fba5312a716f0dc1d (git) Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < 6d701c95ee6463abcbb6da543060d6e444554135 (git) Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < f239c9e1d98b313435481b4926e8bdd06197e4d8 (git) Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < a6ddc1c774874dc704f96a99d015dc759627bba7 (git) Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384 (git) Affected: 7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c , < a47e598fbd8617967e49d85c49c22f9fc642704c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/dccp/output.c",
"net/dccp/proto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "67eebc7a9217f999b779d46fba5312a716f0dc1d",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "6d701c95ee6463abcbb6da543060d6e444554135",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "f239c9e1d98b313435481b4926e8bdd06197e4d8",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "a6ddc1c774874dc704f96a99d015dc759627bba7",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
},
{
"lessThan": "a47e598fbd8617967e49d85c49c22f9fc642704c",
"status": "affected",
"version": "7c657876b63cb1d8a2ec06f8fc6c37bb8412e66c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/dccp/output.c",
"net/dccp/proto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.14"
},
{
"lessThan": "2.6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.323",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.323",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp: fix data-race around dp-\u003edccps_mss_cache\n\ndccp_sendmsg() reads dp-\u003edccps_mss_cache before locking the socket.\nSame thing in do_dccp_getsockopt().\n\nAdd READ_ONCE()/WRITE_ONCE() annotations,\nand change dccp_sendmsg() to check again dccps_mss_cache\nafter socket is locked."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:55.540Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1"
},
{
"url": "https://git.kernel.org/stable/c/2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817"
},
{
"url": "https://git.kernel.org/stable/c/67eebc7a9217f999b779d46fba5312a716f0dc1d"
},
{
"url": "https://git.kernel.org/stable/c/6d701c95ee6463abcbb6da543060d6e444554135"
},
{
"url": "https://git.kernel.org/stable/c/f239c9e1d98b313435481b4926e8bdd06197e4d8"
},
{
"url": "https://git.kernel.org/stable/c/a6ddc1c774874dc704f96a99d015dc759627bba7"
},
{
"url": "https://git.kernel.org/stable/c/d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384"
},
{
"url": "https://git.kernel.org/stable/c/a47e598fbd8617967e49d85c49c22f9fc642704c"
}
],
"title": "dccp: fix data-race around dp-\u003edccps_mss_cache",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53839",
"datePublished": "2025-12-09T01:29:55.540Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:29:55.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50747 (GCVE-0-2022-50747)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
hfs: Fix OOB Write in hfs_asc2mac
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: Fix OOB Write in hfs_asc2mac
Syzbot reported a OOB Write bug:
loop0: detected capacity change from 0 to 64
==================================================================
BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0
fs/hfs/trans.c:133
Write of size 1 at addr ffff88801848314e by task syz-executor391/3632
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:284
print_report+0x107/0x1f0 mm/kasan/report.c:395
kasan_report+0xcd/0x100 mm/kasan/report.c:495
hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133
hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28
hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31
lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x10e6/0x2df0 fs/namei.c:3710
do_filp_open+0x264/0x4f0 fs/namei.c:3740
If in->len is much larger than HFS_NAMELEN(31) which is the maximum
length of an HFS filename, a OOB write could occur in hfs_asc2mac(). In
that case, when the dst reaches the boundary, the srclen is still
greater than 0, which causes a OOB write.
Fix this by adding a check on dstlen in while() before writing to dst
address.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
328b9227865026268261a24a97a578907b280415 , < 8399318b13dc9e0569dee07ba2994098926d4fb2
(git)
Affected: 328b9227865026268261a24a97a578907b280415 , < 95040de81c629cd8d3c6ab5b50a8bd5088068303 (git) Affected: 328b9227865026268261a24a97a578907b280415 , < ba8f0ca386dd15acf5a93cbac932392c7818eab4 (git) Affected: 328b9227865026268261a24a97a578907b280415 , < 6a95b17e4d4cd2d8278559f930b447f8c9c8cff9 (git) Affected: 328b9227865026268261a24a97a578907b280415 , < cff9fefdfbf5744afbb6d70bff2b49ec2065d23d (git) Affected: 328b9227865026268261a24a97a578907b280415 , < 7af9cb8cbb81308ce4b06cc7164267faccbf75dd (git) Affected: 328b9227865026268261a24a97a578907b280415 , < ae21b03f904736eb2aa9bd119d2a14e741f1681f (git) Affected: 328b9227865026268261a24a97a578907b280415 , < 88579c158e026860c61c4192531e8bc42f4bc642 (git) Affected: 328b9227865026268261a24a97a578907b280415 , < c53ed55cb275344086e32a7080a6b19cb183650b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfs/trans.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8399318b13dc9e0569dee07ba2994098926d4fb2",
"status": "affected",
"version": "328b9227865026268261a24a97a578907b280415",
"versionType": "git"
},
{
"lessThan": "95040de81c629cd8d3c6ab5b50a8bd5088068303",
"status": "affected",
"version": "328b9227865026268261a24a97a578907b280415",
"versionType": "git"
},
{
"lessThan": "ba8f0ca386dd15acf5a93cbac932392c7818eab4",
"status": "affected",
"version": "328b9227865026268261a24a97a578907b280415",
"versionType": "git"
},
{
"lessThan": "6a95b17e4d4cd2d8278559f930b447f8c9c8cff9",
"status": "affected",
"version": "328b9227865026268261a24a97a578907b280415",
"versionType": "git"
},
{
"lessThan": "cff9fefdfbf5744afbb6d70bff2b49ec2065d23d",
"status": "affected",
"version": "328b9227865026268261a24a97a578907b280415",
"versionType": "git"
},
{
"lessThan": "7af9cb8cbb81308ce4b06cc7164267faccbf75dd",
"status": "affected",
"version": "328b9227865026268261a24a97a578907b280415",
"versionType": "git"
},
{
"lessThan": "ae21b03f904736eb2aa9bd119d2a14e741f1681f",
"status": "affected",
"version": "328b9227865026268261a24a97a578907b280415",
"versionType": "git"
},
{
"lessThan": "88579c158e026860c61c4192531e8bc42f4bc642",
"status": "affected",
"version": "328b9227865026268261a24a97a578907b280415",
"versionType": "git"
},
{
"lessThan": "c53ed55cb275344086e32a7080a6b19cb183650b",
"status": "affected",
"version": "328b9227865026268261a24a97a578907b280415",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfs/trans.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.14"
},
{
"lessThan": "2.6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: Fix OOB Write in hfs_asc2mac\n\nSyzbot reported a OOB Write bug:\n\nloop0: detected capacity change from 0 to 64\n==================================================================\nBUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0\nfs/hfs/trans.c:133\nWrite of size 1 at addr ffff88801848314e by task syz-executor391/3632\n\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n print_address_description+0x74/0x340 mm/kasan/report.c:284\n print_report+0x107/0x1f0 mm/kasan/report.c:395\n kasan_report+0xcd/0x100 mm/kasan/report.c:495\n hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133\n hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28\n hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31\n lookup_open fs/namei.c:3391 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x10e6/0x2df0 fs/namei.c:3710\n do_filp_open+0x264/0x4f0 fs/namei.c:3740\n\nIf in-\u003elen is much larger than HFS_NAMELEN(31) which is the maximum\nlength of an HFS filename, a OOB write could occur in hfs_asc2mac(). In\nthat case, when the dst reaches the boundary, the srclen is still\ngreater than 0, which causes a OOB write.\nFix this by adding a check on dstlen in while() before writing to dst\naddress."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:43.347Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8399318b13dc9e0569dee07ba2994098926d4fb2"
},
{
"url": "https://git.kernel.org/stable/c/95040de81c629cd8d3c6ab5b50a8bd5088068303"
},
{
"url": "https://git.kernel.org/stable/c/ba8f0ca386dd15acf5a93cbac932392c7818eab4"
},
{
"url": "https://git.kernel.org/stable/c/6a95b17e4d4cd2d8278559f930b447f8c9c8cff9"
},
{
"url": "https://git.kernel.org/stable/c/cff9fefdfbf5744afbb6d70bff2b49ec2065d23d"
},
{
"url": "https://git.kernel.org/stable/c/7af9cb8cbb81308ce4b06cc7164267faccbf75dd"
},
{
"url": "https://git.kernel.org/stable/c/ae21b03f904736eb2aa9bd119d2a14e741f1681f"
},
{
"url": "https://git.kernel.org/stable/c/88579c158e026860c61c4192531e8bc42f4bc642"
},
{
"url": "https://git.kernel.org/stable/c/c53ed55cb275344086e32a7080a6b19cb183650b"
}
],
"title": "hfs: Fix OOB Write in hfs_asc2mac",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50747",
"datePublished": "2025-12-24T13:05:43.347Z",
"dateReserved": "2025-12-24T13:02:21.544Z",
"dateUpdated": "2025-12-24T13:05:43.347Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40251 (GCVE-0-2025-40251)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08
VLAI?
EPSS
Title
devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
Summary
In the Linux kernel, the following vulnerability has been resolved:
devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
The function devl_rate_nodes_destroy is documented to "Unset parent for
all rate objects". However, it was only calling the driver-specific
`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing
the parent's refcount, without actually setting the
`devlink_rate->parent` pointer to NULL.
This leaves a dangling pointer in the `devlink_rate` struct, which cause
refcount error in netdevsim[1] and mlx5[2]. In addition, this is
inconsistent with the behavior of `devlink_nl_rate_parent_node_set`,
where the parent pointer is correctly cleared.
This patch fixes the issue by explicitly setting `devlink_rate->parent`
to NULL after notifying the driver, thus fulfilling the function's
documented behavior for all rate objects.
[1]
repro steps:
echo 1 > /sys/bus/netdevsim/new_device
devlink dev eswitch set netdevsim/netdevsim1 mode switchdev
echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs
devlink port function rate add netdevsim/netdevsim1/test_node
devlink port function rate set netdevsim/netdevsim1/128 parent test_node
echo 1 > /sys/bus/netdevsim/del_device
dmesg:
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:refcount_warn_saturate+0x42/0xe0
Call Trace:
<TASK>
devl_rate_leaf_destroy+0x8d/0x90
__nsim_dev_port_del+0x6c/0x70 [netdevsim]
nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]
nsim_drv_remove+0x2b/0xb0 [netdevsim]
device_release_driver_internal+0x194/0x1f0
bus_remove_device+0xc6/0x130
device_del+0x159/0x3c0
device_unregister+0x1a/0x60
del_device_store+0x111/0x170 [netdevsim]
kernfs_fop_write_iter+0x12e/0x1e0
vfs_write+0x215/0x3d0
ksys_write+0x5f/0xd0
do_syscall_64+0x55/0x10f0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[2]
devlink dev eswitch set pci/0000:08:00.0 mode switchdev
devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000
devlink port function rate add pci/0000:08:00.0/group1
devlink port function rate set pci/0000:08:00.0/32768 parent group1
modprobe -r mlx5_ib mlx5_fwctl mlx5_core
dmesg:
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
RIP: 0010:refcount_warn_saturate+0x42/0xe0
Call Trace:
<TASK>
devl_rate_leaf_destroy+0x8d/0x90
mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]
mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]
mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]
mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]
notifier_call_chain+0x33/0xa0
blocking_notifier_call_chain+0x3b/0x50
mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]
mlx5_eswitch_disable+0x63/0x90 [mlx5_core]
mlx5_unload+0x1d/0x170 [mlx5_core]
mlx5_uninit_one+0xa2/0x130 [mlx5_core]
remove_one+0x78/0xd0 [mlx5_core]
pci_device_remove+0x39/0xa0
device_release_driver_internal+0x194/0x1f0
unbind_store+0x99/0xa0
kernfs_fop_write_iter+0x12e/0x1e0
vfs_write+0x215/0x3d0
ksys_write+0x5f/0xd0
do_syscall_64+0x53/0x1f0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d7555984507822458b32a6405881038241d140be , < 715d9cda646a8a38ea8b2bb5afb679a7464055e2
(git)
Affected: d7555984507822458b32a6405881038241d140be , < c70df6c17d389cc743f0eb30160e2d6bc6910db8 (git) Affected: d7555984507822458b32a6405881038241d140be , < 542f45486f1ce2d2dde75bd85aca0389ef7046c3 (git) Affected: d7555984507822458b32a6405881038241d140be , < f94c1a114ac209977bdf5ca841b98424295ab1f0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/devlink/rate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "715d9cda646a8a38ea8b2bb5afb679a7464055e2",
"status": "affected",
"version": "d7555984507822458b32a6405881038241d140be",
"versionType": "git"
},
{
"lessThan": "c70df6c17d389cc743f0eb30160e2d6bc6910db8",
"status": "affected",
"version": "d7555984507822458b32a6405881038241d140be",
"versionType": "git"
},
{
"lessThan": "542f45486f1ce2d2dde75bd85aca0389ef7046c3",
"status": "affected",
"version": "d7555984507822458b32a6405881038241d140be",
"versionType": "git"
},
{
"lessThan": "f94c1a114ac209977bdf5ca841b98424295ab1f0",
"status": "affected",
"version": "d7555984507822458b32a6405881038241d140be",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/devlink/rate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: rate: Unset parent pointer in devl_rate_nodes_destroy\n\nThe function devl_rate_nodes_destroy is documented to \"Unset parent for\nall rate objects\". However, it was only calling the driver-specific\n`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing\nthe parent\u0027s refcount, without actually setting the\n`devlink_rate-\u003eparent` pointer to NULL.\n\nThis leaves a dangling pointer in the `devlink_rate` struct, which cause\nrefcount error in netdevsim[1] and mlx5[2]. In addition, this is\ninconsistent with the behavior of `devlink_nl_rate_parent_node_set`,\nwhere the parent pointer is correctly cleared.\n\nThis patch fixes the issue by explicitly setting `devlink_rate-\u003eparent`\nto NULL after notifying the driver, thus fulfilling the function\u0027s\ndocumented behavior for all rate objects.\n\n[1]\nrepro steps:\necho 1 \u003e /sys/bus/netdevsim/new_device\ndevlink dev eswitch set netdevsim/netdevsim1 mode switchdev\necho 1 \u003e /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs\ndevlink port function rate add netdevsim/netdevsim1/test_node\ndevlink port function rate set netdevsim/netdevsim1/128 parent test_node\necho 1 \u003e /sys/bus/netdevsim/del_device\n\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n \u003cTASK\u003e\n devl_rate_leaf_destroy+0x8d/0x90\n __nsim_dev_port_del+0x6c/0x70 [netdevsim]\n nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]\n nsim_drv_remove+0x2b/0xb0 [netdevsim]\n device_release_driver_internal+0x194/0x1f0\n bus_remove_device+0xc6/0x130\n device_del+0x159/0x3c0\n device_unregister+0x1a/0x60\n del_device_store+0x111/0x170 [netdevsim]\n kernfs_fop_write_iter+0x12e/0x1e0\n vfs_write+0x215/0x3d0\n ksys_write+0x5f/0xd0\n do_syscall_64+0x55/0x10f0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\ndevlink dev eswitch set pci/0000:08:00.0 mode switchdev\ndevlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000\ndevlink port function rate add pci/0000:08:00.0/group1\ndevlink port function rate set pci/0000:08:00.0/32768 parent group1\nmodprobe -r mlx5_ib mlx5_fwctl mlx5_core\n\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n \u003cTASK\u003e\n devl_rate_leaf_destroy+0x8d/0x90\n mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]\n mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]\n mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]\n mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]\n notifier_call_chain+0x33/0xa0\n blocking_notifier_call_chain+0x3b/0x50\n mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]\n mlx5_eswitch_disable+0x63/0x90 [mlx5_core]\n mlx5_unload+0x1d/0x170 [mlx5_core]\n mlx5_uninit_one+0xa2/0x130 [mlx5_core]\n remove_one+0x78/0xd0 [mlx5_core]\n pci_device_remove+0x39/0xa0\n device_release_driver_internal+0x194/0x1f0\n unbind_store+0x99/0xa0\n kernfs_fop_write_iter+0x12e/0x1e0\n vfs_write+0x215/0x3d0\n ksys_write+0x5f/0xd0\n do_syscall_64+0x53/0x1f0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T16:08:13.710Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/715d9cda646a8a38ea8b2bb5afb679a7464055e2"
},
{
"url": "https://git.kernel.org/stable/c/c70df6c17d389cc743f0eb30160e2d6bc6910db8"
},
{
"url": "https://git.kernel.org/stable/c/542f45486f1ce2d2dde75bd85aca0389ef7046c3"
},
{
"url": "https://git.kernel.org/stable/c/f94c1a114ac209977bdf5ca841b98424295ab1f0"
}
],
"title": "devlink: rate: Unset parent pointer in devl_rate_nodes_destroy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40251",
"datePublished": "2025-12-04T16:08:13.710Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T16:08:13.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53795 (GCVE-0-2023-53795)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
iommufd: IOMMUFD_DESTROY should not increase the refcount
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd: IOMMUFD_DESTROY should not increase the refcount
syzkaller found a race where IOMMUFD_DESTROY increments the refcount:
obj = iommufd_get_object(ucmd->ictx, cmd->id, IOMMUFD_OBJ_ANY);
if (IS_ERR(obj))
return PTR_ERR(obj);
iommufd_ref_to_users(obj);
/* See iommufd_ref_to_users() */
if (!iommufd_object_destroy_user(ucmd->ictx, obj))
As part of the sequence to join the two existing primitives together.
Allowing the refcount the be elevated without holding the destroy_rwsem
violates the assumption that all temporary refcount elevations are
protected by destroy_rwsem. Racing IOMMUFD_DESTROY with
iommufd_object_destroy_user() will cause spurious failures:
WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478
Modules linked in:
CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477
Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 <0f> 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41
RSP: 0018:ffffc90003067e08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff
RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500
R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88
R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe
FS: 00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0
Call Trace:
<TASK>
iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline]
iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813
iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The solution is to not increment the refcount on the IOMMUFD_DESTROY path
at all. Instead use the xa_lock to serialize everything. The refcount
check == 1 and xa_erase can be done under a single critical region. This
avoids the need for any refcount incrementing.
It has the downside that if userspace races destroy with other operations
it will get an EBUSY instead of waiting, but this is kind of racing is
already dangerous.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/device.c",
"drivers/iommu/iommufd/iommufd_private.h",
"drivers/iommu/iommufd/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "495b327435b0298e9b3b434f5834d459a93673ce",
"status": "affected",
"version": "2ff4bed7fee72ba1abfcff5f11ae8f8e570353f2",
"versionType": "git"
},
{
"lessThan": "99f98a7c0d6985d5507c8130a981972e4b7b3bdc",
"status": "affected",
"version": "2ff4bed7fee72ba1abfcff5f11ae8f8e570353f2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/device.c",
"drivers/iommu/iommufd/iommufd_private.h",
"drivers/iommu/iommufd/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: IOMMUFD_DESTROY should not increase the refcount\n\nsyzkaller found a race where IOMMUFD_DESTROY increments the refcount:\n\n obj = iommufd_get_object(ucmd-\u003eictx, cmd-\u003eid, IOMMUFD_OBJ_ANY);\n if (IS_ERR(obj))\n return PTR_ERR(obj);\n iommufd_ref_to_users(obj);\n /* See iommufd_ref_to_users() */\n if (!iommufd_object_destroy_user(ucmd-\u003eictx, obj))\n\nAs part of the sequence to join the two existing primitives together.\n\nAllowing the refcount the be elevated without holding the destroy_rwsem\nviolates the assumption that all temporary refcount elevations are\nprotected by destroy_rwsem. Racing IOMMUFD_DESTROY with\niommufd_object_destroy_user() will cause spurious failures:\n\n WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478\n Modules linked in:\n CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023\n RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477\n Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 \u003c0f\u003e 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41\n RSP: 0018:ffffc90003067e08 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff\n RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500\n R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88\n R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe\n FS: 00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0\n Call Trace:\n \u003cTASK\u003e\n iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline]\n iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813\n iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe solution is to not increment the refcount on the IOMMUFD_DESTROY path\nat all. Instead use the xa_lock to serialize everything. The refcount\ncheck == 1 and xa_erase can be done under a single critical region. This\navoids the need for any refcount incrementing.\n\nIt has the downside that if userspace races destroy with other operations\nit will get an EBUSY instead of waiting, but this is kind of racing is\nalready dangerous."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:51.992Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/495b327435b0298e9b3b434f5834d459a93673ce"
},
{
"url": "https://git.kernel.org/stable/c/99f98a7c0d6985d5507c8130a981972e4b7b3bdc"
}
],
"title": "iommufd: IOMMUFD_DESTROY should not increase the refcount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53795",
"datePublished": "2025-12-09T00:00:51.992Z",
"dateReserved": "2025-12-08T23:58:35.274Z",
"dateUpdated": "2025-12-09T00:00:51.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54131 (GCVE-0-2023-54131)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
wifi: rt2x00: Fix memory leak when handling surveys
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rt2x00: Fix memory leak when handling surveys
When removing a rt2x00 device, its associated channel surveys
are not freed, causing a memory leak observable with kmemleak:
unreferenced object 0xffff9620f0881a00 (size 512):
comm "systemd-udevd", pid 2290, jiffies 4294906974 (age 33.768s)
hex dump (first 32 bytes):
70 44 12 00 00 00 00 00 92 8a 00 00 00 00 00 00 pD..............
00 00 00 00 00 00 00 00 ab 87 01 00 00 00 00 00 ................
backtrace:
[<ffffffffb0ed858b>] __kmalloc+0x4b/0x130
[<ffffffffc1b0f29b>] rt2800_probe_hw+0xc2b/0x1380 [rt2800lib]
[<ffffffffc1a9496e>] rt2800usb_probe_hw+0xe/0x60 [rt2800usb]
[<ffffffffc1ae491a>] rt2x00lib_probe_dev+0x21a/0x7d0 [rt2x00lib]
[<ffffffffc1b3b83e>] rt2x00usb_probe+0x1be/0x980 [rt2x00usb]
[<ffffffffc05981e2>] usb_probe_interface+0xe2/0x310 [usbcore]
[<ffffffffb13be2d5>] really_probe+0x1a5/0x410
[<ffffffffb13be5c8>] __driver_probe_device+0x78/0x180
[<ffffffffb13be6fe>] driver_probe_device+0x1e/0x90
[<ffffffffb13be972>] __driver_attach+0xd2/0x1c0
[<ffffffffb13bbc57>] bus_for_each_dev+0x77/0xd0
[<ffffffffb13bd2a2>] bus_add_driver+0x112/0x210
[<ffffffffb13bfc6c>] driver_register+0x5c/0x120
[<ffffffffc0596ae8>] usb_register_driver+0x88/0x150 [usbcore]
[<ffffffffb0c011c4>] do_one_initcall+0x44/0x220
[<ffffffffb0d6134c>] do_init_module+0x4c/0x220
Fix this by freeing the channel surveys on device removal.
Tested with a RT3070 based USB wireless adapter.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5447626910f5b8d964761ed4fa4feaf1a3ac47d0 , < eb77c0c0a17c53d83b5fe8e46490fb0a7ed9e6af
(git)
Affected: 5447626910f5b8d964761ed4fa4feaf1a3ac47d0 , < bea3f8aa999318bdffa2d17753e492f76904f0ce (git) Affected: 5447626910f5b8d964761ed4fa4feaf1a3ac47d0 , < 494064ffd60d044c097d514917c40913d1affbca (git) Affected: 5447626910f5b8d964761ed4fa4feaf1a3ac47d0 , < 0354bce76ed1d775904acdb4cc0bf88c5b9b5b9f (git) Affected: 5447626910f5b8d964761ed4fa4feaf1a3ac47d0 , < cbef9a83c51dfcb07f77cfa6ac26f53a1ea86f49 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ralink/rt2x00/rt2x00dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb77c0c0a17c53d83b5fe8e46490fb0a7ed9e6af",
"status": "affected",
"version": "5447626910f5b8d964761ed4fa4feaf1a3ac47d0",
"versionType": "git"
},
{
"lessThan": "bea3f8aa999318bdffa2d17753e492f76904f0ce",
"status": "affected",
"version": "5447626910f5b8d964761ed4fa4feaf1a3ac47d0",
"versionType": "git"
},
{
"lessThan": "494064ffd60d044c097d514917c40913d1affbca",
"status": "affected",
"version": "5447626910f5b8d964761ed4fa4feaf1a3ac47d0",
"versionType": "git"
},
{
"lessThan": "0354bce76ed1d775904acdb4cc0bf88c5b9b5b9f",
"status": "affected",
"version": "5447626910f5b8d964761ed4fa4feaf1a3ac47d0",
"versionType": "git"
},
{
"lessThan": "cbef9a83c51dfcb07f77cfa6ac26f53a1ea86f49",
"status": "affected",
"version": "5447626910f5b8d964761ed4fa4feaf1a3ac47d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ralink/rt2x00/rt2x00dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rt2x00: Fix memory leak when handling surveys\n\nWhen removing a rt2x00 device, its associated channel surveys\nare not freed, causing a memory leak observable with kmemleak:\n\nunreferenced object 0xffff9620f0881a00 (size 512):\n comm \"systemd-udevd\", pid 2290, jiffies 4294906974 (age 33.768s)\n hex dump (first 32 bytes):\n 70 44 12 00 00 00 00 00 92 8a 00 00 00 00 00 00 pD..............\n 00 00 00 00 00 00 00 00 ab 87 01 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffffb0ed858b\u003e] __kmalloc+0x4b/0x130\n [\u003cffffffffc1b0f29b\u003e] rt2800_probe_hw+0xc2b/0x1380 [rt2800lib]\n [\u003cffffffffc1a9496e\u003e] rt2800usb_probe_hw+0xe/0x60 [rt2800usb]\n [\u003cffffffffc1ae491a\u003e] rt2x00lib_probe_dev+0x21a/0x7d0 [rt2x00lib]\n [\u003cffffffffc1b3b83e\u003e] rt2x00usb_probe+0x1be/0x980 [rt2x00usb]\n [\u003cffffffffc05981e2\u003e] usb_probe_interface+0xe2/0x310 [usbcore]\n [\u003cffffffffb13be2d5\u003e] really_probe+0x1a5/0x410\n [\u003cffffffffb13be5c8\u003e] __driver_probe_device+0x78/0x180\n [\u003cffffffffb13be6fe\u003e] driver_probe_device+0x1e/0x90\n [\u003cffffffffb13be972\u003e] __driver_attach+0xd2/0x1c0\n [\u003cffffffffb13bbc57\u003e] bus_for_each_dev+0x77/0xd0\n [\u003cffffffffb13bd2a2\u003e] bus_add_driver+0x112/0x210\n [\u003cffffffffb13bfc6c\u003e] driver_register+0x5c/0x120\n [\u003cffffffffc0596ae8\u003e] usb_register_driver+0x88/0x150 [usbcore]\n [\u003cffffffffb0c011c4\u003e] do_one_initcall+0x44/0x220\n [\u003cffffffffb0d6134c\u003e] do_init_module+0x4c/0x220\n\nFix this by freeing the channel surveys on device removal.\n\nTested with a RT3070 based USB wireless adapter."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:48.227Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb77c0c0a17c53d83b5fe8e46490fb0a7ed9e6af"
},
{
"url": "https://git.kernel.org/stable/c/bea3f8aa999318bdffa2d17753e492f76904f0ce"
},
{
"url": "https://git.kernel.org/stable/c/494064ffd60d044c097d514917c40913d1affbca"
},
{
"url": "https://git.kernel.org/stable/c/0354bce76ed1d775904acdb4cc0bf88c5b9b5b9f"
},
{
"url": "https://git.kernel.org/stable/c/cbef9a83c51dfcb07f77cfa6ac26f53a1ea86f49"
}
],
"title": "wifi: rt2x00: Fix memory leak when handling surveys",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54131",
"datePublished": "2025-12-24T13:06:48.227Z",
"dateReserved": "2025-12-24T13:02:52.521Z",
"dateUpdated": "2025-12-24T13:06:48.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53748 (GCVE-0-2023-53748)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup
variable *nplanes is provided by user via system call argument. The
possible value of q_data->fmt->num_planes is 1-3, while the value
of *nplanes can be 1-8. The array access by index i can cause array
out-of-bounds.
Fix this bug by checking *nplanes against the array size.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
590577a4e5257ac3ed72999a94666ad6ba8f24bc , < 48e4e06e2c5fe1fda283d499f91492eda2248bb9
(git)
Affected: 590577a4e5257ac3ed72999a94666ad6ba8f24bc , < b8e19bf3b4aebd855be01b64674187dcf6d1db51 (git) Affected: 590577a4e5257ac3ed72999a94666ad6ba8f24bc , < 8fbcf730cb89c3647f3365226fe7014118fa93c7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "48e4e06e2c5fe1fda283d499f91492eda2248bb9",
"status": "affected",
"version": "590577a4e5257ac3ed72999a94666ad6ba8f24bc",
"versionType": "git"
},
{
"lessThan": "b8e19bf3b4aebd855be01b64674187dcf6d1db51",
"status": "affected",
"version": "590577a4e5257ac3ed72999a94666ad6ba8f24bc",
"versionType": "git"
},
{
"lessThan": "8fbcf730cb89c3647f3365226fe7014118fa93c7",
"status": "affected",
"version": "590577a4e5257ac3ed72999a94666ad6ba8f24bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vcodec/mtk_vcodec_dec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup\n\nvariable *nplanes is provided by user via system call argument. The\npossible value of q_data-\u003efmt-\u003enum_planes is 1-3, while the value\nof *nplanes can be 1-8. The array access by index i can cause array\nout-of-bounds.\n\nFix this bug by checking *nplanes against the array size."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:38.858Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/48e4e06e2c5fe1fda283d499f91492eda2248bb9"
},
{
"url": "https://git.kernel.org/stable/c/b8e19bf3b4aebd855be01b64674187dcf6d1db51"
},
{
"url": "https://git.kernel.org/stable/c/8fbcf730cb89c3647f3365226fe7014118fa93c7"
}
],
"title": "media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53748",
"datePublished": "2025-12-08T01:19:07.318Z",
"dateReserved": "2025-12-08T01:18:04.279Z",
"dateUpdated": "2026-01-05T10:32:38.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53858 (GCVE-0-2023-53858)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error
Summary
In the Linux kernel, the following vulnerability has been resolved:
tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error
If clk_get_rate() fails, the clk that has just been allocated needs to be
freed.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 755289d67eb9a74ae71bb624902e979c66859444
(git)
Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < f47e6631a8fcc6fe05b8644aa4222a60f3b0a927 (git) Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 30962268fa1a7466413b3d83037688129021d470 (git) Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < a49e5a05121c8bc471a57b4916c5393749c24de5 (git) Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 073dbbe5743779faf24f233cc95459b47c7198dd (git) Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 34f5b826dd509b76644f83094b4af7e7668a6a38 (git) Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < 1694fc8ad734e2909a9e40d2be03cc4423e0bee6 (git) Affected: 5f5a7a5578c5885201cf9c85856f023fe8b81765 , < a9c09546e903f1068acfa38e1ee18bded7114b37 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/samsung_tty.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "755289d67eb9a74ae71bb624902e979c66859444",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "f47e6631a8fcc6fe05b8644aa4222a60f3b0a927",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "30962268fa1a7466413b3d83037688129021d470",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "a49e5a05121c8bc471a57b4916c5393749c24de5",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "073dbbe5743779faf24f233cc95459b47c7198dd",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "34f5b826dd509b76644f83094b4af7e7668a6a38",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "1694fc8ad734e2909a9e40d2be03cc4423e0bee6",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
},
{
"lessThan": "a9c09546e903f1068acfa38e1ee18bded7114b37",
"status": "affected",
"version": "5f5a7a5578c5885201cf9c85856f023fe8b81765",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/samsung_tty.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error\n\nIf clk_get_rate() fails, the clk that has just been allocated needs to be\nfreed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:24.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/755289d67eb9a74ae71bb624902e979c66859444"
},
{
"url": "https://git.kernel.org/stable/c/f47e6631a8fcc6fe05b8644aa4222a60f3b0a927"
},
{
"url": "https://git.kernel.org/stable/c/30962268fa1a7466413b3d83037688129021d470"
},
{
"url": "https://git.kernel.org/stable/c/a49e5a05121c8bc471a57b4916c5393749c24de5"
},
{
"url": "https://git.kernel.org/stable/c/073dbbe5743779faf24f233cc95459b47c7198dd"
},
{
"url": "https://git.kernel.org/stable/c/34f5b826dd509b76644f83094b4af7e7668a6a38"
},
{
"url": "https://git.kernel.org/stable/c/1694fc8ad734e2909a9e40d2be03cc4423e0bee6"
},
{
"url": "https://git.kernel.org/stable/c/a9c09546e903f1068acfa38e1ee18bded7114b37"
}
],
"title": "tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53858",
"datePublished": "2025-12-09T01:30:24.886Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:24.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50700 (GCVE-0-2022-50700)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03
VLAI?
EPSS
Title
wifi: ath10k: Delay the unmapping of the buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath10k: Delay the unmapping of the buffer
On WCN3990, we are seeing a rare scenario where copy engine hardware is
sending a copy complete interrupt to the host driver while still
processing the buffer that the driver has sent, this is leading into an
SMMU fault triggering kernel panic. This is happening on copy engine
channel 3 (CE3) where the driver normally enqueues WMI commands to the
firmware. Upon receiving a copy complete interrupt, host driver will
immediately unmap and frees the buffer presuming that hardware has
processed the buffer. In the issue case, upon receiving copy complete
interrupt, host driver will unmap and free the buffer but since hardware
is still accessing the buffer (which in this case got unmapped in
parallel), SMMU hardware will trigger an SMMU fault resulting in a
kernel panic.
In order to avoid this, as a work around, add a delay before unmapping
the copy engine source DMA buffer. This is conditionally done for
WCN3990 and only for the CE3 channel where issue is seen.
Below is the crash signature:
wifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled
context fault: fsr=0x402, iova=0x7fdfd8ac0,
fsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled
context fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003,
cbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error
received: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091:
cmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149
remoteproc remoteproc0: crash detected in
4080000.remoteproc: type fatal error <3> remoteproc remoteproc0:
handling crash #1 in 4080000.remoteproc
pc : __arm_lpae_unmap+0x500/0x514
lr : __arm_lpae_unmap+0x4bc/0x514
sp : ffffffc011ffb530
x29: ffffffc011ffb590 x28: 0000000000000000
x27: 0000000000000000 x26: 0000000000000004
x25: 0000000000000003 x24: ffffffc011ffb890
x23: ffffffa762ef9be0 x22: ffffffa77244ef00
x21: 0000000000000009 x20: 00000007fff7c000
x19: 0000000000000003 x18: 0000000000000000
x17: 0000000000000004 x16: ffffffd7a357d9f0
x15: 0000000000000000 x14: 00fd5d4fa7ffffff
x13: 000000000000000e x12: 0000000000000000
x11: 00000000ffffffff x10: 00000000fffffe00
x9 : 000000000000017c x8 : 000000000000000c
x7 : 0000000000000000 x6 : ffffffa762ef9000
x5 : 0000000000000003 x4 : 0000000000000004
x3 : 0000000000001000 x2 : 00000007fff7c000
x1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace:
__arm_lpae_unmap+0x500/0x514
__arm_lpae_unmap+0x4bc/0x514
__arm_lpae_unmap+0x4bc/0x514
arm_lpae_unmap_pages+0x78/0xa4
arm_smmu_unmap_pages+0x78/0x104
__iommu_unmap+0xc8/0x1e4
iommu_unmap_fast+0x38/0x48
__iommu_dma_unmap+0x84/0x104
iommu_dma_free+0x34/0x50
dma_free_attrs+0xa4/0xd0
ath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c
[ath10k_core]
ath10k_halt+0x11c/0x180 [ath10k_core]
ath10k_stop+0x54/0x94 [ath10k_core]
drv_stop+0x48/0x1c8 [mac80211]
ieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c
[mac80211]
__dev_open+0xb4/0x174
__dev_change_flags+0xc4/0x1dc
dev_change_flags+0x3c/0x7c
devinet_ioctl+0x2b4/0x580
inet_ioctl+0xb0/0x1b4
sock_do_ioctl+0x4c/0x16c
compat_ifreq_ioctl+0x1cc/0x35c
compat_sock_ioctl+0x110/0x2ac
__arm64_compat_sys_ioctl+0xf4/0x3e0
el0_svc_common+0xb4/0x17c
el0_svc_compat_handler+0x2c/0x58
el0_svc_compat+0x8/0x2c
Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d390509bdf501c9c8c6e61248e4bc9314c86d854 , < c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a
(git)
Affected: d390509bdf501c9c8c6e61248e4bc9314c86d854 , < 79a124b588aadb5a22695542778de14366ff3219 (git) Affected: d390509bdf501c9c8c6e61248e4bc9314c86d854 , < acd4324e5f1f11351630234297f95076f0ac9a2f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/core.c",
"drivers/net/wireless/ath/ath10k/htc.c",
"drivers/net/wireless/ath/ath10k/hw.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a",
"status": "affected",
"version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
"versionType": "git"
},
{
"lessThan": "79a124b588aadb5a22695542778de14366ff3219",
"status": "affected",
"version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
"versionType": "git"
},
{
"lessThan": "acd4324e5f1f11351630234297f95076f0ac9a2f",
"status": "affected",
"version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/core.c",
"drivers/net/wireless/ath/ath10k/htc.c",
"drivers/net/wireless/ath/ath10k/hw.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: Delay the unmapping of the buffer\n\nOn WCN3990, we are seeing a rare scenario where copy engine hardware is\nsending a copy complete interrupt to the host driver while still\nprocessing the buffer that the driver has sent, this is leading into an\nSMMU fault triggering kernel panic. This is happening on copy engine\nchannel 3 (CE3) where the driver normally enqueues WMI commands to the\nfirmware. Upon receiving a copy complete interrupt, host driver will\nimmediately unmap and frees the buffer presuming that hardware has\nprocessed the buffer. In the issue case, upon receiving copy complete\ninterrupt, host driver will unmap and free the buffer but since hardware\nis still accessing the buffer (which in this case got unmapped in\nparallel), SMMU hardware will trigger an SMMU fault resulting in a\nkernel panic.\n\nIn order to avoid this, as a work around, add a delay before unmapping\nthe copy engine source DMA buffer. This is conditionally done for\nWCN3990 and only for the CE3 channel where issue is seen.\n\nBelow is the crash signature:\n\nwifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled\ncontext fault: fsr=0x402, iova=0x7fdfd8ac0,\nfsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled\ncontext fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003,\ncbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error\nreceived: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091:\ncmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149\nremoteproc remoteproc0: crash detected in\n4080000.remoteproc: type fatal error \u003c3\u003e remoteproc remoteproc0:\nhandling crash #1 in 4080000.remoteproc\n\npc : __arm_lpae_unmap+0x500/0x514\nlr : __arm_lpae_unmap+0x4bc/0x514\nsp : ffffffc011ffb530\nx29: ffffffc011ffb590 x28: 0000000000000000\nx27: 0000000000000000 x26: 0000000000000004\nx25: 0000000000000003 x24: ffffffc011ffb890\nx23: ffffffa762ef9be0 x22: ffffffa77244ef00\nx21: 0000000000000009 x20: 00000007fff7c000\nx19: 0000000000000003 x18: 0000000000000000\nx17: 0000000000000004 x16: ffffffd7a357d9f0\nx15: 0000000000000000 x14: 00fd5d4fa7ffffff\nx13: 000000000000000e x12: 0000000000000000\nx11: 00000000ffffffff x10: 00000000fffffe00\nx9 : 000000000000017c x8 : 000000000000000c\nx7 : 0000000000000000 x6 : ffffffa762ef9000\nx5 : 0000000000000003 x4 : 0000000000000004\nx3 : 0000000000001000 x2 : 00000007fff7c000\nx1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace:\n__arm_lpae_unmap+0x500/0x514\n__arm_lpae_unmap+0x4bc/0x514\n__arm_lpae_unmap+0x4bc/0x514\narm_lpae_unmap_pages+0x78/0xa4\narm_smmu_unmap_pages+0x78/0x104\n__iommu_unmap+0xc8/0x1e4\niommu_unmap_fast+0x38/0x48\n__iommu_dma_unmap+0x84/0x104\niommu_dma_free+0x34/0x50\ndma_free_attrs+0xa4/0xd0\nath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c\n[ath10k_core]\nath10k_halt+0x11c/0x180 [ath10k_core]\nath10k_stop+0x54/0x94 [ath10k_core]\ndrv_stop+0x48/0x1c8 [mac80211]\nieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c\n[mac80211]\n__dev_open+0xb4/0x174\n__dev_change_flags+0xc4/0x1dc\ndev_change_flags+0x3c/0x7c\ndevinet_ioctl+0x2b4/0x580\ninet_ioctl+0xb0/0x1b4\nsock_do_ioctl+0x4c/0x16c\ncompat_ifreq_ioctl+0x1cc/0x35c\ncompat_sock_ioctl+0x110/0x2ac\n__arm64_compat_sys_ioctl+0xf4/0x3e0\nel0_svc_common+0xb4/0x17c\nel0_svc_compat_handler+0x2c/0x58\nel0_svc_compat+0x8/0x2c\n\nTested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:03:55.414Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a"
},
{
"url": "https://git.kernel.org/stable/c/79a124b588aadb5a22695542778de14366ff3219"
},
{
"url": "https://git.kernel.org/stable/c/acd4324e5f1f11351630234297f95076f0ac9a2f"
}
],
"title": "wifi: ath10k: Delay the unmapping of the buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50700",
"datePublished": "2025-12-24T10:55:16.257Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2026-01-02T15:03:55.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50715 (GCVE-0-2022-50715)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
md/raid1: stop mdx_raid1 thread when raid1 array run failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid1: stop mdx_raid1 thread when raid1 array run failed
fail run raid1 array when we assemble array with the inactive disk only,
but the mdx_raid1 thread were not stop, Even if the associated resources
have been released. it will caused a NULL dereference when we do poweroff.
This causes the following Oops:
[ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070
[ 287.594762] #PF: supervisor read access in kernel mode
[ 287.599912] #PF: error_code(0x0000) - not-present page
[ 287.605061] PGD 0 P4D 0
[ 287.607612] Oops: 0000 [#1] SMP NOPTI
[ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0
[ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022
[ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod]
[ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ......
[ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202
[ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000
[ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800
[ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff
[ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800
[ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500
[ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000
[ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0
[ 287.713033] Call Trace:
[ 287.715498] raid1d+0x6c/0xbbb [raid1]
[ 287.719256] ? __schedule+0x1ff/0x760
[ 287.722930] ? schedule+0x3b/0xb0
[ 287.726260] ? schedule_timeout+0x1ed/0x290
[ 287.730456] ? __switch_to+0x11f/0x400
[ 287.734219] md_thread+0xe9/0x140 [md_mod]
[ 287.738328] ? md_thread+0xe9/0x140 [md_mod]
[ 287.742601] ? wait_woken+0x80/0x80
[ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod]
[ 287.751064] kthread+0x11a/0x140
[ 287.754300] ? kthread_park+0x90/0x90
[ 287.757974] ret_from_fork+0x1f/0x30
In fact, when raid1 array run fail, we need to do
md_unregister_thread() before raid1_free().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
5bad5054ecd83c866502f0370edfc9aa55dc9aa7 , < d684ceb77311410aeaf5189d321f9f564838c49a
(git)
Affected: 440c3706f1d1835d24ba5b4bbe6515e0a97e886c , < 110f14a7b2eb5b8aa9df5af2d629524f2a07d543 (git) Affected: f1db75622996af402deea9c018deb8e869ce7548 , < 0c7c7468c3ae222e297b7dc74d6ccb69c4d0183c (git) Affected: 07f1a6850c5d5a65c917c3165692b5179ac4cb6b , < 19d5a0e17aba92b10d895e40ec782768cf00da23 (git) Affected: 07f1a6850c5d5a65c917c3165692b5179ac4cb6b , < 10d713532ffc67b13df61ed9c138a8ce0a186236 (git) Affected: 07f1a6850c5d5a65c917c3165692b5179ac4cb6b , < a3cc41e05e8af340a2a759b168c29fffdb9194eb (git) Affected: 07f1a6850c5d5a65c917c3165692b5179ac4cb6b , < 22be44212cad8be96860346882d8e694b0b437b6 (git) Affected: 07f1a6850c5d5a65c917c3165692b5179ac4cb6b , < d26364596db8f8b55277b2afb3952e05a4057a21 (git) Affected: 07f1a6850c5d5a65c917c3165692b5179ac4cb6b , < b611ad14006e5be2170d9e8e611bf49dff288911 (git) Affected: b8c11e01be7f7fcbda697e8cf9aa1f4ec65816f6 (git) Affected: 18a00f37f418838fbe2036f425a1ea04f93c473c (git) Affected: d6092a9624ce32491e298f6b248b6ab31b2bbc5a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d684ceb77311410aeaf5189d321f9f564838c49a",
"status": "affected",
"version": "5bad5054ecd83c866502f0370edfc9aa55dc9aa7",
"versionType": "git"
},
{
"lessThan": "110f14a7b2eb5b8aa9df5af2d629524f2a07d543",
"status": "affected",
"version": "440c3706f1d1835d24ba5b4bbe6515e0a97e886c",
"versionType": "git"
},
{
"lessThan": "0c7c7468c3ae222e297b7dc74d6ccb69c4d0183c",
"status": "affected",
"version": "f1db75622996af402deea9c018deb8e869ce7548",
"versionType": "git"
},
{
"lessThan": "19d5a0e17aba92b10d895e40ec782768cf00da23",
"status": "affected",
"version": "07f1a6850c5d5a65c917c3165692b5179ac4cb6b",
"versionType": "git"
},
{
"lessThan": "10d713532ffc67b13df61ed9c138a8ce0a186236",
"status": "affected",
"version": "07f1a6850c5d5a65c917c3165692b5179ac4cb6b",
"versionType": "git"
},
{
"lessThan": "a3cc41e05e8af340a2a759b168c29fffdb9194eb",
"status": "affected",
"version": "07f1a6850c5d5a65c917c3165692b5179ac4cb6b",
"versionType": "git"
},
{
"lessThan": "22be44212cad8be96860346882d8e694b0b437b6",
"status": "affected",
"version": "07f1a6850c5d5a65c917c3165692b5179ac4cb6b",
"versionType": "git"
},
{
"lessThan": "d26364596db8f8b55277b2afb3952e05a4057a21",
"status": "affected",
"version": "07f1a6850c5d5a65c917c3165692b5179ac4cb6b",
"versionType": "git"
},
{
"lessThan": "b611ad14006e5be2170d9e8e611bf49dff288911",
"status": "affected",
"version": "07f1a6850c5d5a65c917c3165692b5179ac4cb6b",
"versionType": "git"
},
{
"status": "affected",
"version": "b8c11e01be7f7fcbda697e8cf9aa1f4ec65816f6",
"versionType": "git"
},
{
"status": "affected",
"version": "18a00f37f418838fbe2036f425a1ea04f93c473c",
"versionType": "git"
},
{
"status": "affected",
"version": "d6092a9624ce32491e298f6b248b6ab31b2bbc5a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.9.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14.147",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid1: stop mdx_raid1 thread when raid1 array run failed\n\nfail run raid1 array when we assemble array with the inactive disk only,\nbut the mdx_raid1 thread were not stop, Even if the associated resources\nhave been released. it will caused a NULL dereference when we do poweroff.\n\nThis causes the following Oops:\n [ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070\n [ 287.594762] #PF: supervisor read access in kernel mode\n [ 287.599912] #PF: error_code(0x0000) - not-present page\n [ 287.605061] PGD 0 P4D 0\n [ 287.607612] Oops: 0000 [#1] SMP NOPTI\n [ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0\n [ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022\n [ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod]\n [ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ......\n [ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202\n [ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000\n [ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800\n [ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff\n [ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800\n [ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500\n [ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000\n [ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0\n [ 287.713033] Call Trace:\n [ 287.715498] raid1d+0x6c/0xbbb [raid1]\n [ 287.719256] ? __schedule+0x1ff/0x760\n [ 287.722930] ? schedule+0x3b/0xb0\n [ 287.726260] ? schedule_timeout+0x1ed/0x290\n [ 287.730456] ? __switch_to+0x11f/0x400\n [ 287.734219] md_thread+0xe9/0x140 [md_mod]\n [ 287.738328] ? md_thread+0xe9/0x140 [md_mod]\n [ 287.742601] ? wait_woken+0x80/0x80\n [ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod]\n [ 287.751064] kthread+0x11a/0x140\n [ 287.754300] ? kthread_park+0x90/0x90\n [ 287.757974] ret_from_fork+0x1f/0x30\n\nIn fact, when raid1 array run fail, we need to do\nmd_unregister_thread() before raid1_free()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:00.951Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d684ceb77311410aeaf5189d321f9f564838c49a"
},
{
"url": "https://git.kernel.org/stable/c/110f14a7b2eb5b8aa9df5af2d629524f2a07d543"
},
{
"url": "https://git.kernel.org/stable/c/0c7c7468c3ae222e297b7dc74d6ccb69c4d0183c"
},
{
"url": "https://git.kernel.org/stable/c/19d5a0e17aba92b10d895e40ec782768cf00da23"
},
{
"url": "https://git.kernel.org/stable/c/10d713532ffc67b13df61ed9c138a8ce0a186236"
},
{
"url": "https://git.kernel.org/stable/c/a3cc41e05e8af340a2a759b168c29fffdb9194eb"
},
{
"url": "https://git.kernel.org/stable/c/22be44212cad8be96860346882d8e694b0b437b6"
},
{
"url": "https://git.kernel.org/stable/c/d26364596db8f8b55277b2afb3952e05a4057a21"
},
{
"url": "https://git.kernel.org/stable/c/b611ad14006e5be2170d9e8e611bf49dff288911"
}
],
"title": "md/raid1: stop mdx_raid1 thread when raid1 array run failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50715",
"datePublished": "2025-12-24T12:22:39.763Z",
"dateReserved": "2025-12-24T12:20:40.329Z",
"dateUpdated": "2026-01-02T15:04:00.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50641 (GCVE-0-2022-50641)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
HSI: omap_ssi: Fix refcount leak in ssi_probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
HSI: omap_ssi: Fix refcount leak in ssi_probe
When returning or breaking early from a
for_each_available_child_of_node() loop, we need to explicitly call
of_node_put() on the child node to possibly release the node.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b209e047bc743247f74ce79e8827ae1ed556bae0 , < 20fbaff6699ea5553c67550e867d6f90b7085447
(git)
Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 18e199a5541aad6dc5cf51bc3f712247b2d17894 (git) Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < e8a218c17d7c5c42d5609ef92d339b47f3d11d02 (git) Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < aa9c0598b10960ad1198044da1e277a89b4e3af6 (git) Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 962f22e7f7698f7718d95bd9b63e41fb8cca01a9 (git) Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 691f23a8475f04c988f7e98066b084e996b40fa0 (git) Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < e25f56f8bdf66126a54b5a88bc021c82bfb50b75 (git) Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 0eff9ef67d91e350d2047c3e13b6c3b7d0c90bf4 (git) Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 9a2ea132df860177b33c9fd421b26c4e9a0a9396 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hsi/controllers/omap_ssi_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20fbaff6699ea5553c67550e867d6f90b7085447",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "18e199a5541aad6dc5cf51bc3f712247b2d17894",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "e8a218c17d7c5c42d5609ef92d339b47f3d11d02",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "aa9c0598b10960ad1198044da1e277a89b4e3af6",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "962f22e7f7698f7718d95bd9b63e41fb8cca01a9",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "691f23a8475f04c988f7e98066b084e996b40fa0",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "e25f56f8bdf66126a54b5a88bc021c82bfb50b75",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "0eff9ef67d91e350d2047c3e13b6c3b7d0c90bf4",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
},
{
"lessThan": "9a2ea132df860177b33c9fd421b26c4e9a0a9396",
"status": "affected",
"version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hsi/controllers/omap_ssi_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: omap_ssi: Fix refcount leak in ssi_probe\n\nWhen returning or breaking early from a\nfor_each_available_child_of_node() loop, we need to explicitly call\nof_node_put() on the child node to possibly release the node."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:15.268Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20fbaff6699ea5553c67550e867d6f90b7085447"
},
{
"url": "https://git.kernel.org/stable/c/18e199a5541aad6dc5cf51bc3f712247b2d17894"
},
{
"url": "https://git.kernel.org/stable/c/e8a218c17d7c5c42d5609ef92d339b47f3d11d02"
},
{
"url": "https://git.kernel.org/stable/c/aa9c0598b10960ad1198044da1e277a89b4e3af6"
},
{
"url": "https://git.kernel.org/stable/c/962f22e7f7698f7718d95bd9b63e41fb8cca01a9"
},
{
"url": "https://git.kernel.org/stable/c/691f23a8475f04c988f7e98066b084e996b40fa0"
},
{
"url": "https://git.kernel.org/stable/c/e25f56f8bdf66126a54b5a88bc021c82bfb50b75"
},
{
"url": "https://git.kernel.org/stable/c/0eff9ef67d91e350d2047c3e13b6c3b7d0c90bf4"
},
{
"url": "https://git.kernel.org/stable/c/9a2ea132df860177b33c9fd421b26c4e9a0a9396"
}
],
"title": "HSI: omap_ssi: Fix refcount leak in ssi_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50641",
"datePublished": "2025-12-09T00:00:15.268Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-09T00:00:15.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50668 (GCVE-0-2022-50668)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
ext4: fix deadlock due to mbcache entry corruption
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix deadlock due to mbcache entry corruption
When manipulating xattr blocks, we can deadlock infinitely looping
inside ext4_xattr_block_set() where we constantly keep finding xattr
block for reuse in mbcache but we are unable to reuse it because its
reference count is too big. This happens because cache entry for the
xattr block is marked as reusable (e_reusable set) although its
reference count is too big. When this inconsistency happens, this
inconsistent state is kept indefinitely and so ext4_xattr_block_set()
keeps retrying indefinitely.
The inconsistent state is caused by non-atomic update of e_reusable bit.
e_reusable is part of a bitfield and e_reusable update can race with
update of e_referenced bit in the same bitfield resulting in loss of one
of the updates. Fix the problem by using atomic bitops instead.
This bug has been around for many years, but it became *much* easier
to hit after commit 65f8b80053a1 ("ext4: fix race when reusing xattr
blocks").
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6048c64b26097a0ffbd966866b599f990e674e9b , < efaa0ca678f56d47316a08030b2515678cebbc50
(git)
Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < af53065276376750dfac35a7248af18806404c5d (git) Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < 1be16a0c2f10186df505e28b0cc92d7f3366e2a8 (git) Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < 5bc0b2fda4b47c86278f7c6d30c211f425bf51cf (git) Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < 127b80cefb941a81255c72f11081123f3a705369 (git) Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < cc1538c693d25e282bed8c54b65c914a04023a78 (git) Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c",
"fs/mbcache.c",
"include/linux/mbcache.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "efaa0ca678f56d47316a08030b2515678cebbc50",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "af53065276376750dfac35a7248af18806404c5d",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "1be16a0c2f10186df505e28b0cc92d7f3366e2a8",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "5bc0b2fda4b47c86278f7c6d30c211f425bf51cf",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "127b80cefb941a81255c72f11081123f3a705369",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "cc1538c693d25e282bed8c54b65c914a04023a78",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
},
{
"lessThan": "a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd",
"status": "affected",
"version": "6048c64b26097a0ffbd966866b599f990e674e9b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c",
"fs/mbcache.c",
"include/linux/mbcache.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix deadlock due to mbcache entry corruption\n\nWhen manipulating xattr blocks, we can deadlock infinitely looping\ninside ext4_xattr_block_set() where we constantly keep finding xattr\nblock for reuse in mbcache but we are unable to reuse it because its\nreference count is too big. This happens because cache entry for the\nxattr block is marked as reusable (e_reusable set) although its\nreference count is too big. When this inconsistency happens, this\ninconsistent state is kept indefinitely and so ext4_xattr_block_set()\nkeeps retrying indefinitely.\n\nThe inconsistent state is caused by non-atomic update of e_reusable bit.\ne_reusable is part of a bitfield and e_reusable update can race with\nupdate of e_referenced bit in the same bitfield resulting in loss of one\nof the updates. Fix the problem by using atomic bitops instead.\n\nThis bug has been around for many years, but it became *much* easier\nto hit after commit 65f8b80053a1 (\"ext4: fix race when reusing xattr\nblocks\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:19.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/efaa0ca678f56d47316a08030b2515678cebbc50"
},
{
"url": "https://git.kernel.org/stable/c/af53065276376750dfac35a7248af18806404c5d"
},
{
"url": "https://git.kernel.org/stable/c/1be16a0c2f10186df505e28b0cc92d7f3366e2a8"
},
{
"url": "https://git.kernel.org/stable/c/5bc0b2fda4b47c86278f7c6d30c211f425bf51cf"
},
{
"url": "https://git.kernel.org/stable/c/127b80cefb941a81255c72f11081123f3a705369"
},
{
"url": "https://git.kernel.org/stable/c/cc1538c693d25e282bed8c54b65c914a04023a78"
},
{
"url": "https://git.kernel.org/stable/c/a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd"
}
],
"title": "ext4: fix deadlock due to mbcache entry corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50668",
"datePublished": "2025-12-09T01:29:19.526Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:19.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53856 (GCVE-0-2023-53856)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
of: overlay: Call of_changeset_init() early
Summary
In the Linux kernel, the following vulnerability has been resolved:
of: overlay: Call of_changeset_init() early
When of_overlay_fdt_apply() fails, the changeset may be partially
applied, and the caller is still expected to call of_overlay_remove() to
clean up this partial state.
However, of_overlay_apply() calls of_resolve_phandles() before
init_overlay_changeset(). Hence if the overlay fails to apply due to an
unresolved symbol, the overlay_changeset.cset.entries list is still
uninitialized, and cleanup will crash with a NULL-pointer dereference in
overlay_removal_is_ok().
Fix this by moving the call to of_changeset_init() from
init_overlay_changeset() to of_overlay_fdt_apply(), where all other
early initialization is done.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f948d6d8b792bb90041edc12eac35faf83030994 , < 01bb96ad38089f5cc6de7746dac13437d35eb1dc
(git)
Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < 3fb210cd521c9efcb211e9f5ce40fc907200bf13 (git) Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < be86241bf5d1efd16d8a7231c13b33459c5d755d (git) Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < c403c81b577a67fe9ec6a2e89d143256487be50f (git) Affected: f948d6d8b792bb90041edc12eac35faf83030994 , < a9515ff4fb142b690a0d2b58782b15903b990dba (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/of/overlay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01bb96ad38089f5cc6de7746dac13437d35eb1dc",
"status": "affected",
"version": "f948d6d8b792bb90041edc12eac35faf83030994",
"versionType": "git"
},
{
"lessThan": "3fb210cd521c9efcb211e9f5ce40fc907200bf13",
"status": "affected",
"version": "f948d6d8b792bb90041edc12eac35faf83030994",
"versionType": "git"
},
{
"lessThan": "be86241bf5d1efd16d8a7231c13b33459c5d755d",
"status": "affected",
"version": "f948d6d8b792bb90041edc12eac35faf83030994",
"versionType": "git"
},
{
"lessThan": "c403c81b577a67fe9ec6a2e89d143256487be50f",
"status": "affected",
"version": "f948d6d8b792bb90041edc12eac35faf83030994",
"versionType": "git"
},
{
"lessThan": "a9515ff4fb142b690a0d2b58782b15903b990dba",
"status": "affected",
"version": "f948d6d8b792bb90041edc12eac35faf83030994",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/of/overlay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: overlay: Call of_changeset_init() early\n\nWhen of_overlay_fdt_apply() fails, the changeset may be partially\napplied, and the caller is still expected to call of_overlay_remove() to\nclean up this partial state.\n\nHowever, of_overlay_apply() calls of_resolve_phandles() before\ninit_overlay_changeset(). Hence if the overlay fails to apply due to an\nunresolved symbol, the overlay_changeset.cset.entries list is still\nuninitialized, and cleanup will crash with a NULL-pointer dereference in\noverlay_removal_is_ok().\n\nFix this by moving the call to of_changeset_init() from\ninit_overlay_changeset() to of_overlay_fdt_apply(), where all other\nearly initialization is done."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:22.012Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01bb96ad38089f5cc6de7746dac13437d35eb1dc"
},
{
"url": "https://git.kernel.org/stable/c/3fb210cd521c9efcb211e9f5ce40fc907200bf13"
},
{
"url": "https://git.kernel.org/stable/c/be86241bf5d1efd16d8a7231c13b33459c5d755d"
},
{
"url": "https://git.kernel.org/stable/c/c403c81b577a67fe9ec6a2e89d143256487be50f"
},
{
"url": "https://git.kernel.org/stable/c/a9515ff4fb142b690a0d2b58782b15903b990dba"
}
],
"title": "of: overlay: Call of_changeset_init() early",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53856",
"datePublished": "2025-12-09T01:30:22.012Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:22.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40297 (GCVE-0-2025-40297)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
net: bridge: fix use-after-free due to MST port state bypass
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bridge: fix use-after-free due to MST port state bypass
syzbot reported[1] a use-after-free when deleting an expired fdb. It is
due to a race condition between learning still happening and a port being
deleted, after all its fdbs have been flushed. The port's state has been
toggled to disabled so no learning should happen at that time, but if we
have MST enabled, it will bypass the port's state, that together with VLAN
filtering disabled can lead to fdb learning at a time when it shouldn't
happen while the port is being deleted. VLAN filtering must be disabled
because we flush the port VLANs when it's being deleted which will stop
learning. This fix adds a check for the port's vlan group which is
initialized to NULL when the port is getting deleted, that avoids the port
state bypass. When MST is enabled there would be a minimal new overhead
in the fast-path because the port's vlan group pointer is cache-hot.
[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ec7328b59176227216c461601c6bd0e922232a9b , < e19085b2a86addccff33ab8536fc67ebd9d52198
(git)
Affected: ec7328b59176227216c461601c6bd0e922232a9b , < 3b60ce334c1ce8b3fad7e02dcd5ed9f6646477c8 (git) Affected: ec7328b59176227216c461601c6bd0e922232a9b , < bf3843183bc3158e5821b46f330c438ae9bd6ddb (git) Affected: ec7328b59176227216c461601c6bd0e922232a9b , < 991fbe1680cd41a5f97c92cd3a3496315df36e4b (git) Affected: ec7328b59176227216c461601c6bd0e922232a9b , < 8dca36978aa80bab9d4da130c211db75c9e00048 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/br_forward.c",
"net/bridge/br_input.c",
"net/bridge/br_private.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e19085b2a86addccff33ab8536fc67ebd9d52198",
"status": "affected",
"version": "ec7328b59176227216c461601c6bd0e922232a9b",
"versionType": "git"
},
{
"lessThan": "3b60ce334c1ce8b3fad7e02dcd5ed9f6646477c8",
"status": "affected",
"version": "ec7328b59176227216c461601c6bd0e922232a9b",
"versionType": "git"
},
{
"lessThan": "bf3843183bc3158e5821b46f330c438ae9bd6ddb",
"status": "affected",
"version": "ec7328b59176227216c461601c6bd0e922232a9b",
"versionType": "git"
},
{
"lessThan": "991fbe1680cd41a5f97c92cd3a3496315df36e4b",
"status": "affected",
"version": "ec7328b59176227216c461601c6bd0e922232a9b",
"versionType": "git"
},
{
"lessThan": "8dca36978aa80bab9d4da130c211db75c9e00048",
"status": "affected",
"version": "ec7328b59176227216c461601c6bd0e922232a9b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/br_forward.c",
"net/bridge/br_input.c",
"net/bridge/br_private.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix use-after-free due to MST port state bypass\n\nsyzbot reported[1] a use-after-free when deleting an expired fdb. It is\ndue to a race condition between learning still happening and a port being\ndeleted, after all its fdbs have been flushed. The port\u0027s state has been\ntoggled to disabled so no learning should happen at that time, but if we\nhave MST enabled, it will bypass the port\u0027s state, that together with VLAN\nfiltering disabled can lead to fdb learning at a time when it shouldn\u0027t\nhappen while the port is being deleted. VLAN filtering must be disabled\nbecause we flush the port VLANs when it\u0027s being deleted which will stop\nlearning. This fix adds a check for the port\u0027s vlan group which is\ninitialized to NULL when the port is getting deleted, that avoids the port\nstate bypass. When MST is enabled there would be a minimal new overhead\nin the fast-path because the port\u0027s vlan group pointer is cache-hot.\n\n[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:21.112Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e19085b2a86addccff33ab8536fc67ebd9d52198"
},
{
"url": "https://git.kernel.org/stable/c/3b60ce334c1ce8b3fad7e02dcd5ed9f6646477c8"
},
{
"url": "https://git.kernel.org/stable/c/bf3843183bc3158e5821b46f330c438ae9bd6ddb"
},
{
"url": "https://git.kernel.org/stable/c/991fbe1680cd41a5f97c92cd3a3496315df36e4b"
},
{
"url": "https://git.kernel.org/stable/c/8dca36978aa80bab9d4da130c211db75c9e00048"
}
],
"title": "net: bridge: fix use-after-free due to MST port state bypass",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40297",
"datePublished": "2025-12-08T00:46:21.112Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-08T00:46:21.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50722 (GCVE-0-2022-50722)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
media: ipu3-imgu: Fix NULL pointer dereference in active selection access
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: ipu3-imgu: Fix NULL pointer dereference in active selection access
What the IMGU driver did was that it first acquired the pointers to active
and try V4L2 subdev state, and only then figured out which one to use.
The problem with that approach and a later patch (see Fixes: tag) is that
as sd_state argument to v4l2_subdev_get_try_crop() et al is NULL, there is
now an attempt to dereference that.
Fix this.
Also rewrap lines a little.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 , < 5265cc1202a31f7097691c3483a0d60d624424a5
(git)
Affected: 0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 , < 740717b756c17190dc2d2ad4c6de1e63f214e0c9 (git) Affected: 0d346d2a6f54f06f36b224fd27cd6eafe8c83be9 , < b9eb3ab6f30bf32f7326909f17949ccb11bab514 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/ipu3/ipu3-v4l2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5265cc1202a31f7097691c3483a0d60d624424a5",
"status": "affected",
"version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9",
"versionType": "git"
},
{
"lessThan": "740717b756c17190dc2d2ad4c6de1e63f214e0c9",
"status": "affected",
"version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9",
"versionType": "git"
},
{
"lessThan": "b9eb3ab6f30bf32f7326909f17949ccb11bab514",
"status": "affected",
"version": "0d346d2a6f54f06f36b224fd27cd6eafe8c83be9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/media/ipu3/ipu3-v4l2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ipu3-imgu: Fix NULL pointer dereference in active selection access\n\nWhat the IMGU driver did was that it first acquired the pointers to active\nand try V4L2 subdev state, and only then figured out which one to use.\n\nThe problem with that approach and a later patch (see Fixes: tag) is that\nas sd_state argument to v4l2_subdev_get_try_crop() et al is NULL, there is\nnow an attempt to dereference that.\n\nFix this.\n\nAlso rewrap lines a little."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:44.765Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5265cc1202a31f7097691c3483a0d60d624424a5"
},
{
"url": "https://git.kernel.org/stable/c/740717b756c17190dc2d2ad4c6de1e63f214e0c9"
},
{
"url": "https://git.kernel.org/stable/c/b9eb3ab6f30bf32f7326909f17949ccb11bab514"
}
],
"title": "media: ipu3-imgu: Fix NULL pointer dereference in active selection access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50722",
"datePublished": "2025-12-24T12:22:44.765Z",
"dateReserved": "2025-12-24T12:20:40.330Z",
"dateUpdated": "2025-12-24T12:22:44.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40306 (GCVE-0-2025-40306)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
orangefs: fix xattr related buffer overflow...
Summary
In the Linux kernel, the following vulnerability has been resolved:
orangefs: fix xattr related buffer overflow...
Willy Tarreau <w@1wt.eu> forwarded me a message from
Disclosure <disclosure@aisle.com> with the following
warning:
> The helper `xattr_key()` uses the pointer variable in the loop condition
> rather than dereferencing it. As `key` is incremented, it remains non-NULL
> (until it runs into unmapped memory), so the loop does not terminate on
> valid C strings and will walk memory indefinitely, consuming CPU or hanging
> the thread.
I easily reproduced this with setfattr and getfattr, causing a kernel
oops, hung user processes and corrupted orangefs files. Disclosure
sent along a diff (not a patch) with a suggested fix, which I based
this patch on.
After xattr_key started working right, xfstest generic/069 exposed an
xattr related memory leak that lead to OOM. xattr_key returns
a hashed key. When adding xattrs to the orangefs xattr cache, orangefs
used hash_add, a kernel hashing macro. hash_add also hashes the key using
hash_log which resulted in additions to the xattr cache going to the wrong
hash bucket. generic/069 tortures a single file and orangefs does a
getattr for the xattr "security.capability" every time. Orangefs
negative caches on xattrs which includes a kmalloc. Since adds to the
xattr cache were going to the wrong bucket, every getattr for
"security.capability" resulted in another kmalloc, none of which were
ever freed.
I changed the two uses of hash_add to hlist_add_head instead
and the memory leak ceased and generic/069 quit throwing furniture.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < c6564ff6b53c9a8dc786b6f1c51ae7688273f931
(git)
Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < ef892d2bf4f3fa2c8de1677dd307e678bdd3d865 (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 15afebb9597449c444801d1ff0b8d8b311f950ab (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < bc812574de633cf9a9ad6974490e45f6a4bb5126 (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < e09a096104fc65859422817fb2211f35855983fe (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 9127d1e90c90e5960c8bc72a4ce2c209691a7021 (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < c2ca015ac109fd743fdde27933d59dc5ad46658e (git) Affected: f7ab093f74bf638ed98fd1115f3efa17e308bb7f , < 025e880759c279ec64d0f754fe65bf45961da864 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/orangefs/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6564ff6b53c9a8dc786b6f1c51ae7688273f931",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "ef892d2bf4f3fa2c8de1677dd307e678bdd3d865",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "15afebb9597449c444801d1ff0b8d8b311f950ab",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "bc812574de633cf9a9ad6974490e45f6a4bb5126",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "e09a096104fc65859422817fb2211f35855983fe",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "9127d1e90c90e5960c8bc72a4ce2c209691a7021",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "c2ca015ac109fd743fdde27933d59dc5ad46658e",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
},
{
"lessThan": "025e880759c279ec64d0f754fe65bf45961da864",
"status": "affected",
"version": "f7ab093f74bf638ed98fd1115f3efa17e308bb7f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/orangefs/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: fix xattr related buffer overflow...\n\nWilly Tarreau \u003cw@1wt.eu\u003e forwarded me a message from\nDisclosure \u003cdisclosure@aisle.com\u003e with the following\nwarning:\n\n\u003e The helper `xattr_key()` uses the pointer variable in the loop condition\n\u003e rather than dereferencing it. As `key` is incremented, it remains non-NULL\n\u003e (until it runs into unmapped memory), so the loop does not terminate on\n\u003e valid C strings and will walk memory indefinitely, consuming CPU or hanging\n\u003e the thread.\n\nI easily reproduced this with setfattr and getfattr, causing a kernel\noops, hung user processes and corrupted orangefs files. Disclosure\nsent along a diff (not a patch) with a suggested fix, which I based\nthis patch on.\n\nAfter xattr_key started working right, xfstest generic/069 exposed an\nxattr related memory leak that lead to OOM. xattr_key returns\na hashed key. When adding xattrs to the orangefs xattr cache, orangefs\nused hash_add, a kernel hashing macro. hash_add also hashes the key using\nhash_log which resulted in additions to the xattr cache going to the wrong\nhash bucket. generic/069 tortures a single file and orangefs does a\ngetattr for the xattr \"security.capability\" every time. Orangefs\nnegative caches on xattrs which includes a kmalloc. Since adds to the\nxattr cache were going to the wrong bucket, every getattr for\n\"security.capability\" resulted in another kmalloc, none of which were\never freed.\n\nI changed the two uses of hash_add to hlist_add_head instead\nand the memory leak ceased and generic/069 quit throwing furniture."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:57.401Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6564ff6b53c9a8dc786b6f1c51ae7688273f931"
},
{
"url": "https://git.kernel.org/stable/c/ef892d2bf4f3fa2c8de1677dd307e678bdd3d865"
},
{
"url": "https://git.kernel.org/stable/c/15afebb9597449c444801d1ff0b8d8b311f950ab"
},
{
"url": "https://git.kernel.org/stable/c/bc812574de633cf9a9ad6974490e45f6a4bb5126"
},
{
"url": "https://git.kernel.org/stable/c/e09a096104fc65859422817fb2211f35855983fe"
},
{
"url": "https://git.kernel.org/stable/c/9127d1e90c90e5960c8bc72a4ce2c209691a7021"
},
{
"url": "https://git.kernel.org/stable/c/c2ca015ac109fd743fdde27933d59dc5ad46658e"
},
{
"url": "https://git.kernel.org/stable/c/025e880759c279ec64d0f754fe65bf45961da864"
}
],
"title": "orangefs: fix xattr related buffer overflow...",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40306",
"datePublished": "2025-12-08T00:46:31.514Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:51:57.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53176 (GCVE-0-2023-53176)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:04 – Updated: 2026-01-05 10:18
VLAI?
EPSS
Title
serial: 8250: Reinit port->pm on port specific driver unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250: Reinit port->pm on port specific driver unbind
When we unbind a serial port hardware specific 8250 driver, the generic
serial8250 driver takes over the port. After that we see an oops about 10
seconds later. This can produce the following at least on some TI SoCs:
Unhandled fault: imprecise external abort (0x1406)
Internal error: : 1406 [#1] SMP ARM
Turns out that we may still have the serial port hardware specific driver
port->pm in use, and serial8250_pm() tries to call it after the port
specific driver is gone:
serial8250_pm [8250_base] from uart_change_pm+0x54/0x8c [serial_base]
uart_change_pm [serial_base] from uart_hangup+0x154/0x198 [serial_base]
uart_hangup [serial_base] from __tty_hangup.part.0+0x328/0x37c
__tty_hangup.part.0 from disassociate_ctty+0x154/0x20c
disassociate_ctty from do_exit+0x744/0xaac
do_exit from do_group_exit+0x40/0x8c
do_group_exit from __wake_up_parent+0x0/0x1c
Let's fix the issue by calling serial8250_set_defaults() in
serial8250_unregister_port(). This will set the port back to using
the serial8250 default functions, and sets the port->pm to point to
serial8250_pm.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c161afe9759ddcc174d08e7c4f683d08ac9ba86f , < 490bf37eaabb0a857ed1ae8e75d8854e41662f1c
(git)
Affected: c161afe9759ddcc174d08e7c4f683d08ac9ba86f , < c9e080c3005fd183c56ff8f4d75edb5da0765d2c (git) Affected: c161afe9759ddcc174d08e7c4f683d08ac9ba86f , < d5cd2928d31042a7c0a01464f9a8d95be736421d (git) Affected: c161afe9759ddcc174d08e7c4f683d08ac9ba86f , < 2c86a1305c1406f45ea780d06953c484ea1d9e6e (git) Affected: c161afe9759ddcc174d08e7c4f683d08ac9ba86f , < 1ba5594739d858e524ff0f398ee1ebfe0a8b9d41 (git) Affected: c161afe9759ddcc174d08e7c4f683d08ac9ba86f , < af4d6dbb1a92ea424ad1ba1d0c88c7fa2345d872 (git) Affected: c161afe9759ddcc174d08e7c4f683d08ac9ba86f , < 8e596aed5f2f98cf3e6e98d6fe1d689f4a319308 (git) Affected: c161afe9759ddcc174d08e7c4f683d08ac9ba86f , < 04e82793f068d2f0ffe62fcea03d007a8cdc16a7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "490bf37eaabb0a857ed1ae8e75d8854e41662f1c",
"status": "affected",
"version": "c161afe9759ddcc174d08e7c4f683d08ac9ba86f",
"versionType": "git"
},
{
"lessThan": "c9e080c3005fd183c56ff8f4d75edb5da0765d2c",
"status": "affected",
"version": "c161afe9759ddcc174d08e7c4f683d08ac9ba86f",
"versionType": "git"
},
{
"lessThan": "d5cd2928d31042a7c0a01464f9a8d95be736421d",
"status": "affected",
"version": "c161afe9759ddcc174d08e7c4f683d08ac9ba86f",
"versionType": "git"
},
{
"lessThan": "2c86a1305c1406f45ea780d06953c484ea1d9e6e",
"status": "affected",
"version": "c161afe9759ddcc174d08e7c4f683d08ac9ba86f",
"versionType": "git"
},
{
"lessThan": "1ba5594739d858e524ff0f398ee1ebfe0a8b9d41",
"status": "affected",
"version": "c161afe9759ddcc174d08e7c4f683d08ac9ba86f",
"versionType": "git"
},
{
"lessThan": "af4d6dbb1a92ea424ad1ba1d0c88c7fa2345d872",
"status": "affected",
"version": "c161afe9759ddcc174d08e7c4f683d08ac9ba86f",
"versionType": "git"
},
{
"lessThan": "8e596aed5f2f98cf3e6e98d6fe1d689f4a319308",
"status": "affected",
"version": "c161afe9759ddcc174d08e7c4f683d08ac9ba86f",
"versionType": "git"
},
{
"lessThan": "04e82793f068d2f0ffe62fcea03d007a8cdc16a7",
"status": "affected",
"version": "c161afe9759ddcc174d08e7c4f683d08ac9ba86f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: Reinit port-\u003epm on port specific driver unbind\n\nWhen we unbind a serial port hardware specific 8250 driver, the generic\nserial8250 driver takes over the port. After that we see an oops about 10\nseconds later. This can produce the following at least on some TI SoCs:\n\nUnhandled fault: imprecise external abort (0x1406)\nInternal error: : 1406 [#1] SMP ARM\n\nTurns out that we may still have the serial port hardware specific driver\nport-\u003epm in use, and serial8250_pm() tries to call it after the port\nspecific driver is gone:\n\nserial8250_pm [8250_base] from uart_change_pm+0x54/0x8c [serial_base]\nuart_change_pm [serial_base] from uart_hangup+0x154/0x198 [serial_base]\nuart_hangup [serial_base] from __tty_hangup.part.0+0x328/0x37c\n__tty_hangup.part.0 from disassociate_ctty+0x154/0x20c\ndisassociate_ctty from do_exit+0x744/0xaac\ndo_exit from do_group_exit+0x40/0x8c\ndo_group_exit from __wake_up_parent+0x0/0x1c\n\nLet\u0027s fix the issue by calling serial8250_set_defaults() in\nserial8250_unregister_port(). This will set the port back to using\nthe serial8250 default functions, and sets the port-\u003epm to point to\nserial8250_pm."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:18:37.435Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/490bf37eaabb0a857ed1ae8e75d8854e41662f1c"
},
{
"url": "https://git.kernel.org/stable/c/c9e080c3005fd183c56ff8f4d75edb5da0765d2c"
},
{
"url": "https://git.kernel.org/stable/c/d5cd2928d31042a7c0a01464f9a8d95be736421d"
},
{
"url": "https://git.kernel.org/stable/c/2c86a1305c1406f45ea780d06953c484ea1d9e6e"
},
{
"url": "https://git.kernel.org/stable/c/1ba5594739d858e524ff0f398ee1ebfe0a8b9d41"
},
{
"url": "https://git.kernel.org/stable/c/af4d6dbb1a92ea424ad1ba1d0c88c7fa2345d872"
},
{
"url": "https://git.kernel.org/stable/c/8e596aed5f2f98cf3e6e98d6fe1d689f4a319308"
},
{
"url": "https://git.kernel.org/stable/c/04e82793f068d2f0ffe62fcea03d007a8cdc16a7"
}
],
"title": "serial: 8250: Reinit port-\u003epm on port specific driver unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53176",
"datePublished": "2025-09-15T14:04:16.360Z",
"dateReserved": "2025-09-15T13:59:19.064Z",
"dateUpdated": "2026-01-05T10:18:37.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40288 (GCVE-0-2025-40288)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices
Previously, APU platforms (and other scenarios with uninitialized VRAM managers)
triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root
cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL,
but that `man->bdev` (the backing device pointer within the manager) remains
uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully
set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to
acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to
a kernel OOPS.
1. **amdgpu_cs.c**: Extend the existing bandwidth control check in
`amdgpu_cs_get_threshold_for_moves()` to include a check for
`ttm_resource_manager_used()`. If the manager is not used (uninitialized
`bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific
logic that would trigger the NULL dereference.
2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info
reporting to use a conditional: if the manager is used, return the real VRAM
usage; otherwise, return 0. This avoids accessing `man->bdev` when it is
NULL.
3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)
data write path. Use `ttm_resource_manager_used()` to check validity: if the
manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set
`fb_usage` to 0 (APUs have no discrete framebuffer to report).
This approach is more robust than APU-specific checks because it:
- Works for all scenarios where the VRAM manager is uninitialized (not just APUs),
- Aligns with TTM's design by using its native helper function,
- Preserves correct behavior for discrete GPUs (which have fully initialized
`man->bdev` and pass the `ttm_resource_manager_used()` check).
v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < e70113b741ba253886cd71dbadfe3ea444bb2f5c
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 1243e396148a65bb6c42a2b70fe43e50c16c494f (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 43aa61c18a3a45042b098b7a1186ffb29364002c (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 070bdce18fb12a49eb9c421e57df17d2ad29bf5f (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 883f309add55060233bf11c1ea6947140372920f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e70113b741ba253886cd71dbadfe3ea444bb2f5c",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "1243e396148a65bb6c42a2b70fe43e50c16c494f",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "43aa61c18a3a45042b098b7a1186ffb29364002c",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "070bdce18fb12a49eb9c421e57df17d2ad29bf5f",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "883f309add55060233bf11c1ea6947140372920f",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c",
"drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices\n\nPreviously, APU platforms (and other scenarios with uninitialized VRAM managers)\ntriggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root\ncause is not that the `struct ttm_resource_manager *man` pointer itself is NULL,\nbut that `man-\u003ebdev` (the backing device pointer within the manager) remains\nuninitialized (NULL) on APUs\u2014since APUs lack dedicated VRAM and do not fully\nset up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to\nacquire `man-\u003ebdev-\u003elru_lock`, it dereferences the NULL `man-\u003ebdev`, leading to\na kernel OOPS.\n\n1. **amdgpu_cs.c**: Extend the existing bandwidth control check in\n `amdgpu_cs_get_threshold_for_moves()` to include a check for\n `ttm_resource_manager_used()`. If the manager is not used (uninitialized\n `bdev`), return 0 for migration thresholds immediately\u2014skipping VRAM-specific\n logic that would trigger the NULL dereference.\n\n2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info\n reporting to use a conditional: if the manager is used, return the real VRAM\n usage; otherwise, return 0. This avoids accessing `man-\u003ebdev` when it is\n NULL.\n\n3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)\n data write path. Use `ttm_resource_manager_used()` to check validity: if the\n manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set\n `fb_usage` to 0 (APUs have no discrete framebuffer to report).\n\nThis approach is more robust than APU-specific checks because it:\n- Works for all scenarios where the VRAM manager is uninitialized (not just APUs),\n- Aligns with TTM\u0027s design by using its native helper function,\n- Preserves correct behavior for discrete GPUs (which have fully initialized\n `man-\u003ebdev` and pass the `ttm_resource_manager_used()` check).\n\nv4: use ttm_resource_manager_used(\u0026adev-\u003emman.vram_mgr.manager) instead of checking the adev-\u003egmc.is_app_apu flag (Christian)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:55.021Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e70113b741ba253886cd71dbadfe3ea444bb2f5c"
},
{
"url": "https://git.kernel.org/stable/c/1243e396148a65bb6c42a2b70fe43e50c16c494f"
},
{
"url": "https://git.kernel.org/stable/c/43aa61c18a3a45042b098b7a1186ffb29364002c"
},
{
"url": "https://git.kernel.org/stable/c/070bdce18fb12a49eb9c421e57df17d2ad29bf5f"
},
{
"url": "https://git.kernel.org/stable/c/883f309add55060233bf11c1ea6947140372920f"
}
],
"title": "drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40288",
"datePublished": "2025-12-06T21:51:14.440Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-20T08:51:55.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68346 (GCVE-0-2025-68346)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
ALSA: dice: fix buffer overflow in detect_stream_formats()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: dice: fix buffer overflow in detect_stream_formats()
The function detect_stream_formats() reads the stream_count value directly
from a FireWire device without validating it. This can lead to
out-of-bounds writes when a malicious device provides a stream_count value
greater than MAX_STREAMS.
Fix by applying the same validation to both TX and RX stream counts in
detect_stream_formats().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < d6280a5b00cad37d9a9a875849e5bf7ed2fe4950
(git)
Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 3cf854cec0eb371da47ff5fe56eab189d7fa623a (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 932aa1e80b022419cf9710e970739b7a8794f27c (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9 (git) Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 324f3e03e8a85931ce0880654e3c3eb38b0f0bba (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/firewire/dice/dice-extension.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d6280a5b00cad37d9a9a875849e5bf7ed2fe4950",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "3cf854cec0eb371da47ff5fe56eab189d7fa623a",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "932aa1e80b022419cf9710e970739b7a8794f27c",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
},
{
"lessThan": "324f3e03e8a85931ce0880654e3c3eb38b0f0bba",
"status": "affected",
"version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/firewire/dice/dice-extension.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: dice: fix buffer overflow in detect_stream_formats()\n\nThe function detect_stream_formats() reads the stream_count value directly\nfrom a FireWire device without validating it. This can lead to\nout-of-bounds writes when a malicious device provides a stream_count value\ngreater than MAX_STREAMS.\n\nFix by applying the same validation to both TX and RX stream counts in\ndetect_stream_formats()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:24.929Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d6280a5b00cad37d9a9a875849e5bf7ed2fe4950"
},
{
"url": "https://git.kernel.org/stable/c/3cf854cec0eb371da47ff5fe56eab189d7fa623a"
},
{
"url": "https://git.kernel.org/stable/c/4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4"
},
{
"url": "https://git.kernel.org/stable/c/dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0"
},
{
"url": "https://git.kernel.org/stable/c/c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6"
},
{
"url": "https://git.kernel.org/stable/c/932aa1e80b022419cf9710e970739b7a8794f27c"
},
{
"url": "https://git.kernel.org/stable/c/1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9"
},
{
"url": "https://git.kernel.org/stable/c/324f3e03e8a85931ce0880654e3c3eb38b0f0bba"
}
],
"title": "ALSA: dice: fix buffer overflow in detect_stream_formats()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68346",
"datePublished": "2025-12-24T10:32:39.101Z",
"dateReserved": "2025-12-16T14:48:05.299Z",
"dateUpdated": "2026-01-19T12:18:24.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53754 (GCVE-0-2023-53754)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()
When if_type equals zero and pci_resource_start(pdev, PCI_64BIT_BAR4)
returns false, drbl_regs_memmap_p is not remapped. This passes a NULL
pointer to iounmap(), which can trigger a WARN() on certain arches.
When if_type equals six and pci_resource_start(pdev, PCI_64BIT_BAR4)
returns true, drbl_regs_memmap_p may has been remapped and
ctrl_regs_memmap_p is not remapped. This is a resource leak and passes a
NULL pointer to iounmap().
To fix these issues, we need to add null checks before iounmap(), and
change some goto labels.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1351e69fc6db30e186295f1c9495d03cef6a01a2 , < 74d90f92eafe8ccd12827228236a28a94eda6bcc
(git)
Affected: 1351e69fc6db30e186295f1c9495d03cef6a01a2 , < bab8dc38b1a0a12bc064fc064269033bdcf5b88e (git) Affected: 1351e69fc6db30e186295f1c9495d03cef6a01a2 , < fd8c83d8375b9dac1949f2753485a5c055ebfad0 (git) Affected: 1351e69fc6db30e186295f1c9495d03cef6a01a2 , < e6f1ef4a53856ed000b0f7265d7e16dcb00f4243 (git) Affected: 1351e69fc6db30e186295f1c9495d03cef6a01a2 , < 631d0fab143bef85ea0813596f1dda36e2b9724c (git) Affected: 1351e69fc6db30e186295f1c9495d03cef6a01a2 , < 7e5a54d1f00725a739dcd20f616d82eff4f764bd (git) Affected: 1351e69fc6db30e186295f1c9495d03cef6a01a2 , < 91a0c0c1413239d0548b5aac4c82f38f6d53a91e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74d90f92eafe8ccd12827228236a28a94eda6bcc",
"status": "affected",
"version": "1351e69fc6db30e186295f1c9495d03cef6a01a2",
"versionType": "git"
},
{
"lessThan": "bab8dc38b1a0a12bc064fc064269033bdcf5b88e",
"status": "affected",
"version": "1351e69fc6db30e186295f1c9495d03cef6a01a2",
"versionType": "git"
},
{
"lessThan": "fd8c83d8375b9dac1949f2753485a5c055ebfad0",
"status": "affected",
"version": "1351e69fc6db30e186295f1c9495d03cef6a01a2",
"versionType": "git"
},
{
"lessThan": "e6f1ef4a53856ed000b0f7265d7e16dcb00f4243",
"status": "affected",
"version": "1351e69fc6db30e186295f1c9495d03cef6a01a2",
"versionType": "git"
},
{
"lessThan": "631d0fab143bef85ea0813596f1dda36e2b9724c",
"status": "affected",
"version": "1351e69fc6db30e186295f1c9495d03cef6a01a2",
"versionType": "git"
},
{
"lessThan": "7e5a54d1f00725a739dcd20f616d82eff4f764bd",
"status": "affected",
"version": "1351e69fc6db30e186295f1c9495d03cef6a01a2",
"versionType": "git"
},
{
"lessThan": "91a0c0c1413239d0548b5aac4c82f38f6d53a91e",
"status": "affected",
"version": "1351e69fc6db30e186295f1c9495d03cef6a01a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()\n\nWhen if_type equals zero and pci_resource_start(pdev, PCI_64BIT_BAR4)\nreturns false, drbl_regs_memmap_p is not remapped. This passes a NULL\npointer to iounmap(), which can trigger a WARN() on certain arches.\n\nWhen if_type equals six and pci_resource_start(pdev, PCI_64BIT_BAR4)\nreturns true, drbl_regs_memmap_p may has been remapped and\nctrl_regs_memmap_p is not remapped. This is a resource leak and passes a\nNULL pointer to iounmap().\n\nTo fix these issues, we need to add null checks before iounmap(), and\nchange some goto labels."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:14.821Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74d90f92eafe8ccd12827228236a28a94eda6bcc"
},
{
"url": "https://git.kernel.org/stable/c/bab8dc38b1a0a12bc064fc064269033bdcf5b88e"
},
{
"url": "https://git.kernel.org/stable/c/fd8c83d8375b9dac1949f2753485a5c055ebfad0"
},
{
"url": "https://git.kernel.org/stable/c/e6f1ef4a53856ed000b0f7265d7e16dcb00f4243"
},
{
"url": "https://git.kernel.org/stable/c/631d0fab143bef85ea0813596f1dda36e2b9724c"
},
{
"url": "https://git.kernel.org/stable/c/7e5a54d1f00725a739dcd20f616d82eff4f764bd"
},
{
"url": "https://git.kernel.org/stable/c/91a0c0c1413239d0548b5aac4c82f38f6d53a91e"
}
],
"title": "scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53754",
"datePublished": "2025-12-08T01:19:14.821Z",
"dateReserved": "2025-12-08T01:18:04.280Z",
"dateUpdated": "2025-12-08T01:19:14.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53778 (GCVE-0-2023-53778)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
accel/qaic: Clean up integer overflow checking in map_user_pages()
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: Clean up integer overflow checking in map_user_pages()
The encode_dma() function has some validation on in_trans->size but it
would be more clear to move those checks to find_and_map_user_pages().
The encode_dma() had two checks:
if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size)
return -EINVAL;
The in_trans->addr variable is the starting address. The in_trans->size
variable is the total size of the transfer. The transfer can occur in
parts and the resources->xferred_dma_size tracks how many bytes we have
already transferred.
This patch introduces a new variable "remaining" which represents the
amount we want to transfer (in_trans->size) minus the amount we have
already transferred (resources->xferred_dma_size).
I have modified the check for if in_trans->size is zero to instead check
if in_trans->size is less than resources->xferred_dma_size. If we have
already transferred more bytes than in_trans->size then there are negative
bytes remaining which doesn't make sense. If there are zero bytes
remaining to be copied, just return success.
The check in encode_dma() checked that "addr + size" could not overflow
and barring a driver bug that should work, but it's easier to check if
we do this in parts. First check that "in_trans->addr +
resources->xferred_dma_size" is safe. Then check that "xfer_start_addr +
remaining" is safe.
My final concern was that we are dealing with u64 values but on 32bit
systems the kmalloc() function will truncate the sizes to 32 bits. So
I calculated "total = in_trans->size + offset_in_page(xfer_start_addr);"
and returned -EINVAL if it were >= SIZE_MAX. This will not affect 64bit
systems.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
},
{
"lessThan": "96d3c1cadedb6ae2e8965e19cd12caa244afbd9c",
"status": "affected",
"version": "129776ac2e38231fa9c02ce20e116c99de291666",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/qaic/qaic_control.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Clean up integer overflow checking in map_user_pages()\n\nThe encode_dma() function has some validation on in_trans-\u003esize but it\nwould be more clear to move those checks to find_and_map_user_pages().\n\nThe encode_dma() had two checks:\n\n\tif (in_trans-\u003eaddr + in_trans-\u003esize \u003c in_trans-\u003eaddr || !in_trans-\u003esize)\n\t\treturn -EINVAL;\n\nThe in_trans-\u003eaddr variable is the starting address. The in_trans-\u003esize\nvariable is the total size of the transfer. The transfer can occur in\nparts and the resources-\u003exferred_dma_size tracks how many bytes we have\nalready transferred.\n\nThis patch introduces a new variable \"remaining\" which represents the\namount we want to transfer (in_trans-\u003esize) minus the amount we have\nalready transferred (resources-\u003exferred_dma_size).\n\nI have modified the check for if in_trans-\u003esize is zero to instead check\nif in_trans-\u003esize is less than resources-\u003exferred_dma_size. If we have\nalready transferred more bytes than in_trans-\u003esize then there are negative\nbytes remaining which doesn\u0027t make sense. If there are zero bytes\nremaining to be copied, just return success.\n\nThe check in encode_dma() checked that \"addr + size\" could not overflow\nand barring a driver bug that should work, but it\u0027s easier to check if\nwe do this in parts. First check that \"in_trans-\u003eaddr +\nresources-\u003exferred_dma_size\" is safe. Then check that \"xfer_start_addr +\nremaining\" is safe.\n\nMy final concern was that we are dealing with u64 values but on 32bit\nsystems the kmalloc() function will truncate the sizes to 32 bits. So\nI calculated \"total = in_trans-\u003esize + offset_in_page(xfer_start_addr);\"\nand returned -EINVAL if it were \u003e= SIZE_MAX. This will not affect 64bit\nsystems."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:34.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3"
},
{
"url": "https://git.kernel.org/stable/c/96d3c1cadedb6ae2e8965e19cd12caa244afbd9c"
}
],
"title": "accel/qaic: Clean up integer overflow checking in map_user_pages()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53778",
"datePublished": "2025-12-09T00:00:34.074Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-09T00:00:34.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68331 (GCVE-0-2025-68331)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:14
VLAI?
EPSS
Title
usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer
When a UAS device is unplugged during data transfer, there is
a probability of a system panic occurring. The root cause is
an access to an invalid memory address during URB callback handling.
Specifically, this happens when the dma_direct_unmap_sg() function
is called within the usb_hcd_unmap_urb_for_dma() interface, but the
sg->dma_address field is 0 and the sg data structure has already been
freed.
The SCSI driver sends transfer commands by invoking uas_queuecommand_lck()
in uas.c, using the uas_submit_urbs() function to submit requests to USB.
Within the uas_submit_urbs() implementation, three URBs (sense_urb,
data_urb, and cmd_urb) are sequentially submitted. Device removal may
occur at any point during uas_submit_urbs execution, which may result
in URB submission failure. However, some URBs might have been successfully
submitted before the failure, and uas_submit_urbs will return the -ENODEV
error code in this case. The current error handling directly calls
scsi_done(). In the SCSI driver, this eventually triggers scsi_complete()
to invoke scsi_end_request() for releasing the sgtable. The successfully
submitted URBs, when being unlinked to giveback, call
usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg
unmapping operations since the sg data structure has already been freed.
This patch modifies the error condition check in the uas_submit_urbs()
function. When a UAS device is removed but one or more URBs have already
been successfully submitted to USB, it avoids immediately invoking
scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully
submitted URBs is completed before devinfo->resetting being set, then
the scsi_done() function will be called within uas_try_complete() after
all pending URB operations are finalized. Otherwise, the scsi_done()
function will be called within uas_zap_pending(), which is executed after
usb_kill_anchored_urbs().
The error handling only takes effect when uas_queuecommand_lck() calls
uas_submit_urbs() and returns the error value -ENODEV . In this case,
the device is disconnected, and the flow proceeds to uas_disconnect(),
where uas_zap_pending() is invoked to call uas_try_complete().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 6289fc489e94c9beb6be2b502ccc263663733d72
(git)
Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17 (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 75f8e2643085db4f7e136fc6b368eb114dd80a64 (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < e3a55221f4de080cb7a91ba10f01c4f708603f8d (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 2b90a8131c83f6f2be69397d2b7d14d217d95d2f (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 426edbfc88b22601ea34a441a469092e7b301c52 (git) Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 26d56a9fcb2014b99e654127960aa0a48a391e3c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/uas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6289fc489e94c9beb6be2b502ccc263663733d72",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "75f8e2643085db4f7e136fc6b368eb114dd80a64",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "e3a55221f4de080cb7a91ba10f01c4f708603f8d",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "2b90a8131c83f6f2be69397d2b7d14d217d95d2f",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "426edbfc88b22601ea34a441a469092e7b301c52",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
},
{
"lessThan": "26d56a9fcb2014b99e654127960aa0a48a391e3c",
"status": "affected",
"version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/storage/uas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer\n\nWhen a UAS device is unplugged during data transfer, there is\na probability of a system panic occurring. The root cause is\nan access to an invalid memory address during URB callback handling.\nSpecifically, this happens when the dma_direct_unmap_sg() function\nis called within the usb_hcd_unmap_urb_for_dma() interface, but the\nsg-\u003edma_address field is 0 and the sg data structure has already been\nfreed.\n\nThe SCSI driver sends transfer commands by invoking uas_queuecommand_lck()\nin uas.c, using the uas_submit_urbs() function to submit requests to USB.\nWithin the uas_submit_urbs() implementation, three URBs (sense_urb,\ndata_urb, and cmd_urb) are sequentially submitted. Device removal may\noccur at any point during uas_submit_urbs execution, which may result\nin URB submission failure. However, some URBs might have been successfully\nsubmitted before the failure, and uas_submit_urbs will return the -ENODEV\nerror code in this case. The current error handling directly calls\nscsi_done(). In the SCSI driver, this eventually triggers scsi_complete()\nto invoke scsi_end_request() for releasing the sgtable. The successfully\nsubmitted URBs, when being unlinked to giveback, call\nusb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg\nunmapping operations since the sg data structure has already been freed.\n\nThis patch modifies the error condition check in the uas_submit_urbs()\nfunction. When a UAS device is removed but one or more URBs have already\nbeen successfully submitted to USB, it avoids immediately invoking\nscsi_done() and save the cmnd to devinfo-\u003ecmnd array. If the successfully\nsubmitted URBs is completed before devinfo-\u003eresetting being set, then\nthe scsi_done() function will be called within uas_try_complete() after\nall pending URB operations are finalized. Otherwise, the scsi_done()\nfunction will be called within uas_zap_pending(), which is executed after\nusb_kill_anchored_urbs().\n\nThe error handling only takes effect when uas_queuecommand_lck() calls\nuas_submit_urbs() and returns the error value -ENODEV . In this case,\nthe device is disconnected, and the flow proceeds to uas_disconnect(),\nwhere uas_zap_pending() is invoked to call uas_try_complete()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T16:14:09.243Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6289fc489e94c9beb6be2b502ccc263663733d72"
},
{
"url": "https://git.kernel.org/stable/c/66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17"
},
{
"url": "https://git.kernel.org/stable/c/75f8e2643085db4f7e136fc6b368eb114dd80a64"
},
{
"url": "https://git.kernel.org/stable/c/e3a55221f4de080cb7a91ba10f01c4f708603f8d"
},
{
"url": "https://git.kernel.org/stable/c/2b90a8131c83f6f2be69397d2b7d14d217d95d2f"
},
{
"url": "https://git.kernel.org/stable/c/426edbfc88b22601ea34a441a469092e7b301c52"
},
{
"url": "https://git.kernel.org/stable/c/26d56a9fcb2014b99e654127960aa0a48a391e3c"
}
],
"title": "usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68331",
"datePublished": "2025-12-22T16:12:24.607Z",
"dateReserved": "2025-12-16T14:48:05.296Z",
"dateUpdated": "2025-12-22T16:14:09.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54201 (GCVE-0-2023-54201)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:09 – Updated: 2025-12-30 12:09
VLAI?
EPSS
Title
RDMA/efa: Fix wrong resources deallocation order
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/efa: Fix wrong resources deallocation order
When trying to destroy QP or CQ, we first decrease the refcount and
potentially free memory regions allocated for the object and then
request the device to destroy the object. If the device fails, the
object isn't fully destroyed so the user/IB core can try to destroy the
object again which will lead to underflow when trying to decrease an
already zeroed refcount.
Deallocate resources in reverse order of allocating them to safely free
them.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ff6629f88c529b07d9704c656c64dae76910e3e9 , < cf38960386f3cc4abf395e556af915e4babcafd2
(git)
Affected: ff6629f88c529b07d9704c656c64dae76910e3e9 , < e79db2f51a564fd4daa3e508b987df5e81c34b20 (git) Affected: ff6629f88c529b07d9704c656c64dae76910e3e9 , < 24f9884971f9b34915b67baacf7350a3f6f19ea4 (git) Affected: ff6629f88c529b07d9704c656c64dae76910e3e9 , < dc202c57e9a1423aed528e4b8dc949509cd32191 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/efa/efa_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf38960386f3cc4abf395e556af915e4babcafd2",
"status": "affected",
"version": "ff6629f88c529b07d9704c656c64dae76910e3e9",
"versionType": "git"
},
{
"lessThan": "e79db2f51a564fd4daa3e508b987df5e81c34b20",
"status": "affected",
"version": "ff6629f88c529b07d9704c656c64dae76910e3e9",
"versionType": "git"
},
{
"lessThan": "24f9884971f9b34915b67baacf7350a3f6f19ea4",
"status": "affected",
"version": "ff6629f88c529b07d9704c656c64dae76910e3e9",
"versionType": "git"
},
{
"lessThan": "dc202c57e9a1423aed528e4b8dc949509cd32191",
"status": "affected",
"version": "ff6629f88c529b07d9704c656c64dae76910e3e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/efa/efa_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/efa: Fix wrong resources deallocation order\n\nWhen trying to destroy QP or CQ, we first decrease the refcount and\npotentially free memory regions allocated for the object and then\nrequest the device to destroy the object. If the device fails, the\nobject isn\u0027t fully destroyed so the user/IB core can try to destroy the\nobject again which will lead to underflow when trying to decrease an\nalready zeroed refcount.\n\nDeallocate resources in reverse order of allocating them to safely free\nthem."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:09:06.211Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf38960386f3cc4abf395e556af915e4babcafd2"
},
{
"url": "https://git.kernel.org/stable/c/e79db2f51a564fd4daa3e508b987df5e81c34b20"
},
{
"url": "https://git.kernel.org/stable/c/24f9884971f9b34915b67baacf7350a3f6f19ea4"
},
{
"url": "https://git.kernel.org/stable/c/dc202c57e9a1423aed528e4b8dc949509cd32191"
}
],
"title": "RDMA/efa: Fix wrong resources deallocation order",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54201",
"datePublished": "2025-12-30T12:09:06.211Z",
"dateReserved": "2025-12-30T12:06:44.499Z",
"dateUpdated": "2025-12-30T12:09:06.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68237 (GCVE-0-2025-68237)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2025-12-16 14:08
VLAI?
EPSS
Title
mtdchar: fix integer overflow in read/write ioctls
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtdchar: fix integer overflow in read/write ioctls
The "req.start" and "req.len" variables are u64 values that come from the
user at the start of the function. We mask away the high 32 bits of
"req.len" so that's capped at U32_MAX but the "req.start" variable can go
up to U64_MAX which means that the addition can still integer overflow.
Use check_add_overflow() to fix this bug.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < f37efdd97fd1ec3e0d0f1eec279c8279e28f981e
(git)
Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < 457376c6fbf0c69326a9bf1f72416225f681192b (git) Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < eb9361484814fb12f3b7544b33835ea67d7a6a97 (git) Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < 37944f4f8199cd153fef74e95ca268020162f212 (git) Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < e4185bed738da755b191aa3f2e16e8b48450e1b8 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/mtdchar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f37efdd97fd1ec3e0d0f1eec279c8279e28f981e",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "457376c6fbf0c69326a9bf1f72416225f681192b",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "eb9361484814fb12f3b7544b33835ea67d7a6a97",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "37944f4f8199cd153fef74e95ca268020162f212",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
},
{
"lessThan": "e4185bed738da755b191aa3f2e16e8b48450e1b8",
"status": "affected",
"version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/mtdchar.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtdchar: fix integer overflow in read/write ioctls\n\nThe \"req.start\" and \"req.len\" variables are u64 values that come from the\nuser at the start of the function. We mask away the high 32 bits of\n\"req.len\" so that\u0027s capped at U32_MAX but the \"req.start\" variable can go\nup to U64_MAX which means that the addition can still integer overflow.\n\nUse check_add_overflow() to fix this bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:08:30.940Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f37efdd97fd1ec3e0d0f1eec279c8279e28f981e"
},
{
"url": "https://git.kernel.org/stable/c/457376c6fbf0c69326a9bf1f72416225f681192b"
},
{
"url": "https://git.kernel.org/stable/c/eb9361484814fb12f3b7544b33835ea67d7a6a97"
},
{
"url": "https://git.kernel.org/stable/c/37944f4f8199cd153fef74e95ca268020162f212"
},
{
"url": "https://git.kernel.org/stable/c/e4185bed738da755b191aa3f2e16e8b48450e1b8"
}
],
"title": "mtdchar: fix integer overflow in read/write ioctls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68237",
"datePublished": "2025-12-16T14:08:30.940Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2025-12-16T14:08:30.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50838 (GCVE-0-2022-50838)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2025-12-30 12:10
VLAI?
EPSS
Title
net: stream: purge sk_error_queue in sk_stream_kill_queues()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stream: purge sk_error_queue in sk_stream_kill_queues()
Changheon Lee reported TCP socket leaks, with a nice repro.
It seems we leak TCP sockets with the following sequence:
1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket.
Each ACK will cook an skb put in error queue, from __skb_tstamp_tx().
__skb_tstamp_tx() is using skb_clone(), unless
SOF_TIMESTAMPING_OPT_TSONLY was also requested.
2) If the application is also using MSG_ZEROCOPY, then we put in the
error queue cloned skbs that had a struct ubuf_info attached to them.
Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc()
does a sock_hold().
As long as the cloned skbs are still in sk_error_queue,
socket refcount is kept elevated.
3) Application closes the socket, while error queue is not empty.
Since tcp_close() no longer purges the socket error queue,
we might end up with a TCP socket with at least one skb in
error queue keeping the socket alive forever.
This bug can be (ab)used to consume all kernel memory
and freeze the host.
We need to purge the error queue, with proper synchronization
against concurrent writers.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7737b104c211fa843de268b897d601e070292a72 , < c8c1eec578a9ae2dc8f14a1846942a0b7bf29d1d
(git)
Affected: 89be5c357de34718eaaaefed80737f432c5ab86f , < bab542cf56fc174c8447c00b73be99ffd66d2d39 (git) Affected: 8b8b3d738e450d2c2ccdc75f0ab5a951746c2a96 , < 6f00bd0402a1e3d2d556afba57c045bd7931e4d3 (git) Affected: b631c603b5fb98d2bd709c35d384901965a3dd51 , < 4f1d37ff4226eb99d6b69e9f4518e279e1a851bf (git) Affected: daf15fa1fd997749e881aedd9f03f73a11240e82 , < 9062493811676ee0efe6c74d98f00ca38c4e17d4 (git) Affected: 3988164fe9ddf98ebf5b5cdede91ac38c5f08a7e , < 9da204cd67c4fe97e8aa465d10d5c2e7076f7f42 (git) Affected: 24bcbe1cc69fa52dc4f7b5b2456678ed464724d8 , < 8c330c36b3970d0917f48827fa6c7a9c75aa4602 (git) Affected: 24bcbe1cc69fa52dc4f7b5b2456678ed464724d8 , < b458d349f8753f666233828ebd30df6f100cf7d5 (git) Affected: 24bcbe1cc69fa52dc4f7b5b2456678ed464724d8 , < e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3 (git) Affected: 6ba975e14f5ebb87143d737c493adf4031409a68 (git) Affected: 4437f3ead9e85c35fe0e3adfb98c0b97eaa267eb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8c1eec578a9ae2dc8f14a1846942a0b7bf29d1d",
"status": "affected",
"version": "7737b104c211fa843de268b897d601e070292a72",
"versionType": "git"
},
{
"lessThan": "bab542cf56fc174c8447c00b73be99ffd66d2d39",
"status": "affected",
"version": "89be5c357de34718eaaaefed80737f432c5ab86f",
"versionType": "git"
},
{
"lessThan": "6f00bd0402a1e3d2d556afba57c045bd7931e4d3",
"status": "affected",
"version": "8b8b3d738e450d2c2ccdc75f0ab5a951746c2a96",
"versionType": "git"
},
{
"lessThan": "4f1d37ff4226eb99d6b69e9f4518e279e1a851bf",
"status": "affected",
"version": "b631c603b5fb98d2bd709c35d384901965a3dd51",
"versionType": "git"
},
{
"lessThan": "9062493811676ee0efe6c74d98f00ca38c4e17d4",
"status": "affected",
"version": "daf15fa1fd997749e881aedd9f03f73a11240e82",
"versionType": "git"
},
{
"lessThan": "9da204cd67c4fe97e8aa465d10d5c2e7076f7f42",
"status": "affected",
"version": "3988164fe9ddf98ebf5b5cdede91ac38c5f08a7e",
"versionType": "git"
},
{
"lessThan": "8c330c36b3970d0917f48827fa6c7a9c75aa4602",
"status": "affected",
"version": "24bcbe1cc69fa52dc4f7b5b2456678ed464724d8",
"versionType": "git"
},
{
"lessThan": "b458d349f8753f666233828ebd30df6f100cf7d5",
"status": "affected",
"version": "24bcbe1cc69fa52dc4f7b5b2456678ed464724d8",
"versionType": "git"
},
{
"lessThan": "e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3",
"status": "affected",
"version": "24bcbe1cc69fa52dc4f7b5b2456678ed464724d8",
"versionType": "git"
},
{
"status": "affected",
"version": "6ba975e14f5ebb87143d737c493adf4031409a68",
"versionType": "git"
},
{
"status": "affected",
"version": "4437f3ead9e85c35fe0e3adfb98c0b97eaa267eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.9.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14.256",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19.218",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.10.80",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.15.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.293",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stream: purge sk_error_queue in sk_stream_kill_queues()\n\nChangheon Lee reported TCP socket leaks, with a nice repro.\n\nIt seems we leak TCP sockets with the following sequence:\n\n1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket.\n\n Each ACK will cook an skb put in error queue, from __skb_tstamp_tx().\n __skb_tstamp_tx() is using skb_clone(), unless\n SOF_TIMESTAMPING_OPT_TSONLY was also requested.\n\n2) If the application is also using MSG_ZEROCOPY, then we put in the\n error queue cloned skbs that had a struct ubuf_info attached to them.\n\n Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc()\n does a sock_hold().\n\n As long as the cloned skbs are still in sk_error_queue,\n socket refcount is kept elevated.\n\n3) Application closes the socket, while error queue is not empty.\n\nSince tcp_close() no longer purges the socket error queue,\nwe might end up with a TCP socket with at least one skb in\nerror queue keeping the socket alive forever.\n\nThis bug can be (ab)used to consume all kernel memory\nand freeze the host.\n\nWe need to purge the error queue, with proper synchronization\nagainst concurrent writers."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:10:57.721Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8c1eec578a9ae2dc8f14a1846942a0b7bf29d1d"
},
{
"url": "https://git.kernel.org/stable/c/bab542cf56fc174c8447c00b73be99ffd66d2d39"
},
{
"url": "https://git.kernel.org/stable/c/6f00bd0402a1e3d2d556afba57c045bd7931e4d3"
},
{
"url": "https://git.kernel.org/stable/c/4f1d37ff4226eb99d6b69e9f4518e279e1a851bf"
},
{
"url": "https://git.kernel.org/stable/c/9062493811676ee0efe6c74d98f00ca38c4e17d4"
},
{
"url": "https://git.kernel.org/stable/c/9da204cd67c4fe97e8aa465d10d5c2e7076f7f42"
},
{
"url": "https://git.kernel.org/stable/c/8c330c36b3970d0917f48827fa6c7a9c75aa4602"
},
{
"url": "https://git.kernel.org/stable/c/b458d349f8753f666233828ebd30df6f100cf7d5"
},
{
"url": "https://git.kernel.org/stable/c/e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3"
}
],
"title": "net: stream: purge sk_error_queue in sk_stream_kill_queues()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50838",
"datePublished": "2025-12-30T12:10:57.721Z",
"dateReserved": "2025-12-30T12:06:07.133Z",
"dateUpdated": "2025-12-30T12:10:57.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68351 (GCVE-0-2025-68351)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-30 09:48
VLAI?
EPSS
Title
exfat: fix refcount leak in exfat_find
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix refcount leak in exfat_find
Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.
Function `exfat_get_dentry_set` would increase the reference counter of
`es->bh` on success. Therefore, `exfat_put_dentry_set` must be called
after `exfat_get_dentry_set` to ensure refcount consistency. This patch
relocate two checks to avoid possible leaks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
92075758782c5edb4c67d0da9e47586a624c22f7 , < fc9ce762525e73438d31b613f18bca92a4d3d578
(git)
Affected: 13940cef95491472760ca261b6713692ece9b946 , < d009ff8959d28d2a33aeb96a5f7e7161c421d78f (git) Affected: 13940cef95491472760ca261b6713692ece9b946 , < 9aee8de970f18c2aaaa348e3de86c38e2d956c1d (git) Affected: 0c8a1d2afd0dce0ea9257ab8c2271d8db6cb575d (git) Affected: 6c627bcc1896ba62ec793d0c00da74f3c93ce3ad (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc9ce762525e73438d31b613f18bca92a4d3d578",
"status": "affected",
"version": "92075758782c5edb4c67d0da9e47586a624c22f7",
"versionType": "git"
},
{
"lessThan": "d009ff8959d28d2a33aeb96a5f7e7161c421d78f",
"status": "affected",
"version": "13940cef95491472760ca261b6713692ece9b946",
"versionType": "git"
},
{
"lessThan": "9aee8de970f18c2aaaa348e3de86c38e2d956c1d",
"status": "affected",
"version": "13940cef95491472760ca261b6713692ece9b946",
"versionType": "git"
},
{
"status": "affected",
"version": "0c8a1d2afd0dce0ea9257ab8c2271d8db6cb575d",
"versionType": "git"
},
{
"status": "affected",
"version": "6c627bcc1896ba62ec793d0c00da74f3c93ce3ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "6.12.23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.59",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix refcount leak in exfat_find\n\nFix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.\n\nFunction `exfat_get_dentry_set` would increase the reference counter of\n`es-\u003ebh` on success. Therefore, `exfat_put_dentry_set` must be called\nafter `exfat_get_dentry_set` to ensure refcount consistency. This patch\nrelocate two checks to avoid possible leaks."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T09:48:43.726Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc9ce762525e73438d31b613f18bca92a4d3d578"
},
{
"url": "https://git.kernel.org/stable/c/d009ff8959d28d2a33aeb96a5f7e7161c421d78f"
},
{
"url": "https://git.kernel.org/stable/c/9aee8de970f18c2aaaa348e3de86c38e2d956c1d"
}
],
"title": "exfat: fix refcount leak in exfat_find",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68351",
"datePublished": "2025-12-24T10:32:42.683Z",
"dateReserved": "2025-12-16T14:48:05.300Z",
"dateUpdated": "2026-01-30T09:48:43.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50870 (GCVE-0-2022-50870)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-01-02 15:05
VLAI?
EPSS
Title
powerpc/rtas: avoid device tree lookups in rtas_os_term()
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/rtas: avoid device tree lookups in rtas_os_term()
rtas_os_term() is called during panic. Its behavior depends on a couple
of conditions in the /rtas node of the device tree, the traversal of
which entails locking and local IRQ state changes. If the kernel panics
while devtree_lock is held, rtas_os_term() as currently written could
hang.
Instead of discovering the relevant characteristics at panic time,
cache them in file-static variables at boot. Note the lookup for
"ibm,extended-os-term" is converted to of_property_read_bool() since it
is a boolean property, not an RTAS function token.
[mpe: Incorporate suggested change from Nick]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
088186ded490ced80758200cf8f906ed741df306 , < e23822c7381c59d9e42e65771b6e17c71ed30ea7
(git)
Affected: 088186ded490ced80758200cf8f906ed741df306 , < 06a07fbb32b3a23eec20a42b1e64474da0a3b33e (git) Affected: 088186ded490ced80758200cf8f906ed741df306 , < c2fa91abf22a705cf02f886cd99cff41f4ceda60 (git) Affected: 088186ded490ced80758200cf8f906ed741df306 , < f2167f10fcca68ab9ae3f8d94d2c704c5541ac69 (git) Affected: 088186ded490ced80758200cf8f906ed741df306 , < d8939315b7342860df143afe0adda6212cdd3193 (git) Affected: 088186ded490ced80758200cf8f906ed741df306 , < 698e682c849e356fb47a8be47ca8baa817cf31e0 (git) Affected: 088186ded490ced80758200cf8f906ed741df306 , < 464d10e8d797454e16a173ef1292a446b2adf21c (git) Affected: 088186ded490ced80758200cf8f906ed741df306 , < ed2213bfb192ab51f09f12e9b49b5d482c6493f3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/rtas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e23822c7381c59d9e42e65771b6e17c71ed30ea7",
"status": "affected",
"version": "088186ded490ced80758200cf8f906ed741df306",
"versionType": "git"
},
{
"lessThan": "06a07fbb32b3a23eec20a42b1e64474da0a3b33e",
"status": "affected",
"version": "088186ded490ced80758200cf8f906ed741df306",
"versionType": "git"
},
{
"lessThan": "c2fa91abf22a705cf02f886cd99cff41f4ceda60",
"status": "affected",
"version": "088186ded490ced80758200cf8f906ed741df306",
"versionType": "git"
},
{
"lessThan": "f2167f10fcca68ab9ae3f8d94d2c704c5541ac69",
"status": "affected",
"version": "088186ded490ced80758200cf8f906ed741df306",
"versionType": "git"
},
{
"lessThan": "d8939315b7342860df143afe0adda6212cdd3193",
"status": "affected",
"version": "088186ded490ced80758200cf8f906ed741df306",
"versionType": "git"
},
{
"lessThan": "698e682c849e356fb47a8be47ca8baa817cf31e0",
"status": "affected",
"version": "088186ded490ced80758200cf8f906ed741df306",
"versionType": "git"
},
{
"lessThan": "464d10e8d797454e16a173ef1292a446b2adf21c",
"status": "affected",
"version": "088186ded490ced80758200cf8f906ed741df306",
"versionType": "git"
},
{
"lessThan": "ed2213bfb192ab51f09f12e9b49b5d482c6493f3",
"status": "affected",
"version": "088186ded490ced80758200cf8f906ed741df306",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/rtas.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.3",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: avoid device tree lookups in rtas_os_term()\n\nrtas_os_term() is called during panic. Its behavior depends on a couple\nof conditions in the /rtas node of the device tree, the traversal of\nwhich entails locking and local IRQ state changes. If the kernel panics\nwhile devtree_lock is held, rtas_os_term() as currently written could\nhang.\n\nInstead of discovering the relevant characteristics at panic time,\ncache them in file-static variables at boot. Note the lookup for\n\"ibm,extended-os-term\" is converted to of_property_read_bool() since it\nis a boolean property, not an RTAS function token.\n\n[mpe: Incorporate suggested change from Nick]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:05:07.299Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e23822c7381c59d9e42e65771b6e17c71ed30ea7"
},
{
"url": "https://git.kernel.org/stable/c/06a07fbb32b3a23eec20a42b1e64474da0a3b33e"
},
{
"url": "https://git.kernel.org/stable/c/c2fa91abf22a705cf02f886cd99cff41f4ceda60"
},
{
"url": "https://git.kernel.org/stable/c/f2167f10fcca68ab9ae3f8d94d2c704c5541ac69"
},
{
"url": "https://git.kernel.org/stable/c/d8939315b7342860df143afe0adda6212cdd3193"
},
{
"url": "https://git.kernel.org/stable/c/698e682c849e356fb47a8be47ca8baa817cf31e0"
},
{
"url": "https://git.kernel.org/stable/c/464d10e8d797454e16a173ef1292a446b2adf21c"
},
{
"url": "https://git.kernel.org/stable/c/ed2213bfb192ab51f09f12e9b49b5d482c6493f3"
}
],
"title": "powerpc/rtas: avoid device tree lookups in rtas_os_term()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50870",
"datePublished": "2025-12-30T12:15:40.718Z",
"dateReserved": "2025-12-30T12:06:07.136Z",
"dateUpdated": "2026-01-02T15:05:07.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50675 (GCVE-0-2022-50675)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored
Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE
is untagged"), mte_sync_tags() was only called for pte_tagged() entries
(those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use
test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently
setting PG_mte_tagged on an untagged page.
The above commit was required as guests may enable MTE without any
control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM.
However, the side-effect was that any page with a PTE that looked like
swap (or migration) was getting PG_mte_tagged set automatically. A
subsequent page copy (e.g. migration) copied the tags to the destination
page even if the tags were owned by KASAN.
This issue was masked by the page_kasan_tag_reset() call introduced in
commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags").
When this commit was reverted (20794545c146), KASAN started reporting
access faults because the overriding tags in a page did not match the
original page->flags (with CONFIG_KASAN_HW_TAGS=y):
BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26
Read at addr f5ff000017f2e000 by task syz-executor.1/2218
Pointer tag: [f5], memory tag: [f2]
Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual
place where tags are cleared (mte_sync_page_tags()) or restored
(mte_restore_tags()).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
69e3b846d8a753f9f279f29531ca56b0f7563ad0 , < 918002bdbe4328c8c0164a22e8ebf2384b80dc23
(git)
Affected: 69e3b846d8a753f9f279f29531ca56b0f7563ad0 , < 749e9fc18b1e1a3f93a9512e91bd7f93002d2821 (git) Affected: 69e3b846d8a753f9f279f29531ca56b0f7563ad0 , < a8e5e5146ad08d794c58252bab00b261045ef16d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/mte.c",
"arch/arm64/mm/mteswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "918002bdbe4328c8c0164a22e8ebf2384b80dc23",
"status": "affected",
"version": "69e3b846d8a753f9f279f29531ca56b0f7563ad0",
"versionType": "git"
},
{
"lessThan": "749e9fc18b1e1a3f93a9512e91bd7f93002d2821",
"status": "affected",
"version": "69e3b846d8a753f9f279f29531ca56b0f7563ad0",
"versionType": "git"
},
{
"lessThan": "a8e5e5146ad08d794c58252bab00b261045ef16d",
"status": "affected",
"version": "69e3b846d8a753f9f279f29531ca56b0f7563ad0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/mte.c",
"arch/arm64/mm/mteswap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.82",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored\n\nPrior to commit 69e3b846d8a7 (\"arm64: mte: Sync tags for pages where PTE\nis untagged\"), mte_sync_tags() was only called for pte_tagged() entries\n(those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use\ntest_and_set_bit(PG_mte_tagged, \u0026page-\u003eflags) without inadvertently\nsetting PG_mte_tagged on an untagged page.\n\nThe above commit was required as guests may enable MTE without any\ncontrol at the stage 2 mapping, nor a PROT_MTE mapping in the VMM.\nHowever, the side-effect was that any page with a PTE that looked like\nswap (or migration) was getting PG_mte_tagged set automatically. A\nsubsequent page copy (e.g. migration) copied the tags to the destination\npage even if the tags were owned by KASAN.\n\nThis issue was masked by the page_kasan_tag_reset() call introduced in\ncommit e5b8d9218951 (\"arm64: mte: reset the page tag in page-\u003eflags\").\nWhen this commit was reverted (20794545c146), KASAN started reporting\naccess faults because the overriding tags in a page did not match the\noriginal page-\u003eflags (with CONFIG_KASAN_HW_TAGS=y):\n\n BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26\n Read at addr f5ff000017f2e000 by task syz-executor.1/2218\n Pointer tag: [f5], memory tag: [f2]\n\nMove the PG_mte_tagged bit setting from mte_sync_tags() to the actual\nplace where tags are cleared (mte_sync_page_tags()) or restored\n(mte_restore_tags())."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:27.926Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/918002bdbe4328c8c0164a22e8ebf2384b80dc23"
},
{
"url": "https://git.kernel.org/stable/c/749e9fc18b1e1a3f93a9512e91bd7f93002d2821"
},
{
"url": "https://git.kernel.org/stable/c/a8e5e5146ad08d794c58252bab00b261045ef16d"
}
],
"title": "arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50675",
"datePublished": "2025-12-09T01:29:27.926Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:27.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68302 (GCVE-0-2025-68302)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
net: sxgbe: fix potential NULL dereference in sxgbe_rx()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sxgbe: fix potential NULL dereference in sxgbe_rx()
Currently, when skb is null, the driver prints an error and then
dereferences skb on the next line.
To fix this, let's add a 'break' after the error message to switch
to sxgbe_rx_refill(), which is similar to the approach taken by the
other drivers in this particular case, e.g. calxeda with xgmac_rx().
Found during a code review.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1edb9ca69e8a7988900fc0283e10550b5592164d , < ac171c3c755499c9f87fe30b920602255f8b5648
(git)
Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 18ef3ad1bb57dcf1a9ee61736039aedccf670b21 (git) Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 46e5332126596a2ca791140feab18ce1fc1a3c86 (git) Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 7fd789d6ea4915034eb6bcb72f6883c8151083e5 (git) Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc (git) Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 88f46c0be77bfe45830ac33102c75be7c34ac3f3 (git) Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < f5bce28f6b9125502abec4a67d68eabcd24b3b17 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac171c3c755499c9f87fe30b920602255f8b5648",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "18ef3ad1bb57dcf1a9ee61736039aedccf670b21",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "46e5332126596a2ca791140feab18ce1fc1a3c86",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "7fd789d6ea4915034eb6bcb72f6883c8151083e5",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "88f46c0be77bfe45830ac33102c75be7c34ac3f3",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
},
{
"lessThan": "f5bce28f6b9125502abec4a67d68eabcd24b3b17",
"status": "affected",
"version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sxgbe: fix potential NULL dereference in sxgbe_rx()\n\nCurrently, when skb is null, the driver prints an error and then\ndereferences skb on the next line.\n\nTo fix this, let\u0027s add a \u0027break\u0027 after the error message to switch\nto sxgbe_rx_refill(), which is similar to the approach taken by the\nother drivers in this particular case, e.g. calxeda with xgmac_rx().\n\nFound during a code review."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:20.420Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac171c3c755499c9f87fe30b920602255f8b5648"
},
{
"url": "https://git.kernel.org/stable/c/18ef3ad1bb57dcf1a9ee61736039aedccf670b21"
},
{
"url": "https://git.kernel.org/stable/c/46e5332126596a2ca791140feab18ce1fc1a3c86"
},
{
"url": "https://git.kernel.org/stable/c/7fd789d6ea4915034eb6bcb72f6883c8151083e5"
},
{
"url": "https://git.kernel.org/stable/c/45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc"
},
{
"url": "https://git.kernel.org/stable/c/88f46c0be77bfe45830ac33102c75be7c34ac3f3"
},
{
"url": "https://git.kernel.org/stable/c/f5bce28f6b9125502abec4a67d68eabcd24b3b17"
}
],
"title": "net: sxgbe: fix potential NULL dereference in sxgbe_rx()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68302",
"datePublished": "2025-12-16T15:06:20.420Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:20.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68180 (GCVE-0-2025-68180)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42
VLAI?
EPSS
Title
drm/amd/display: Fix NULL deref in debugfs odm_combine_segments
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix NULL deref in debugfs odm_combine_segments
When a connector is connected but inactive (e.g., disabled by desktop
environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading
odm_combine_segments causes kernel NULL pointer dereference.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6
Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025
RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]
Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>
RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286
RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8
RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0
R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08
R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001
FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0
PKRU: 55555554
Call Trace:
<TASK>
seq_read_iter+0x125/0x490
? __alloc_frozen_pages_noprof+0x18f/0x350
seq_read+0x12c/0x170
full_proxy_read+0x51/0x80
vfs_read+0xbc/0x390
? __handle_mm_fault+0xa46/0xef0
? do_syscall_64+0x71/0x900
ksys_read+0x73/0xf0
do_syscall_64+0x71/0x900
? count_memcg_events+0xc2/0x190
? handle_mm_fault+0x1d7/0x2d0
? do_user_addr_fault+0x21a/0x690
? exc_page_fault+0x7e/0x1a0
entry_SYSCALL_64_after_hwframe+0x6c/0x74
RIP: 0033:0x7f44d4031687
Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00>
RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687
RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003
RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000
R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000
</TASK>
Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x>
snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn>
platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp>
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]
Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00>
RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286
RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8
RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0
R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08
R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001
FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0
PKRU: 55555554
Fix this by checking pipe_ctx->
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b , < d990c7f180aa7c6ffd2c1b3c77160e50672039ce
(git)
Affected: 07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b , < c05fe5d47baac212a3a74b279239f495be101629 (git) Affected: 07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b , < 6dd97ceb645c08aca9fc871a3006e47fe699f0ac (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d990c7f180aa7c6ffd2c1b3c77160e50672039ce",
"status": "affected",
"version": "07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b",
"versionType": "git"
},
{
"lessThan": "c05fe5d47baac212a3a74b279239f495be101629",
"status": "affected",
"version": "07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b",
"versionType": "git"
},
{
"lessThan": "6dd97ceb645c08aca9fc871a3006e47fe699f0ac",
"status": "affected",
"version": "07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL deref in debugfs odm_combine_segments\n\nWhen a connector is connected but inactive (e.g., disabled by desktop\nenvironments), pipe_ctx-\u003estream_res.tg will be destroyed. Then, reading\nodm_combine_segments causes kernel NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6\n Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025\n RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]\n Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 \u003c48\u003e 8b 07 48 8b 80 08 02 00\u003e\n RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286\n RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8\n RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0\n R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08\n R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001\n FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n seq_read_iter+0x125/0x490\n ? __alloc_frozen_pages_noprof+0x18f/0x350\n seq_read+0x12c/0x170\n full_proxy_read+0x51/0x80\n vfs_read+0xbc/0x390\n ? __handle_mm_fault+0xa46/0xef0\n ? do_syscall_64+0x71/0x900\n ksys_read+0x73/0xf0\n do_syscall_64+0x71/0x900\n ? count_memcg_events+0xc2/0x190\n ? handle_mm_fault+0x1d7/0x2d0\n ? do_user_addr_fault+0x21a/0x690\n ? exc_page_fault+0x7e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x6c/0x74\n RIP: 0033:0x7f44d4031687\n Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 \u003c5b\u003e c3 0f 1f 80 00 00 00 00\u003e\n RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000\n RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687\n RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003\n RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000\n \u003c/TASK\u003e\n Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x\u003e\n snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn\u003e\n platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp\u003e\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]\n Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 \u003c48\u003e 8b 07 48 8b 80 08 02 00\u003e\n RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286\n RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8\n RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0\n R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08\n R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001\n FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0\n PKRU: 55555554\n\nFix this by checking pipe_ctx-\u003e\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:42:58.687Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d990c7f180aa7c6ffd2c1b3c77160e50672039ce"
},
{
"url": "https://git.kernel.org/stable/c/c05fe5d47baac212a3a74b279239f495be101629"
},
{
"url": "https://git.kernel.org/stable/c/6dd97ceb645c08aca9fc871a3006e47fe699f0ac"
}
],
"title": "drm/amd/display: Fix NULL deref in debugfs odm_combine_segments",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68180",
"datePublished": "2025-12-16T13:42:58.687Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2025-12-16T13:42:58.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54322 (GCVE-0-2023-54322)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
arm64: set __exception_irq_entry with __irq_entry as a default
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: set __exception_irq_entry with __irq_entry as a default
filter_irq_stacks() is supposed to cut entries which are related irq entries
from its call stack.
And in_irqentry_text() which is called by filter_irq_stacks()
uses __irqentry_text_start/end symbol to find irq entries in callstack.
But it doesn't work correctly as without "CONFIG_FUNCTION_GRAPH_TRACER",
arm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq
between __irqentry_text_start and __irqentry_text_end as we discussed in below link.
https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t
This problem can makes unintentional deep call stack entries especially
in KASAN enabled situation as below.
[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity
[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c
[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c
[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c
[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0
[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000
[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd
[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040
[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000
[ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20
[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8
[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800
[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8
[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c
[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022
[ 2479.386231]I[0:launcher-loader: 1719] Call trace:
[ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c
[ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70
[ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138
[ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24
[ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170
[ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20
[ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c
[ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28
[ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0
[ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80
[ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98
[ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c
[ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0
[ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300
[ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c
[ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4
[ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0
[ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300
[ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c
[ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304
[ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160
[ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194
[ 2479.386833]I
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f , < c71d6934c6ac40a97146a410e0320768c7b1bb3c
(git)
Affected: 9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f , < 0bd309f22663f3ee749bea0b6d70642c31a1c0a5 (git) Affected: 9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f , < d3b219e504fc5c5a25fa7c04c8589ff34baef9a8 (git) Affected: 9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f , < f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/exception.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c71d6934c6ac40a97146a410e0320768c7b1bb3c",
"status": "affected",
"version": "9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f",
"versionType": "git"
},
{
"lessThan": "0bd309f22663f3ee749bea0b6d70642c31a1c0a5",
"status": "affected",
"version": "9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f",
"versionType": "git"
},
{
"lessThan": "d3b219e504fc5c5a25fa7c04c8589ff34baef9a8",
"status": "affected",
"version": "9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f",
"versionType": "git"
},
{
"lessThan": "f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3",
"status": "affected",
"version": "9a5ad7d0e3e1c6c0c11df89fbc5376f8aaf7a90f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/include/asm/exception.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.150",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: set __exception_irq_entry with __irq_entry as a default\n\nfilter_irq_stacks() is supposed to cut entries which are related irq entries\nfrom its call stack.\nAnd in_irqentry_text() which is called by filter_irq_stacks()\nuses __irqentry_text_start/end symbol to find irq entries in callstack.\n\nBut it doesn\u0027t work correctly as without \"CONFIG_FUNCTION_GRAPH_TRACER\",\narm64 kernel doesn\u0027t include gic_handle_irq which is entry point of arm64 irq\nbetween __irqentry_text_start and __irqentry_text_end as we discussed in below link.\nhttps://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t\n\nThis problem can makes unintentional deep call stack entries especially\nin KASAN enabled situation as below.\n\n[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity\n[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c\n[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c\n[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c\n[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0\n[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000\n[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd\n[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040\n[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000\n[ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20\n[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8\n[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800\n[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8\n[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c\n[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022\n[ 2479.386231]I[0:launcher-loader: 1719] Call trace:\n[ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c\n[ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70\n[ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138\n[ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24\n[ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170\n[ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20\n[ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c\n[ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28\n[ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0\n[ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80\n[ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98\n[ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c\n[ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0\n[ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300\n[ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c\n[ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4\n[ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0\n[ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300\n[ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c\n[ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304\n[ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160\n[ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194\n[ 2479.386833]I\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:26.117Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c71d6934c6ac40a97146a410e0320768c7b1bb3c"
},
{
"url": "https://git.kernel.org/stable/c/0bd309f22663f3ee749bea0b6d70642c31a1c0a5"
},
{
"url": "https://git.kernel.org/stable/c/d3b219e504fc5c5a25fa7c04c8589ff34baef9a8"
},
{
"url": "https://git.kernel.org/stable/c/f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3"
}
],
"title": "arm64: set __exception_irq_entry with __irq_entry as a default",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54322",
"datePublished": "2025-12-30T12:34:15.446Z",
"dateReserved": "2025-12-30T12:28:53.860Z",
"dateUpdated": "2026-01-05T11:37:26.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50633 (GCVE-0-2022-50633)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init
of_icc_get() alloc resources for path handle, we should release it when not
need anymore. Like the release in dwc3_qcom_interconnect_exit() function.
Add icc_put() in error handling to fix this.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bea46b9815154ac47baf16b64022d791a4471375 , < f9089b95548f0272e02a89989c511e235561d051
(git)
Affected: bea46b9815154ac47baf16b64022d791a4471375 , < 56f6de394f0f57928cd401255a5c7866b68a77e3 (git) Affected: bea46b9815154ac47baf16b64022d791a4471375 , < 8c39c8d23ff9fb1beb6e16cf0ae929c764538625 (git) Affected: bea46b9815154ac47baf16b64022d791a4471375 , < 2f3b51189f7a7be5d822fb8c537d778c57eb9821 (git) Affected: bea46b9815154ac47baf16b64022d791a4471375 , < 97a48da1619ba6bd42a0e5da0a03aa490a9496b1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/dwc3-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9089b95548f0272e02a89989c511e235561d051",
"status": "affected",
"version": "bea46b9815154ac47baf16b64022d791a4471375",
"versionType": "git"
},
{
"lessThan": "56f6de394f0f57928cd401255a5c7866b68a77e3",
"status": "affected",
"version": "bea46b9815154ac47baf16b64022d791a4471375",
"versionType": "git"
},
{
"lessThan": "8c39c8d23ff9fb1beb6e16cf0ae929c764538625",
"status": "affected",
"version": "bea46b9815154ac47baf16b64022d791a4471375",
"versionType": "git"
},
{
"lessThan": "2f3b51189f7a7be5d822fb8c537d778c57eb9821",
"status": "affected",
"version": "bea46b9815154ac47baf16b64022d791a4471375",
"versionType": "git"
},
{
"lessThan": "97a48da1619ba6bd42a0e5da0a03aa490a9496b1",
"status": "affected",
"version": "bea46b9815154ac47baf16b64022d791a4471375",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/dwc3-qcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init\n\nof_icc_get() alloc resources for path handle, we should release it when not\nneed anymore. Like the release in dwc3_qcom_interconnect_exit() function.\nAdd icc_put() in error handling to fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:00.771Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9089b95548f0272e02a89989c511e235561d051"
},
{
"url": "https://git.kernel.org/stable/c/56f6de394f0f57928cd401255a5c7866b68a77e3"
},
{
"url": "https://git.kernel.org/stable/c/8c39c8d23ff9fb1beb6e16cf0ae929c764538625"
},
{
"url": "https://git.kernel.org/stable/c/2f3b51189f7a7be5d822fb8c537d778c57eb9821"
},
{
"url": "https://git.kernel.org/stable/c/97a48da1619ba6bd42a0e5da0a03aa490a9496b1"
}
],
"title": "usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50633",
"datePublished": "2025-12-09T00:00:00.771Z",
"dateReserved": "2025-12-08T23:57:43.369Z",
"dateUpdated": "2025-12-09T00:00:00.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40272 (GCVE-0-2025-40272)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2025-12-06 21:50
VLAI?
EPSS
Title
mm/secretmem: fix use-after-free race in fault handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/secretmem: fix use-after-free race in fault handler
When a page fault occurs in a secret memory file created with
`memfd_secret(2)`, the kernel will allocate a new folio for it, mark the
underlying page as not-present in the direct map, and add it to the file
mapping.
If two tasks cause a fault in the same page concurrently, both could end
up allocating a folio and removing the page from the direct map, but only
one would succeed in adding the folio to the file mapping. The task that
failed undoes the effects of its attempt by (a) freeing the folio again
and (b) putting the page back into the direct map. However, by doing
these two operations in this order, the page becomes available to the
allocator again before it is placed back in the direct mapping.
If another task attempts to allocate the page between (a) and (b), and the
kernel tries to access it via the direct map, it would result in a
supervisor not-present page fault.
Fix the ordering to restore the direct map before the folio is freed.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < bb1c19636aedae39360e6fdbcaef4f2bcff25785
(git)
Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 1e4643d6628edf9c0047b1f8f5bc574665025acb (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 42d486d35a4143cc37fc72ee66edc99d942dd367 (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649 (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 4444767e625da46009fc94a453fd1967b80ba047 (git) Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 6f86d0534fddfbd08687fa0f01479d4226bc3c3d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/secretmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb1c19636aedae39360e6fdbcaef4f2bcff25785",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "1e4643d6628edf9c0047b1f8f5bc574665025acb",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "42d486d35a4143cc37fc72ee66edc99d942dd367",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "4444767e625da46009fc94a453fd1967b80ba047",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
},
{
"lessThan": "6f86d0534fddfbd08687fa0f01479d4226bc3c3d",
"status": "affected",
"version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/secretmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix use-after-free race in fault handler\n\nWhen a page fault occurs in a secret memory file created with\n`memfd_secret(2)`, the kernel will allocate a new folio for it, mark the\nunderlying page as not-present in the direct map, and add it to the file\nmapping.\n\nIf two tasks cause a fault in the same page concurrently, both could end\nup allocating a folio and removing the page from the direct map, but only\none would succeed in adding the folio to the file mapping. The task that\nfailed undoes the effects of its attempt by (a) freeing the folio again\nand (b) putting the page back into the direct map. However, by doing\nthese two operations in this order, the page becomes available to the\nallocator again before it is placed back in the direct mapping.\n\nIf another task attempts to allocate the page between (a) and (b), and the\nkernel tries to access it via the direct map, it would result in a\nsupervisor not-present page fault.\n\nFix the ordering to restore the direct map before the folio is freed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:50:54.629Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb1c19636aedae39360e6fdbcaef4f2bcff25785"
},
{
"url": "https://git.kernel.org/stable/c/1e4643d6628edf9c0047b1f8f5bc574665025acb"
},
{
"url": "https://git.kernel.org/stable/c/42d486d35a4143cc37fc72ee66edc99d942dd367"
},
{
"url": "https://git.kernel.org/stable/c/52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649"
},
{
"url": "https://git.kernel.org/stable/c/4444767e625da46009fc94a453fd1967b80ba047"
},
{
"url": "https://git.kernel.org/stable/c/6f86d0534fddfbd08687fa0f01479d4226bc3c3d"
}
],
"title": "mm/secretmem: fix use-after-free race in fault handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40272",
"datePublished": "2025-12-06T21:50:54.629Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2025-12-06T21:50:54.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50885 (GCVE-0-2022-50885)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2025-12-30 12:34
VLAI?
EPSS
Title
RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
There is a null-ptr-deref when mount.cifs over rdma:
BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]
Read of size 8 at addr 0000000000000018 by task mount.cifs/3046
CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
kasan_report+0xad/0x130
rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]
execute_in_process_context+0x25/0x90
__rxe_cleanup+0x101/0x1d0 [rdma_rxe]
rxe_create_qp+0x16a/0x180 [rdma_rxe]
create_qp.part.0+0x27d/0x340
ib_create_qp_kernel+0x73/0x160
rdma_create_qp+0x100/0x230
_smbd_get_connection+0x752/0x20f0
smbd_get_connection+0x21/0x40
cifs_get_tcp_session+0x8ef/0xda0
mount_get_conns+0x60/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
The root cause of the issue is the socket create failed in
rxe_qp_init_req().
So move the reset rxe_qp_do_cleanup() after the NULL ptr check.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8700e3e7c4857d28ebaa824509934556da0b3e76 , < ee24de095569935eba600f7735e8e8ddea5b418e
(git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 7340ca9f782be6fbe3f64a134dc112772764f766 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < bd7106a6004f1077a365ca7f5a99c7a708e20714 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 6bb5a62bfd624039b05157745c234068508393a9 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < f64f08b9e6fb305a25dd75329e06ae342b9ce336 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 5b924632d84a60bc0c7fe6e9bbbce99d03908957 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 821f9a18210f6b9fd6792471714c799607b25db4 (git) Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < f67376d801499f4fa0838c18c1efcad8840e550d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee24de095569935eba600f7735e8e8ddea5b418e",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "7340ca9f782be6fbe3f64a134dc112772764f766",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "bd7106a6004f1077a365ca7f5a99c7a708e20714",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "6bb5a62bfd624039b05157745c234068508393a9",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "f64f08b9e6fb305a25dd75329e06ae342b9ce336",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "5b924632d84a60bc0c7fe6e9bbbce99d03908957",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "821f9a18210f6b9fd6792471714c799607b25db4",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
},
{
"lessThan": "f67376d801499f4fa0838c18c1efcad8840e550d",
"status": "affected",
"version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed\n\nThere is a null-ptr-deref when mount.cifs over rdma:\n\n BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]\n Read of size 8 at addr 0000000000000018 by task mount.cifs/3046\n\n CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x44\n kasan_report+0xad/0x130\n rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]\n execute_in_process_context+0x25/0x90\n __rxe_cleanup+0x101/0x1d0 [rdma_rxe]\n rxe_create_qp+0x16a/0x180 [rdma_rxe]\n create_qp.part.0+0x27d/0x340\n ib_create_qp_kernel+0x73/0x160\n rdma_create_qp+0x100/0x230\n _smbd_get_connection+0x752/0x20f0\n smbd_get_connection+0x21/0x40\n cifs_get_tcp_session+0x8ef/0xda0\n mount_get_conns+0x60/0x750\n cifs_mount+0x103/0xd00\n cifs_smb3_do_mount+0x1dd/0xcb0\n smb3_get_tree+0x1d5/0x300\n vfs_get_tree+0x41/0xf0\n path_mount+0x9b3/0xdd0\n __x64_sys_mount+0x190/0x1d0\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe root cause of the issue is the socket create failed in\nrxe_qp_init_req().\n\nSo move the reset rxe_qp_do_cleanup() after the NULL ptr check."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:34:12.093Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee24de095569935eba600f7735e8e8ddea5b418e"
},
{
"url": "https://git.kernel.org/stable/c/7340ca9f782be6fbe3f64a134dc112772764f766"
},
{
"url": "https://git.kernel.org/stable/c/bd7106a6004f1077a365ca7f5a99c7a708e20714"
},
{
"url": "https://git.kernel.org/stable/c/6bb5a62bfd624039b05157745c234068508393a9"
},
{
"url": "https://git.kernel.org/stable/c/f64f08b9e6fb305a25dd75329e06ae342b9ce336"
},
{
"url": "https://git.kernel.org/stable/c/5b924632d84a60bc0c7fe6e9bbbce99d03908957"
},
{
"url": "https://git.kernel.org/stable/c/821f9a18210f6b9fd6792471714c799607b25db4"
},
{
"url": "https://git.kernel.org/stable/c/f67376d801499f4fa0838c18c1efcad8840e550d"
}
],
"title": "RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50885",
"datePublished": "2025-12-30T12:34:12.093Z",
"dateReserved": "2025-12-30T12:26:05.425Z",
"dateUpdated": "2025-12-30T12:34:12.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50818 (GCVE-0-2022-50818)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
scsi: pm8001: Fix running_req for internal abort commands
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix running_req for internal abort commands
Disabling the remote phy for a SATA disk causes a hang:
root@(none)$ more /sys/class/sas_phy/phy-0:0:8/target_port_protocols
sata
root@(none)$ echo 0 > sys/class/sas_phy/phy-0:0:8/enable
root@(none)$ [ 67.855950] sas: ex 500e004aaaaaaa1f phy08 change count has changed
[ 67.920585] sd 0:0:2:0: [sdc] Synchronizing SCSI cache
[ 67.925780] sd 0:0:2:0: [sdc] Synchronize Cache(10) failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK
[ 67.935094] sd 0:0:2:0: [sdc] Stopping disk
[ 67.939305] sd 0:0:2:0: [sdc] Start/Stop Unit failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK
...
[ 123.998998] INFO: task kworker/u192:1:642 blocked for more than 30 seconds.
[ 124.005960] Not tainted 6.0.0-rc1-205202-gf26f8f761e83 #218
[ 124.012049] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 124.019872] task:kworker/u192:1 state:D stack:0 pid: 642 ppid: 2 flags:0x00000008
[ 124.028223] Workqueue: 0000:04:00.0_event_q sas_port_event_worker
[ 124.034319] Call trace:
[ 124.036758] __switch_to+0x128/0x278
[ 124.040333] __schedule+0x434/0xa58
[ 124.043820] schedule+0x94/0x138
[ 124.047045] schedule_timeout+0x2fc/0x368
[ 124.051052] wait_for_completion+0xdc/0x200
[ 124.055234] __flush_workqueue+0x1a8/0x708
[ 124.059328] sas_porte_broadcast_rcvd+0xa8/0xc0
[ 124.063858] sas_port_event_worker+0x60/0x98
[ 124.068126] process_one_work+0x3f8/0x660
[ 124.072134] worker_thread+0x70/0x700
[ 124.075793] kthread+0x1a4/0x1b8
[ 124.079014] ret_from_fork+0x10/0x20
The issue is that the per-device running_req read in
pm8001_dev_gone_notify() never goes to zero and we never make progress.
This is caused by missing accounting for running_req for when an internal
abort command completes.
In commit 2cbbf489778e ("scsi: pm8001: Use libsas internal abort support")
we started to send internal abort commands as a proper sas_task. In this
when we deliver a sas_task to HW the per-device running_req is incremented
in pm8001_queue_command(). However it is never decremented for internal
abort commnds, so decrement in pm8001_mpi_task_abort_resp().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2cbbf489778eb9dde51392ec5f74ae2868e4b857 , < 4e750e0d8e486569fcb7f4ba6f6471673ce7d8a2
(git)
Affected: 2cbbf489778eb9dde51392ec5f74ae2868e4b857 , < a62b9fc9775fbc8e666bb328f6e53c168054d6fe (git) Affected: 2cbbf489778eb9dde51392ec5f74ae2868e4b857 , < d8c22c4697c11ed28062afe3c2b377025be11a23 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_hwi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e750e0d8e486569fcb7f4ba6f6471673ce7d8a2",
"status": "affected",
"version": "2cbbf489778eb9dde51392ec5f74ae2868e4b857",
"versionType": "git"
},
{
"lessThan": "a62b9fc9775fbc8e666bb328f6e53c168054d6fe",
"status": "affected",
"version": "2cbbf489778eb9dde51392ec5f74ae2868e4b857",
"versionType": "git"
},
{
"lessThan": "d8c22c4697c11ed28062afe3c2b377025be11a23",
"status": "affected",
"version": "2cbbf489778eb9dde51392ec5f74ae2868e4b857",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/pm8001/pm8001_hwi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix running_req for internal abort commands\n\nDisabling the remote phy for a SATA disk causes a hang:\n\nroot@(none)$ more /sys/class/sas_phy/phy-0:0:8/target_port_protocols\nsata\nroot@(none)$ echo 0 \u003e sys/class/sas_phy/phy-0:0:8/enable\nroot@(none)$ [ 67.855950] sas: ex 500e004aaaaaaa1f phy08 change count has changed\n[ 67.920585] sd 0:0:2:0: [sdc] Synchronizing SCSI cache\n[ 67.925780] sd 0:0:2:0: [sdc] Synchronize Cache(10) failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK\n[ 67.935094] sd 0:0:2:0: [sdc] Stopping disk\n[ 67.939305] sd 0:0:2:0: [sdc] Start/Stop Unit failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK\n...\n[ 123.998998] INFO: task kworker/u192:1:642 blocked for more than 30 seconds.\n[ 124.005960] Not tainted 6.0.0-rc1-205202-gf26f8f761e83 #218\n[ 124.012049] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 124.019872] task:kworker/u192:1 state:D stack:0 pid: 642 ppid: 2 flags:0x00000008\n[ 124.028223] Workqueue: 0000:04:00.0_event_q sas_port_event_worker\n[ 124.034319] Call trace:\n[ 124.036758] __switch_to+0x128/0x278\n[ 124.040333] __schedule+0x434/0xa58\n[ 124.043820] schedule+0x94/0x138\n[ 124.047045] schedule_timeout+0x2fc/0x368\n[ 124.051052] wait_for_completion+0xdc/0x200\n[ 124.055234] __flush_workqueue+0x1a8/0x708\n[ 124.059328] sas_porte_broadcast_rcvd+0xa8/0xc0\n[ 124.063858] sas_port_event_worker+0x60/0x98\n[ 124.068126] process_one_work+0x3f8/0x660\n[ 124.072134] worker_thread+0x70/0x700\n[ 124.075793] kthread+0x1a4/0x1b8\n[ 124.079014] ret_from_fork+0x10/0x20\n\nThe issue is that the per-device running_req read in\npm8001_dev_gone_notify() never goes to zero and we never make progress.\nThis is caused by missing accounting for running_req for when an internal\nabort command completes.\n\nIn commit 2cbbf489778e (\"scsi: pm8001: Use libsas internal abort support\")\nwe started to send internal abort commands as a proper sas_task. In this\nwhen we deliver a sas_task to HW the per-device running_req is incremented\nin pm8001_queue_command(). However it is never decremented for internal\nabort commnds, so decrement in pm8001_mpi_task_abort_resp()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:33.548Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e750e0d8e486569fcb7f4ba6f6471673ce7d8a2"
},
{
"url": "https://git.kernel.org/stable/c/a62b9fc9775fbc8e666bb328f6e53c168054d6fe"
},
{
"url": "https://git.kernel.org/stable/c/d8c22c4697c11ed28062afe3c2b377025be11a23"
}
],
"title": "scsi: pm8001: Fix running_req for internal abort commands",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50818",
"datePublished": "2025-12-30T12:08:33.548Z",
"dateReserved": "2025-12-30T12:06:07.131Z",
"dateUpdated": "2025-12-30T12:08:33.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53254 (GCVE-0-2023-53254)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:46 – Updated: 2026-01-14 18:02
VLAI?
EPSS
Title
cacheinfo: Fix shared_cpu_map to handle shared caches at different levels
Summary
In the Linux kernel, the following vulnerability has been resolved:
cacheinfo: Fix shared_cpu_map to handle shared caches at different levels
The cacheinfo sets up the shared_cpu_map by checking whether the caches
with the same index are shared between CPUs. However, this will trigger
slab-out-of-bounds access if the CPUs do not have the same cache hierarchy.
Another problem is the mismatched shared_cpu_map when the shared cache does
not have the same index between CPUs.
CPU0 I D L3
index 0 1 2 x
^ ^ ^ ^
index 0 1 2 3
CPU1 I D L2 L3
This patch checks each cache is shared with all caches on other CPUs.
Severity ?
7.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
246246cbde5e840012f853e27630ebb59f409486 , < 2f588d0345d69a35e451077afed428fd057a5e34
(git)
Affected: 246246cbde5e840012f853e27630ebb59f409486 , < dea49f2993f57d8a2df2cacb0bf649ef49b28879 (git) Affected: 246246cbde5e840012f853e27630ebb59f409486 , < 198102c9103fc78d8478495971947af77edb05c1 (git) |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:01:14.729698Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:02:52.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/cacheinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f588d0345d69a35e451077afed428fd057a5e34",
"status": "affected",
"version": "246246cbde5e840012f853e27630ebb59f409486",
"versionType": "git"
},
{
"lessThan": "dea49f2993f57d8a2df2cacb0bf649ef49b28879",
"status": "affected",
"version": "246246cbde5e840012f853e27630ebb59f409486",
"versionType": "git"
},
{
"lessThan": "198102c9103fc78d8478495971947af77edb05c1",
"status": "affected",
"version": "246246cbde5e840012f853e27630ebb59f409486",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/cacheinfo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncacheinfo: Fix shared_cpu_map to handle shared caches at different levels\n\nThe cacheinfo sets up the shared_cpu_map by checking whether the caches\nwith the same index are shared between CPUs. However, this will trigger\nslab-out-of-bounds access if the CPUs do not have the same cache hierarchy.\nAnother problem is the mismatched shared_cpu_map when the shared cache does\nnot have the same index between CPUs.\n\nCPU0\tI\tD\tL3\nindex\t0\t1\t2\tx\n\t^\t^\t^\t^\nindex\t0\t1\t2\t3\nCPU1\tI\tD\tL2\tL3\n\nThis patch checks each cache is shared with all caches on other CPUs."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:18:59.952Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f588d0345d69a35e451077afed428fd057a5e34"
},
{
"url": "https://git.kernel.org/stable/c/dea49f2993f57d8a2df2cacb0bf649ef49b28879"
},
{
"url": "https://git.kernel.org/stable/c/198102c9103fc78d8478495971947af77edb05c1"
}
],
"title": "cacheinfo: Fix shared_cpu_map to handle shared caches at different levels",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53254",
"datePublished": "2025-09-15T14:46:24.670Z",
"dateReserved": "2025-09-15T14:19:21.849Z",
"dateUpdated": "2026-01-14T18:02:52.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40252 (GCVE-0-2025-40252)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()
The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate
over 'cqe->len_list[]' using only a zero-length terminator as
the stopping condition. If the terminator was missing or
malformed, the loop could run past the end of the fixed-size array.
Add an explicit bound check using ARRAY_SIZE() in both loops to prevent
a potential out-of-bounds access.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
55482edc25f0606851de42e73618f813f310d009 , < ecbb12caf399d7cf364b7553ed5aebeaa2f255bc
(git)
Affected: 55482edc25f0606851de42e73618f813f310d009 , < a778912b4a53587ea07d85526d152f85d109cbfe (git) Affected: 55482edc25f0606851de42e73618f813f310d009 , < f0923011c1261b33a2ac1de349256d39cb750dd0 (git) Affected: 55482edc25f0606851de42e73618f813f310d009 , < 917a9d02182ac8b4f25eb47dc02f3ec679608c24 (git) Affected: 55482edc25f0606851de42e73618f813f310d009 , < e441db07f208184e0466abf44b389a81d70c340e (git) Affected: 55482edc25f0606851de42e73618f813f310d009 , < 896f1a2493b59beb2b5ccdf990503dbb16cb2256 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qede/qede_fp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ecbb12caf399d7cf364b7553ed5aebeaa2f255bc",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "a778912b4a53587ea07d85526d152f85d109cbfe",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "f0923011c1261b33a2ac1de349256d39cb750dd0",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "917a9d02182ac8b4f25eb47dc02f3ec679608c24",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "e441db07f208184e0466abf44b389a81d70c340e",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
},
{
"lessThan": "896f1a2493b59beb2b5ccdf990503dbb16cb2256",
"status": "affected",
"version": "55482edc25f0606851de42e73618f813f310d009",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/qlogic/qede/qede_fp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()\n\nThe loops in \u0027qede_tpa_cont()\u0027 and \u0027qede_tpa_end()\u0027, iterate\nover \u0027cqe-\u003elen_list[]\u0027 using only a zero-length terminator as\nthe stopping condition. If the terminator was missing or\nmalformed, the loop could run past the end of the fixed-size array.\n\nAdd an explicit bound check using ARRAY_SIZE() in both loops to prevent\na potential out-of-bounds access.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:48.403Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ecbb12caf399d7cf364b7553ed5aebeaa2f255bc"
},
{
"url": "https://git.kernel.org/stable/c/a778912b4a53587ea07d85526d152f85d109cbfe"
},
{
"url": "https://git.kernel.org/stable/c/f0923011c1261b33a2ac1de349256d39cb750dd0"
},
{
"url": "https://git.kernel.org/stable/c/917a9d02182ac8b4f25eb47dc02f3ec679608c24"
},
{
"url": "https://git.kernel.org/stable/c/e441db07f208184e0466abf44b389a81d70c340e"
},
{
"url": "https://git.kernel.org/stable/c/896f1a2493b59beb2b5ccdf990503dbb16cb2256"
}
],
"title": "net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40252",
"datePublished": "2025-12-04T16:08:14.393Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-06T21:38:48.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53454 (GCVE-0-2023-53454)
Vulnerability from cvelistv5 – Published: 2025-10-01 11:42 – Updated: 2025-10-01 11:42
VLAI?
EPSS
Title
HID: multitouch: Correct devm device reference for hidinput input_dev name
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: Correct devm device reference for hidinput input_dev name
Reference the HID device rather than the input device for the devm
allocation of the input_dev name. Referencing the input_dev would lead to a
use-after-free when the input_dev was unregistered and subsequently fires a
uevent that depends on the name. At the point of firing the uevent, the
name would be freed by devres management.
Use devm_kasprintf to simplify the logic for allocating memory and
formatting the input_dev name string.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c08d46aa805ba46d501f610c2448d07bea979780 , < ac0d389402a6ff9ad92cea02c2d8c711483b91ab
(git)
Affected: c08d46aa805ba46d501f610c2448d07bea979780 , < 39c70c19456e50dcb3abfe53539220dff0490f1d (git) Affected: c08d46aa805ba46d501f610c2448d07bea979780 , < df7ca43fe090e1a56c216c8ebc106ef5fd49afc6 (git) Affected: c08d46aa805ba46d501f610c2448d07bea979780 , < 15ec7cb55e7d88755aa01d44a7a1015a42bfce86 (git) Affected: c08d46aa805ba46d501f610c2448d07bea979780 , < dde88ab4e45beb60b217026207aa9c14c88d71ab (git) Affected: c08d46aa805ba46d501f610c2448d07bea979780 , < 2763732ec1e68910719c75b6b896e11b6d3d622b (git) Affected: c08d46aa805ba46d501f610c2448d07bea979780 , < 1d7833db9fd118415dace2ca157bfa603dec9c8c (git) Affected: c08d46aa805ba46d501f610c2448d07bea979780 , < b70ac7849248ec8128fa12f86e3655ba38838f29 (git) Affected: c08d46aa805ba46d501f610c2448d07bea979780 , < 4794394635293a3e74591351fff469cea7ad15a2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac0d389402a6ff9ad92cea02c2d8c711483b91ab",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "39c70c19456e50dcb3abfe53539220dff0490f1d",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "df7ca43fe090e1a56c216c8ebc106ef5fd49afc6",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "15ec7cb55e7d88755aa01d44a7a1015a42bfce86",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "dde88ab4e45beb60b217026207aa9c14c88d71ab",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "2763732ec1e68910719c75b6b896e11b6d3d622b",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "1d7833db9fd118415dace2ca157bfa603dec9c8c",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "b70ac7849248ec8128fa12f86e3655ba38838f29",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
},
{
"lessThan": "4794394635293a3e74591351fff469cea7ad15a2",
"status": "affected",
"version": "c08d46aa805ba46d501f610c2448d07bea979780",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-multitouch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: Correct devm device reference for hidinput input_dev name\n\nReference the HID device rather than the input device for the devm\nallocation of the input_dev name. Referencing the input_dev would lead to a\nuse-after-free when the input_dev was unregistered and subsequently fires a\nuevent that depends on the name. At the point of firing the uevent, the\nname would be freed by devres management.\n\nUse devm_kasprintf to simplify the logic for allocating memory and\nformatting the input_dev name string."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T11:42:25.760Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac0d389402a6ff9ad92cea02c2d8c711483b91ab"
},
{
"url": "https://git.kernel.org/stable/c/39c70c19456e50dcb3abfe53539220dff0490f1d"
},
{
"url": "https://git.kernel.org/stable/c/df7ca43fe090e1a56c216c8ebc106ef5fd49afc6"
},
{
"url": "https://git.kernel.org/stable/c/15ec7cb55e7d88755aa01d44a7a1015a42bfce86"
},
{
"url": "https://git.kernel.org/stable/c/dde88ab4e45beb60b217026207aa9c14c88d71ab"
},
{
"url": "https://git.kernel.org/stable/c/2763732ec1e68910719c75b6b896e11b6d3d622b"
},
{
"url": "https://git.kernel.org/stable/c/1d7833db9fd118415dace2ca157bfa603dec9c8c"
},
{
"url": "https://git.kernel.org/stable/c/b70ac7849248ec8128fa12f86e3655ba38838f29"
},
{
"url": "https://git.kernel.org/stable/c/4794394635293a3e74591351fff469cea7ad15a2"
}
],
"title": "HID: multitouch: Correct devm device reference for hidinput input_dev name",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53454",
"datePublished": "2025-10-01T11:42:25.760Z",
"dateReserved": "2025-09-17T14:54:09.754Z",
"dateUpdated": "2025-10-01T11:42:25.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-54134 (GCVE-0-2023-54134)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
autofs: fix memory leak of waitqueues in autofs_catatonic_mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
autofs: fix memory leak of waitqueues in autofs_catatonic_mode
Syzkaller reports a memory leak:
BUG: memory leak
unreferenced object 0xffff88810b279e00 (size 96):
comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'.....
08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'.............
backtrace:
[<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046
[<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline]
[<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378
[<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593
[<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619
[<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897
[<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910
[<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline]
[<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline]
[<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline]
[<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856
[<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
autofs_wait_queue structs should be freed if their wait_ctr becomes zero.
Otherwise they will be lost.
In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new
waitqueue struct is allocated in autofs_wait(), its initial wait_ctr
equals 2. After that wait_event_killable() is interrupted (it returns
-ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not
satisfied. Actually, this condition can be satisfied when
autofs_wait_release() or autofs_catatonic_mode() is called and, what is
also important, wait_ctr is decremented in those places. Upon the exit of
autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process
begins: kill_sb calls autofs_catatonic_mode(), which should have freed the
waitqueues, but it only decrements its usage counter to zero which is not
a correct behaviour.
edit:imk
This description is of course not correct. The umount performed as a result
of an expire is a umount of a mount that has been automounted, it's not the
autofs mount itself. They happen independently, usually after everything
mounted within the autofs file system has been expired away. If everything
hasn't been expired away the automount daemon can still exit leaving mounts
in place. But expires done in both cases will result in a notification that
calls autofs_wait_release() with a result status. The problem case is the
summary execution of of the automount daemon. In this case any waiting
processes won't be woken up until either they are terminated or the mount
is umounted.
end edit: imk
So in catatonic mode we should free waitqueues which counter becomes zero.
edit: imk
Initially I was concerned that the calling of autofs_wait_release() and
autofs_catatonic_mode() was not mutually exclusive but that can't be the
case (obviously) because the queue entry (or entries) is removed from the
list when either of these two functions are called. Consequently the wait
entry will be freed by only one of these functions or by the woken process
in autofs_wait() depending on the order of the calls.
end edit: imk
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
296f7bf78bc5c7a4d772aea580ce800d14040d1a , < 1985e8eae8627f02e3364690c5fed7af1c46be55
(git)
Affected: 296f7bf78bc5c7a4d772aea580ce800d14040d1a , < 976abbdc120a97049b9133e60fa7b29627d11de4 (git) Affected: 296f7bf78bc5c7a4d772aea580ce800d14040d1a , < 6079dc77c6f32936e8a6766ee8334ae3c99f4504 (git) Affected: 296f7bf78bc5c7a4d772aea580ce800d14040d1a , < 69ddafc7a7afd8401bab53eff5af813fa0d368a2 (git) Affected: 296f7bf78bc5c7a4d772aea580ce800d14040d1a , < 71eeddcad7342292c19042c290c477697acaccab (git) Affected: 296f7bf78bc5c7a4d772aea580ce800d14040d1a , < 726deae613bc1b6096ad3b61cc1e63e33330fbc2 (git) Affected: 296f7bf78bc5c7a4d772aea580ce800d14040d1a , < 696b625f3f85d80fca48c24d2948fbc451e74366 (git) Affected: 296f7bf78bc5c7a4d772aea580ce800d14040d1a , < ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/autofs/waitq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1985e8eae8627f02e3364690c5fed7af1c46be55",
"status": "affected",
"version": "296f7bf78bc5c7a4d772aea580ce800d14040d1a",
"versionType": "git"
},
{
"lessThan": "976abbdc120a97049b9133e60fa7b29627d11de4",
"status": "affected",
"version": "296f7bf78bc5c7a4d772aea580ce800d14040d1a",
"versionType": "git"
},
{
"lessThan": "6079dc77c6f32936e8a6766ee8334ae3c99f4504",
"status": "affected",
"version": "296f7bf78bc5c7a4d772aea580ce800d14040d1a",
"versionType": "git"
},
{
"lessThan": "69ddafc7a7afd8401bab53eff5af813fa0d368a2",
"status": "affected",
"version": "296f7bf78bc5c7a4d772aea580ce800d14040d1a",
"versionType": "git"
},
{
"lessThan": "71eeddcad7342292c19042c290c477697acaccab",
"status": "affected",
"version": "296f7bf78bc5c7a4d772aea580ce800d14040d1a",
"versionType": "git"
},
{
"lessThan": "726deae613bc1b6096ad3b61cc1e63e33330fbc2",
"status": "affected",
"version": "296f7bf78bc5c7a4d772aea580ce800d14040d1a",
"versionType": "git"
},
{
"lessThan": "696b625f3f85d80fca48c24d2948fbc451e74366",
"status": "affected",
"version": "296f7bf78bc5c7a4d772aea580ce800d14040d1a",
"versionType": "git"
},
{
"lessThan": "ccbe77f7e45dfb4420f7f531b650c00c6e9c7507",
"status": "affected",
"version": "296f7bf78bc5c7a4d772aea580ce800d14040d1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/autofs/waitq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nautofs: fix memory leak of waitqueues in autofs_catatonic_mode\n\nSyzkaller reports a memory leak:\n\nBUG: memory leak\nunreferenced object 0xffff88810b279e00 (size 96):\n comm \"syz-executor399\", pid 3631, jiffies 4294964921 (age 23.870s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........\u0027.....\n 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..\u0027.............\n backtrace:\n [\u003cffffffff814cfc90\u003e] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046\n [\u003cffffffff81bb75ca\u003e] kmalloc include/linux/slab.h:576 [inline]\n [\u003cffffffff81bb75ca\u003e] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378\n [\u003cffffffff81bb88a7\u003e] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593\n [\u003cffffffff81bb8c33\u003e] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619\n [\u003cffffffff81bb6972\u003e] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897\n [\u003cffffffff81bb6a95\u003e] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910\n [\u003cffffffff81602a9c\u003e] vfs_ioctl fs/ioctl.c:51 [inline]\n [\u003cffffffff81602a9c\u003e] __do_sys_ioctl fs/ioctl.c:870 [inline]\n [\u003cffffffff81602a9c\u003e] __se_sys_ioctl fs/ioctl.c:856 [inline]\n [\u003cffffffff81602a9c\u003e] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856\n [\u003cffffffff84608225\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [\u003cffffffff84608225\u003e] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n [\u003cffffffff84800087\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nautofs_wait_queue structs should be freed if their wait_ctr becomes zero.\nOtherwise they will be lost.\n\nIn this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new\nwaitqueue struct is allocated in autofs_wait(), its initial wait_ctr\nequals 2. After that wait_event_killable() is interrupted (it returns\n-ERESTARTSYS), so that \u0027wq-\u003ename.name == NULL\u0027 condition may be not\nsatisfied. Actually, this condition can be satisfied when\nautofs_wait_release() or autofs_catatonic_mode() is called and, what is\nalso important, wait_ctr is decremented in those places. Upon the exit of\nautofs_wait(), wait_ctr is decremented to 1. Then the unmounting process\nbegins: kill_sb calls autofs_catatonic_mode(), which should have freed the\nwaitqueues, but it only decrements its usage counter to zero which is not\na correct behaviour.\n\nedit:imk\nThis description is of course not correct. The umount performed as a result\nof an expire is a umount of a mount that has been automounted, it\u0027s not the\nautofs mount itself. They happen independently, usually after everything\nmounted within the autofs file system has been expired away. If everything\nhasn\u0027t been expired away the automount daemon can still exit leaving mounts\nin place. But expires done in both cases will result in a notification that\ncalls autofs_wait_release() with a result status. The problem case is the\nsummary execution of of the automount daemon. In this case any waiting\nprocesses won\u0027t be woken up until either they are terminated or the mount\nis umounted.\nend edit: imk\n\nSo in catatonic mode we should free waitqueues which counter becomes zero.\n\nedit: imk\nInitially I was concerned that the calling of autofs_wait_release() and\nautofs_catatonic_mode() was not mutually exclusive but that can\u0027t be the\ncase (obviously) because the queue entry (or entries) is removed from the\nlist when either of these two functions are called. Consequently the wait\nentry will be freed by only one of these functions or by the woken process\nin autofs_wait() depending on the order of the calls.\nend edit: imk"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:59.041Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1985e8eae8627f02e3364690c5fed7af1c46be55"
},
{
"url": "https://git.kernel.org/stable/c/976abbdc120a97049b9133e60fa7b29627d11de4"
},
{
"url": "https://git.kernel.org/stable/c/6079dc77c6f32936e8a6766ee8334ae3c99f4504"
},
{
"url": "https://git.kernel.org/stable/c/69ddafc7a7afd8401bab53eff5af813fa0d368a2"
},
{
"url": "https://git.kernel.org/stable/c/71eeddcad7342292c19042c290c477697acaccab"
},
{
"url": "https://git.kernel.org/stable/c/726deae613bc1b6096ad3b61cc1e63e33330fbc2"
},
{
"url": "https://git.kernel.org/stable/c/696b625f3f85d80fca48c24d2948fbc451e74366"
},
{
"url": "https://git.kernel.org/stable/c/ccbe77f7e45dfb4420f7f531b650c00c6e9c7507"
}
],
"title": "autofs: fix memory leak of waitqueues in autofs_catatonic_mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54134",
"datePublished": "2025-12-24T13:06:50.627Z",
"dateReserved": "2025-12-24T13:02:52.522Z",
"dateUpdated": "2026-01-05T10:33:59.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56590 (GCVE-0-2024-56590)
Vulnerability from cvelistv5 – Published: 2024-12-27 14:50 – Updated: 2026-01-05 10:55
VLAI?
EPSS
Title
Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet
This fixes not checking if skb really contains an ACL header otherwise
the code may attempt to access some uninitilized/invalid memory past the
valid skb->data.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 219960a48771b35a3857a491b955c31d6c33d581
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 559b1c7ac2e212a23b3833d3baf3bd957771d02e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5e50d12cc6e95e1fde08f5db6992b616f714b0fb (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 93a6160dc198ffe5786da8bd8588cfd17f53b29a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3fe288a8214e7dd784d1f9b7c9e448244d316b47 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:50:14.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "219960a48771b35a3857a491b955c31d6c33d581",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "559b1c7ac2e212a23b3833d3baf3bd957771d02e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5e50d12cc6e95e1fde08f5db6992b616f714b0fb",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "93a6160dc198ffe5786da8bd8588cfd17f53b29a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3fe288a8214e7dd784d1f9b7c9e448244d316b47",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.174",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.13",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.174",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.120",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.66",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix not checking skb length on hci_acldata_packet\n\nThis fixes not checking if skb really contains an ACL header otherwise\nthe code may attempt to access some uninitilized/invalid memory past the\nvalid skb-\u003edata."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:55:53.485Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/219960a48771b35a3857a491b955c31d6c33d581"
},
{
"url": "https://git.kernel.org/stable/c/559b1c7ac2e212a23b3833d3baf3bd957771d02e"
},
{
"url": "https://git.kernel.org/stable/c/5e50d12cc6e95e1fde08f5db6992b616f714b0fb"
},
{
"url": "https://git.kernel.org/stable/c/93a6160dc198ffe5786da8bd8588cfd17f53b29a"
},
{
"url": "https://git.kernel.org/stable/c/3fe288a8214e7dd784d1f9b7c9e448244d316b47"
}
],
"title": "Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-56590",
"datePublished": "2024-12-27T14:50:57.854Z",
"dateReserved": "2024-12-27T14:03:06.002Z",
"dateUpdated": "2026-01-05T10:55:53.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68238 (GCVE-0-2025-68238)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2025-12-16 14:08
VLAI?
EPSS
Title
mtd: rawnand: cadence: fix DMA device NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: cadence: fix DMA device NULL pointer dereference
The DMA device pointer `dma_dev` was being dereferenced before ensuring
that `cdns_ctrl->dmac` is properly initialized.
Move the assignment of `dma_dev` after successfully acquiring the DMA
channel to ensure the pointer is valid before use.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0cae7c285f4771a9927ef592899234d307aea5d4 , < 2178b0255eae108bb10e5e99658b28641bc06f43
(git)
Affected: 099a316518508be7c57de4134ef919b2dea948ce , < 9c58c64ec41290c12490ca7e1df45013fbbb41fd (git) Affected: e630d32162a8aab92d4aaebae0a8d93039257593 , < e282a4fdf3c6ee842a720010a8b5f7d77bedd126 (git) Affected: ad9393467fbd788ac2b8a01e492e45ab1b68a1b1 , < b146e0b085d9d6bfe838e0a15481cba7d093c67f (git) Affected: 0ce5416863965ddd86e066484a306867cf1e01a8 , < 0c635241a62f2f5da1b48bfffae226d1f86a76ef (git) Affected: d76d22b5096c5b05208fd982b153b3f182350b19 , < 0c2a43cb43786011b48eeab6093db14888258c6b (git) Affected: d76d22b5096c5b05208fd982b153b3f182350b19 , < 5c56bf214af85ca042bf97f8584aab2151035840 (git) Affected: a33c7492dcdf804b705b6c21018a481414d48038 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/cadence-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2178b0255eae108bb10e5e99658b28641bc06f43",
"status": "affected",
"version": "0cae7c285f4771a9927ef592899234d307aea5d4",
"versionType": "git"
},
{
"lessThan": "9c58c64ec41290c12490ca7e1df45013fbbb41fd",
"status": "affected",
"version": "099a316518508be7c57de4134ef919b2dea948ce",
"versionType": "git"
},
{
"lessThan": "e282a4fdf3c6ee842a720010a8b5f7d77bedd126",
"status": "affected",
"version": "e630d32162a8aab92d4aaebae0a8d93039257593",
"versionType": "git"
},
{
"lessThan": "b146e0b085d9d6bfe838e0a15481cba7d093c67f",
"status": "affected",
"version": "ad9393467fbd788ac2b8a01e492e45ab1b68a1b1",
"versionType": "git"
},
{
"lessThan": "0c635241a62f2f5da1b48bfffae226d1f86a76ef",
"status": "affected",
"version": "0ce5416863965ddd86e066484a306867cf1e01a8",
"versionType": "git"
},
{
"lessThan": "0c2a43cb43786011b48eeab6093db14888258c6b",
"status": "affected",
"version": "d76d22b5096c5b05208fd982b153b3f182350b19",
"versionType": "git"
},
{
"lessThan": "5c56bf214af85ca042bf97f8584aab2151035840",
"status": "affected",
"version": "d76d22b5096c5b05208fd982b153b3f182350b19",
"versionType": "git"
},
{
"status": "affected",
"version": "a33c7492dcdf804b705b6c21018a481414d48038",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/cadence-nand-controller.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.6.80",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.12.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: cadence: fix DMA device NULL pointer dereference\n\nThe DMA device pointer `dma_dev` was being dereferenced before ensuring\nthat `cdns_ctrl-\u003edmac` is properly initialized.\n\nMove the assignment of `dma_dev` after successfully acquiring the DMA\nchannel to ensure the pointer is valid before use."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:08:31.672Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2178b0255eae108bb10e5e99658b28641bc06f43"
},
{
"url": "https://git.kernel.org/stable/c/9c58c64ec41290c12490ca7e1df45013fbbb41fd"
},
{
"url": "https://git.kernel.org/stable/c/e282a4fdf3c6ee842a720010a8b5f7d77bedd126"
},
{
"url": "https://git.kernel.org/stable/c/b146e0b085d9d6bfe838e0a15481cba7d093c67f"
},
{
"url": "https://git.kernel.org/stable/c/0c635241a62f2f5da1b48bfffae226d1f86a76ef"
},
{
"url": "https://git.kernel.org/stable/c/0c2a43cb43786011b48eeab6093db14888258c6b"
},
{
"url": "https://git.kernel.org/stable/c/5c56bf214af85ca042bf97f8584aab2151035840"
}
],
"title": "mtd: rawnand: cadence: fix DMA device NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68238",
"datePublished": "2025-12-16T14:08:31.672Z",
"dateReserved": "2025-12-16T13:41:40.263Z",
"dateUpdated": "2025-12-16T14:08:31.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53866 (GCVE-0-2023-53866)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
ASoC: soc-compress: Reposition and add pcm_mutex
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: soc-compress: Reposition and add pcm_mutex
If panic_on_warn is set and compress stream(DPCM) is started,
then kernel panic occurred because card->pcm_mutex isn't held appropriately.
In the following functions, warning were issued at this line
"snd_soc_dpcm_mutex_assert_held".
static int dpcm_be_connect(struct snd_soc_pcm_runtime *fe,
struct snd_soc_pcm_runtime *be, int stream)
{
...
snd_soc_dpcm_mutex_assert_held(fe);
...
}
void dpcm_be_disconnect(struct snd_soc_pcm_runtime *fe, int stream)
{
...
snd_soc_dpcm_mutex_assert_held(fe);
...
}
void snd_soc_runtime_action(struct snd_soc_pcm_runtime *rtd,
int stream, int action)
{
...
snd_soc_dpcm_mutex_assert_held(rtd);
...
}
int dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir,
int event)
{
...
snd_soc_dpcm_mutex_assert_held(fe);
...
}
These functions are called by soc_compr_set_params_fe, soc_compr_open_fe
and soc_compr_free_fe
without pcm_mutex locking. And this is call stack.
[ 414.527841][ T2179] pc : dpcm_process_paths+0x5a4/0x750
[ 414.527848][ T2179] lr : dpcm_process_paths+0x37c/0x750
[ 414.527945][ T2179] Call trace:
[ 414.527949][ T2179] dpcm_process_paths+0x5a4/0x750
[ 414.527955][ T2179] soc_compr_open_fe+0xb0/0x2cc
[ 414.527972][ T2179] snd_compr_open+0x180/0x248
[ 414.527981][ T2179] snd_open+0x15c/0x194
[ 414.528003][ T2179] chrdev_open+0x1b0/0x220
[ 414.528023][ T2179] do_dentry_open+0x30c/0x594
[ 414.528045][ T2179] vfs_open+0x34/0x44
[ 414.528053][ T2179] path_openat+0x914/0xb08
[ 414.528062][ T2179] do_filp_open+0xc0/0x170
[ 414.528068][ T2179] do_sys_openat2+0x94/0x18c
[ 414.528076][ T2179] __arm64_sys_openat+0x78/0xa4
[ 414.528084][ T2179] invoke_syscall+0x48/0x10c
[ 414.528094][ T2179] el0_svc_common+0xbc/0x104
[ 414.528099][ T2179] do_el0_svc+0x34/0xd8
[ 414.528103][ T2179] el0_svc+0x34/0xc4
[ 414.528125][ T2179] el0t_64_sync_handler+0x8c/0xfc
[ 414.528133][ T2179] el0t_64_sync+0x1a0/0x1a4
[ 414.528142][ T2179] Kernel panic - not syncing: panic_on_warn set ...
So, I reposition and add pcm_mutex to resolve lockdep error.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b7898396f4bbe160f546d0c5e9fa17cca9a7d153 , < 9a9942cbdb7c3f41452f7bc4a9ff9f0b45eb3651
(git)
Affected: b7898396f4bbe160f546d0c5e9fa17cca9a7d153 , < 37a3eb6054d17676ce2a0bb5dd1fbf7733ecfa7d (git) Affected: b7898396f4bbe160f546d0c5e9fa17cca9a7d153 , < aa9ff6a4955fdba02b54fbc4386db876603703b7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-compress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a9942cbdb7c3f41452f7bc4a9ff9f0b45eb3651",
"status": "affected",
"version": "b7898396f4bbe160f546d0c5e9fa17cca9a7d153",
"versionType": "git"
},
{
"lessThan": "37a3eb6054d17676ce2a0bb5dd1fbf7733ecfa7d",
"status": "affected",
"version": "b7898396f4bbe160f546d0c5e9fa17cca9a7d153",
"versionType": "git"
},
{
"lessThan": "aa9ff6a4955fdba02b54fbc4386db876603703b7",
"status": "affected",
"version": "b7898396f4bbe160f546d0c5e9fa17cca9a7d153",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-compress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-compress: Reposition and add pcm_mutex\n\nIf panic_on_warn is set and compress stream(DPCM) is started,\nthen kernel panic occurred because card-\u003epcm_mutex isn\u0027t held appropriately.\nIn the following functions, warning were issued at this line\n\"snd_soc_dpcm_mutex_assert_held\".\n\nstatic int dpcm_be_connect(struct snd_soc_pcm_runtime *fe,\n\t\tstruct snd_soc_pcm_runtime *be, int stream)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nvoid dpcm_be_disconnect(struct snd_soc_pcm_runtime *fe, int stream)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nvoid snd_soc_runtime_action(struct snd_soc_pcm_runtime *rtd,\n\t\t\t int stream, int action)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(rtd);\n\t...\n}\n\nint dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir,\n\tint event)\n{\n\t...\n\tsnd_soc_dpcm_mutex_assert_held(fe);\n\t...\n}\n\nThese functions are called by soc_compr_set_params_fe, soc_compr_open_fe\nand soc_compr_free_fe\nwithout pcm_mutex locking. And this is call stack.\n\n[ 414.527841][ T2179] pc : dpcm_process_paths+0x5a4/0x750\n[ 414.527848][ T2179] lr : dpcm_process_paths+0x37c/0x750\n[ 414.527945][ T2179] Call trace:\n[ 414.527949][ T2179] dpcm_process_paths+0x5a4/0x750\n[ 414.527955][ T2179] soc_compr_open_fe+0xb0/0x2cc\n[ 414.527972][ T2179] snd_compr_open+0x180/0x248\n[ 414.527981][ T2179] snd_open+0x15c/0x194\n[ 414.528003][ T2179] chrdev_open+0x1b0/0x220\n[ 414.528023][ T2179] do_dentry_open+0x30c/0x594\n[ 414.528045][ T2179] vfs_open+0x34/0x44\n[ 414.528053][ T2179] path_openat+0x914/0xb08\n[ 414.528062][ T2179] do_filp_open+0xc0/0x170\n[ 414.528068][ T2179] do_sys_openat2+0x94/0x18c\n[ 414.528076][ T2179] __arm64_sys_openat+0x78/0xa4\n[ 414.528084][ T2179] invoke_syscall+0x48/0x10c\n[ 414.528094][ T2179] el0_svc_common+0xbc/0x104\n[ 414.528099][ T2179] do_el0_svc+0x34/0xd8\n[ 414.528103][ T2179] el0_svc+0x34/0xc4\n[ 414.528125][ T2179] el0t_64_sync_handler+0x8c/0xfc\n[ 414.528133][ T2179] el0t_64_sync+0x1a0/0x1a4\n[ 414.528142][ T2179] Kernel panic - not syncing: panic_on_warn set ...\n\nSo, I reposition and add pcm_mutex to resolve lockdep error."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:13.160Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a9942cbdb7c3f41452f7bc4a9ff9f0b45eb3651"
},
{
"url": "https://git.kernel.org/stable/c/37a3eb6054d17676ce2a0bb5dd1fbf7733ecfa7d"
},
{
"url": "https://git.kernel.org/stable/c/aa9ff6a4955fdba02b54fbc4386db876603703b7"
}
],
"title": "ASoC: soc-compress: Reposition and add pcm_mutex",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53866",
"datePublished": "2025-12-09T01:30:35.817Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2026-01-05T10:33:13.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54291 (GCVE-0-2023-54291)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
vduse: fix NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
vduse: fix NULL pointer dereference
vduse_vdpa_set_vq_affinity callback can be called
with NULL value as cpu_mask when deleting the vduse
device.
This patch resets virtqueue's IRQ affinity mask value
to set all CPUs instead of dereferencing NULL cpu_mask.
[ 4760.952149] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 4760.959110] #PF: supervisor read access in kernel mode
[ 4760.964247] #PF: error_code(0x0000) - not-present page
[ 4760.969385] PGD 0 P4D 0
[ 4760.971927] Oops: 0000 [#1] PREEMPT SMP PTI
[ 4760.976112] CPU: 13 PID: 2346 Comm: vdpa Not tainted 6.4.0-rc6+ #4
[ 4760.982291] Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.8.1 06/26/2020
[ 4760.989769] RIP: 0010:memcpy_orig+0xc5/0x130
[ 4760.994049] Code: 16 f8 4c 89 07 4c 89 4f 08 4c 89 54 17 f0 4c 89 5c 17 f8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 fa 08 72 1b <4c> 8b 06 4c 8b 4c 16 f8 4c 89 07 4c 89 4c 17 f8 c3 cc cc cc cc 66
[ 4761.012793] RSP: 0018:ffffb1d565abb830 EFLAGS: 00010246
[ 4761.018020] RAX: ffff9f4bf6b27898 RBX: ffff9f4be23969c0 RCX: ffff9f4bcadf6400
[ 4761.025152] RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffff9f4bf6b27898
[ 4761.032286] RBP: 0000000000000000 R08: 0000000000000008 R09: 0000000000000000
[ 4761.039416] R10: 0000000000000000 R11: 0000000000000600 R12: 0000000000000000
[ 4761.046549] R13: 0000000000000000 R14: 0000000000000080 R15: ffffb1d565abbb10
[ 4761.053680] FS: 00007f64c2ec2740(0000) GS:ffff9f635f980000(0000) knlGS:0000000000000000
[ 4761.061765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4761.067513] CR2: 0000000000000000 CR3: 0000001875270006 CR4: 00000000007706e0
[ 4761.074645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4761.081775] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4761.088909] PKRU: 55555554
[ 4761.091620] Call Trace:
[ 4761.094074] <TASK>
[ 4761.096180] ? __die+0x1f/0x70
[ 4761.099238] ? page_fault_oops+0x171/0x4f0
[ 4761.103340] ? exc_page_fault+0x7b/0x180
[ 4761.107265] ? asm_exc_page_fault+0x22/0x30
[ 4761.111460] ? memcpy_orig+0xc5/0x130
[ 4761.115126] vduse_vdpa_set_vq_affinity+0x3e/0x50 [vduse]
[ 4761.120533] virtnet_clean_affinity.part.0+0x3d/0x90 [virtio_net]
[ 4761.126635] remove_vq_common+0x1a4/0x250 [virtio_net]
[ 4761.131781] virtnet_remove+0x5d/0x70 [virtio_net]
[ 4761.136580] virtio_dev_remove+0x3a/0x90
[ 4761.140509] device_release_driver_internal+0x19b/0x200
[ 4761.145742] bus_remove_device+0xc2/0x130
[ 4761.149755] device_del+0x158/0x3e0
[ 4761.153245] ? kernfs_find_ns+0x35/0xc0
[ 4761.157086] device_unregister+0x13/0x60
[ 4761.161010] unregister_virtio_device+0x11/0x20
[ 4761.165543] device_release_driver_internal+0x19b/0x200
[ 4761.170770] bus_remove_device+0xc2/0x130
[ 4761.174782] device_del+0x158/0x3e0
[ 4761.178276] ? __pfx_vdpa_name_match+0x10/0x10 [vdpa]
[ 4761.183336] device_unregister+0x13/0x60
[ 4761.187260] vdpa_nl_cmd_dev_del_set_doit+0x63/0xe0 [vdpa]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa_user/vduse_dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9d46429de2a251e1e4962e1bf86c344d6336562",
"status": "affected",
"version": "28f6288eb63d5979fa6758e64f52e4d55cf184a8",
"versionType": "git"
},
{
"lessThan": "f06cf1e1a503169280467d12d2ec89bf2c30ace7",
"status": "affected",
"version": "28f6288eb63d5979fa6758e64f52e4d55cf184a8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/vdpa_user/vduse_dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvduse: fix NULL pointer dereference\n\nvduse_vdpa_set_vq_affinity callback can be called\nwith NULL value as cpu_mask when deleting the vduse\ndevice.\n\nThis patch resets virtqueue\u0027s IRQ affinity mask value\nto set all CPUs instead of dereferencing NULL cpu_mask.\n\n[ 4760.952149] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 4760.959110] #PF: supervisor read access in kernel mode\n[ 4760.964247] #PF: error_code(0x0000) - not-present page\n[ 4760.969385] PGD 0 P4D 0\n[ 4760.971927] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 4760.976112] CPU: 13 PID: 2346 Comm: vdpa Not tainted 6.4.0-rc6+ #4\n[ 4760.982291] Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.8.1 06/26/2020\n[ 4760.989769] RIP: 0010:memcpy_orig+0xc5/0x130\n[ 4760.994049] Code: 16 f8 4c 89 07 4c 89 4f 08 4c 89 54 17 f0 4c 89 5c 17 f8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 fa 08 72 1b \u003c4c\u003e 8b 06 4c 8b 4c 16 f8 4c 89 07 4c 89 4c 17 f8 c3 cc cc cc cc 66\n[ 4761.012793] RSP: 0018:ffffb1d565abb830 EFLAGS: 00010246\n[ 4761.018020] RAX: ffff9f4bf6b27898 RBX: ffff9f4be23969c0 RCX: ffff9f4bcadf6400\n[ 4761.025152] RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffff9f4bf6b27898\n[ 4761.032286] RBP: 0000000000000000 R08: 0000000000000008 R09: 0000000000000000\n[ 4761.039416] R10: 0000000000000000 R11: 0000000000000600 R12: 0000000000000000\n[ 4761.046549] R13: 0000000000000000 R14: 0000000000000080 R15: ffffb1d565abbb10\n[ 4761.053680] FS: 00007f64c2ec2740(0000) GS:ffff9f635f980000(0000) knlGS:0000000000000000\n[ 4761.061765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4761.067513] CR2: 0000000000000000 CR3: 0000001875270006 CR4: 00000000007706e0\n[ 4761.074645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4761.081775] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4761.088909] PKRU: 55555554\n[ 4761.091620] Call Trace:\n[ 4761.094074] \u003cTASK\u003e\n[ 4761.096180] ? __die+0x1f/0x70\n[ 4761.099238] ? page_fault_oops+0x171/0x4f0\n[ 4761.103340] ? exc_page_fault+0x7b/0x180\n[ 4761.107265] ? asm_exc_page_fault+0x22/0x30\n[ 4761.111460] ? memcpy_orig+0xc5/0x130\n[ 4761.115126] vduse_vdpa_set_vq_affinity+0x3e/0x50 [vduse]\n[ 4761.120533] virtnet_clean_affinity.part.0+0x3d/0x90 [virtio_net]\n[ 4761.126635] remove_vq_common+0x1a4/0x250 [virtio_net]\n[ 4761.131781] virtnet_remove+0x5d/0x70 [virtio_net]\n[ 4761.136580] virtio_dev_remove+0x3a/0x90\n[ 4761.140509] device_release_driver_internal+0x19b/0x200\n[ 4761.145742] bus_remove_device+0xc2/0x130\n[ 4761.149755] device_del+0x158/0x3e0\n[ 4761.153245] ? kernfs_find_ns+0x35/0xc0\n[ 4761.157086] device_unregister+0x13/0x60\n[ 4761.161010] unregister_virtio_device+0x11/0x20\n[ 4761.165543] device_release_driver_internal+0x19b/0x200\n[ 4761.170770] bus_remove_device+0xc2/0x130\n[ 4761.174782] device_del+0x158/0x3e0\n[ 4761.178276] ? __pfx_vdpa_name_match+0x10/0x10 [vdpa]\n[ 4761.183336] device_unregister+0x13/0x60\n[ 4761.187260] vdpa_nl_cmd_dev_del_set_doit+0x63/0xe0 [vdpa]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:29.754Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9d46429de2a251e1e4962e1bf86c344d6336562"
},
{
"url": "https://git.kernel.org/stable/c/f06cf1e1a503169280467d12d2ec89bf2c30ace7"
}
],
"title": "vduse: fix NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54291",
"datePublished": "2025-12-30T12:23:29.754Z",
"dateReserved": "2025-12-30T12:06:44.527Z",
"dateUpdated": "2025-12-30T12:23:29.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54190 (GCVE-0-2023-54190)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
leds: led-core: Fix refcount leak in of_led_get()
Summary
In the Linux kernel, the following vulnerability has been resolved:
leds: led-core: Fix refcount leak in of_led_get()
class_find_device_by_of_node() calls class_find_device(), it will take
the reference, use the put_device() to drop the reference when not need
anymore.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
699a8c7c4bd376aee4808e6272188319e900c8af , < 1d6101d9222e1ca8c01b3fa9ebf0dcf7bcd82564
(git)
Affected: 699a8c7c4bd376aee4808e6272188319e900c8af , < 690efcb5827c3bacbf1de90cd14907b91bf8cb7b (git) Affected: 699a8c7c4bd376aee4808e6272188319e900c8af , < d880981b82223f9bf128dfdd2424abb0c658f345 (git) Affected: 699a8c7c4bd376aee4808e6272188319e900c8af , < ddf3e82164afd9381b1d52c9f00b3878f7b6d308 (git) Affected: 699a8c7c4bd376aee4808e6272188319e900c8af , < da1afe8e6099980fe1e2fd7436dca284af9d3f29 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/leds/led-class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d6101d9222e1ca8c01b3fa9ebf0dcf7bcd82564",
"status": "affected",
"version": "699a8c7c4bd376aee4808e6272188319e900c8af",
"versionType": "git"
},
{
"lessThan": "690efcb5827c3bacbf1de90cd14907b91bf8cb7b",
"status": "affected",
"version": "699a8c7c4bd376aee4808e6272188319e900c8af",
"versionType": "git"
},
{
"lessThan": "d880981b82223f9bf128dfdd2424abb0c658f345",
"status": "affected",
"version": "699a8c7c4bd376aee4808e6272188319e900c8af",
"versionType": "git"
},
{
"lessThan": "ddf3e82164afd9381b1d52c9f00b3878f7b6d308",
"status": "affected",
"version": "699a8c7c4bd376aee4808e6272188319e900c8af",
"versionType": "git"
},
{
"lessThan": "da1afe8e6099980fe1e2fd7436dca284af9d3f29",
"status": "affected",
"version": "699a8c7c4bd376aee4808e6272188319e900c8af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/leds/led-class.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nleds: led-core: Fix refcount leak in of_led_get()\n\nclass_find_device_by_of_node() calls class_find_device(), it will take\nthe reference, use the put_device() to drop the reference when not need\nanymore."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:58.605Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d6101d9222e1ca8c01b3fa9ebf0dcf7bcd82564"
},
{
"url": "https://git.kernel.org/stable/c/690efcb5827c3bacbf1de90cd14907b91bf8cb7b"
},
{
"url": "https://git.kernel.org/stable/c/d880981b82223f9bf128dfdd2424abb0c658f345"
},
{
"url": "https://git.kernel.org/stable/c/ddf3e82164afd9381b1d52c9f00b3878f7b6d308"
},
{
"url": "https://git.kernel.org/stable/c/da1afe8e6099980fe1e2fd7436dca284af9d3f29"
}
],
"title": "leds: led-core: Fix refcount leak in of_led_get()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54190",
"datePublished": "2025-12-30T12:08:58.605Z",
"dateReserved": "2025-12-30T12:06:44.498Z",
"dateUpdated": "2025-12-30T12:08:58.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53768 (GCVE-0-2023-53768)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
regmap-irq: Fix out-of-bounds access when allocating config buffers
Summary
In the Linux kernel, the following vulnerability has been resolved:
regmap-irq: Fix out-of-bounds access when allocating config buffers
When allocating the 2D array for handling IRQ type registers in
regmap_add_irq_chip_fwnode(), the intent is to allocate a matrix
with num_config_bases rows and num_config_regs columns.
This is currently handled by allocating a buffer to hold a pointer for
each row (i.e. num_config_bases). After that, the logic attempts to
allocate the memory required to hold the register configuration for
each row. However, instead of doing this allocation for each row
(i.e. num_config_bases allocations), the logic erroneously does this
allocation num_config_regs number of times.
This scenario can lead to out-of-bounds accesses when num_config_regs
is greater than num_config_bases. Fix this by updating the terminating
condition of the loop that allocates the memory for holding the register
configuration to allocate memory only for each row in the matrix.
Amit Pundir reported a crash that was occurring on his db845c device
due to memory corruption (see "Closes" tag for Amit's report). The KASAN
report below helped narrow it down to this issue:
[ 14.033877][ T1] ==================================================================
[ 14.042507][ T1] BUG: KASAN: invalid-access in regmap_add_irq_chip_fwnode+0x594/0x1364
[ 14.050796][ T1] Write of size 8 at addr 06ffff8081021850 by task init/1
[ 14.242004][ T1] The buggy address belongs to the object at ffffff8081021850
[ 14.242004][ T1] which belongs to the cache kmalloc-8 of size 8
[ 14.255669][ T1] The buggy address is located 0 bytes inside of
[ 14.255669][ T1] 8-byte region [ffffff8081021850, ffffff8081021858)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
faa87ce9196dbb074d75bd4aecb8bacf18f19b4e , < b1a726ad33e585e3d9fa70712df31ae105e4532c
(git)
Affected: faa87ce9196dbb074d75bd4aecb8bacf18f19b4e , < 6e7b2337ecd028bd888a1a0be4115b8a88faf838 (git) Affected: faa87ce9196dbb074d75bd4aecb8bacf18f19b4e , < 963b54df82b6d6206d7def273390bf3f7af558e1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap-irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1a726ad33e585e3d9fa70712df31ae105e4532c",
"status": "affected",
"version": "faa87ce9196dbb074d75bd4aecb8bacf18f19b4e",
"versionType": "git"
},
{
"lessThan": "6e7b2337ecd028bd888a1a0be4115b8a88faf838",
"status": "affected",
"version": "faa87ce9196dbb074d75bd4aecb8bacf18f19b4e",
"versionType": "git"
},
{
"lessThan": "963b54df82b6d6206d7def273390bf3f7af558e1",
"status": "affected",
"version": "faa87ce9196dbb074d75bd4aecb8bacf18f19b4e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/regmap/regmap-irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap-irq: Fix out-of-bounds access when allocating config buffers\n\nWhen allocating the 2D array for handling IRQ type registers in\nregmap_add_irq_chip_fwnode(), the intent is to allocate a matrix\nwith num_config_bases rows and num_config_regs columns.\n\nThis is currently handled by allocating a buffer to hold a pointer for\neach row (i.e. num_config_bases). After that, the logic attempts to\nallocate the memory required to hold the register configuration for\neach row. However, instead of doing this allocation for each row\n(i.e. num_config_bases allocations), the logic erroneously does this\nallocation num_config_regs number of times.\n\nThis scenario can lead to out-of-bounds accesses when num_config_regs\nis greater than num_config_bases. Fix this by updating the terminating\ncondition of the loop that allocates the memory for holding the register\nconfiguration to allocate memory only for each row in the matrix.\n\nAmit Pundir reported a crash that was occurring on his db845c device\ndue to memory corruption (see \"Closes\" tag for Amit\u0027s report). The KASAN\nreport below helped narrow it down to this issue:\n\n[ 14.033877][ T1] ==================================================================\n[ 14.042507][ T1] BUG: KASAN: invalid-access in regmap_add_irq_chip_fwnode+0x594/0x1364\n[ 14.050796][ T1] Write of size 8 at addr 06ffff8081021850 by task init/1\n\n[ 14.242004][ T1] The buggy address belongs to the object at ffffff8081021850\n[ 14.242004][ T1] which belongs to the cache kmalloc-8 of size 8\n[ 14.255669][ T1] The buggy address is located 0 bytes inside of\n[ 14.255669][ T1] 8-byte region [ffffff8081021850, ffffff8081021858)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:31.353Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1a726ad33e585e3d9fa70712df31ae105e4532c"
},
{
"url": "https://git.kernel.org/stable/c/6e7b2337ecd028bd888a1a0be4115b8a88faf838"
},
{
"url": "https://git.kernel.org/stable/c/963b54df82b6d6206d7def273390bf3f7af558e1"
}
],
"title": "regmap-irq: Fix out-of-bounds access when allocating config buffers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53768",
"datePublished": "2025-12-08T01:19:31.353Z",
"dateReserved": "2025-12-08T01:18:04.281Z",
"dateUpdated": "2025-12-08T01:19:31.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54173 (GCVE-0-2023-54173)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
bpf: Disable preemption in bpf_event_output
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Disable preemption in bpf_event_output
We received report [1] of kernel crash, which is caused by
using nesting protection without disabled preemption.
The bpf_event_output can be called by programs executed by
bpf_prog_run_array_cg function that disabled migration but
keeps preemption enabled.
This can cause task to be preempted by another one inside the
nesting protection and lead eventually to two tasks using same
perf_sample_data buffer and cause crashes like:
BUG: kernel NULL pointer dereference, address: 0000000000000001
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
...
? perf_output_sample+0x12a/0x9a0
? finish_task_switch.isra.0+0x81/0x280
? perf_event_output+0x66/0xa0
? bpf_event_output+0x13a/0x190
? bpf_event_output_data+0x22/0x40
? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb
? xa_load+0x87/0xe0
? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0
? release_sock+0x3e/0x90
? sk_setsockopt+0x1a1/0x12f0
? udp_pre_connect+0x36/0x50
? inet_dgram_connect+0x93/0xa0
? __sys_connect+0xb4/0xe0
? udp_setsockopt+0x27/0x40
? __pfx_udp_push_pending_frames+0x10/0x10
? __sys_setsockopt+0xdf/0x1a0
? __x64_sys_connect+0xf/0x20
? do_syscall_64+0x3a/0x90
? entry_SYSCALL_64_after_hwframe+0x72/0xdc
Fixing this by disabling preemption in bpf_event_output.
[1] https://github.com/cilium/cilium/issues/26756
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2a916f2f546ca1c1e3323e2a4269307f6d9890eb , < 3048cb0dc0cc9dc74ed93690dffef00733bcad5b
(git)
Affected: 2a916f2f546ca1c1e3323e2a4269307f6d9890eb , < c81bdf8f9f2b002d217c3d5357cdea9f2b82ff90 (git) Affected: 2a916f2f546ca1c1e3323e2a4269307f6d9890eb , < 36dd8ca330b76585640ed32255a3c99f901e1502 (git) Affected: 2a916f2f546ca1c1e3323e2a4269307f6d9890eb , < 063c9ce8e74e07bf94f99cd13146f42867875e8b (git) Affected: 2a916f2f546ca1c1e3323e2a4269307f6d9890eb , < d62cc390c2e99ae267ffe4b8d7e2e08b6c758c32 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/bpf_trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3048cb0dc0cc9dc74ed93690dffef00733bcad5b",
"status": "affected",
"version": "2a916f2f546ca1c1e3323e2a4269307f6d9890eb",
"versionType": "git"
},
{
"lessThan": "c81bdf8f9f2b002d217c3d5357cdea9f2b82ff90",
"status": "affected",
"version": "2a916f2f546ca1c1e3323e2a4269307f6d9890eb",
"versionType": "git"
},
{
"lessThan": "36dd8ca330b76585640ed32255a3c99f901e1502",
"status": "affected",
"version": "2a916f2f546ca1c1e3323e2a4269307f6d9890eb",
"versionType": "git"
},
{
"lessThan": "063c9ce8e74e07bf94f99cd13146f42867875e8b",
"status": "affected",
"version": "2a916f2f546ca1c1e3323e2a4269307f6d9890eb",
"versionType": "git"
},
{
"lessThan": "d62cc390c2e99ae267ffe4b8d7e2e08b6c758c32",
"status": "affected",
"version": "2a916f2f546ca1c1e3323e2a4269307f6d9890eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/bpf_trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Disable preemption in bpf_event_output\n\nWe received report [1] of kernel crash, which is caused by\nusing nesting protection without disabled preemption.\n\nThe bpf_event_output can be called by programs executed by\nbpf_prog_run_array_cg function that disabled migration but\nkeeps preemption enabled.\n\nThis can cause task to be preempted by another one inside the\nnesting protection and lead eventually to two tasks using same\nperf_sample_data buffer and cause crashes like:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000001\n #PF: supervisor instruction fetch in kernel mode\n #PF: error_code(0x0010) - not-present page\n ...\n ? perf_output_sample+0x12a/0x9a0\n ? finish_task_switch.isra.0+0x81/0x280\n ? perf_event_output+0x66/0xa0\n ? bpf_event_output+0x13a/0x190\n ? bpf_event_output_data+0x22/0x40\n ? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb\n ? xa_load+0x87/0xe0\n ? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0\n ? release_sock+0x3e/0x90\n ? sk_setsockopt+0x1a1/0x12f0\n ? udp_pre_connect+0x36/0x50\n ? inet_dgram_connect+0x93/0xa0\n ? __sys_connect+0xb4/0xe0\n ? udp_setsockopt+0x27/0x40\n ? __pfx_udp_push_pending_frames+0x10/0x10\n ? __sys_setsockopt+0xdf/0x1a0\n ? __x64_sys_connect+0xf/0x20\n ? do_syscall_64+0x3a/0x90\n ? entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nFixing this by disabling preemption in bpf_event_output.\n\n[1] https://github.com/cilium/cilium/issues/26756"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:46.842Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3048cb0dc0cc9dc74ed93690dffef00733bcad5b"
},
{
"url": "https://git.kernel.org/stable/c/c81bdf8f9f2b002d217c3d5357cdea9f2b82ff90"
},
{
"url": "https://git.kernel.org/stable/c/36dd8ca330b76585640ed32255a3c99f901e1502"
},
{
"url": "https://git.kernel.org/stable/c/063c9ce8e74e07bf94f99cd13146f42867875e8b"
},
{
"url": "https://git.kernel.org/stable/c/d62cc390c2e99ae267ffe4b8d7e2e08b6c758c32"
}
],
"title": "bpf: Disable preemption in bpf_event_output",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54173",
"datePublished": "2025-12-30T12:08:46.842Z",
"dateReserved": "2025-12-30T12:06:44.496Z",
"dateUpdated": "2025-12-30T12:08:46.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53750 (GCVE-0-2023-53750)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
pinctrl: freescale: Fix a memory out of bounds when num_configs is 1
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: freescale: Fix a memory out of bounds when num_configs is 1
The config passed in by pad wakeup is 1, when num_configs is 1,
Configuration [1] should not be fetched, which will be detected
by KASAN as a memory out of bounds condition. Modify to get
configs[1] when num_configs is 2.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f60c9eac54af28d7b5651fe49944bfd5098550e6 , < f85d3cb10f4df5ae3bdb9a9357315c28d781651f
(git)
Affected: f60c9eac54af28d7b5651fe49944bfd5098550e6 , < 27d9a7585b594bb2f9bb1f65e0003814fcc69c75 (git) Affected: f60c9eac54af28d7b5651fe49944bfd5098550e6 , < 9063777ca1e2e895c5fdd493ee0c3f18fa710ed4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/freescale/pinctrl-scu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f85d3cb10f4df5ae3bdb9a9357315c28d781651f",
"status": "affected",
"version": "f60c9eac54af28d7b5651fe49944bfd5098550e6",
"versionType": "git"
},
{
"lessThan": "27d9a7585b594bb2f9bb1f65e0003814fcc69c75",
"status": "affected",
"version": "f60c9eac54af28d7b5651fe49944bfd5098550e6",
"versionType": "git"
},
{
"lessThan": "9063777ca1e2e895c5fdd493ee0c3f18fa710ed4",
"status": "affected",
"version": "f60c9eac54af28d7b5651fe49944bfd5098550e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/freescale/pinctrl-scu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: freescale: Fix a memory out of bounds when num_configs is 1\n\nThe config passed in by pad wakeup is 1, when num_configs is 1,\nConfiguration [1] should not be fetched, which will be detected\nby KASAN as a memory out of bounds condition. Modify to get\nconfigs[1] when num_configs is 2."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:09.919Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f85d3cb10f4df5ae3bdb9a9357315c28d781651f"
},
{
"url": "https://git.kernel.org/stable/c/27d9a7585b594bb2f9bb1f65e0003814fcc69c75"
},
{
"url": "https://git.kernel.org/stable/c/9063777ca1e2e895c5fdd493ee0c3f18fa710ed4"
}
],
"title": "pinctrl: freescale: Fix a memory out of bounds when num_configs is 1",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53750",
"datePublished": "2025-12-08T01:19:09.919Z",
"dateReserved": "2025-12-08T01:18:04.279Z",
"dateUpdated": "2025-12-08T01:19:09.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40263 (GCVE-0-2025-40263)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
Input: cros_ec_keyb - fix an invalid memory access
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: cros_ec_keyb - fix an invalid memory access
If cros_ec_keyb_register_matrix() isn't called (due to
`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains
NULL. An invalid memory access is observed in cros_ec_keyb_process()
when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()
in such case.
Unable to handle kernel read from unreadable memory at virtual address 0000000000000028
...
x3 : 0000000000000000 x2 : 0000000000000000
x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
input_event
cros_ec_keyb_work
blocking_notifier_call_chain
ec_irq_thread
It's still unknown about why the kernel receives such malformed event,
in any cases, the kernel shouldn't access `ckdev->idev` and friends if
the driver doesn't intend to initialize them.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < d74864291cb8bd784d44d1d02e87109cf88666bb
(git)
Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < 9cf59f4724a9ee06ebb06c76b8678ac322e850b7 (git) Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < 6d81068685154535af06163eb585d6d9663ec7ec (git) Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < 2d251c15c27e2dd16d6318425d2f7260cbd47d39 (git) Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < e08969c4d65ac31297fcb4d31d4808c789152f68 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/cros_ec_keyb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d74864291cb8bd784d44d1d02e87109cf88666bb",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "9cf59f4724a9ee06ebb06c76b8678ac322e850b7",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "6d81068685154535af06163eb585d6d9663ec7ec",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "2d251c15c27e2dd16d6318425d2f7260cbd47d39",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
},
{
"lessThan": "e08969c4d65ac31297fcb4d31d4808c789152f68",
"status": "affected",
"version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/keyboard/cros_ec_keyb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cros_ec_keyb - fix an invalid memory access\n\nIf cros_ec_keyb_register_matrix() isn\u0027t called (due to\n`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev-\u003eidev` remains\nNULL. An invalid memory access is observed in cros_ec_keyb_process()\nwhen receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()\nin such case.\n\n Unable to handle kernel read from unreadable memory at virtual address 0000000000000028\n ...\n x3 : 0000000000000000 x2 : 0000000000000000\n x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n input_event\n cros_ec_keyb_work\n blocking_notifier_call_chain\n ec_irq_thread\n\nIt\u0027s still unknown about why the kernel receives such malformed event,\nin any cases, the kernel shouldn\u0027t access `ckdev-\u003eidev` and friends if\nthe driver doesn\u0027t intend to initialize them."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:17.342Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb"
},
{
"url": "https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7"
},
{
"url": "https://git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec"
},
{
"url": "https://git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39"
},
{
"url": "https://git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68"
}
],
"title": "Input: cros_ec_keyb - fix an invalid memory access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40263",
"datePublished": "2025-12-04T16:08:23.327Z",
"dateReserved": "2025-04-16T07:20:57.182Z",
"dateUpdated": "2026-01-02T15:33:17.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50781 (GCVE-0-2022-50781)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()
Summary
In the Linux kernel, the following vulnerability has been resolved:
amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()
In the PP_OD_EDIT_VDDC_CURVE case the "input_index" variable is capped at
2 but not checked for negative values so it results in an out of bounds
read. This value comes from the user via sysfs.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d5bf26539494d16dfabbbea0854a47d202ea15c0 , < 4d3dc0de9c46d9f73be6bac026e40b893e37ea21
(git)
Affected: d5bf26539494d16dfabbbea0854a47d202ea15c0 , < 85273b4a7076ed5328c8ace02234e4e7e10972d5 (git) Affected: d5bf26539494d16dfabbbea0854a47d202ea15c0 , < f289a38df0da4cfe4b50d04b1b9c3bc646fecd57 (git) Affected: d5bf26539494d16dfabbbea0854a47d202ea15c0 , < a03625ad11b50429930f4c491d6c97e70f2ba89a (git) Affected: d5bf26539494d16dfabbbea0854a47d202ea15c0 , < 8084bd0a64e278314b733993f388d83a86aa1183 (git) Affected: d5bf26539494d16dfabbbea0854a47d202ea15c0 , < d27252b5706e51188aed7647126e44dcf9e940c1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4d3dc0de9c46d9f73be6bac026e40b893e37ea21",
"status": "affected",
"version": "d5bf26539494d16dfabbbea0854a47d202ea15c0",
"versionType": "git"
},
{
"lessThan": "85273b4a7076ed5328c8ace02234e4e7e10972d5",
"status": "affected",
"version": "d5bf26539494d16dfabbbea0854a47d202ea15c0",
"versionType": "git"
},
{
"lessThan": "f289a38df0da4cfe4b50d04b1b9c3bc646fecd57",
"status": "affected",
"version": "d5bf26539494d16dfabbbea0854a47d202ea15c0",
"versionType": "git"
},
{
"lessThan": "a03625ad11b50429930f4c491d6c97e70f2ba89a",
"status": "affected",
"version": "d5bf26539494d16dfabbbea0854a47d202ea15c0",
"versionType": "git"
},
{
"lessThan": "8084bd0a64e278314b733993f388d83a86aa1183",
"status": "affected",
"version": "d5bf26539494d16dfabbbea0854a47d202ea15c0",
"versionType": "git"
},
{
"lessThan": "d27252b5706e51188aed7647126e44dcf9e940c1",
"status": "affected",
"version": "d5bf26539494d16dfabbbea0854a47d202ea15c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\namdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()\n\nIn the PP_OD_EDIT_VDDC_CURVE case the \"input_index\" variable is capped at\n2 but not checked for negative values so it results in an out of bounds\nread. This value comes from the user via sysfs."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:09.238Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4d3dc0de9c46d9f73be6bac026e40b893e37ea21"
},
{
"url": "https://git.kernel.org/stable/c/85273b4a7076ed5328c8ace02234e4e7e10972d5"
},
{
"url": "https://git.kernel.org/stable/c/f289a38df0da4cfe4b50d04b1b9c3bc646fecd57"
},
{
"url": "https://git.kernel.org/stable/c/a03625ad11b50429930f4c491d6c97e70f2ba89a"
},
{
"url": "https://git.kernel.org/stable/c/8084bd0a64e278314b733993f388d83a86aa1183"
},
{
"url": "https://git.kernel.org/stable/c/d27252b5706e51188aed7647126e44dcf9e940c1"
}
],
"title": "amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50781",
"datePublished": "2025-12-24T13:06:09.238Z",
"dateReserved": "2025-12-24T13:02:21.548Z",
"dateUpdated": "2025-12-24T13:06:09.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50827 (GCVE-0-2022-50827)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
scsi: lpfc: Fix memory leak in lpfc_create_port()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix memory leak in lpfc_create_port()
Commit 5e633302ace1 ("scsi: lpfc: vmid: Add support for VMID in mailbox
command") introduced allocations for the VMID resources in
lpfc_create_port() after the call to scsi_host_alloc(). Upon failure on the
VMID allocations, the new code would branch to the 'out' label, which
returns NULL without unwinding anything, thus skipping the call to
scsi_host_put().
Fix the problem by creating a separate label 'out_free_vmid' to unwind the
VMID resources and make the 'out_put_shost' label call only
scsi_host_put(), as was done before the introduction of allocations for
VMID.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5e633302ace1f61f8ea5a3ce21e19a4d79126cca , < 9749595feb33a1a2b848800192224ffeed5346b4
(git)
Affected: 5e633302ace1f61f8ea5a3ce21e19a4d79126cca , < 5ea1f195f51c2bb5915ccfb2b2885ca81ce9262b (git) Affected: 5e633302ace1f61f8ea5a3ce21e19a4d79126cca , < dc8e483f684a24cc06e1d5fa958b54db58855093 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9749595feb33a1a2b848800192224ffeed5346b4",
"status": "affected",
"version": "5e633302ace1f61f8ea5a3ce21e19a4d79126cca",
"versionType": "git"
},
{
"lessThan": "5ea1f195f51c2bb5915ccfb2b2885ca81ce9262b",
"status": "affected",
"version": "5e633302ace1f61f8ea5a3ce21e19a4d79126cca",
"versionType": "git"
},
{
"lessThan": "dc8e483f684a24cc06e1d5fa958b54db58855093",
"status": "affected",
"version": "5e633302ace1f61f8ea5a3ce21e19a4d79126cca",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix memory leak in lpfc_create_port()\n\nCommit 5e633302ace1 (\"scsi: lpfc: vmid: Add support for VMID in mailbox\ncommand\") introduced allocations for the VMID resources in\nlpfc_create_port() after the call to scsi_host_alloc(). Upon failure on the\nVMID allocations, the new code would branch to the \u0027out\u0027 label, which\nreturns NULL without unwinding anything, thus skipping the call to\nscsi_host_put().\n\nFix the problem by creating a separate label \u0027out_free_vmid\u0027 to unwind the\nVMID resources and make the \u0027out_put_shost\u0027 label call only\nscsi_host_put(), as was done before the introduction of allocations for\nVMID."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:39.669Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9749595feb33a1a2b848800192224ffeed5346b4"
},
{
"url": "https://git.kernel.org/stable/c/5ea1f195f51c2bb5915ccfb2b2885ca81ce9262b"
},
{
"url": "https://git.kernel.org/stable/c/dc8e483f684a24cc06e1d5fa958b54db58855093"
}
],
"title": "scsi: lpfc: Fix memory leak in lpfc_create_port()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50827",
"datePublished": "2025-12-30T12:08:39.669Z",
"dateReserved": "2025-12-30T12:06:07.131Z",
"dateUpdated": "2025-12-30T12:08:39.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40240 (GCVE-0-2025-40240)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
sctp: avoid NULL dereference when chunk data buffer is missing
Summary
In the Linux kernel, the following vulnerability has been resolved:
sctp: avoid NULL dereference when chunk data buffer is missing
chunk->skb pointer is dereferenced in the if-block where it's supposed
to be NULL only.
chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list
instead and do it just before replacing chunk->skb. We're sure that
otherwise chunk->skb is non-NULL because of outer if() condition.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
90017accff61ae89283ad9a51f9ac46ca01633fb , < 61cda2777b07d27459f5cac5a047c3edf9c8a1a9
(git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 08165c296597075763130919f2aae59b5822f016 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < cb9055ba30306ede4ad920002233d0659982f1cb (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 7a832b0f99be19df608cb75c023f8027b1789bd1 (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 89b465b54227c245ddc7cc9ed822231af21123ef (git) Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 441f0647f7673e0e64d4910ef61a5fb8f16bfb82 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/inqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61cda2777b07d27459f5cac5a047c3edf9c8a1a9",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "08165c296597075763130919f2aae59b5822f016",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "cb9055ba30306ede4ad920002233d0659982f1cb",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "7a832b0f99be19df608cb75c023f8027b1789bd1",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "89b465b54227c245ddc7cc9ed822231af21123ef",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
},
{
"lessThan": "441f0647f7673e0e64d4910ef61a5fb8f16bfb82",
"status": "affected",
"version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/inqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: avoid NULL dereference when chunk data buffer is missing\n\nchunk-\u003eskb pointer is dereferenced in the if-block where it\u0027s supposed\nto be NULL only.\n\nchunk-\u003eskb can only be NULL if chunk-\u003ehead_skb is not. Check for frag_list\ninstead and do it just before replacing chunk-\u003eskb. We\u0027re sure that\notherwise chunk-\u003eskb is non-NULL because of outer if() condition."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:29.715Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9"
},
{
"url": "https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016"
},
{
"url": "https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f"
},
{
"url": "https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71"
},
{
"url": "https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb"
},
{
"url": "https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1"
},
{
"url": "https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef"
},
{
"url": "https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82"
}
],
"title": "sctp: avoid NULL dereference when chunk data buffer is missing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40240",
"datePublished": "2025-12-04T15:31:29.715Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-04T15:31:29.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54008 (GCVE-0-2023-54008)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
virtio_vdpa: build affinity masks conditionally
Summary
In the Linux kernel, the following vulnerability has been resolved:
virtio_vdpa: build affinity masks conditionally
We try to build affinity mask via create_affinity_masks()
unconditionally which may lead several issues:
- the affinity mask is not used for parent without affinity support
(only VDUSE support the affinity now)
- the logic of create_affinity_masks() might not work for devices
other than block. For example it's not rare in the networking device
where the number of queues could exceed the number of CPUs. Such
case breaks the current affinity logic which is based on
group_cpus_evenly() who assumes the number of CPUs are not less than
the number of groups. This can trigger a warning[1]:
if (ret >= 0)
WARN_ON(nr_present + nr_others < numgrps);
Fixing this by only build the affinity masks only when
- Driver passes affinity descriptor, driver like virtio-blk can make
sure to limit the number of queues when it exceeds the number of CPUs
- Parent support affinity setting config ops
This help to avoid the warning. More optimizations could be done on
top.
[1]
[ 682.146655] WARNING: CPU: 6 PID: 1550 at lib/group_cpus.c:400 group_cpus_evenly+0x1aa/0x1c0
[ 682.146668] CPU: 6 PID: 1550 Comm: vdpa Not tainted 6.5.0-rc5jason+ #79
[ 682.146671] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 682.146673] RIP: 0010:group_cpus_evenly+0x1aa/0x1c0
[ 682.146676] Code: 4c 89 e0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc e8 1b c4 74 ff 48 89 ef e8 13 ac 98 ff 4c 89 e7 45 31 e4 e8 08 ac 98 ff eb c2 <0f> 0b eb b6 e8 fd 05 c3 00 45 31 e4 eb e5 cc cc cc cc cc cc cc cc
[ 682.146679] RSP: 0018:ffffc9000215f498 EFLAGS: 00010293
[ 682.146682] RAX: 000000000001f1e0 RBX: 0000000000000041 RCX: 0000000000000000
[ 682.146684] RDX: ffff888109922058 RSI: 0000000000000041 RDI: 0000000000000030
[ 682.146686] RBP: ffff888109922058 R08: ffffc9000215f498 R09: ffffc9000215f4a0
[ 682.146687] R10: 00000000000198d0 R11: 0000000000000030 R12: ffff888107e02800
[ 682.146689] R13: 0000000000000030 R14: 0000000000000030 R15: 0000000000000041
[ 682.146692] FS: 00007fef52315740(0000) GS:ffff888237380000(0000) knlGS:0000000000000000
[ 682.146695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 682.146696] CR2: 00007fef52509000 CR3: 0000000110dbc004 CR4: 0000000000370ee0
[ 682.146698] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 682.146700] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 682.146701] Call Trace:
[ 682.146703] <TASK>
[ 682.146705] ? __warn+0x7b/0x130
[ 682.146709] ? group_cpus_evenly+0x1aa/0x1c0
[ 682.146712] ? report_bug+0x1c8/0x1e0
[ 682.146717] ? handle_bug+0x3c/0x70
[ 682.146721] ? exc_invalid_op+0x14/0x70
[ 682.146723] ? asm_exc_invalid_op+0x16/0x20
[ 682.146727] ? group_cpus_evenly+0x1aa/0x1c0
[ 682.146729] ? group_cpus_evenly+0x15c/0x1c0
[ 682.146731] create_affinity_masks+0xaf/0x1a0
[ 682.146735] virtio_vdpa_find_vqs+0x83/0x1d0
[ 682.146738] ? __pfx_default_calc_sets+0x10/0x10
[ 682.146742] virtnet_find_vqs+0x1f0/0x370
[ 682.146747] virtnet_probe+0x501/0xcd0
[ 682.146749] ? vp_modern_get_status+0x12/0x20
[ 682.146751] ? get_cap_addr.isra.0+0x10/0xc0
[ 682.146754] virtio_dev_probe+0x1af/0x260
[ 682.146759] really_probe+0x1a5/0x410
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3dad56823b5332ffdbe1867b2d7b50fbacea124a , < 5f2592243ccd5bb5341f59be409ccfdd586841f3
(git)
Affected: 3dad56823b5332ffdbe1867b2d7b50fbacea124a , < 628b53fc66ca1910a3cb53c3c7e44e59750c3668 (git) Affected: 3dad56823b5332ffdbe1867b2d7b50fbacea124a , < ae15aceaa98ad9499763923f7890e345d9f46b60 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/virtio/virtio_vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f2592243ccd5bb5341f59be409ccfdd586841f3",
"status": "affected",
"version": "3dad56823b5332ffdbe1867b2d7b50fbacea124a",
"versionType": "git"
},
{
"lessThan": "628b53fc66ca1910a3cb53c3c7e44e59750c3668",
"status": "affected",
"version": "3dad56823b5332ffdbe1867b2d7b50fbacea124a",
"versionType": "git"
},
{
"lessThan": "ae15aceaa98ad9499763923f7890e345d9f46b60",
"status": "affected",
"version": "3dad56823b5332ffdbe1867b2d7b50fbacea124a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/virtio/virtio_vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_vdpa: build affinity masks conditionally\n\nWe try to build affinity mask via create_affinity_masks()\nunconditionally which may lead several issues:\n\n- the affinity mask is not used for parent without affinity support\n (only VDUSE support the affinity now)\n- the logic of create_affinity_masks() might not work for devices\n other than block. For example it\u0027s not rare in the networking device\n where the number of queues could exceed the number of CPUs. Such\n case breaks the current affinity logic which is based on\n group_cpus_evenly() who assumes the number of CPUs are not less than\n the number of groups. This can trigger a warning[1]:\n\n\tif (ret \u003e= 0)\n\t\tWARN_ON(nr_present + nr_others \u003c numgrps);\n\nFixing this by only build the affinity masks only when\n\n- Driver passes affinity descriptor, driver like virtio-blk can make\n sure to limit the number of queues when it exceeds the number of CPUs\n- Parent support affinity setting config ops\n\nThis help to avoid the warning. More optimizations could be done on\ntop.\n\n[1]\n[ 682.146655] WARNING: CPU: 6 PID: 1550 at lib/group_cpus.c:400 group_cpus_evenly+0x1aa/0x1c0\n[ 682.146668] CPU: 6 PID: 1550 Comm: vdpa Not tainted 6.5.0-rc5jason+ #79\n[ 682.146671] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n[ 682.146673] RIP: 0010:group_cpus_evenly+0x1aa/0x1c0\n[ 682.146676] Code: 4c 89 e0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc e8 1b c4 74 ff 48 89 ef e8 13 ac 98 ff 4c 89 e7 45 31 e4 e8 08 ac 98 ff eb c2 \u003c0f\u003e 0b eb b6 e8 fd 05 c3 00 45 31 e4 eb e5 cc cc cc cc cc cc cc cc\n[ 682.146679] RSP: 0018:ffffc9000215f498 EFLAGS: 00010293\n[ 682.146682] RAX: 000000000001f1e0 RBX: 0000000000000041 RCX: 0000000000000000\n[ 682.146684] RDX: ffff888109922058 RSI: 0000000000000041 RDI: 0000000000000030\n[ 682.146686] RBP: ffff888109922058 R08: ffffc9000215f498 R09: ffffc9000215f4a0\n[ 682.146687] R10: 00000000000198d0 R11: 0000000000000030 R12: ffff888107e02800\n[ 682.146689] R13: 0000000000000030 R14: 0000000000000030 R15: 0000000000000041\n[ 682.146692] FS: 00007fef52315740(0000) GS:ffff888237380000(0000) knlGS:0000000000000000\n[ 682.146695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 682.146696] CR2: 00007fef52509000 CR3: 0000000110dbc004 CR4: 0000000000370ee0\n[ 682.146698] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 682.146700] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 682.146701] Call Trace:\n[ 682.146703] \u003cTASK\u003e\n[ 682.146705] ? __warn+0x7b/0x130\n[ 682.146709] ? group_cpus_evenly+0x1aa/0x1c0\n[ 682.146712] ? report_bug+0x1c8/0x1e0\n[ 682.146717] ? handle_bug+0x3c/0x70\n[ 682.146721] ? exc_invalid_op+0x14/0x70\n[ 682.146723] ? asm_exc_invalid_op+0x16/0x20\n[ 682.146727] ? group_cpus_evenly+0x1aa/0x1c0\n[ 682.146729] ? group_cpus_evenly+0x15c/0x1c0\n[ 682.146731] create_affinity_masks+0xaf/0x1a0\n[ 682.146735] virtio_vdpa_find_vqs+0x83/0x1d0\n[ 682.146738] ? __pfx_default_calc_sets+0x10/0x10\n[ 682.146742] virtnet_find_vqs+0x1f0/0x370\n[ 682.146747] virtnet_probe+0x501/0xcd0\n[ 682.146749] ? vp_modern_get_status+0x12/0x20\n[ 682.146751] ? get_cap_addr.isra.0+0x10/0xc0\n[ 682.146754] virtio_dev_probe+0x1af/0x260\n[ 682.146759] really_probe+0x1a5/0x410"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:41.982Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f2592243ccd5bb5341f59be409ccfdd586841f3"
},
{
"url": "https://git.kernel.org/stable/c/628b53fc66ca1910a3cb53c3c7e44e59750c3668"
},
{
"url": "https://git.kernel.org/stable/c/ae15aceaa98ad9499763923f7890e345d9f46b60"
}
],
"title": "virtio_vdpa: build affinity masks conditionally",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54008",
"datePublished": "2025-12-24T10:55:41.982Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:41.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68249 (GCVE-0-2025-68249)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:32 – Updated: 2025-12-16 14:32
VLAI?
EPSS
Title
most: usb: hdm_probe: Fix calling put_device() before device initialization
Summary
In the Linux kernel, the following vulnerability has been resolved:
most: usb: hdm_probe: Fix calling put_device() before device initialization
The early error path in hdm_probe() can jump to err_free_mdev before
&mdev->dev has been initialized with device_initialize(). Calling
put_device(&mdev->dev) there triggers a device core WARN and ends up
invoking kref_put(&kobj->kref, kobject_release) on an uninitialized
kobject.
In this path the private struct was only kmalloc'ed and the intended
release is effectively kfree(mdev) anyway, so free it directly instead
of calling put_device() on an uninitialized device.
This removes the WARNING and fixes the pre-initialization error path.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 3509c748e79435d09e730673c8c100b7f0ebc87c
(git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < ad2be44882716dc3589fbc5572cc13f88ead6b24 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < c400410fe0580dd6118ae8d60287ac9ce71a65fd (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 7d851f746067b8ee5bac9c262f326ace0a6ea253 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 4af0eedbdb4df7936bf43a28e31af232744d2620 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < a8cc9e5fcb0e2eef21513a4fec888f5712cb8162 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3509c748e79435d09e730673c8c100b7f0ebc87c",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "ad2be44882716dc3589fbc5572cc13f88ead6b24",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "c400410fe0580dd6118ae8d60287ac9ce71a65fd",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "7d851f746067b8ee5bac9c262f326ace0a6ea253",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "4af0eedbdb4df7936bf43a28e31af232744d2620",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "a8cc9e5fcb0e2eef21513a4fec888f5712cb8162",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: hdm_probe: Fix calling put_device() before device initialization\n\nThe early error path in hdm_probe() can jump to err_free_mdev before\n\u0026mdev-\u003edev has been initialized with device_initialize(). Calling\nput_device(\u0026mdev-\u003edev) there triggers a device core WARN and ends up\ninvoking kref_put(\u0026kobj-\u003ekref, kobject_release) on an uninitialized\nkobject.\n\nIn this path the private struct was only kmalloc\u0027ed and the intended\nrelease is effectively kfree(mdev) anyway, so free it directly instead\nof calling put_device() on an uninitialized device.\n\nThis removes the WARNING and fixes the pre-initialization error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:32:16.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3509c748e79435d09e730673c8c100b7f0ebc87c"
},
{
"url": "https://git.kernel.org/stable/c/ad2be44882716dc3589fbc5572cc13f88ead6b24"
},
{
"url": "https://git.kernel.org/stable/c/c400410fe0580dd6118ae8d60287ac9ce71a65fd"
},
{
"url": "https://git.kernel.org/stable/c/6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95"
},
{
"url": "https://git.kernel.org/stable/c/7d851f746067b8ee5bac9c262f326ace0a6ea253"
},
{
"url": "https://git.kernel.org/stable/c/4af0eedbdb4df7936bf43a28e31af232744d2620"
},
{
"url": "https://git.kernel.org/stable/c/a8cc9e5fcb0e2eef21513a4fec888f5712cb8162"
}
],
"title": "most: usb: hdm_probe: Fix calling put_device() before device initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68249",
"datePublished": "2025-12-16T14:32:16.370Z",
"dateReserved": "2025-12-16T13:41:40.266Z",
"dateUpdated": "2025-12-16T14:32:16.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50752 (GCVE-0-2022-50752)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()
When running chunk-sized reads on disks with badblocks duplicate bio
free/puts are observed:
=============================================================================
BUG bio-200 (Not tainted): Object already free
-----------------------------------------------------------------------------
Allocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504
__slab_alloc.constprop.0+0x5a/0xb0
kmem_cache_alloc+0x31e/0x330
mempool_alloc_slab+0x17/0x20
mempool_alloc+0x100/0x2b0
bio_alloc_bioset+0x181/0x460
do_mpage_readpage+0x776/0xd00
mpage_readahead+0x166/0x320
blkdev_readahead+0x15/0x20
read_pages+0x13f/0x5f0
page_cache_ra_unbounded+0x18d/0x220
force_page_cache_ra+0x181/0x1c0
page_cache_sync_ra+0x65/0xb0
filemap_get_pages+0x1df/0xaf0
filemap_read+0x1e1/0x700
blkdev_read_iter+0x1e5/0x330
vfs_read+0x42a/0x570
Freed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504
kmem_cache_free+0x46d/0x490
mempool_free_slab+0x17/0x20
mempool_free+0x66/0x190
bio_free+0x78/0x90
bio_put+0x100/0x1a0
raid5_make_request+0x2259/0x2450
md_handle_request+0x402/0x600
md_submit_bio+0xd9/0x120
__submit_bio+0x11f/0x1b0
submit_bio_noacct_nocheck+0x204/0x480
submit_bio_noacct+0x32e/0xc70
submit_bio+0x98/0x1a0
mpage_readahead+0x250/0x320
blkdev_readahead+0x15/0x20
read_pages+0x13f/0x5f0
page_cache_ra_unbounded+0x18d/0x220
Slab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff)
CPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: raid5wq raid5_do_work
Call Trace:
<TASK>
dump_stack_lvl+0x5a/0x78
dump_stack+0x10/0x16
print_trailer+0x158/0x165
object_err+0x35/0x50
free_debug_processing.cold+0xb7/0xbe
__slab_free+0x1ae/0x330
kmem_cache_free+0x46d/0x490
mempool_free_slab+0x17/0x20
mempool_free+0x66/0x190
bio_free+0x78/0x90
bio_put+0x100/0x1a0
mpage_end_io+0x36/0x150
bio_endio+0x2fd/0x360
md_end_io_acct+0x7e/0x90
bio_endio+0x2fd/0x360
handle_failed_stripe+0x960/0xb80
handle_stripe+0x1348/0x3760
handle_active_stripes.constprop.0+0x72a/0xaf0
raid5_do_work+0x177/0x330
process_one_work+0x616/0xb20
worker_thread+0x2bd/0x6f0
kthread+0x179/0x1b0
ret_from_fork+0x22/0x30
</TASK>
The double free is caused by an unnecessary bio_put() in the
if(is_badblock(...)) error path in raid5_read_one_chunk().
The error path was moved ahead of bio_alloc_clone() in c82aa1b76787c
("md/raid5: move checking badblock before clone bio in
raid5_read_one_chunk"). The previous code checked and freed align_bio
which required a bio_put. After the move that is no longer needed as
raid_bio is returned to the control of the common io path which
performs its own endio resulting in a double free on bad device blocks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c82aa1b76787c34fd02374e519b6f52cdeb2f54b , < 7a37c58ee72e1fadd22c4ee990cb74c2ca2280e7
(git)
Affected: c82aa1b76787c34fd02374e519b6f52cdeb2f54b , < c0fd5d4d8fd7b1a50306d7a23c720cf808f41fdf (git) Affected: c82aa1b76787c34fd02374e519b6f52cdeb2f54b , < 21a9c7354aa59e97e26ece5f0a609c8bfa43020d (git) Affected: c82aa1b76787c34fd02374e519b6f52cdeb2f54b , < c66a6f41e09ad386fd2cce22b9cded837bbbc704 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7a37c58ee72e1fadd22c4ee990cb74c2ca2280e7",
"status": "affected",
"version": "c82aa1b76787c34fd02374e519b6f52cdeb2f54b",
"versionType": "git"
},
{
"lessThan": "c0fd5d4d8fd7b1a50306d7a23c720cf808f41fdf",
"status": "affected",
"version": "c82aa1b76787c34fd02374e519b6f52cdeb2f54b",
"versionType": "git"
},
{
"lessThan": "21a9c7354aa59e97e26ece5f0a609c8bfa43020d",
"status": "affected",
"version": "c82aa1b76787c34fd02374e519b6f52cdeb2f54b",
"versionType": "git"
},
{
"lessThan": "c66a6f41e09ad386fd2cce22b9cded837bbbc704",
"status": "affected",
"version": "c82aa1b76787c34fd02374e519b6f52cdeb2f54b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()\n\nWhen running chunk-sized reads on disks with badblocks duplicate bio\nfree/puts are observed:\n\n =============================================================================\n BUG bio-200 (Not tainted): Object already free\n -----------------------------------------------------------------------------\n Allocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504\n __slab_alloc.constprop.0+0x5a/0xb0\n kmem_cache_alloc+0x31e/0x330\n mempool_alloc_slab+0x17/0x20\n mempool_alloc+0x100/0x2b0\n bio_alloc_bioset+0x181/0x460\n do_mpage_readpage+0x776/0xd00\n mpage_readahead+0x166/0x320\n blkdev_readahead+0x15/0x20\n read_pages+0x13f/0x5f0\n page_cache_ra_unbounded+0x18d/0x220\n force_page_cache_ra+0x181/0x1c0\n page_cache_sync_ra+0x65/0xb0\n filemap_get_pages+0x1df/0xaf0\n filemap_read+0x1e1/0x700\n blkdev_read_iter+0x1e5/0x330\n vfs_read+0x42a/0x570\n Freed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504\n kmem_cache_free+0x46d/0x490\n mempool_free_slab+0x17/0x20\n mempool_free+0x66/0x190\n bio_free+0x78/0x90\n bio_put+0x100/0x1a0\n raid5_make_request+0x2259/0x2450\n md_handle_request+0x402/0x600\n md_submit_bio+0xd9/0x120\n __submit_bio+0x11f/0x1b0\n submit_bio_noacct_nocheck+0x204/0x480\n submit_bio_noacct+0x32e/0xc70\n submit_bio+0x98/0x1a0\n mpage_readahead+0x250/0x320\n blkdev_readahead+0x15/0x20\n read_pages+0x13f/0x5f0\n page_cache_ra_unbounded+0x18d/0x220\n Slab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n CPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Workqueue: raid5wq raid5_do_work\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5a/0x78\n dump_stack+0x10/0x16\n print_trailer+0x158/0x165\n object_err+0x35/0x50\n free_debug_processing.cold+0xb7/0xbe\n __slab_free+0x1ae/0x330\n kmem_cache_free+0x46d/0x490\n mempool_free_slab+0x17/0x20\n mempool_free+0x66/0x190\n bio_free+0x78/0x90\n bio_put+0x100/0x1a0\n mpage_end_io+0x36/0x150\n bio_endio+0x2fd/0x360\n md_end_io_acct+0x7e/0x90\n bio_endio+0x2fd/0x360\n handle_failed_stripe+0x960/0xb80\n handle_stripe+0x1348/0x3760\n handle_active_stripes.constprop.0+0x72a/0xaf0\n raid5_do_work+0x177/0x330\n process_one_work+0x616/0xb20\n worker_thread+0x2bd/0x6f0\n kthread+0x179/0x1b0\n ret_from_fork+0x22/0x30\n \u003c/TASK\u003e\n\nThe double free is caused by an unnecessary bio_put() in the\nif(is_badblock(...)) error path in raid5_read_one_chunk().\n\nThe error path was moved ahead of bio_alloc_clone() in c82aa1b76787c\n(\"md/raid5: move checking badblock before clone bio in\nraid5_read_one_chunk\"). The previous code checked and freed align_bio\nwhich required a bio_put. After the move that is no longer needed as\nraid_bio is returned to the control of the common io path which\nperforms its own endio resulting in a double free on bad device blocks."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:46.881Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7a37c58ee72e1fadd22c4ee990cb74c2ca2280e7"
},
{
"url": "https://git.kernel.org/stable/c/c0fd5d4d8fd7b1a50306d7a23c720cf808f41fdf"
},
{
"url": "https://git.kernel.org/stable/c/21a9c7354aa59e97e26ece5f0a609c8bfa43020d"
},
{
"url": "https://git.kernel.org/stable/c/c66a6f41e09ad386fd2cce22b9cded837bbbc704"
}
],
"title": "md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50752",
"datePublished": "2025-12-24T13:05:46.881Z",
"dateReserved": "2025-12-24T13:02:21.544Z",
"dateUpdated": "2025-12-24T13:05:46.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68744 (GCVE-0-2025-68744)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-01-11 16:30
VLAI?
EPSS
Title
bpf: Free special fields when update [lru_,]percpu_hash maps
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Free special fields when update [lru_,]percpu_hash maps
As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing
calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the
memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the
map gets freed.
Fix this by calling 'bpf_obj_free_fields()' after
'copy_map_value[,_long]()' in 'pcpu_copy_value()'.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 994d6303ed0b84cbc795bb5becf7ed6de40d3f3c
(git)
Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 3bf1378747e251571e0de15e7e0a6bf2919044e7 (git) Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 96a5cb7072cabbac5c66ac9318242c3bdceebb68 (git) Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 4a03d69cece145e4fb527464be29c3806aa3221e (git) Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 6af6e49a76c9af7d42eb923703e7648cb2bf401a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "994d6303ed0b84cbc795bb5becf7ed6de40d3f3c",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "3bf1378747e251571e0de15e7e0a6bf2919044e7",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "96a5cb7072cabbac5c66ac9318242c3bdceebb68",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "4a03d69cece145e4fb527464be29c3806aa3221e",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
},
{
"lessThan": "6af6e49a76c9af7d42eb923703e7648cb2bf401a",
"status": "affected",
"version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/hashtab.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Free special fields when update [lru_,]percpu_hash maps\n\nAs [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing\ncalls to \u0027bpf_obj_free_fields()\u0027 in \u0027pcpu_copy_value()\u0027 could cause the\nmemory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the\nmap gets freed.\n\nFix this by calling \u0027bpf_obj_free_fields()\u0027 after\n\u0027copy_map_value[,_long]()\u0027 in \u0027pcpu_copy_value()\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-11T16:30:22.161Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/994d6303ed0b84cbc795bb5becf7ed6de40d3f3c"
},
{
"url": "https://git.kernel.org/stable/c/3bf1378747e251571e0de15e7e0a6bf2919044e7"
},
{
"url": "https://git.kernel.org/stable/c/96a5cb7072cabbac5c66ac9318242c3bdceebb68"
},
{
"url": "https://git.kernel.org/stable/c/4a03d69cece145e4fb527464be29c3806aa3221e"
},
{
"url": "https://git.kernel.org/stable/c/6af6e49a76c9af7d42eb923703e7648cb2bf401a"
}
],
"title": "bpf: Free special fields when update [lru_,]percpu_hash maps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68744",
"datePublished": "2025-12-24T12:09:40.839Z",
"dateReserved": "2025-12-24T10:30:51.031Z",
"dateUpdated": "2026-01-11T16:30:22.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54000 (GCVE-0-2023-54000)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net: hns3: fix deadlock issue when externel_lb and reset are executed together
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns3: fix deadlock issue when externel_lb and reset are executed together
When externel_lb and reset are executed together, a deadlock may
occur:
[ 3147.217009] INFO: task kworker/u321:0:7 blocked for more than 120 seconds.
[ 3147.230483] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 3147.238999] task:kworker/u321:0 state:D stack: 0 pid: 7 ppid: 2 flags:0x00000008
[ 3147.248045] Workqueue: hclge hclge_service_task [hclge]
[ 3147.253957] Call trace:
[ 3147.257093] __switch_to+0x7c/0xbc
[ 3147.261183] __schedule+0x338/0x6f0
[ 3147.265357] schedule+0x50/0xe0
[ 3147.269185] schedule_preempt_disabled+0x18/0x24
[ 3147.274488] __mutex_lock.constprop.0+0x1d4/0x5dc
[ 3147.279880] __mutex_lock_slowpath+0x1c/0x30
[ 3147.284839] mutex_lock+0x50/0x60
[ 3147.288841] rtnl_lock+0x20/0x2c
[ 3147.292759] hclge_reset_prepare+0x68/0x90 [hclge]
[ 3147.298239] hclge_reset_subtask+0x88/0xe0 [hclge]
[ 3147.303718] hclge_reset_service_task+0x84/0x120 [hclge]
[ 3147.309718] hclge_service_task+0x2c/0x70 [hclge]
[ 3147.315109] process_one_work+0x1d0/0x490
[ 3147.319805] worker_thread+0x158/0x3d0
[ 3147.324240] kthread+0x108/0x13c
[ 3147.328154] ret_from_fork+0x10/0x18
In externel_lb process, the hns3 driver call napi_disable()
first, then the reset happen, then the restore process of the
externel_lb will fail, and will not call napi_enable(). When
doing externel_lb again, napi_disable() will be double call,
cause a deadlock of rtnl_lock().
This patch use the HNS3_NIC_STATE_DOWN state to protect the
calling of napi_disable() and napi_enable() in externel_lb
process, just as the usage in ndo_stop() and ndo_start().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
85fc1d802edf36123ae1bd0a13892bb3772c197f , < d9f609cb50ebab4aa6341112f406bf9d3928ac81
(git)
Affected: 04b6ba143521f4485b7f2c36c655b262a79dae97 , < 743f7c1762e098048ede8cdf8c89a118f8d12391 (git) Affected: 04b6ba143521f4485b7f2c36c655b262a79dae97 , < ef2d6bf9695669d31ece9f2ef39dec84874a87c7 (git) Affected: 04b6ba143521f4485b7f2c36c655b262a79dae97 , < ac6257a3ae5db5193b1f19c268e4f72d274ddb88 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3_enet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d9f609cb50ebab4aa6341112f406bf9d3928ac81",
"status": "affected",
"version": "85fc1d802edf36123ae1bd0a13892bb3772c197f",
"versionType": "git"
},
{
"lessThan": "743f7c1762e098048ede8cdf8c89a118f8d12391",
"status": "affected",
"version": "04b6ba143521f4485b7f2c36c655b262a79dae97",
"versionType": "git"
},
{
"lessThan": "ef2d6bf9695669d31ece9f2ef39dec84874a87c7",
"status": "affected",
"version": "04b6ba143521f4485b7f2c36c655b262a79dae97",
"versionType": "git"
},
{
"lessThan": "ac6257a3ae5db5193b1f19c268e4f72d274ddb88",
"status": "affected",
"version": "04b6ba143521f4485b7f2c36c655b262a79dae97",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/hisilicon/hns3/hns3_enet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix deadlock issue when externel_lb and reset are executed together\n\nWhen externel_lb and reset are executed together, a deadlock may\noccur:\n[ 3147.217009] INFO: task kworker/u321:0:7 blocked for more than 120 seconds.\n[ 3147.230483] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 3147.238999] task:kworker/u321:0 state:D stack: 0 pid: 7 ppid: 2 flags:0x00000008\n[ 3147.248045] Workqueue: hclge hclge_service_task [hclge]\n[ 3147.253957] Call trace:\n[ 3147.257093] __switch_to+0x7c/0xbc\n[ 3147.261183] __schedule+0x338/0x6f0\n[ 3147.265357] schedule+0x50/0xe0\n[ 3147.269185] schedule_preempt_disabled+0x18/0x24\n[ 3147.274488] __mutex_lock.constprop.0+0x1d4/0x5dc\n[ 3147.279880] __mutex_lock_slowpath+0x1c/0x30\n[ 3147.284839] mutex_lock+0x50/0x60\n[ 3147.288841] rtnl_lock+0x20/0x2c\n[ 3147.292759] hclge_reset_prepare+0x68/0x90 [hclge]\n[ 3147.298239] hclge_reset_subtask+0x88/0xe0 [hclge]\n[ 3147.303718] hclge_reset_service_task+0x84/0x120 [hclge]\n[ 3147.309718] hclge_service_task+0x2c/0x70 [hclge]\n[ 3147.315109] process_one_work+0x1d0/0x490\n[ 3147.319805] worker_thread+0x158/0x3d0\n[ 3147.324240] kthread+0x108/0x13c\n[ 3147.328154] ret_from_fork+0x10/0x18\n\nIn externel_lb process, the hns3 driver call napi_disable()\nfirst, then the reset happen, then the restore process of the\nexternel_lb will fail, and will not call napi_enable(). When\ndoing externel_lb again, napi_disable() will be double call,\ncause a deadlock of rtnl_lock().\n\nThis patch use the HNS3_NIC_STATE_DOWN state to protect the\ncalling of napi_disable() and napi_enable() in externel_lb\nprocess, just as the usage in ndo_stop() and ndo_start()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:36.216Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d9f609cb50ebab4aa6341112f406bf9d3928ac81"
},
{
"url": "https://git.kernel.org/stable/c/743f7c1762e098048ede8cdf8c89a118f8d12391"
},
{
"url": "https://git.kernel.org/stable/c/ef2d6bf9695669d31ece9f2ef39dec84874a87c7"
},
{
"url": "https://git.kernel.org/stable/c/ac6257a3ae5db5193b1f19c268e4f72d274ddb88"
}
],
"title": "net: hns3: fix deadlock issue when externel_lb and reset are executed together",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54000",
"datePublished": "2025-12-24T10:55:36.216Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:36.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54118 (GCVE-0-2023-54118)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
serial: sc16is7xx: setup GPIO controller later in probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: sc16is7xx: setup GPIO controller later in probe
The GPIO controller component of the sc16is7xx driver is setup too
early, which can result in a race condition where another device tries
to utilise the GPIO lines before the sc16is7xx device has finished
initialising.
This issue manifests itself as an Oops when the GPIO lines are configured:
Unable to handle kernel read from unreadable memory at virtual address
...
pc : sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx]
lr : sc16is7xx_gpio_direction_output+0x4c/0x108 [sc16is7xx]
...
Call trace:
sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx]
gpiod_direction_output_raw_commit+0x64/0x318
gpiod_direction_output+0xb0/0x170
create_gpio_led+0xec/0x198
gpio_led_probe+0x16c/0x4f0
platform_drv_probe+0x5c/0xb0
really_probe+0xe8/0x448
driver_probe_device+0xe8/0x138
__device_attach_driver+0x94/0x118
bus_for_each_drv+0x8c/0xe0
__device_attach+0x100/0x1b8
device_initial_probe+0x28/0x38
bus_probe_device+0xa4/0xb0
deferred_probe_work_func+0x90/0xe0
process_one_work+0x1c4/0x480
worker_thread+0x54/0x430
kthread+0x138/0x150
ret_from_fork+0x10/0x1c
This patch moves the setup of the GPIO controller functions to later in the
probe function, ensuring the sc16is7xx device has already finished
initialising by the time other devices try to make use of the GPIO lines.
The error handling has also been reordered to reflect the new
initialisation order.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dfeae619d781dee61666d5551b93ba3be755a86b , < 17b96b5c19bec791b433890549e44ca523dc82aa
(git)
Affected: dfeae619d781dee61666d5551b93ba3be755a86b , < 49b326ce8a686428d8cbb82ed74fc88ed3f95a51 (git) Affected: dfeae619d781dee61666d5551b93ba3be755a86b , < f57c2164d082a36d177ab7fbf54c18970df89c22 (git) Affected: dfeae619d781dee61666d5551b93ba3be755a86b , < b71ff206707855ce73c04794c76f7b678b2d4f72 (git) Affected: dfeae619d781dee61666d5551b93ba3be755a86b , < c8f71b49ee4d28930c4a6798d1969fa91dc4ef3e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/sc16is7xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17b96b5c19bec791b433890549e44ca523dc82aa",
"status": "affected",
"version": "dfeae619d781dee61666d5551b93ba3be755a86b",
"versionType": "git"
},
{
"lessThan": "49b326ce8a686428d8cbb82ed74fc88ed3f95a51",
"status": "affected",
"version": "dfeae619d781dee61666d5551b93ba3be755a86b",
"versionType": "git"
},
{
"lessThan": "f57c2164d082a36d177ab7fbf54c18970df89c22",
"status": "affected",
"version": "dfeae619d781dee61666d5551b93ba3be755a86b",
"versionType": "git"
},
{
"lessThan": "b71ff206707855ce73c04794c76f7b678b2d4f72",
"status": "affected",
"version": "dfeae619d781dee61666d5551b93ba3be755a86b",
"versionType": "git"
},
{
"lessThan": "c8f71b49ee4d28930c4a6798d1969fa91dc4ef3e",
"status": "affected",
"version": "dfeae619d781dee61666d5551b93ba3be755a86b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/sc16is7xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: setup GPIO controller later in probe\n\nThe GPIO controller component of the sc16is7xx driver is setup too\nearly, which can result in a race condition where another device tries\nto utilise the GPIO lines before the sc16is7xx device has finished\ninitialising.\n\nThis issue manifests itself as an Oops when the GPIO lines are configured:\n\n Unable to handle kernel read from unreadable memory at virtual address\n ...\n pc : sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx]\n lr : sc16is7xx_gpio_direction_output+0x4c/0x108 [sc16is7xx]\n ...\n Call trace:\n sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx]\n gpiod_direction_output_raw_commit+0x64/0x318\n gpiod_direction_output+0xb0/0x170\n create_gpio_led+0xec/0x198\n gpio_led_probe+0x16c/0x4f0\n platform_drv_probe+0x5c/0xb0\n really_probe+0xe8/0x448\n driver_probe_device+0xe8/0x138\n __device_attach_driver+0x94/0x118\n bus_for_each_drv+0x8c/0xe0\n __device_attach+0x100/0x1b8\n device_initial_probe+0x28/0x38\n bus_probe_device+0xa4/0xb0\n deferred_probe_work_func+0x90/0xe0\n process_one_work+0x1c4/0x480\n worker_thread+0x54/0x430\n kthread+0x138/0x150\n ret_from_fork+0x10/0x1c\n\nThis patch moves the setup of the GPIO controller functions to later in the\nprobe function, ensuring the sc16is7xx device has already finished\ninitialising by the time other devices try to make use of the GPIO lines.\nThe error handling has also been reordered to reflect the new\ninitialisation order."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:51.571Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17b96b5c19bec791b433890549e44ca523dc82aa"
},
{
"url": "https://git.kernel.org/stable/c/49b326ce8a686428d8cbb82ed74fc88ed3f95a51"
},
{
"url": "https://git.kernel.org/stable/c/f57c2164d082a36d177ab7fbf54c18970df89c22"
},
{
"url": "https://git.kernel.org/stable/c/b71ff206707855ce73c04794c76f7b678b2d4f72"
},
{
"url": "https://git.kernel.org/stable/c/c8f71b49ee4d28930c4a6798d1969fa91dc4ef3e"
}
],
"title": "serial: sc16is7xx: setup GPIO controller later in probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54118",
"datePublished": "2025-12-24T13:06:38.998Z",
"dateReserved": "2025-12-24T13:02:52.520Z",
"dateUpdated": "2026-01-05T10:33:51.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54143 (GCVE-0-2023-54143)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
media: mediatek: vcodec: fix resource leaks in vdec_msg_queue_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: mediatek: vcodec: fix resource leaks in vdec_msg_queue_init()
If we encounter any error in the vdec_msg_queue_init() then we need
to set "msg_queue->wdma_addr.size = 0;". Normally, this is done
inside the vdec_msg_queue_deinit() function. However, if the
first call to allocate &msg_queue->wdma_addr fails, then the
vdec_msg_queue_deinit() function is a no-op. For that situation, just
set the size to zero explicitly and return.
There were two other error paths which did not clean up before returning.
Change those error paths to goto mem_alloc_err.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b199fe46f35c57a415acd4d5295b0f4e35048c11 , < 858322c409e0aba8f70810d23f35c482744f007c
(git)
Affected: b199fe46f35c57a415acd4d5295b0f4e35048c11 , < b7dbc27301f560c3b915235c53383155b3512083 (git) Affected: b199fe46f35c57a415acd4d5295b0f4e35048c11 , < 451dc187cadd47771e5d9434fe220fad7be84057 (git) Affected: b199fe46f35c57a415acd4d5295b0f4e35048c11 , < cf10b0bb503c974ba049d6f888b21178be20a962 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "858322c409e0aba8f70810d23f35c482744f007c",
"status": "affected",
"version": "b199fe46f35c57a415acd4d5295b0f4e35048c11",
"versionType": "git"
},
{
"lessThan": "b7dbc27301f560c3b915235c53383155b3512083",
"status": "affected",
"version": "b199fe46f35c57a415acd4d5295b0f4e35048c11",
"versionType": "git"
},
{
"lessThan": "451dc187cadd47771e5d9434fe220fad7be84057",
"status": "affected",
"version": "b199fe46f35c57a415acd4d5295b0f4e35048c11",
"versionType": "git"
},
{
"lessThan": "cf10b0bb503c974ba049d6f888b21178be20a962",
"status": "affected",
"version": "b199fe46f35c57a415acd4d5295b0f4e35048c11",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: fix resource leaks in vdec_msg_queue_init()\n\nIf we encounter any error in the vdec_msg_queue_init() then we need\nto set \"msg_queue-\u003ewdma_addr.size = 0;\". Normally, this is done\ninside the vdec_msg_queue_deinit() function. However, if the\nfirst call to allocate \u0026msg_queue-\u003ewdma_addr fails, then the\nvdec_msg_queue_deinit() function is a no-op. For that situation, just\nset the size to zero explicitly and return.\n\nThere were two other error paths which did not clean up before returning.\nChange those error paths to goto mem_alloc_err."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:56.869Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/858322c409e0aba8f70810d23f35c482744f007c"
},
{
"url": "https://git.kernel.org/stable/c/b7dbc27301f560c3b915235c53383155b3512083"
},
{
"url": "https://git.kernel.org/stable/c/451dc187cadd47771e5d9434fe220fad7be84057"
},
{
"url": "https://git.kernel.org/stable/c/cf10b0bb503c974ba049d6f888b21178be20a962"
}
],
"title": "media: mediatek: vcodec: fix resource leaks in vdec_msg_queue_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54143",
"datePublished": "2025-12-24T13:06:56.869Z",
"dateReserved": "2025-12-24T13:02:52.523Z",
"dateUpdated": "2025-12-24T13:06:56.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54177 (GCVE-0-2023-54177)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2026-01-05 11:36
VLAI?
EPSS
Title
quota: fix warning in dqgrab()
Summary
In the Linux kernel, the following vulnerability has been resolved:
quota: fix warning in dqgrab()
There's issue as follows when do fault injection:
WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0
Modules linked in:
CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541
RIP: 0010:dquot_disable+0x13b7/0x18c0
RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980
RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002
RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000
R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130
R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118
FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
dquot_load_quota_sb+0xd53/0x1060
dquot_resume+0x172/0x230
ext4_reconfigure+0x1dc6/0x27b0
reconfigure_super+0x515/0xa90
__x64_sys_fsconfig+0xb19/0xd20
do_syscall_64+0x39/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Above issue may happens as follows:
ProcessA ProcessB ProcessC
sys_fsconfig
vfs_fsconfig_locked
reconfigure_super
ext4_remount
dquot_suspend -> suspend all type quota
sys_fsconfig
vfs_fsconfig_locked
reconfigure_super
ext4_remount
dquot_resume
ret = dquot_load_quota_sb
add_dquot_ref
do_open -> open file O_RDWR
vfs_open
do_dentry_open
get_write_access
atomic_inc_unless_negative(&inode->i_writecount)
ext4_file_open
dquot_file_open
dquot_initialize
__dquot_initialize
dqget
atomic_inc(&dquot->dq_count);
__dquot_initialize
__dquot_initialize
dqget
if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
ext4_acquire_dquot
-> Return error DQ_ACTIVE_B flag isn't set
dquot_disable
invalidate_dquots
if (atomic_read(&dquot->dq_count))
dqgrab
WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
-> Trigger warning
In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when
dqgrab().
To solve above issue just replace the dqgrab() use in invalidate_dquots() with
atomic_inc(&dquot->dq_count).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9f985cb6c45bc3f8b7e161c9658d409d051d576f , < 6478eabc92274efae6269da7c515ba2b4c8e88d8
(git)
Affected: 9f985cb6c45bc3f8b7e161c9658d409d051d576f , < 965bad2bf1afef64ec16249da676dc7310cca32e (git) Affected: 9f985cb6c45bc3f8b7e161c9658d409d051d576f , < 3f378783c47b5749317ea008d8c931d6d3986d8f (git) Affected: 9f985cb6c45bc3f8b7e161c9658d409d051d576f , < cbaebbba722cb9738c55903efce11f51cdd97bee (git) Affected: 9f985cb6c45bc3f8b7e161c9658d409d051d576f , < 579d814de87c3cac69c9b261efa165d07cde3357 (git) Affected: 9f985cb6c45bc3f8b7e161c9658d409d051d576f , < 6432843debe1ec7d76c5b2f76c67f9c5df22436e (git) Affected: 9f985cb6c45bc3f8b7e161c9658d409d051d576f , < 6f4e543d277a12dfeff027e6ab24a170e1bfc160 (git) Affected: 9f985cb6c45bc3f8b7e161c9658d409d051d576f , < d6a95db3c7ad160bc16b89e36449705309b52bcb (git) Affected: b5258061a2a8f657aa5900dd3c1ded9e868e3544 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/quota/dquot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6478eabc92274efae6269da7c515ba2b4c8e88d8",
"status": "affected",
"version": "9f985cb6c45bc3f8b7e161c9658d409d051d576f",
"versionType": "git"
},
{
"lessThan": "965bad2bf1afef64ec16249da676dc7310cca32e",
"status": "affected",
"version": "9f985cb6c45bc3f8b7e161c9658d409d051d576f",
"versionType": "git"
},
{
"lessThan": "3f378783c47b5749317ea008d8c931d6d3986d8f",
"status": "affected",
"version": "9f985cb6c45bc3f8b7e161c9658d409d051d576f",
"versionType": "git"
},
{
"lessThan": "cbaebbba722cb9738c55903efce11f51cdd97bee",
"status": "affected",
"version": "9f985cb6c45bc3f8b7e161c9658d409d051d576f",
"versionType": "git"
},
{
"lessThan": "579d814de87c3cac69c9b261efa165d07cde3357",
"status": "affected",
"version": "9f985cb6c45bc3f8b7e161c9658d409d051d576f",
"versionType": "git"
},
{
"lessThan": "6432843debe1ec7d76c5b2f76c67f9c5df22436e",
"status": "affected",
"version": "9f985cb6c45bc3f8b7e161c9658d409d051d576f",
"versionType": "git"
},
{
"lessThan": "6f4e543d277a12dfeff027e6ab24a170e1bfc160",
"status": "affected",
"version": "9f985cb6c45bc3f8b7e161c9658d409d051d576f",
"versionType": "git"
},
{
"lessThan": "d6a95db3c7ad160bc16b89e36449705309b52bcb",
"status": "affected",
"version": "9f985cb6c45bc3f8b7e161c9658d409d051d576f",
"versionType": "git"
},
{
"status": "affected",
"version": "b5258061a2a8f657aa5900dd3c1ded9e868e3544",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/quota/dquot.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: fix warning in dqgrab()\n\nThere\u0027s issue as follows when do fault injection:\nWARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0\nModules linked in:\nCPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541\nRIP: 0010:dquot_disable+0x13b7/0x18c0\nRSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980\nRDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002\nRBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000\nR10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130\nR13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118\nFS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n dquot_load_quota_sb+0xd53/0x1060\n dquot_resume+0x172/0x230\n ext4_reconfigure+0x1dc6/0x27b0\n reconfigure_super+0x515/0xa90\n __x64_sys_fsconfig+0xb19/0xd20\n do_syscall_64+0x39/0xb0\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAbove issue may happens as follows:\nProcessA ProcessB ProcessC\nsys_fsconfig\n vfs_fsconfig_locked\n reconfigure_super\n ext4_remount\n dquot_suspend -\u003e suspend all type quota\n\n sys_fsconfig\n vfs_fsconfig_locked\n reconfigure_super\n ext4_remount\n dquot_resume\n ret = dquot_load_quota_sb\n add_dquot_ref\n do_open -\u003e open file O_RDWR\n vfs_open\n do_dentry_open\n get_write_access\n atomic_inc_unless_negative(\u0026inode-\u003ei_writecount)\n ext4_file_open\n dquot_file_open\n dquot_initialize\n __dquot_initialize\n dqget\n\t\t\t\t\t\t atomic_inc(\u0026dquot-\u003edq_count);\n\n __dquot_initialize\n __dquot_initialize\n dqget\n if (!test_bit(DQ_ACTIVE_B, \u0026dquot-\u003edq_flags))\n ext4_acquire_dquot\n\t\t\t -\u003e Return error DQ_ACTIVE_B flag isn\u0027t set\n dquot_disable\n\t\t\t invalidate_dquots\n\t\t\t if (atomic_read(\u0026dquot-\u003edq_count))\n\t dqgrab\n\t\t\t WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, \u0026dquot-\u003edq_flags))\n\t -\u003e Trigger warning\n\nIn the above scenario, \u0027dquot-\u003edq_flags\u0027 has no DQ_ACTIVE_B is normal when\ndqgrab().\nTo solve above issue just replace the dqgrab() use in invalidate_dquots() with\natomic_inc(\u0026dquot-\u003edq_count)."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:36:48.949Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6478eabc92274efae6269da7c515ba2b4c8e88d8"
},
{
"url": "https://git.kernel.org/stable/c/965bad2bf1afef64ec16249da676dc7310cca32e"
},
{
"url": "https://git.kernel.org/stable/c/3f378783c47b5749317ea008d8c931d6d3986d8f"
},
{
"url": "https://git.kernel.org/stable/c/cbaebbba722cb9738c55903efce11f51cdd97bee"
},
{
"url": "https://git.kernel.org/stable/c/579d814de87c3cac69c9b261efa165d07cde3357"
},
{
"url": "https://git.kernel.org/stable/c/6432843debe1ec7d76c5b2f76c67f9c5df22436e"
},
{
"url": "https://git.kernel.org/stable/c/6f4e543d277a12dfeff027e6ab24a170e1bfc160"
},
{
"url": "https://git.kernel.org/stable/c/d6a95db3c7ad160bc16b89e36449705309b52bcb"
}
],
"title": "quota: fix warning in dqgrab()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54177",
"datePublished": "2025-12-30T12:08:49.588Z",
"dateReserved": "2025-12-30T12:06:44.496Z",
"dateUpdated": "2026-01-05T11:36:48.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54015 (GCVE-0-2023-54015)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
In case devcom allocation is failed, mlx5 is always freeing the priv.
However, this priv might have been allocated by a different thread,
and freeing it might lead to use-after-free bugs.
Fix it by freeing the priv only in case it was allocated by the
running thread.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fadd59fc50d010145f251db583c7ccef37393d19 , < 3dfc1004d9afbf689087ae1eafd88f55481984c7
(git)
Affected: fadd59fc50d010145f251db583c7ccef37393d19 , < d4d10a6df1529b3f446cdada5c25e065f4712756 (git) Affected: fadd59fc50d010145f251db583c7ccef37393d19 , < 1e755065368000205e6683fa924b2654e99f573b (git) Affected: fadd59fc50d010145f251db583c7ccef37393d19 , < eaa365c10459052cbe3e44caa4ad760cb93bd435 (git) Affected: fadd59fc50d010145f251db583c7ccef37393d19 , < a3a516caef2c5be2f4d171890a8b3415bfab4e5e (git) Affected: fadd59fc50d010145f251db583c7ccef37393d19 , < af87194352cad882d787d06fb7efa714acd95427 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3dfc1004d9afbf689087ae1eafd88f55481984c7",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
},
{
"lessThan": "d4d10a6df1529b3f446cdada5c25e065f4712756",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
},
{
"lessThan": "1e755065368000205e6683fa924b2654e99f573b",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
},
{
"lessThan": "eaa365c10459052cbe3e44caa4ad760cb93bd435",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
},
{
"lessThan": "a3a516caef2c5be2f4d171890a8b3415bfab4e5e",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
},
{
"lessThan": "af87194352cad882d787d06fb7efa714acd95427",
"status": "affected",
"version": "fadd59fc50d010145f251db583c7ccef37393d19",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.114",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.31",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.5",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Devcom, fix error flow in mlx5_devcom_register_device\n\nIn case devcom allocation is failed, mlx5 is always freeing the priv.\nHowever, this priv might have been allocated by a different thread,\nand freeing it might lead to use-after-free bugs.\nFix it by freeing the priv only in case it was allocated by the\nrunning thread."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:47.030Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3dfc1004d9afbf689087ae1eafd88f55481984c7"
},
{
"url": "https://git.kernel.org/stable/c/d4d10a6df1529b3f446cdada5c25e065f4712756"
},
{
"url": "https://git.kernel.org/stable/c/1e755065368000205e6683fa924b2654e99f573b"
},
{
"url": "https://git.kernel.org/stable/c/eaa365c10459052cbe3e44caa4ad760cb93bd435"
},
{
"url": "https://git.kernel.org/stable/c/a3a516caef2c5be2f4d171890a8b3415bfab4e5e"
},
{
"url": "https://git.kernel.org/stable/c/af87194352cad882d787d06fb7efa714acd95427"
}
],
"title": "net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54015",
"datePublished": "2025-12-24T10:55:47.030Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2025-12-24T10:55:47.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54038 (GCVE-0-2023-54038)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link
hci_connect_sco currently returns NULL when there is no link (i.e. when
hci_conn_link() returns NULL).
sco_connect() expects an ERR_PTR in case of any error (see line 266 in
sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which
tries to get hcon->hdev, resulting in dereferencing a NULL pointer as
reported by syzkaller.
The same issue exists for iso_connect_cis() calling hci_connect_cis().
Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR
instead of NULL.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "357ab53c83a5322437fa434e9a9e3e0bafe6b383",
"status": "affected",
"version": "06149746e7203d5ffe2d6faf9799ee36203aa8b8",
"versionType": "git"
},
{
"lessThan": "b4066eb04bb67e7ff66e5aaab0db4a753f37eaad",
"status": "affected",
"version": "06149746e7203d5ffe2d6faf9799ee36203aa8b8",
"versionType": "git"
},
{
"status": "affected",
"version": "f72fc94a17d45be98aecfd59c39b5b24a6a342e2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link\n\nhci_connect_sco currently returns NULL when there is no link (i.e. when\nhci_conn_link() returns NULL).\n\nsco_connect() expects an ERR_PTR in case of any error (see line 266 in\nsco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which\ntries to get hcon-\u003ehdev, resulting in dereferencing a NULL pointer as\nreported by syzkaller.\n\nThe same issue exists for iso_connect_cis() calling hci_connect_cis().\n\nThus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR\ninstead of NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:04.623Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/357ab53c83a5322437fa434e9a9e3e0bafe6b383"
},
{
"url": "https://git.kernel.org/stable/c/b4066eb04bb67e7ff66e5aaab0db4a753f37eaad"
}
],
"title": "Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54038",
"datePublished": "2025-12-24T10:56:04.623Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:04.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54312 (GCVE-0-2023-54312)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
samples/bpf: Fix buffer overflow in tcp_basertt
Summary
In the Linux kernel, the following vulnerability has been resolved:
samples/bpf: Fix buffer overflow in tcp_basertt
Using sizeof(nv) or strlen(nv)+1 is correct.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c890063e440456e75c2e70f6bcec3797f1771eb6 , < cf7514fedc25675e68b74941df28a883951e70fd
(git)
Affected: c890063e440456e75c2e70f6bcec3797f1771eb6 , < f394d204d64095d72ad9f03ff98f3f3743bf743a (git) Affected: c890063e440456e75c2e70f6bcec3797f1771eb6 , < bd3e880dce27d225598730d2bbb3dc05b443af22 (git) Affected: c890063e440456e75c2e70f6bcec3797f1771eb6 , < e92f61e0701ea780e57e1be8dbd1fbec5f42c09e (git) Affected: c890063e440456e75c2e70f6bcec3797f1771eb6 , < 56c25f2763a16db4fa1b486e6a21dc246cd992bd (git) Affected: c890063e440456e75c2e70f6bcec3797f1771eb6 , < dfc004688518d24159606289c74d0c4e123e6436 (git) Affected: c890063e440456e75c2e70f6bcec3797f1771eb6 , < 7c08d1b0d1f75117cf82aeaef49ba9f861b3fb59 (git) Affected: c890063e440456e75c2e70f6bcec3797f1771eb6 , < f4dea9689c5fea3d07170c2cb0703e216f1a0922 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"samples/bpf/tcp_basertt_kern.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf7514fedc25675e68b74941df28a883951e70fd",
"status": "affected",
"version": "c890063e440456e75c2e70f6bcec3797f1771eb6",
"versionType": "git"
},
{
"lessThan": "f394d204d64095d72ad9f03ff98f3f3743bf743a",
"status": "affected",
"version": "c890063e440456e75c2e70f6bcec3797f1771eb6",
"versionType": "git"
},
{
"lessThan": "bd3e880dce27d225598730d2bbb3dc05b443af22",
"status": "affected",
"version": "c890063e440456e75c2e70f6bcec3797f1771eb6",
"versionType": "git"
},
{
"lessThan": "e92f61e0701ea780e57e1be8dbd1fbec5f42c09e",
"status": "affected",
"version": "c890063e440456e75c2e70f6bcec3797f1771eb6",
"versionType": "git"
},
{
"lessThan": "56c25f2763a16db4fa1b486e6a21dc246cd992bd",
"status": "affected",
"version": "c890063e440456e75c2e70f6bcec3797f1771eb6",
"versionType": "git"
},
{
"lessThan": "dfc004688518d24159606289c74d0c4e123e6436",
"status": "affected",
"version": "c890063e440456e75c2e70f6bcec3797f1771eb6",
"versionType": "git"
},
{
"lessThan": "7c08d1b0d1f75117cf82aeaef49ba9f861b3fb59",
"status": "affected",
"version": "c890063e440456e75c2e70f6bcec3797f1771eb6",
"versionType": "git"
},
{
"lessThan": "f4dea9689c5fea3d07170c2cb0703e216f1a0922",
"status": "affected",
"version": "c890063e440456e75c2e70f6bcec3797f1771eb6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"samples/bpf/tcp_basertt_kern.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsamples/bpf: Fix buffer overflow in tcp_basertt\n\nUsing sizeof(nv) or strlen(nv)+1 is correct."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:43.828Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf7514fedc25675e68b74941df28a883951e70fd"
},
{
"url": "https://git.kernel.org/stable/c/f394d204d64095d72ad9f03ff98f3f3743bf743a"
},
{
"url": "https://git.kernel.org/stable/c/bd3e880dce27d225598730d2bbb3dc05b443af22"
},
{
"url": "https://git.kernel.org/stable/c/e92f61e0701ea780e57e1be8dbd1fbec5f42c09e"
},
{
"url": "https://git.kernel.org/stable/c/56c25f2763a16db4fa1b486e6a21dc246cd992bd"
},
{
"url": "https://git.kernel.org/stable/c/dfc004688518d24159606289c74d0c4e123e6436"
},
{
"url": "https://git.kernel.org/stable/c/7c08d1b0d1f75117cf82aeaef49ba9f861b3fb59"
},
{
"url": "https://git.kernel.org/stable/c/f4dea9689c5fea3d07170c2cb0703e216f1a0922"
}
],
"title": "samples/bpf: Fix buffer overflow in tcp_basertt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54312",
"datePublished": "2025-12-30T12:23:43.828Z",
"dateReserved": "2025-12-30T12:06:44.530Z",
"dateUpdated": "2025-12-30T12:23:43.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40006 (GCVE-0-2025-40006)
Vulnerability from cvelistv5 – Published: 2025-10-20 15:26 – Updated: 2025-10-20 15:26
VLAI?
EPSS
Title
mm/hugetlb: fix folio is still mapped when deleted
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix folio is still mapped when deleted
Migration may be raced with fallocating hole. remove_inode_single_folio
will unmap the folio if the folio is still mapped. However, it's called
without folio lock. If the folio is migrated and the mapped pte has been
converted to migration entry, folio_mapped() returns false, and won't
unmap it. Due to extra refcount held by remove_inode_single_folio,
migration fails, restores migration entry to normal pte, and the folio is
mapped again. As a result, we triggered BUG in filemap_unaccount_folio.
The log is as follows:
BUG: Bad page cache in process hugetlb pfn:156c00
page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00
head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0
aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file"
flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: f4(hugetlb)
page dumped because: still mapped when deleted
CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x70
filemap_unaccount_folio+0xc4/0x1c0
__filemap_remove_folio+0x38/0x1c0
filemap_remove_folio+0x41/0xd0
remove_inode_hugepages+0x142/0x250
hugetlbfs_fallocate+0x471/0x5a0
vfs_fallocate+0x149/0x380
Hold folio lock before checking if the folio is mapped to avold race with
migration.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4aae8d1c051ea00b456da6811bc36d1f69de5445 , < bc1c9ce8aeff45318332035dbef9713fb9e982d7
(git)
Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < 91f548e920fbf8be3f285bfa3fa045ae017e836d (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < 3e851448078f5b01f6264915df3cfef75e323a12 (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < c1dc0524ab2cc3982d4e0d2bfac71a0cd4d65c39 (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < c9c2a51f91aea70e89b496cac360cd795a2b3c26 (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < 910d7749346c4b0acdc6e4adfdc4a9984281a206 (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < 21ee79ce938127f88fe07e409c1817f477dbe7ea (git) Affected: 4aae8d1c051ea00b456da6811bc36d1f69de5445 , < 7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc1c9ce8aeff45318332035dbef9713fb9e982d7",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "91f548e920fbf8be3f285bfa3fa045ae017e836d",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "3e851448078f5b01f6264915df3cfef75e323a12",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "c1dc0524ab2cc3982d4e0d2bfac71a0cd4d65c39",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "c9c2a51f91aea70e89b496cac360cd795a2b3c26",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "910d7749346c4b0acdc6e4adfdc4a9984281a206",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "21ee79ce938127f88fe07e409c1817f477dbe7ea",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
},
{
"lessThan": "7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7",
"status": "affected",
"version": "4aae8d1c051ea00b456da6811bc36d1f69de5445",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix folio is still mapped when deleted\n\nMigration may be raced with fallocating hole. remove_inode_single_folio\nwill unmap the folio if the folio is still mapped. However, it\u0027s called\nwithout folio lock. If the folio is migrated and the mapped pte has been\nconverted to migration entry, folio_mapped() returns false, and won\u0027t\nunmap it. Due to extra refcount held by remove_inode_single_folio,\nmigration fails, restores migration entry to normal pte, and the folio is\nmapped again. As a result, we triggered BUG in filemap_unaccount_folio.\n\nThe log is as follows:\n BUG: Bad page cache in process hugetlb pfn:156c00\n page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00\n head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0\n aops:hugetlbfs_aops ino:dcc dentry name(?):\"my_hugepage_file\"\n flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: f4(hugetlb)\n page dumped because: still mapped when deleted\n CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE\n Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x4f/0x70\n filemap_unaccount_folio+0xc4/0x1c0\n __filemap_remove_folio+0x38/0x1c0\n filemap_remove_folio+0x41/0xd0\n remove_inode_hugepages+0x142/0x250\n hugetlbfs_fallocate+0x471/0x5a0\n vfs_fallocate+0x149/0x380\n\nHold folio lock before checking if the folio is mapped to avold race with\nmigration."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T15:26:53.097Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc1c9ce8aeff45318332035dbef9713fb9e982d7"
},
{
"url": "https://git.kernel.org/stable/c/91f548e920fbf8be3f285bfa3fa045ae017e836d"
},
{
"url": "https://git.kernel.org/stable/c/3e851448078f5b01f6264915df3cfef75e323a12"
},
{
"url": "https://git.kernel.org/stable/c/c1dc0524ab2cc3982d4e0d2bfac71a0cd4d65c39"
},
{
"url": "https://git.kernel.org/stable/c/c9c2a51f91aea70e89b496cac360cd795a2b3c26"
},
{
"url": "https://git.kernel.org/stable/c/910d7749346c4b0acdc6e4adfdc4a9984281a206"
},
{
"url": "https://git.kernel.org/stable/c/21ee79ce938127f88fe07e409c1817f477dbe7ea"
},
{
"url": "https://git.kernel.org/stable/c/7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7"
}
],
"title": "mm/hugetlb: fix folio is still mapped when deleted",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40006",
"datePublished": "2025-10-20T15:26:53.097Z",
"dateReserved": "2025-04-16T07:20:57.151Z",
"dateUpdated": "2025-10-20T15:26:53.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53792 (GCVE-0-2023-53792)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
nvme-core: fix memory leak in dhchap_ctrl_secret
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-core: fix memory leak in dhchap_ctrl_secret
Free dhchap_secret in nvme_ctrl_dhchap_ctrl_secret_store() before we
return when nvme_auth_generate_key() returns error.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 43d0724d756a13694f612a8a151f835ad6425b93
(git)
Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 39b90fc75943406d2bd60fd1ea041aca2559cc5f (git) Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 6ec30a62789913b1bd0f0d44ea4d0d2d5608b1e8 (git) Affected: f50fff73d620cd6e8f48bc58d4f1c944615a3fea , < 99c2dcc8ffc24e210a3aa05c204d92f3ef460b05 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "43d0724d756a13694f612a8a151f835ad6425b93",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "39b90fc75943406d2bd60fd1ea041aca2559cc5f",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "6ec30a62789913b1bd0f0d44ea4d0d2d5608b1e8",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
},
{
"lessThan": "99c2dcc8ffc24e210a3aa05c204d92f3ef460b05",
"status": "affected",
"version": "f50fff73d620cd6e8f48bc58d4f1c944615a3fea",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-core: fix memory leak in dhchap_ctrl_secret\n\nFree dhchap_secret in nvme_ctrl_dhchap_ctrl_secret_store() before we\nreturn when nvme_auth_generate_key() returns error."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:49.221Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/43d0724d756a13694f612a8a151f835ad6425b93"
},
{
"url": "https://git.kernel.org/stable/c/39b90fc75943406d2bd60fd1ea041aca2559cc5f"
},
{
"url": "https://git.kernel.org/stable/c/6ec30a62789913b1bd0f0d44ea4d0d2d5608b1e8"
},
{
"url": "https://git.kernel.org/stable/c/99c2dcc8ffc24e210a3aa05c204d92f3ef460b05"
}
],
"title": "nvme-core: fix memory leak in dhchap_ctrl_secret",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53792",
"datePublished": "2025-12-09T00:00:49.221Z",
"dateReserved": "2025-12-08T23:58:35.274Z",
"dateUpdated": "2025-12-09T00:00:49.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50653 (GCVE-0-2022-50653)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
mmc: atmel-mci: fix return value check of mmc_add_host()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: atmel-mci: fix return value check of mmc_add_host()
mmc_add_host() may return error, if we ignore its return value,
it will lead two issues:
1. The memory that allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete device, but it's not added yet, it will lead a kernel
crash because of null-ptr-deref in device_del().
So fix this by checking the return value and calling mmc_free_host()
in the error path.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7d2be0749a59096a334c94dc48f43294193cb8ed , < 99a6cdfa2cf05028b52f6d8ee85ccc5f8b71b4a2
(git)
Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < 6bb26abb92f25e582a0976091a10b539fe3796db (git) Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < 00ac0f5f95920f003cd6ece53cdc759549b69118 (git) Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < 1925472dec31ec061d57412b3a65a056ea24f340 (git) Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < cc8bb436f3c842a86b9082d97933582120d180e2 (git) Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < 85946ceb0fac20ab39cdb85333086daf0291a553 (git) Affected: 7d2be0749a59096a334c94dc48f43294193cb8ed , < 9e6e8c43726673ca2abcaac87640b9215fd72f4c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/atmel-mci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99a6cdfa2cf05028b52f6d8ee85ccc5f8b71b4a2",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "6bb26abb92f25e582a0976091a10b539fe3796db",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "00ac0f5f95920f003cd6ece53cdc759549b69118",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "1925472dec31ec061d57412b3a65a056ea24f340",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "cc8bb436f3c842a86b9082d97933582120d180e2",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "85946ceb0fac20ab39cdb85333086daf0291a553",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
},
{
"lessThan": "9e6e8c43726673ca2abcaac87640b9215fd72f4c",
"status": "affected",
"version": "7d2be0749a59096a334c94dc48f43294193cb8ed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/atmel-mci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: atmel-mci: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value,\nit will lead two issues:\n1. The memory that allocated in mmc_alloc_host() is leaked.\n2. In the remove() path, mmc_remove_host() will be called to\n delete device, but it\u0027s not added yet, it will lead a kernel\n crash because of null-ptr-deref in device_del().\n\nSo fix this by checking the return value and calling mmc_free_host()\nin the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:27.592Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99a6cdfa2cf05028b52f6d8ee85ccc5f8b71b4a2"
},
{
"url": "https://git.kernel.org/stable/c/6bb26abb92f25e582a0976091a10b539fe3796db"
},
{
"url": "https://git.kernel.org/stable/c/00ac0f5f95920f003cd6ece53cdc759549b69118"
},
{
"url": "https://git.kernel.org/stable/c/1925472dec31ec061d57412b3a65a056ea24f340"
},
{
"url": "https://git.kernel.org/stable/c/cc8bb436f3c842a86b9082d97933582120d180e2"
},
{
"url": "https://git.kernel.org/stable/c/85946ceb0fac20ab39cdb85333086daf0291a553"
},
{
"url": "https://git.kernel.org/stable/c/9e6e8c43726673ca2abcaac87640b9215fd72f4c"
}
],
"title": "mmc: atmel-mci: fix return value check of mmc_add_host()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50653",
"datePublished": "2025-12-09T00:00:27.592Z",
"dateReserved": "2025-12-08T23:57:43.372Z",
"dateUpdated": "2025-12-09T00:00:27.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54301 (GCVE-0-2023-54301)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
serial: 8250_bcm7271: fix leak in `brcmuart_probe`
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250_bcm7271: fix leak in `brcmuart_probe`
Smatch reports:
drivers/tty/serial/8250/8250_bcm7271.c:1120 brcmuart_probe() warn:
'baud_mux_clk' from clk_prepare_enable() not released on lines: 1032.
The issue is fixed by using a managed clock.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
41a469482de257ea8db43cf74b6311bd055de030 , < 5258395e67fee6929fb8e50c8239f8de51b8cb2d
(git)
Affected: 41a469482de257ea8db43cf74b6311bd055de030 , < 2a3e5f428fc4315be6144524912eaefac16f43a9 (git) Affected: 41a469482de257ea8db43cf74b6311bd055de030 , < 56a81445b8e4b8906d557518c5dae3ddbb447d1e (git) Affected: 41a469482de257ea8db43cf74b6311bd055de030 , < f264f2f6f4788dc031cef60a0cf2881902736709 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_bcm7271.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5258395e67fee6929fb8e50c8239f8de51b8cb2d",
"status": "affected",
"version": "41a469482de257ea8db43cf74b6311bd055de030",
"versionType": "git"
},
{
"lessThan": "2a3e5f428fc4315be6144524912eaefac16f43a9",
"status": "affected",
"version": "41a469482de257ea8db43cf74b6311bd055de030",
"versionType": "git"
},
{
"lessThan": "56a81445b8e4b8906d557518c5dae3ddbb447d1e",
"status": "affected",
"version": "41a469482de257ea8db43cf74b6311bd055de030",
"versionType": "git"
},
{
"lessThan": "f264f2f6f4788dc031cef60a0cf2881902736709",
"status": "affected",
"version": "41a469482de257ea8db43cf74b6311bd055de030",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_bcm7271.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250_bcm7271: fix leak in `brcmuart_probe`\n\nSmatch reports:\ndrivers/tty/serial/8250/8250_bcm7271.c:1120 brcmuart_probe() warn:\n\u0027baud_mux_clk\u0027 from clk_prepare_enable() not released on lines: 1032.\n\nThe issue is fixed by using a managed clock."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:36.502Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5258395e67fee6929fb8e50c8239f8de51b8cb2d"
},
{
"url": "https://git.kernel.org/stable/c/2a3e5f428fc4315be6144524912eaefac16f43a9"
},
{
"url": "https://git.kernel.org/stable/c/56a81445b8e4b8906d557518c5dae3ddbb447d1e"
},
{
"url": "https://git.kernel.org/stable/c/f264f2f6f4788dc031cef60a0cf2881902736709"
}
],
"title": "serial: 8250_bcm7271: fix leak in `brcmuart_probe`",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54301",
"datePublished": "2025-12-30T12:23:36.502Z",
"dateReserved": "2025-12-30T12:06:44.528Z",
"dateUpdated": "2025-12-30T12:23:36.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54302 (GCVE-0-2023-54302)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
RDMA/irdma: Fix data race on CQP completion stats
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Fix data race on CQP completion stats
CQP completion statistics is read lockesly in irdma_wait_event and
irdma_check_cqp_progress while it can be updated in the completion
thread irdma_sc_ccq_get_cqe_info on another CPU as KCSAN reports.
Make completion statistics an atomic variable to reflect coherent updates
to it. This will also avoid load/store tearing logic bug potentially
possible by compiler optimizations.
[77346.170861] BUG: KCSAN: data-race in irdma_handle_cqp_op [irdma] / irdma_sc_ccq_get_cqe_info [irdma]
[77346.171383] write to 0xffff8a3250b108e0 of 8 bytes by task 9544 on cpu 4:
[77346.171483] irdma_sc_ccq_get_cqe_info+0x27a/0x370 [irdma]
[77346.171658] irdma_cqp_ce_handler+0x164/0x270 [irdma]
[77346.171835] cqp_compl_worker+0x1b/0x20 [irdma]
[77346.172009] process_one_work+0x4d1/0xa40
[77346.172024] worker_thread+0x319/0x700
[77346.172037] kthread+0x180/0x1b0
[77346.172054] ret_from_fork+0x22/0x30
[77346.172136] read to 0xffff8a3250b108e0 of 8 bytes by task 9838 on cpu 2:
[77346.172234] irdma_handle_cqp_op+0xf4/0x4b0 [irdma]
[77346.172413] irdma_cqp_aeq_cmd+0x75/0xa0 [irdma]
[77346.172592] irdma_create_aeq+0x390/0x45a [irdma]
[77346.172769] irdma_rt_init_hw.cold+0x212/0x85d [irdma]
[77346.172944] irdma_probe+0x54f/0x620 [irdma]
[77346.173122] auxiliary_bus_probe+0x66/0xa0
[77346.173137] really_probe+0x140/0x540
[77346.173154] __driver_probe_device+0xc7/0x220
[77346.173173] driver_probe_device+0x5f/0x140
[77346.173190] __driver_attach+0xf0/0x2c0
[77346.173208] bus_for_each_dev+0xa8/0xf0
[77346.173225] driver_attach+0x29/0x30
[77346.173240] bus_add_driver+0x29c/0x2f0
[77346.173255] driver_register+0x10f/0x1a0
[77346.173272] __auxiliary_driver_register+0xbc/0x140
[77346.173287] irdma_init_module+0x55/0x1000 [irdma]
[77346.173460] do_one_initcall+0x7d/0x410
[77346.173475] do_init_module+0x81/0x2c0
[77346.173491] load_module+0x1232/0x12c0
[77346.173506] __do_sys_finit_module+0x101/0x180
[77346.173522] __x64_sys_finit_module+0x3c/0x50
[77346.173538] do_syscall_64+0x39/0x90
[77346.173553] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[77346.173634] value changed: 0x0000000000000094 -> 0x0000000000000095
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < bf0f9f65b7fe36ea9d2e23263dcefc90255d7b1f
(git)
Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < 4e1a5842a359ee18d5a9e75097d7cf4d93e233bb (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < 2623ca92cd8f9668edabe9e4f4a3cf77fd7115f2 (git) Affected: 915cc7ac0f8e2a23675ee896e87f17c7d3c47089 , < f2c3037811381f9149243828c7eb9a1631df9f9c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/ctrl.c",
"drivers/infiniband/hw/irdma/defs.h",
"drivers/infiniband/hw/irdma/type.h",
"drivers/infiniband/hw/irdma/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bf0f9f65b7fe36ea9d2e23263dcefc90255d7b1f",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "4e1a5842a359ee18d5a9e75097d7cf4d93e233bb",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "2623ca92cd8f9668edabe9e4f4a3cf77fd7115f2",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
},
{
"lessThan": "f2c3037811381f9149243828c7eb9a1631df9f9c",
"status": "affected",
"version": "915cc7ac0f8e2a23675ee896e87f17c7d3c47089",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/ctrl.c",
"drivers/infiniband/hw/irdma/defs.h",
"drivers/infiniband/hw/irdma/type.h",
"drivers/infiniband/hw/irdma/utils.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix data race on CQP completion stats\n\nCQP completion statistics is read lockesly in irdma_wait_event and\nirdma_check_cqp_progress while it can be updated in the completion\nthread irdma_sc_ccq_get_cqe_info on another CPU as KCSAN reports.\n\nMake completion statistics an atomic variable to reflect coherent updates\nto it. This will also avoid load/store tearing logic bug potentially\npossible by compiler optimizations.\n\n[77346.170861] BUG: KCSAN: data-race in irdma_handle_cqp_op [irdma] / irdma_sc_ccq_get_cqe_info [irdma]\n\n[77346.171383] write to 0xffff8a3250b108e0 of 8 bytes by task 9544 on cpu 4:\n[77346.171483] irdma_sc_ccq_get_cqe_info+0x27a/0x370 [irdma]\n[77346.171658] irdma_cqp_ce_handler+0x164/0x270 [irdma]\n[77346.171835] cqp_compl_worker+0x1b/0x20 [irdma]\n[77346.172009] process_one_work+0x4d1/0xa40\n[77346.172024] worker_thread+0x319/0x700\n[77346.172037] kthread+0x180/0x1b0\n[77346.172054] ret_from_fork+0x22/0x30\n\n[77346.172136] read to 0xffff8a3250b108e0 of 8 bytes by task 9838 on cpu 2:\n[77346.172234] irdma_handle_cqp_op+0xf4/0x4b0 [irdma]\n[77346.172413] irdma_cqp_aeq_cmd+0x75/0xa0 [irdma]\n[77346.172592] irdma_create_aeq+0x390/0x45a [irdma]\n[77346.172769] irdma_rt_init_hw.cold+0x212/0x85d [irdma]\n[77346.172944] irdma_probe+0x54f/0x620 [irdma]\n[77346.173122] auxiliary_bus_probe+0x66/0xa0\n[77346.173137] really_probe+0x140/0x540\n[77346.173154] __driver_probe_device+0xc7/0x220\n[77346.173173] driver_probe_device+0x5f/0x140\n[77346.173190] __driver_attach+0xf0/0x2c0\n[77346.173208] bus_for_each_dev+0xa8/0xf0\n[77346.173225] driver_attach+0x29/0x30\n[77346.173240] bus_add_driver+0x29c/0x2f0\n[77346.173255] driver_register+0x10f/0x1a0\n[77346.173272] __auxiliary_driver_register+0xbc/0x140\n[77346.173287] irdma_init_module+0x55/0x1000 [irdma]\n[77346.173460] do_one_initcall+0x7d/0x410\n[77346.173475] do_init_module+0x81/0x2c0\n[77346.173491] load_module+0x1232/0x12c0\n[77346.173506] __do_sys_finit_module+0x101/0x180\n[77346.173522] __x64_sys_finit_module+0x3c/0x50\n[77346.173538] do_syscall_64+0x39/0x90\n[77346.173553] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\n[77346.173634] value changed: 0x0000000000000094 -\u003e 0x0000000000000095"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:37.165Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bf0f9f65b7fe36ea9d2e23263dcefc90255d7b1f"
},
{
"url": "https://git.kernel.org/stable/c/4e1a5842a359ee18d5a9e75097d7cf4d93e233bb"
},
{
"url": "https://git.kernel.org/stable/c/2623ca92cd8f9668edabe9e4f4a3cf77fd7115f2"
},
{
"url": "https://git.kernel.org/stable/c/f2c3037811381f9149243828c7eb9a1631df9f9c"
}
],
"title": "RDMA/irdma: Fix data race on CQP completion stats",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54302",
"datePublished": "2025-12-30T12:23:37.165Z",
"dateReserved": "2025-12-30T12:06:44.529Z",
"dateUpdated": "2025-12-30T12:23:37.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54246 (GCVE-0-2023-54246)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle()
Summary
In the Linux kernel, the following vulnerability has been resolved:
rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle()
The rcuscale.holdoff module parameter can be used to delay the start
of rcu_scale_writer() kthread. However, the hung-task timeout will
trigger when the timeout specified by rcuscale.holdoff is greater than
hung_task_timeout_secs:
runqemu kvm nographic slirp qemuparams="-smp 4 -m 2048M"
bootparams="rcuscale.shutdown=0 rcuscale.holdoff=300"
[ 247.071753] INFO: task rcu_scale_write:59 blocked for more than 122 seconds.
[ 247.072529] Not tainted 6.4.0-rc1-00134-gb9ed6de8d4ff #7
[ 247.073400] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 247.074331] task:rcu_scale_write state:D stack:30144 pid:59 ppid:2 flags:0x00004000
[ 247.075346] Call Trace:
[ 247.075660] <TASK>
[ 247.075965] __schedule+0x635/0x1280
[ 247.076448] ? __pfx___schedule+0x10/0x10
[ 247.076967] ? schedule_timeout+0x2dc/0x4d0
[ 247.077471] ? __pfx_lock_release+0x10/0x10
[ 247.078018] ? enqueue_timer+0xe2/0x220
[ 247.078522] schedule+0x84/0x120
[ 247.078957] schedule_timeout+0x2e1/0x4d0
[ 247.079447] ? __pfx_schedule_timeout+0x10/0x10
[ 247.080032] ? __pfx_rcu_scale_writer+0x10/0x10
[ 247.080591] ? __pfx_process_timeout+0x10/0x10
[ 247.081163] ? __pfx_sched_set_fifo_low+0x10/0x10
[ 247.081760] ? __pfx_rcu_scale_writer+0x10/0x10
[ 247.082287] rcu_scale_writer+0x6b1/0x7f0
[ 247.082773] ? mark_held_locks+0x29/0xa0
[ 247.083252] ? __pfx_rcu_scale_writer+0x10/0x10
[ 247.083865] ? __pfx_rcu_scale_writer+0x10/0x10
[ 247.084412] kthread+0x179/0x1c0
[ 247.084759] ? __pfx_kthread+0x10/0x10
[ 247.085098] ret_from_fork+0x2c/0x50
[ 247.085433] </TASK>
This commit therefore replaces schedule_timeout_uninterruptible() with
schedule_timeout_idle().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
df37e66bfdbb57e8cae7dbf39a0c66b1b8701338 , < 55887adc76e19aec9763186e2c1d0a3481d20e96
(git)
Affected: df37e66bfdbb57e8cae7dbf39a0c66b1b8701338 , < 4f03fba096bfded90e0d71eba8839a46922164d1 (git) Affected: df37e66bfdbb57e8cae7dbf39a0c66b1b8701338 , < 83ed0cdb6ae0383dd14b02375c353773836884ed (git) Affected: df37e66bfdbb57e8cae7dbf39a0c66b1b8701338 , < 9416dccb31fdb190d25d57e97674f232651f6560 (git) Affected: df37e66bfdbb57e8cae7dbf39a0c66b1b8701338 , < e60c122a1614b4f65b29a7bef9d83b9fd30e937a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/rcu/rcuscale.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "55887adc76e19aec9763186e2c1d0a3481d20e96",
"status": "affected",
"version": "df37e66bfdbb57e8cae7dbf39a0c66b1b8701338",
"versionType": "git"
},
{
"lessThan": "4f03fba096bfded90e0d71eba8839a46922164d1",
"status": "affected",
"version": "df37e66bfdbb57e8cae7dbf39a0c66b1b8701338",
"versionType": "git"
},
{
"lessThan": "83ed0cdb6ae0383dd14b02375c353773836884ed",
"status": "affected",
"version": "df37e66bfdbb57e8cae7dbf39a0c66b1b8701338",
"versionType": "git"
},
{
"lessThan": "9416dccb31fdb190d25d57e97674f232651f6560",
"status": "affected",
"version": "df37e66bfdbb57e8cae7dbf39a0c66b1b8701338",
"versionType": "git"
},
{
"lessThan": "e60c122a1614b4f65b29a7bef9d83b9fd30e937a",
"status": "affected",
"version": "df37e66bfdbb57e8cae7dbf39a0c66b1b8701338",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/rcu/rcuscale.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle()\n\nThe rcuscale.holdoff module parameter can be used to delay the start\nof rcu_scale_writer() kthread. However, the hung-task timeout will\ntrigger when the timeout specified by rcuscale.holdoff is greater than\nhung_task_timeout_secs:\n\nrunqemu kvm nographic slirp qemuparams=\"-smp 4 -m 2048M\"\nbootparams=\"rcuscale.shutdown=0 rcuscale.holdoff=300\"\n\n[ 247.071753] INFO: task rcu_scale_write:59 blocked for more than 122 seconds.\n[ 247.072529] Not tainted 6.4.0-rc1-00134-gb9ed6de8d4ff #7\n[ 247.073400] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n[ 247.074331] task:rcu_scale_write state:D stack:30144 pid:59 ppid:2 flags:0x00004000\n[ 247.075346] Call Trace:\n[ 247.075660] \u003cTASK\u003e\n[ 247.075965] __schedule+0x635/0x1280\n[ 247.076448] ? __pfx___schedule+0x10/0x10\n[ 247.076967] ? schedule_timeout+0x2dc/0x4d0\n[ 247.077471] ? __pfx_lock_release+0x10/0x10\n[ 247.078018] ? enqueue_timer+0xe2/0x220\n[ 247.078522] schedule+0x84/0x120\n[ 247.078957] schedule_timeout+0x2e1/0x4d0\n[ 247.079447] ? __pfx_schedule_timeout+0x10/0x10\n[ 247.080032] ? __pfx_rcu_scale_writer+0x10/0x10\n[ 247.080591] ? __pfx_process_timeout+0x10/0x10\n[ 247.081163] ? __pfx_sched_set_fifo_low+0x10/0x10\n[ 247.081760] ? __pfx_rcu_scale_writer+0x10/0x10\n[ 247.082287] rcu_scale_writer+0x6b1/0x7f0\n[ 247.082773] ? mark_held_locks+0x29/0xa0\n[ 247.083252] ? __pfx_rcu_scale_writer+0x10/0x10\n[ 247.083865] ? __pfx_rcu_scale_writer+0x10/0x10\n[ 247.084412] kthread+0x179/0x1c0\n[ 247.084759] ? __pfx_kthread+0x10/0x10\n[ 247.085098] ret_from_fork+0x2c/0x50\n[ 247.085433] \u003c/TASK\u003e\n\nThis commit therefore replaces schedule_timeout_uninterruptible() with\nschedule_timeout_idle()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:02.311Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/55887adc76e19aec9763186e2c1d0a3481d20e96"
},
{
"url": "https://git.kernel.org/stable/c/4f03fba096bfded90e0d71eba8839a46922164d1"
},
{
"url": "https://git.kernel.org/stable/c/83ed0cdb6ae0383dd14b02375c353773836884ed"
},
{
"url": "https://git.kernel.org/stable/c/9416dccb31fdb190d25d57e97674f232651f6560"
},
{
"url": "https://git.kernel.org/stable/c/e60c122a1614b4f65b29a7bef9d83b9fd30e937a"
}
],
"title": "rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54246",
"datePublished": "2025-12-30T12:15:44.729Z",
"dateReserved": "2025-12-30T12:06:44.513Z",
"dateUpdated": "2026-01-05T11:37:02.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40110 (GCVE-0-2025-40110)
Vulnerability from cvelistv5 – Published: 2025-11-12 01:07 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
drm/vmwgfx: Fix a null-ptr access in the cursor snooper
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix a null-ptr access in the cursor snooper
Check that the resource which is converted to a surface exists before
trying to use the cursor snooper on it.
vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers
because some svga commands accept SVGA3D_INVALID_ID to mean "no surface",
unfortunately functions that accept the actual surfaces as objects might
(and in case of the cursor snooper, do not) be able to handle null
objects. Make sure that we validate not only the identifier (via the
vmw_cmd_res_check) but also check that the actual resource exists before
trying to do something with it.
Fixes unchecked null-ptr reference in the snooping code.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 3332212e93d0f6e24f8fe79f975e077c4e68ca39
(git)
Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 86aae7053d2da3fdfde7b2e84d86e4af50490505 (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < af9d88cbf0fce52f465978360542ef679713491f (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 299cfb5a7deabdf9ecd30071755672af0aced5eb (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 13c9e4ed125e19484234c960efe5ac9c55119523 (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < b6fca0a07989f361ceda27cb2d09c555d4d4a964 (git) Affected: c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1 , < 5ac2c0279053a2c5265d46903432fb26ae2d0da2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3332212e93d0f6e24f8fe79f975e077c4e68ca39",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "86aae7053d2da3fdfde7b2e84d86e4af50490505",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "af9d88cbf0fce52f465978360542ef679713491f",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "299cfb5a7deabdf9ecd30071755672af0aced5eb",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "13c9e4ed125e19484234c960efe5ac9c55119523",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "b6fca0a07989f361ceda27cb2d09c555d4d4a964",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
},
{
"lessThan": "5ac2c0279053a2c5265d46903432fb26ae2d0da2",
"status": "affected",
"version": "c0951b797e7d0f2c6b0df2c0e18185c72d0cf1a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix a null-ptr access in the cursor snooper\n\nCheck that the resource which is converted to a surface exists before\ntrying to use the cursor snooper on it.\n\nvmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers\nbecause some svga commands accept SVGA3D_INVALID_ID to mean \"no surface\",\nunfortunately functions that accept the actual surfaces as objects might\n(and in case of the cursor snooper, do not) be able to handle null\nobjects. Make sure that we validate not only the identifier (via the\nvmw_cmd_res_check) but also check that the actual resource exists before\ntrying to do something with it.\n\nFixes unchecked null-ptr reference in the snooping code."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:04.465Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3332212e93d0f6e24f8fe79f975e077c4e68ca39"
},
{
"url": "https://git.kernel.org/stable/c/86aae7053d2da3fdfde7b2e84d86e4af50490505"
},
{
"url": "https://git.kernel.org/stable/c/af9d88cbf0fce52f465978360542ef679713491f"
},
{
"url": "https://git.kernel.org/stable/c/299cfb5a7deabdf9ecd30071755672af0aced5eb"
},
{
"url": "https://git.kernel.org/stable/c/13c9e4ed125e19484234c960efe5ac9c55119523"
},
{
"url": "https://git.kernel.org/stable/c/b6fca0a07989f361ceda27cb2d09c555d4d4a964"
},
{
"url": "https://git.kernel.org/stable/c/5ac2c0279053a2c5265d46903432fb26ae2d0da2"
}
],
"title": "drm/vmwgfx: Fix a null-ptr access in the cursor snooper",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40110",
"datePublished": "2025-11-12T01:07:24.739Z",
"dateReserved": "2025-04-16T07:20:57.167Z",
"dateUpdated": "2026-01-19T12:18:04.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40287 (GCVE-0-2025-40287)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2026-01-26 16:17
VLAI?
EPSS
Title
exfat: fix improper check of dentry.stream.valid_size
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: fix improper check of dentry.stream.valid_size
We found an infinite loop bug in the exFAT file system that can lead to a
Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is
malformed, the following system calls — SYS_openat, SYS_ftruncate, and
SYS_pwrite64 — can cause the kernel to hang.
Root cause analysis shows that the size validation code in exfat_find()
does not check whether dentry.stream.valid_size is negative. As a result,
the system calls mentioned above can succeed and eventually trigger the DoS
issue.
This patch adds a check for negative dentry.stream.valid_size to prevent
this vulnerability.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
11a347fb6cef62ce47e84b97c45f2b2497c7593b , < 6c627bcc1896ba62ec793d0c00da74f3c93ce3ad
(git)
Affected: 11a347fb6cef62ce47e84b97c45f2b2497c7593b , < 204b1b02ee018ba52ad2ece21fe3a8643d66a1b2 (git) Affected: 11a347fb6cef62ce47e84b97c45f2b2497c7593b , < 82ebecdc74ff555daf70b811d854b1f32a296bea (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6c627bcc1896ba62ec793d0c00da74f3c93ce3ad",
"status": "affected",
"version": "11a347fb6cef62ce47e84b97c45f2b2497c7593b",
"versionType": "git"
},
{
"lessThan": "204b1b02ee018ba52ad2ece21fe3a8643d66a1b2",
"status": "affected",
"version": "11a347fb6cef62ce47e84b97c45f2b2497c7593b",
"versionType": "git"
},
{
"lessThan": "82ebecdc74ff555daf70b811d854b1f32a296bea",
"status": "affected",
"version": "11a347fb6cef62ce47e84b97c45f2b2497c7593b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/namei.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix improper check of dentry.stream.valid_size\n\nWe found an infinite loop bug in the exFAT file system that can lead to a\nDenial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is\nmalformed, the following system calls \u2014 SYS_openat, SYS_ftruncate, and\nSYS_pwrite64 \u2014 can cause the kernel to hang.\n\nRoot cause analysis shows that the size validation code in exfat_find()\ndoes not check whether dentry.stream.valid_size is negative. As a result,\nthe system calls mentioned above can succeed and eventually trigger the DoS\nissue.\n\nThis patch adds a check for negative dentry.stream.valid_size to prevent\nthis vulnerability."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:17:46.365Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c627bcc1896ba62ec793d0c00da74f3c93ce3ad"
},
{
"url": "https://git.kernel.org/stable/c/204b1b02ee018ba52ad2ece21fe3a8643d66a1b2"
},
{
"url": "https://git.kernel.org/stable/c/82ebecdc74ff555daf70b811d854b1f32a296bea"
}
],
"title": "exfat: fix improper check of dentry.stream.valid_size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40287",
"datePublished": "2025-12-06T21:51:13.328Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2026-01-26T16:17:46.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38554 (GCVE-0-2025-38554)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-09-29 05:53
VLAI?
EPSS
Title
mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped
By inducing delays in the right places, Jann Horn created a reproducer for
a hard to hit UAF issue that became possible after VMAs were allowed to be
recycled by adding SLAB_TYPESAFE_BY_RCU to their cache.
Race description is borrowed from Jann's discovery report:
lock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under
rcu_read_lock(). At that point, the VMA may be concurrently freed, and it
can be recycled by another process. vma_start_read() then increments the
vma->vm_refcnt (if it is in an acceptable range), and if this succeeds,
vma_start_read() can return a recycled VMA.
In this scenario where the VMA has been recycled, lock_vma_under_rcu()
will then detect the mismatching ->vm_mm pointer and drop the VMA through
vma_end_read(), which calls vma_refcount_put(). vma_refcount_put() drops
the refcount and then calls rcuwait_wake_up() using a copy of vma->vm_mm.
This is wrong: It implicitly assumes that the caller is keeping the VMA's
mm alive, but in this scenario the caller has no relation to the VMA's mm,
so the rcuwait_wake_up() can cause UAF.
The diagram depicting the race:
T1 T2 T3
== == ==
lock_vma_under_rcu
mas_walk
<VMA gets removed from mm>
mmap
<the same VMA is reallocated>
vma_start_read
__refcount_inc_not_zero_limited_acquire
munmap
__vma_enter_locked
refcount_add_not_zero
vma_end_read
vma_refcount_put
__refcount_dec_and_test
rcuwait_wait_event
<finish operation>
rcuwait_wake_up [UAF]
Note that rcuwait_wait_event() in T3 does not block because refcount was
already dropped by T1. At this point T3 can exit and free the mm causing
UAF in T1.
To avoid this we move vma->vm_mm verification into vma_start_read() and
grab vma->vm_mm to stabilize it before vma_refcount_put() operation.
[surenb@google.com: v3]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3104138517fc66aad21f4a2487bb572e9fc2e3ec , < 6e88fe54721dee17d3496bc998f0c7d243896348
(git)
Affected: 3104138517fc66aad21f4a2487bb572e9fc2e3ec , < 1bcd236a2536a451e385f8d6d2bb589689ec812f (git) Affected: 3104138517fc66aad21f4a2487bb572e9fc2e3ec , < 9bbffee67ffd16360179327b57f3b1245579ef08 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/mmap_lock.h",
"mm/mmap_lock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e88fe54721dee17d3496bc998f0c7d243896348",
"status": "affected",
"version": "3104138517fc66aad21f4a2487bb572e9fc2e3ec",
"versionType": "git"
},
{
"lessThan": "1bcd236a2536a451e385f8d6d2bb589689ec812f",
"status": "affected",
"version": "3104138517fc66aad21f4a2487bb572e9fc2e3ec",
"versionType": "git"
},
{
"lessThan": "9bbffee67ffd16360179327b57f3b1245579ef08",
"status": "affected",
"version": "3104138517fc66aad21f4a2487bb572e9fc2e3ec",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/mmap_lock.h",
"mm/mmap_lock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix a UAF when vma-\u003emm is freed after vma-\u003evm_refcnt got dropped\n\nBy inducing delays in the right places, Jann Horn created a reproducer for\na hard to hit UAF issue that became possible after VMAs were allowed to be\nrecycled by adding SLAB_TYPESAFE_BY_RCU to their cache.\n\nRace description is borrowed from Jann\u0027s discovery report:\nlock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under\nrcu_read_lock(). At that point, the VMA may be concurrently freed, and it\ncan be recycled by another process. vma_start_read() then increments the\nvma-\u003evm_refcnt (if it is in an acceptable range), and if this succeeds,\nvma_start_read() can return a recycled VMA.\n\nIn this scenario where the VMA has been recycled, lock_vma_under_rcu()\nwill then detect the mismatching -\u003evm_mm pointer and drop the VMA through\nvma_end_read(), which calls vma_refcount_put(). vma_refcount_put() drops\nthe refcount and then calls rcuwait_wake_up() using a copy of vma-\u003evm_mm. \nThis is wrong: It implicitly assumes that the caller is keeping the VMA\u0027s\nmm alive, but in this scenario the caller has no relation to the VMA\u0027s mm,\nso the rcuwait_wake_up() can cause UAF.\n\nThe diagram depicting the race:\nT1 T2 T3\n== == ==\nlock_vma_under_rcu\n mas_walk\n \u003cVMA gets removed from mm\u003e\n mmap\n \u003cthe same VMA is reallocated\u003e\n vma_start_read\n __refcount_inc_not_zero_limited_acquire\n munmap\n __vma_enter_locked\n refcount_add_not_zero\n vma_end_read\n vma_refcount_put\n __refcount_dec_and_test\n rcuwait_wait_event\n \u003cfinish operation\u003e\n rcuwait_wake_up [UAF]\n\nNote that rcuwait_wait_event() in T3 does not block because refcount was\nalready dropped by T1. At this point T3 can exit and free the mm causing\nUAF in T1.\n\nTo avoid this we move vma-\u003evm_mm verification into vma_start_read() and\ngrab vma-\u003evm_mm to stabilize it before vma_refcount_put() operation.\n\n[surenb@google.com: v3]"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:53:41.103Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e88fe54721dee17d3496bc998f0c7d243896348"
},
{
"url": "https://git.kernel.org/stable/c/1bcd236a2536a451e385f8d6d2bb589689ec812f"
},
{
"url": "https://git.kernel.org/stable/c/9bbffee67ffd16360179327b57f3b1245579ef08"
}
],
"title": "mm: fix a UAF when vma-\u003emm is freed after vma-\u003evm_refcnt got dropped",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38554",
"datePublished": "2025-08-19T17:02:33.315Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-09-29T05:53:41.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40319 (GCVE-0-2025-40319)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
bpf: Sync pending IRQ work before freeing ring buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Sync pending IRQ work before freeing ring buffer
Fix a race where irq_work can be queued in bpf_ringbuf_commit()
but the ring buffer is freed before the work executes.
In the syzbot reproducer, a BPF program attached to sched_switch
triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer
is freed before this work executes, the irq_work thread may accesses
freed memory.
Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work
complete before freeing the buffer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
457f44363a8894135c85b7a9afd2bd8196db24ab , < 47626748a2a00068dbbd5836d19076637b4e235b
(git)
Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < de2ce6b14bc3e565708a39bdba3ef9162aeffc72 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < e1828c7a8d8135e21ff6adaaa9458c32aae13b11 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 6451141103547f4efd774e912418a3b4318046c6 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 10ca3b2eec384628bc9f5d8190aed9427ad2dde6 (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 430e15544f11f8de26b2b5109c7152f71b78295e (git) Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47626748a2a00068dbbd5836d19076637b4e235b",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "de2ce6b14bc3e565708a39bdba3ef9162aeffc72",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "e1828c7a8d8135e21ff6adaaa9458c32aae13b11",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "6451141103547f4efd774e912418a3b4318046c6",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "10ca3b2eec384628bc9f5d8190aed9427ad2dde6",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "430e15544f11f8de26b2b5109c7152f71b78295e",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
},
{
"lessThan": "4e9077638301816a7d73fa1e1b4c1db4a7e3b59c",
"status": "affected",
"version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/ringbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Sync pending IRQ work before freeing ring buffer\n\nFix a race where irq_work can be queued in bpf_ringbuf_commit()\nbut the ring buffer is freed before the work executes.\nIn the syzbot reproducer, a BPF program attached to sched_switch\ntriggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer\nis freed before this work executes, the irq_work thread may accesses\nfreed memory.\nCalling `irq_work_sync(\u0026rb-\u003ework)` ensures that all pending irq_work\ncomplete before freeing the buffer."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:46.448Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47626748a2a00068dbbd5836d19076637b4e235b"
},
{
"url": "https://git.kernel.org/stable/c/de2ce6b14bc3e565708a39bdba3ef9162aeffc72"
},
{
"url": "https://git.kernel.org/stable/c/e1828c7a8d8135e21ff6adaaa9458c32aae13b11"
},
{
"url": "https://git.kernel.org/stable/c/6451141103547f4efd774e912418a3b4318046c6"
},
{
"url": "https://git.kernel.org/stable/c/10ca3b2eec384628bc9f5d8190aed9427ad2dde6"
},
{
"url": "https://git.kernel.org/stable/c/430e15544f11f8de26b2b5109c7152f71b78295e"
},
{
"url": "https://git.kernel.org/stable/c/4e9077638301816a7d73fa1e1b4c1db4a7e3b59c"
}
],
"title": "bpf: Sync pending IRQ work before freeing ring buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40319",
"datePublished": "2025-12-08T00:46:46.448Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:46.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54119 (GCVE-0-2023-54119)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
inotify: Avoid reporting event with invalid wd
Summary
In the Linux kernel, the following vulnerability has been resolved:
inotify: Avoid reporting event with invalid wd
When inotify_freeing_mark() races with inotify_handle_inode_event() it
can happen that inotify_handle_inode_event() sees that i_mark->wd got
already reset to -1 and reports this value to userspace which can
confuse the inotify listener. Avoid the problem by validating that wd is
sensible (and pretend the mark got removed before the event got
generated otherwise).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7e790dd5fc937bc8d2400c30a05e32a9e9eef276 , < 8fb33166aed888769ea63d6af49515893f8a1f14
(git)
Affected: 7e790dd5fc937bc8d2400c30a05e32a9e9eef276 , < 2d65c97777e5b4a845637800d5d7b648f5772106 (git) Affected: 7e790dd5fc937bc8d2400c30a05e32a9e9eef276 , < 17ad86d8c12220de97e80d88b5b4c934a40e1812 (git) Affected: 7e790dd5fc937bc8d2400c30a05e32a9e9eef276 , < 145f54ea336b06cf4f92eeee996f2ffca939ea43 (git) Affected: 7e790dd5fc937bc8d2400c30a05e32a9e9eef276 , < fb3294998489d39835006240e9c6e6b2ac62022e (git) Affected: 7e790dd5fc937bc8d2400c30a05e32a9e9eef276 , < a48bacee05860c6089c3482bcdc80720b0ee5732 (git) Affected: 7e790dd5fc937bc8d2400c30a05e32a9e9eef276 , < c915d8f5918bea7c3962b09b8884ca128bfd9b0c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/notify/inotify/inotify_fsnotify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fb33166aed888769ea63d6af49515893f8a1f14",
"status": "affected",
"version": "7e790dd5fc937bc8d2400c30a05e32a9e9eef276",
"versionType": "git"
},
{
"lessThan": "2d65c97777e5b4a845637800d5d7b648f5772106",
"status": "affected",
"version": "7e790dd5fc937bc8d2400c30a05e32a9e9eef276",
"versionType": "git"
},
{
"lessThan": "17ad86d8c12220de97e80d88b5b4c934a40e1812",
"status": "affected",
"version": "7e790dd5fc937bc8d2400c30a05e32a9e9eef276",
"versionType": "git"
},
{
"lessThan": "145f54ea336b06cf4f92eeee996f2ffca939ea43",
"status": "affected",
"version": "7e790dd5fc937bc8d2400c30a05e32a9e9eef276",
"versionType": "git"
},
{
"lessThan": "fb3294998489d39835006240e9c6e6b2ac62022e",
"status": "affected",
"version": "7e790dd5fc937bc8d2400c30a05e32a9e9eef276",
"versionType": "git"
},
{
"lessThan": "a48bacee05860c6089c3482bcdc80720b0ee5732",
"status": "affected",
"version": "7e790dd5fc937bc8d2400c30a05e32a9e9eef276",
"versionType": "git"
},
{
"lessThan": "c915d8f5918bea7c3962b09b8884ca128bfd9b0c",
"status": "affected",
"version": "7e790dd5fc937bc8d2400c30a05e32a9e9eef276",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/notify/inotify/inotify_fsnotify.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.112",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninotify: Avoid reporting event with invalid wd\n\nWhen inotify_freeing_mark() races with inotify_handle_inode_event() it\ncan happen that inotify_handle_inode_event() sees that i_mark-\u003ewd got\nalready reset to -1 and reports this value to userspace which can\nconfuse the inotify listener. Avoid the problem by validating that wd is\nsensible (and pretend the mark got removed before the event got\ngenerated otherwise)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:39.692Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fb33166aed888769ea63d6af49515893f8a1f14"
},
{
"url": "https://git.kernel.org/stable/c/2d65c97777e5b4a845637800d5d7b648f5772106"
},
{
"url": "https://git.kernel.org/stable/c/17ad86d8c12220de97e80d88b5b4c934a40e1812"
},
{
"url": "https://git.kernel.org/stable/c/145f54ea336b06cf4f92eeee996f2ffca939ea43"
},
{
"url": "https://git.kernel.org/stable/c/fb3294998489d39835006240e9c6e6b2ac62022e"
},
{
"url": "https://git.kernel.org/stable/c/a48bacee05860c6089c3482bcdc80720b0ee5732"
},
{
"url": "https://git.kernel.org/stable/c/c915d8f5918bea7c3962b09b8884ca128bfd9b0c"
}
],
"title": "inotify: Avoid reporting event with invalid wd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54119",
"datePublished": "2025-12-24T13:06:39.692Z",
"dateReserved": "2025-12-24T13:02:52.520Z",
"dateUpdated": "2025-12-24T13:06:39.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53833 (GCVE-0-2023-53833)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
drm/i915: Fix NULL ptr deref by checking new_crtc_state
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix NULL ptr deref by checking new_crtc_state
intel_atomic_get_new_crtc_state can return NULL, unless crtc state wasn't
obtained previously with intel_atomic_get_crtc_state, so we must check it
for NULLness here, just as in many other places, where we can't guarantee
that intel_atomic_get_crtc_state was called.
We are currently getting NULL ptr deref because of that, so this fix was
confirmed to help.
(cherry picked from commit 1d5b09f8daf859247a1ea65b0d732a24d88980d8)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
74a75dc908692dd0548209004e53832c02433c0c , < dbf25cc21beff4fd2e730573845a266504b21bb2
(git)
Affected: 74a75dc908692dd0548209004e53832c02433c0c , < 8b3c0d2d1685ba40b0af4ee1f8d8824a73870f88 (git) Affected: 74a75dc908692dd0548209004e53832c02433c0c , < a41d985902c153c31c616fe183cf2ee331e95ecb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_atomic_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbf25cc21beff4fd2e730573845a266504b21bb2",
"status": "affected",
"version": "74a75dc908692dd0548209004e53832c02433c0c",
"versionType": "git"
},
{
"lessThan": "8b3c0d2d1685ba40b0af4ee1f8d8824a73870f88",
"status": "affected",
"version": "74a75dc908692dd0548209004e53832c02433c0c",
"versionType": "git"
},
{
"lessThan": "a41d985902c153c31c616fe183cf2ee331e95ecb",
"status": "affected",
"version": "74a75dc908692dd0548209004e53832c02433c0c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_atomic_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix NULL ptr deref by checking new_crtc_state\n\nintel_atomic_get_new_crtc_state can return NULL, unless crtc state wasn\u0027t\nobtained previously with intel_atomic_get_crtc_state, so we must check it\nfor NULLness here, just as in many other places, where we can\u0027t guarantee\nthat intel_atomic_get_crtc_state was called.\nWe are currently getting NULL ptr deref because of that, so this fix was\nconfirmed to help.\n\n(cherry picked from commit 1d5b09f8daf859247a1ea65b0d732a24d88980d8)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:48.637Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbf25cc21beff4fd2e730573845a266504b21bb2"
},
{
"url": "https://git.kernel.org/stable/c/8b3c0d2d1685ba40b0af4ee1f8d8824a73870f88"
},
{
"url": "https://git.kernel.org/stable/c/a41d985902c153c31c616fe183cf2ee331e95ecb"
}
],
"title": "drm/i915: Fix NULL ptr deref by checking new_crtc_state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53833",
"datePublished": "2025-12-09T01:29:48.637Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:48.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40019 (GCVE-0-2025-40019)
Vulnerability from cvelistv5 – Published: 2025-10-24 11:44 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
crypto: essiv - Check ssize for decryption and in-place encryption
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: essiv - Check ssize for decryption and in-place encryption
Move the ssize check to the start in essiv_aead_crypt so that
it's also checked for decryption and in-place encryption.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 29294dd6f1e7acf527255fb136ffde6602c3a129
(git)
Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 71f03f8f72d9c70ffba76980e78b38c180e61589 (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < df58651968f82344a0ed2afdafd20ecfc55ff548 (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 248ff2797ff52a8cbf86507f9583437443bf7685 (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < f37e7860dc5e94c70b4a3e38a5809181310ea9ac (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < dc4c854a5e7453c465fa73b153eba4ef2a240abe (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < da7afb01ba05577ba3629f7f4824205550644986 (git) Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 6bb73db6948c2de23e407fe1b7ef94bf02b7529f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/essiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29294dd6f1e7acf527255fb136ffde6602c3a129",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "71f03f8f72d9c70ffba76980e78b38c180e61589",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "df58651968f82344a0ed2afdafd20ecfc55ff548",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "248ff2797ff52a8cbf86507f9583437443bf7685",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "f37e7860dc5e94c70b4a3e38a5809181310ea9ac",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "dc4c854a5e7453c465fa73b153eba4ef2a240abe",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "da7afb01ba05577ba3629f7f4824205550644986",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
},
{
"lessThan": "6bb73db6948c2de23e407fe1b7ef94bf02b7529f",
"status": "affected",
"version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/essiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: essiv - Check ssize for decryption and in-place encryption\n\nMove the ssize check to the start in essiv_aead_crypt so that\nit\u0027s also checked for decryption and in-place encryption."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:25.443Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29294dd6f1e7acf527255fb136ffde6602c3a129"
},
{
"url": "https://git.kernel.org/stable/c/71f03f8f72d9c70ffba76980e78b38c180e61589"
},
{
"url": "https://git.kernel.org/stable/c/df58651968f82344a0ed2afdafd20ecfc55ff548"
},
{
"url": "https://git.kernel.org/stable/c/248ff2797ff52a8cbf86507f9583437443bf7685"
},
{
"url": "https://git.kernel.org/stable/c/f37e7860dc5e94c70b4a3e38a5809181310ea9ac"
},
{
"url": "https://git.kernel.org/stable/c/dc4c854a5e7453c465fa73b153eba4ef2a240abe"
},
{
"url": "https://git.kernel.org/stable/c/da7afb01ba05577ba3629f7f4824205550644986"
},
{
"url": "https://git.kernel.org/stable/c/6bb73db6948c2de23e407fe1b7ef94bf02b7529f"
}
],
"title": "crypto: essiv - Check ssize for decryption and in-place encryption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40019",
"datePublished": "2025-10-24T11:44:29.864Z",
"dateReserved": "2025-04-16T07:20:57.152Z",
"dateUpdated": "2025-12-01T06:16:25.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40158 (GCVE-0-2025-40158)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
ipv6: use RCU in ip6_output()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: use RCU in ip6_output()
Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent
possible UAF.
We can remove rcu_read_lock()/rcu_read_unlock() pairs
from ip6_finish_output2().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0393f85c3241c19ba8550f04a812e7d19f6b3082",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "11709573cc4e48dc34c80fc7ab9ce5b159e29695",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: use RCU in ip6_output()\n\nUse RCU in ip6_output() in order to use dst_dev_rcu() to prevent\npossible UAF.\n\nWe can remove rcu_read_lock()/rcu_read_unlock() pairs\nfrom ip6_finish_output2()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:09.483Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0393f85c3241c19ba8550f04a812e7d19f6b3082"
},
{
"url": "https://git.kernel.org/stable/c/11709573cc4e48dc34c80fc7ab9ce5b159e29695"
}
],
"title": "ipv6: use RCU in ip6_output()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40158",
"datePublished": "2025-11-12T10:23:29.516Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-12-01T06:19:09.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40307 (GCVE-0-2025-40307)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
exfat: validate cluster allocation bits of the allocation bitmap
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: validate cluster allocation bits of the allocation bitmap
syzbot created an exfat image with cluster bits not set for the allocation
bitmap. exfat-fs reads and uses the allocation bitmap without checking
this. The problem is that if the start cluster of the allocation bitmap
is 6, cluster 6 can be allocated when creating a directory with mkdir.
exfat zeros out this cluster in exfat_mkdir, which can delete existing
entries. This can reallocate the allocated entries. In addition,
the allocation bitmap is also zeroed out, so cluster 6 can be reallocated.
This patch adds exfat_test_bitmap_range to validate that clusters used for
the allocation bitmap are correctly marked as in-use.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 6bc58b4c53795ab5fe00648344aa7d9d61175f90
(git)
Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 13c1d24803d5b0446b3f6f0fdd67e07ac1fdc7bf (git) Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 79c1587b6cda74deb0c86fc7ba194b92958c793c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/balloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6bc58b4c53795ab5fe00648344aa7d9d61175f90",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "13c1d24803d5b0446b3f6f0fdd67e07ac1fdc7bf",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
},
{
"lessThan": "79c1587b6cda74deb0c86fc7ba194b92958c793c",
"status": "affected",
"version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/balloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: validate cluster allocation bits of the allocation bitmap\n\nsyzbot created an exfat image with cluster bits not set for the allocation\nbitmap. exfat-fs reads and uses the allocation bitmap without checking\nthis. The problem is that if the start cluster of the allocation bitmap\nis 6, cluster 6 can be allocated when creating a directory with mkdir.\nexfat zeros out this cluster in exfat_mkdir, which can delete existing\nentries. This can reallocate the allocated entries. In addition,\nthe allocation bitmap is also zeroed out, so cluster 6 can be reallocated.\nThis patch adds exfat_test_bitmap_range to validate that clusters used for\nthe allocation bitmap are correctly marked as in-use."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:58.576Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6bc58b4c53795ab5fe00648344aa7d9d61175f90"
},
{
"url": "https://git.kernel.org/stable/c/13c1d24803d5b0446b3f6f0fdd67e07ac1fdc7bf"
},
{
"url": "https://git.kernel.org/stable/c/79c1587b6cda74deb0c86fc7ba194b92958c793c"
}
],
"title": "exfat: validate cluster allocation bits of the allocation bitmap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40307",
"datePublished": "2025-12-08T00:46:32.659Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:51:58.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54295 (GCVE-0-2023-54295)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type
spi_nor_set_erase_type() was used either to set or to mask out an erase
type. When we used it to mask out an erase type a shift-out-of-bounds
was hit:
UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24
shift exponent 4294967295 is too large for 32-bit type 'int'
The setting of the size_{shift, mask} and of the opcode are unnecessary
when the erase size is zero, as throughout the code just the erase size
is considered to determine whether an erase type is supported or not.
Setting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF
is an unused opcode. Thus when masking out an erase type, just set the
erase size to zero. This will fix the shift-out-of-bounds.
[ta: refine changes, new commit message, fix compilation error]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5390a8df769ec9ba9c995191bb0867430f602ebb , < e6409208c13f7c56adc12dd795abf4141e3d5e64
(git)
Affected: 5390a8df769ec9ba9c995191bb0867430f602ebb , < 61d44a4db2f54dbac7d22c2541574ea5755e0468 (git) Affected: 5390a8df769ec9ba9c995191bb0867430f602ebb , < 53b2916ebde741c657a857fa1936c0d9fcb59170 (git) Affected: 5390a8df769ec9ba9c995191bb0867430f602ebb , < 99341b8aee7b5b4255b339345bbcaa35867dfd0c (git) Affected: 5390a8df769ec9ba9c995191bb0867430f602ebb , < f0f0cfdc3a024e21161714f2e05f0df3b84d42ad (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/spi-nor/core.c",
"drivers/mtd/spi-nor/core.h",
"drivers/mtd/spi-nor/sfdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e6409208c13f7c56adc12dd795abf4141e3d5e64",
"status": "affected",
"version": "5390a8df769ec9ba9c995191bb0867430f602ebb",
"versionType": "git"
},
{
"lessThan": "61d44a4db2f54dbac7d22c2541574ea5755e0468",
"status": "affected",
"version": "5390a8df769ec9ba9c995191bb0867430f602ebb",
"versionType": "git"
},
{
"lessThan": "53b2916ebde741c657a857fa1936c0d9fcb59170",
"status": "affected",
"version": "5390a8df769ec9ba9c995191bb0867430f602ebb",
"versionType": "git"
},
{
"lessThan": "99341b8aee7b5b4255b339345bbcaa35867dfd0c",
"status": "affected",
"version": "5390a8df769ec9ba9c995191bb0867430f602ebb",
"versionType": "git"
},
{
"lessThan": "f0f0cfdc3a024e21161714f2e05f0df3b84d42ad",
"status": "affected",
"version": "5390a8df769ec9ba9c995191bb0867430f602ebb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/spi-nor/core.c",
"drivers/mtd/spi-nor/core.h",
"drivers/mtd/spi-nor/sfdp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type\n\nspi_nor_set_erase_type() was used either to set or to mask out an erase\ntype. When we used it to mask out an erase type a shift-out-of-bounds\nwas hit:\nUBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24\nshift exponent 4294967295 is too large for 32-bit type \u0027int\u0027\n\nThe setting of the size_{shift, mask} and of the opcode are unnecessary\nwhen the erase size is zero, as throughout the code just the erase size\nis considered to determine whether an erase type is supported or not.\nSetting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF\nis an unused opcode. Thus when masking out an erase type, just set the\nerase size to zero. This will fix the shift-out-of-bounds.\n\n[ta: refine changes, new commit message, fix compilation error]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:32.458Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e6409208c13f7c56adc12dd795abf4141e3d5e64"
},
{
"url": "https://git.kernel.org/stable/c/61d44a4db2f54dbac7d22c2541574ea5755e0468"
},
{
"url": "https://git.kernel.org/stable/c/53b2916ebde741c657a857fa1936c0d9fcb59170"
},
{
"url": "https://git.kernel.org/stable/c/99341b8aee7b5b4255b339345bbcaa35867dfd0c"
},
{
"url": "https://git.kernel.org/stable/c/f0f0cfdc3a024e21161714f2e05f0df3b84d42ad"
}
],
"title": "mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54295",
"datePublished": "2025-12-30T12:23:32.458Z",
"dateReserved": "2025-12-30T12:06:44.527Z",
"dateUpdated": "2025-12-30T12:23:32.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50652 (GCVE-0-2022-50652)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
uio: uio_dmem_genirq: Fix missing unlock in irq configuration
Summary
In the Linux kernel, the following vulnerability has been resolved:
uio: uio_dmem_genirq: Fix missing unlock in irq configuration
Commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in
uio_dmem_genirq_irqcontrol()") started calling disable_irq() without
holding the spinlock because it can sleep. However, that fix introduced
another bug: if interrupt is already disabled and a new disable request
comes in, then the spinlock is not unlocked:
root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0
root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0
root@localhost:~# [ 14.851538] BUG: scheduling while atomic: bash/223/0x00000002
[ 14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc]
[ 14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G OE 6.0.0-rc7 #21
[ 14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 14.855664] Call Trace:
[ 14.855861] <TASK>
[ 14.856025] dump_stack_lvl+0x4d/0x67
[ 14.856325] dump_stack+0x14/0x1a
[ 14.856583] __schedule_bug.cold+0x4b/0x5c
[ 14.856915] __schedule+0xe81/0x13d0
[ 14.857199] ? idr_find+0x13/0x20
[ 14.857456] ? get_work_pool+0x2d/0x50
[ 14.857756] ? __flush_work+0x233/0x280
[ 14.858068] ? __schedule+0xa95/0x13d0
[ 14.858307] ? idr_find+0x13/0x20
[ 14.858519] ? get_work_pool+0x2d/0x50
[ 14.858798] schedule+0x6c/0x100
[ 14.859009] schedule_hrtimeout_range_clock+0xff/0x110
[ 14.859335] ? tty_write_room+0x1f/0x30
[ 14.859598] ? n_tty_poll+0x1ec/0x220
[ 14.859830] ? tty_ldisc_deref+0x1a/0x20
[ 14.860090] schedule_hrtimeout_range+0x17/0x20
[ 14.860373] do_select+0x596/0x840
[ 14.860627] ? __kernel_text_address+0x16/0x50
[ 14.860954] ? poll_freewait+0xb0/0xb0
[ 14.861235] ? poll_freewait+0xb0/0xb0
[ 14.861517] ? rpm_resume+0x49d/0x780
[ 14.861798] ? common_interrupt+0x59/0xa0
[ 14.862127] ? asm_common_interrupt+0x2b/0x40
[ 14.862511] ? __uart_start.isra.0+0x61/0x70
[ 14.862902] ? __check_object_size+0x61/0x280
[ 14.863255] core_sys_select+0x1c6/0x400
[ 14.863575] ? vfs_write+0x1c9/0x3d0
[ 14.863853] ? vfs_write+0x1c9/0x3d0
[ 14.864121] ? _copy_from_user+0x45/0x70
[ 14.864526] do_pselect.constprop.0+0xb3/0xf0
[ 14.864893] ? do_syscall_64+0x6d/0x90
[ 14.865228] ? do_syscall_64+0x6d/0x90
[ 14.865556] __x64_sys_pselect6+0x76/0xa0
[ 14.865906] do_syscall_64+0x60/0x90
[ 14.866214] ? syscall_exit_to_user_mode+0x2a/0x50
[ 14.866640] ? do_syscall_64+0x6d/0x90
[ 14.866972] ? do_syscall_64+0x6d/0x90
[ 14.867286] ? do_syscall_64+0x6d/0x90
[ 14.867626] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...] stripped
[ 14.872959] </TASK>
('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this)
The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and
it is used in a similar manner to the "uio_pdrv_genirq" driver with respect
to interrupt configuration and handling. At the time "uio_dmem_genirq" was
introduced, both had the same implementation of the 'uio_info' handlers
irqcontrol() and handler(). Then commit 34cb27528398 ("UIO: Fix concurrency
issue"), which was only applied to "uio_pdrv_genirq", ended up making them
a little different. That commit, among other things, changed disable_irq()
to disable_irq_nosync() in the implementation of irqcontrol(). The
motivation there was to avoid a deadlock between irqcontrol() and
handler(), since it added a spinlock in the irq handler, and disable_irq()
waits for the completion of the irq handler.
By changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also
avoid the sleeping-whil
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b77fa964ecb1d72a671234f5bea95b41f77c233a , < 9977cb7af5a8f4738198b020436e2e56c5cd721e
(git)
Affected: 0151b03f43f2d295a6949454434074b34a262e06 , < a323d24a0183be730d2398b11b3a91e5c2e222a0 (git) Affected: ea6b7b1d58790ffb36bace723f6e62a1c8595c77 , < ac5585bb06a2e82177269bee93e59887ce591106 (git) Affected: 750a95d63746458e86c6d92dfad48a05c64d0ecd , < eca77a25a7cb3201738f4b55b9b8fa1089d7d002 (git) Affected: b74351287d4bd90636c3f48bc188c2f53824c2d4 , < 9bf7a0b2b15cd12e15f7858072bd89933746de67 (git) Affected: b74351287d4bd90636c3f48bc188c2f53824c2d4 , < 79a4bdb6b9920134af1a4738a1fa36a0438cd905 (git) Affected: b74351287d4bd90636c3f48bc188c2f53824c2d4 , < 030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d (git) Affected: b74351287d4bd90636c3f48bc188c2f53824c2d4 , < ee180e867ce4b2f744799247b81050b3e5dd62cd (git) Affected: b74351287d4bd90636c3f48bc188c2f53824c2d4 , < 9de255c461d1b3f0242b3ad1450c3323a3e00b34 (git) Affected: 4a117a1c581623d04bf09aa7455d8e7b66e8bb85 (git) Affected: 1d52cd8b52876145b0f6344be95fc750e30d9ecb (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_dmem_genirq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9977cb7af5a8f4738198b020436e2e56c5cd721e",
"status": "affected",
"version": "b77fa964ecb1d72a671234f5bea95b41f77c233a",
"versionType": "git"
},
{
"lessThan": "a323d24a0183be730d2398b11b3a91e5c2e222a0",
"status": "affected",
"version": "0151b03f43f2d295a6949454434074b34a262e06",
"versionType": "git"
},
{
"lessThan": "ac5585bb06a2e82177269bee93e59887ce591106",
"status": "affected",
"version": "ea6b7b1d58790ffb36bace723f6e62a1c8595c77",
"versionType": "git"
},
{
"lessThan": "eca77a25a7cb3201738f4b55b9b8fa1089d7d002",
"status": "affected",
"version": "750a95d63746458e86c6d92dfad48a05c64d0ecd",
"versionType": "git"
},
{
"lessThan": "9bf7a0b2b15cd12e15f7858072bd89933746de67",
"status": "affected",
"version": "b74351287d4bd90636c3f48bc188c2f53824c2d4",
"versionType": "git"
},
{
"lessThan": "79a4bdb6b9920134af1a4738a1fa36a0438cd905",
"status": "affected",
"version": "b74351287d4bd90636c3f48bc188c2f53824c2d4",
"versionType": "git"
},
{
"lessThan": "030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d",
"status": "affected",
"version": "b74351287d4bd90636c3f48bc188c2f53824c2d4",
"versionType": "git"
},
{
"lessThan": "ee180e867ce4b2f744799247b81050b3e5dd62cd",
"status": "affected",
"version": "b74351287d4bd90636c3f48bc188c2f53824c2d4",
"versionType": "git"
},
{
"lessThan": "9de255c461d1b3f0242b3ad1450c3323a3e00b34",
"status": "affected",
"version": "b74351287d4bd90636c3f48bc188c2f53824c2d4",
"versionType": "git"
},
{
"status": "affected",
"version": "4a117a1c581623d04bf09aa7455d8e7b66e8bb85",
"versionType": "git"
},
{
"status": "affected",
"version": "1d52cd8b52876145b0f6344be95fc750e30d9ecb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/uio/uio_dmem_genirq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.9.215",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14.172",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19.106",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.215",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuio: uio_dmem_genirq: Fix missing unlock in irq configuration\n\nCommit b74351287d4b (\"uio: fix a sleep-in-atomic-context bug in\nuio_dmem_genirq_irqcontrol()\") started calling disable_irq() without\nholding the spinlock because it can sleep. However, that fix introduced\nanother bug: if interrupt is already disabled and a new disable request\ncomes in, then the spinlock is not unlocked:\n\nroot@localhost:~# printf \u0027\\x00\\x00\\x00\\x00\u0027 \u003e /dev/uio0\nroot@localhost:~# printf \u0027\\x00\\x00\\x00\\x00\u0027 \u003e /dev/uio0\nroot@localhost:~# [ 14.851538] BUG: scheduling while atomic: bash/223/0x00000002\n[ 14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc]\n[ 14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G OE 6.0.0-rc7 #21\n[ 14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[ 14.855664] Call Trace:\n[ 14.855861] \u003cTASK\u003e\n[ 14.856025] dump_stack_lvl+0x4d/0x67\n[ 14.856325] dump_stack+0x14/0x1a\n[ 14.856583] __schedule_bug.cold+0x4b/0x5c\n[ 14.856915] __schedule+0xe81/0x13d0\n[ 14.857199] ? idr_find+0x13/0x20\n[ 14.857456] ? get_work_pool+0x2d/0x50\n[ 14.857756] ? __flush_work+0x233/0x280\n[ 14.858068] ? __schedule+0xa95/0x13d0\n[ 14.858307] ? idr_find+0x13/0x20\n[ 14.858519] ? get_work_pool+0x2d/0x50\n[ 14.858798] schedule+0x6c/0x100\n[ 14.859009] schedule_hrtimeout_range_clock+0xff/0x110\n[ 14.859335] ? tty_write_room+0x1f/0x30\n[ 14.859598] ? n_tty_poll+0x1ec/0x220\n[ 14.859830] ? tty_ldisc_deref+0x1a/0x20\n[ 14.860090] schedule_hrtimeout_range+0x17/0x20\n[ 14.860373] do_select+0x596/0x840\n[ 14.860627] ? __kernel_text_address+0x16/0x50\n[ 14.860954] ? poll_freewait+0xb0/0xb0\n[ 14.861235] ? poll_freewait+0xb0/0xb0\n[ 14.861517] ? rpm_resume+0x49d/0x780\n[ 14.861798] ? common_interrupt+0x59/0xa0\n[ 14.862127] ? asm_common_interrupt+0x2b/0x40\n[ 14.862511] ? __uart_start.isra.0+0x61/0x70\n[ 14.862902] ? __check_object_size+0x61/0x280\n[ 14.863255] core_sys_select+0x1c6/0x400\n[ 14.863575] ? vfs_write+0x1c9/0x3d0\n[ 14.863853] ? vfs_write+0x1c9/0x3d0\n[ 14.864121] ? _copy_from_user+0x45/0x70\n[ 14.864526] do_pselect.constprop.0+0xb3/0xf0\n[ 14.864893] ? do_syscall_64+0x6d/0x90\n[ 14.865228] ? do_syscall_64+0x6d/0x90\n[ 14.865556] __x64_sys_pselect6+0x76/0xa0\n[ 14.865906] do_syscall_64+0x60/0x90\n[ 14.866214] ? syscall_exit_to_user_mode+0x2a/0x50\n[ 14.866640] ? do_syscall_64+0x6d/0x90\n[ 14.866972] ? do_syscall_64+0x6d/0x90\n[ 14.867286] ? do_syscall_64+0x6d/0x90\n[ 14.867626] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...] stripped\n[ 14.872959] \u003c/TASK\u003e\n\n(\u0027myfpga\u0027 is a simple \u0027uio_dmem_genirq\u0027 driver I wrote to test this)\n\nThe implementation of \"uio_dmem_genirq\" was based on \"uio_pdrv_genirq\" and\nit is used in a similar manner to the \"uio_pdrv_genirq\" driver with respect\nto interrupt configuration and handling. At the time \"uio_dmem_genirq\" was\nintroduced, both had the same implementation of the \u0027uio_info\u0027 handlers\nirqcontrol() and handler(). Then commit 34cb27528398 (\"UIO: Fix concurrency\nissue\"), which was only applied to \"uio_pdrv_genirq\", ended up making them\na little different. That commit, among other things, changed disable_irq()\nto disable_irq_nosync() in the implementation of irqcontrol(). The\nmotivation there was to avoid a deadlock between irqcontrol() and\nhandler(), since it added a spinlock in the irq handler, and disable_irq()\nwaits for the completion of the irq handler.\n\nBy changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also\navoid the sleeping-whil\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:26.593Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9977cb7af5a8f4738198b020436e2e56c5cd721e"
},
{
"url": "https://git.kernel.org/stable/c/a323d24a0183be730d2398b11b3a91e5c2e222a0"
},
{
"url": "https://git.kernel.org/stable/c/ac5585bb06a2e82177269bee93e59887ce591106"
},
{
"url": "https://git.kernel.org/stable/c/eca77a25a7cb3201738f4b55b9b8fa1089d7d002"
},
{
"url": "https://git.kernel.org/stable/c/9bf7a0b2b15cd12e15f7858072bd89933746de67"
},
{
"url": "https://git.kernel.org/stable/c/79a4bdb6b9920134af1a4738a1fa36a0438cd905"
},
{
"url": "https://git.kernel.org/stable/c/030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d"
},
{
"url": "https://git.kernel.org/stable/c/ee180e867ce4b2f744799247b81050b3e5dd62cd"
},
{
"url": "https://git.kernel.org/stable/c/9de255c461d1b3f0242b3ad1450c3323a3e00b34"
}
],
"title": "uio: uio_dmem_genirq: Fix missing unlock in irq configuration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50652",
"datePublished": "2025-12-09T00:00:26.593Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:26.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50749 (GCVE-0-2022-50749)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
acct: fix potential integer overflow in encode_comp_t()
Summary
In the Linux kernel, the following vulnerability has been resolved:
acct: fix potential integer overflow in encode_comp_t()
The integer overflow is descripted with following codes:
> 317 static comp_t encode_comp_t(u64 value)
> 318 {
> 319 int exp, rnd;
......
> 341 exp <<= MANTSIZE;
> 342 exp += value;
> 343 return exp;
> 344 }
Currently comp_t is defined as type of '__u16', but the variable 'exp' is
type of 'int', so overflow would happen when variable 'exp' in line 343 is
greater than 65535.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e93f995a591c352d35d89c518c54f790e1537754
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < cf60bbca1b83a7e0927e36dbf178328982927886 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1750a0983c455a9b3badd848471fc8d58cb61f67 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a815a3e019456c94b03bd183e7ac22fd29e9e6fd (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6edd0cdee5780fd5f43356b72b29a2a6d48ef6da (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ebe16676e1dcaa4556ec4d36ca40c82e99e88cfa (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2224897d8187dc22a83e05d9361efcccf67bcf12 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0aac6e60c464a5f942f995428e67f8ae1c422250 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c5f31c655bcc01b6da53b836ac951c1556245305 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/acct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e93f995a591c352d35d89c518c54f790e1537754",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cf60bbca1b83a7e0927e36dbf178328982927886",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1750a0983c455a9b3badd848471fc8d58cb61f67",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a815a3e019456c94b03bd183e7ac22fd29e9e6fd",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6edd0cdee5780fd5f43356b72b29a2a6d48ef6da",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ebe16676e1dcaa4556ec4d36ca40c82e99e88cfa",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2224897d8187dc22a83e05d9361efcccf67bcf12",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0aac6e60c464a5f942f995428e67f8ae1c422250",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c5f31c655bcc01b6da53b836ac951c1556245305",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/acct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nacct: fix potential integer overflow in encode_comp_t()\n\nThe integer overflow is descripted with following codes:\n \u003e 317 static comp_t encode_comp_t(u64 value)\n \u003e 318 {\n \u003e 319 int exp, rnd;\n ......\n \u003e 341 exp \u003c\u003c= MANTSIZE;\n \u003e 342 exp += value;\n \u003e 343 return exp;\n \u003e 344 }\n\nCurrently comp_t is defined as type of \u0027__u16\u0027, but the variable \u0027exp\u0027 is\ntype of \u0027int\u0027, so overflow would happen when variable \u0027exp\u0027 in line 343 is\ngreater than 65535."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:23.470Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e93f995a591c352d35d89c518c54f790e1537754"
},
{
"url": "https://git.kernel.org/stable/c/cf60bbca1b83a7e0927e36dbf178328982927886"
},
{
"url": "https://git.kernel.org/stable/c/1750a0983c455a9b3badd848471fc8d58cb61f67"
},
{
"url": "https://git.kernel.org/stable/c/a815a3e019456c94b03bd183e7ac22fd29e9e6fd"
},
{
"url": "https://git.kernel.org/stable/c/6edd0cdee5780fd5f43356b72b29a2a6d48ef6da"
},
{
"url": "https://git.kernel.org/stable/c/ebe16676e1dcaa4556ec4d36ca40c82e99e88cfa"
},
{
"url": "https://git.kernel.org/stable/c/2224897d8187dc22a83e05d9361efcccf67bcf12"
},
{
"url": "https://git.kernel.org/stable/c/0aac6e60c464a5f942f995428e67f8ae1c422250"
},
{
"url": "https://git.kernel.org/stable/c/c5f31c655bcc01b6da53b836ac951c1556245305"
}
],
"title": "acct: fix potential integer overflow in encode_comp_t()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50749",
"datePublished": "2025-12-24T13:05:44.734Z",
"dateReserved": "2025-12-24T13:02:21.544Z",
"dateUpdated": "2026-01-02T15:04:23.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54006 (GCVE-0-2023-54006)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
af_unix: Fix data-race around unix_tot_inflight.
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix data-race around unix_tot_inflight.
unix_tot_inflight is changed under spin_lock(unix_gc_lock), but
unix_release_sock() reads it locklessly.
Let's use READ_ONCE() for unix_tot_inflight.
Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix:
annote lockless accesses to unix_tot_inflight & gc_in_progress")
BUG: KCSAN: data-race in unix_inflight / unix_release_sock
write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:
unix_inflight+0x130/0x180 net/unix/scm.c:64
unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123
unix_scm_to_skb net/unix/af_unix.c:1832 [inline]
unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg+0x148/0x160 net/socket.c:747
____sys_sendmsg+0x4e4/0x610 net/socket.c:2493
___sys_sendmsg+0xc6/0x140 net/socket.c:2547
__sys_sendmsg+0x94/0x140 net/socket.c:2576
__do_sys_sendmsg net/socket.c:2585 [inline]
__se_sys_sendmsg net/socket.c:2583 [inline]
__x64_sys_sendmsg+0x45/0x50 net/socket.c:2583
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc
read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:
unix_release_sock+0x608/0x910 net/unix/af_unix.c:671
unix_release+0x59/0x80 net/unix/af_unix.c:1058
__sock_release+0x7d/0x170 net/socket.c:653
sock_close+0x19/0x30 net/socket.c:1385
__fput+0x179/0x5e0 fs/file_table.c:321
____fput+0x15/0x20 fs/file_table.c:349
task_work_run+0x116/0x1a0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x72/0xdc
value changed: 0x00000000 -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < 31b46d5e7c4e295bd112960614a66a177a057dca
(git)
Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < 20aa8325464d8905450089eed96ca102a074d853 (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < 5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840 (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < cf29b42766ad4af2ae6a449f583796951551b48d (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < e5edc6e44a882c0458878ab10eaddfe60ac34e57 (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < 2d8933ca863e252fb09ad0be483255e3dfeb1f54 (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < afc284a4a781defbb12b2a40427fae34c3d20e17 (git) Affected: 9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8 , < ade32bd8a738d7497ffe9743c46728db26740f78 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "31b46d5e7c4e295bd112960614a66a177a057dca",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "20aa8325464d8905450089eed96ca102a074d853",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "cf29b42766ad4af2ae6a449f583796951551b48d",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "e5edc6e44a882c0458878ab10eaddfe60ac34e57",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "2d8933ca863e252fb09ad0be483255e3dfeb1f54",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "afc284a4a781defbb12b2a40427fae34c3d20e17",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
},
{
"lessThan": "ade32bd8a738d7497ffe9743c46728db26740f78",
"status": "affected",
"version": "9305cfa4443dbfb99faf35c5603ec0c0e91b5ef8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix data-race around unix_tot_inflight.\n\nunix_tot_inflight is changed under spin_lock(unix_gc_lock), but\nunix_release_sock() reads it locklessly.\n\nLet\u0027s use READ_ONCE() for unix_tot_inflight.\n\nNote that the writer side was marked by commit 9d6d7f1cb67c (\"af_unix:\nannote lockless accesses to unix_tot_inflight \u0026 gc_in_progress\")\n\nBUG: KCSAN: data-race in unix_inflight / unix_release_sock\n\nwrite (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:\n unix_inflight+0x130/0x180 net/unix/scm.c:64\n unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123\n unix_scm_to_skb net/unix/af_unix.c:1832 [inline]\n unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg+0x148/0x160 net/socket.c:747\n ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493\n ___sys_sendmsg+0xc6/0x140 net/socket.c:2547\n __sys_sendmsg+0x94/0x140 net/socket.c:2576\n __do_sys_sendmsg net/socket.c:2585 [inline]\n __se_sys_sendmsg net/socket.c:2583 [inline]\n __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nread to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:\n unix_release_sock+0x608/0x910 net/unix/af_unix.c:671\n unix_release+0x59/0x80 net/unix/af_unix.c:1058\n __sock_release+0x7d/0x170 net/socket.c:653\n sock_close+0x19/0x30 net/socket.c:1385\n __fput+0x179/0x5e0 fs/file_table.c:321\n ____fput+0x15/0x20 fs/file_table.c:349\n task_work_run+0x116/0x1a0 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:171 [inline]\n exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204\n __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]\n syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297\n do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nvalue changed: 0x00000000 -\u003e 0x00000001\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:40.534Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/31b46d5e7c4e295bd112960614a66a177a057dca"
},
{
"url": "https://git.kernel.org/stable/c/20aa8325464d8905450089eed96ca102a074d853"
},
{
"url": "https://git.kernel.org/stable/c/5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840"
},
{
"url": "https://git.kernel.org/stable/c/cf29b42766ad4af2ae6a449f583796951551b48d"
},
{
"url": "https://git.kernel.org/stable/c/e5edc6e44a882c0458878ab10eaddfe60ac34e57"
},
{
"url": "https://git.kernel.org/stable/c/2d8933ca863e252fb09ad0be483255e3dfeb1f54"
},
{
"url": "https://git.kernel.org/stable/c/afc284a4a781defbb12b2a40427fae34c3d20e17"
},
{
"url": "https://git.kernel.org/stable/c/ade32bd8a738d7497ffe9743c46728db26740f78"
}
],
"title": "af_unix: Fix data-race around unix_tot_inflight.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54006",
"datePublished": "2025-12-24T10:55:40.534Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:40.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54325 (GCVE-0-2023-54325)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37
VLAI?
EPSS
Title
crypto: qat - fix out-of-bounds read
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - fix out-of-bounds read
When preparing an AER-CTR request, the driver copies the key provided by
the user into a data structure that is accessible by the firmware.
If the target device is QAT GEN4, the key size is rounded up by 16 since
a rounded up size is expected by the device.
If the key size is rounded up before the copy, the size used for copying
the key might be bigger than the size of the region containing the key,
causing an out-of-bounds read.
Fix by doing the copy first and then update the keylen.
This is to fix the following warning reported by KASAN:
[ 138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]
[ 138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340
[ 138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45
[ 138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022
[ 138.150663] Call Trace:
[ 138.150668] <TASK>
[ 138.150922] kasan_check_range+0x13a/0x1c0
[ 138.150931] memcpy+0x1f/0x60
[ 138.150940] qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]
[ 138.151006] qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat]
[ 138.151073] crypto_skcipher_setkey+0x82/0x160
[ 138.151085] ? prepare_keybuf+0xa2/0xd0
[ 138.151095] test_skcipher_vec_cfg+0x2b8/0x800
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
67916c9516893528ecce060ada1f58af0ce33d93 , < 7697139d5dfd491f4c495a914a1dd68f6e827a0f
(git)
Affected: 67916c9516893528ecce060ada1f58af0ce33d93 , < dc3809f390357c8992f0a23083da934a20fef9af (git) Affected: 67916c9516893528ecce060ada1f58af0ce33d93 , < 2b1501f058245573a3aa6bf234d205dde1196184 (git) Affected: 67916c9516893528ecce060ada1f58af0ce33d93 , < f6044cc3030e139f60c281386f28bda6e3049d66 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7697139d5dfd491f4c495a914a1dd68f6e827a0f",
"status": "affected",
"version": "67916c9516893528ecce060ada1f58af0ce33d93",
"versionType": "git"
},
{
"lessThan": "dc3809f390357c8992f0a23083da934a20fef9af",
"status": "affected",
"version": "67916c9516893528ecce060ada1f58af0ce33d93",
"versionType": "git"
},
{
"lessThan": "2b1501f058245573a3aa6bf234d205dde1196184",
"status": "affected",
"version": "67916c9516893528ecce060ada1f58af0ce33d93",
"versionType": "git"
},
{
"lessThan": "f6044cc3030e139f60c281386f28bda6e3049d66",
"status": "affected",
"version": "67916c9516893528ecce060ada1f58af0ce33d93",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/qat/qat_common/qat_algs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - fix out-of-bounds read\n\nWhen preparing an AER-CTR request, the driver copies the key provided by\nthe user into a data structure that is accessible by the firmware.\nIf the target device is QAT GEN4, the key size is rounded up by 16 since\na rounded up size is expected by the device.\nIf the key size is rounded up before the copy, the size used for copying\nthe key might be bigger than the size of the region containing the key,\ncausing an out-of-bounds read.\n\nFix by doing the copy first and then update the keylen.\n\nThis is to fix the following warning reported by KASAN:\n\n\t[ 138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n\t[ 138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340\n\n\t[ 138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45\n\t[ 138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022\n\t[ 138.150663] Call Trace:\n\t[ 138.150668] \u003cTASK\u003e\n\t[ 138.150922] kasan_check_range+0x13a/0x1c0\n\t[ 138.150931] memcpy+0x1f/0x60\n\t[ 138.150940] qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]\n\t[ 138.151006] qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat]\n\t[ 138.151073] crypto_skcipher_setkey+0x82/0x160\n\t[ 138.151085] ? prepare_keybuf+0xa2/0xd0\n\t[ 138.151095] test_skcipher_vec_cfg+0x2b8/0x800"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:37:09.015Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7697139d5dfd491f4c495a914a1dd68f6e827a0f"
},
{
"url": "https://git.kernel.org/stable/c/dc3809f390357c8992f0a23083da934a20fef9af"
},
{
"url": "https://git.kernel.org/stable/c/2b1501f058245573a3aa6bf234d205dde1196184"
},
{
"url": "https://git.kernel.org/stable/c/f6044cc3030e139f60c281386f28bda6e3049d66"
}
],
"title": "crypto: qat - fix out-of-bounds read",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54325",
"datePublished": "2025-12-30T12:37:09.015Z",
"dateReserved": "2025-12-30T12:35:56.209Z",
"dateUpdated": "2025-12-30T12:37:09.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38572 (GCVE-0-2025-38572)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-11-03 17:39
VLAI?
EPSS
Title
ipv6: reject malicious packets in ipv6_gso_segment()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: reject malicious packets in ipv6_gso_segment()
syzbot was able to craft a packet with very long IPv6 extension headers
leading to an overflow of skb->transport_header.
This 16bit field has a limited range.
Add skb_reset_transport_header_careful() helper and use it
from ipv6_gso_segment()
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Modules linked in:
CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Call Trace:
<TASK>
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
__skb_gso_segment+0x342/0x510 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950
validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000
sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329
__dev_xmit_skb net/core/dev.c:4102 [inline]
__dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 5dc60b2a00ed7629214ac0c48e43f40af2078703
(git)
Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 3f638e0b28bde7c3354a0df938ab3a96739455d1 (git) Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 09ff062b89d8e48165247d677d1ca23d6d607e9b (git) Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < de322cdf600fc9433845a9e944d1ca6b31cfb67e (git) Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < ef05007b403dcc21e701cb1f30d4572ac0a9da20 (git) Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 5489e7fc6f8be3062f8cb7e49406de4bfd94db67 (git) Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 573b8250fc2554761db3bc2bbdbab23789d52d4e (git) Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < ee851768e4b8371ce151fd446d24bf3ae2d18789 (git) Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < d45cf1e7d7180256e17c9ce88e32e8061a7887fe (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:59.107Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/ipv6/ip6_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5dc60b2a00ed7629214ac0c48e43f40af2078703",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "3f638e0b28bde7c3354a0df938ab3a96739455d1",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "09ff062b89d8e48165247d677d1ca23d6d607e9b",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "de322cdf600fc9433845a9e944d1ca6b31cfb67e",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "ef05007b403dcc21e701cb1f30d4572ac0a9da20",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "5489e7fc6f8be3062f8cb7e49406de4bfd94db67",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "573b8250fc2554761db3bc2bbdbab23789d52d4e",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "ee851768e4b8371ce151fd446d24bf3ae2d18789",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
},
{
"lessThan": "d45cf1e7d7180256e17c9ce88e32e8061a7887fe",
"status": "affected",
"version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/skbuff.h",
"net/ipv6/ip6_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: reject malicious packets in ipv6_gso_segment()\n\nsyzbot was able to craft a packet with very long IPv6 extension headers\nleading to an overflow of skb-\u003etransport_header.\n\nThis 16bit field has a limited range.\n\nAdd skb_reset_transport_header_careful() helper and use it\nfrom ipv6_gso_segment()\n\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nModules linked in:\nCPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\n RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nCall Trace:\n \u003cTASK\u003e\n skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110\n skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n __skb_gso_segment+0x342/0x510 net/core/gso.c:124\n skb_gso_segment include/net/gso.h:83 [inline]\n validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950\n validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000\n sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329\n __dev_xmit_skb net/core/dev.c:4102 [inline]\n __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679"
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:03.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703"
},
{
"url": "https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1"
},
{
"url": "https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b"
},
{
"url": "https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e"
},
{
"url": "https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20"
},
{
"url": "https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67"
},
{
"url": "https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e"
},
{
"url": "https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789"
},
{
"url": "https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe"
}
],
"title": "ipv6: reject malicious packets in ipv6_gso_segment()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38572",
"datePublished": "2025-08-19T17:02:52.340Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2025-11-03T17:39:59.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54269 (GCVE-0-2023-54269)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:16 – Updated: 2025-12-30 12:16
VLAI?
EPSS
Title
SUNRPC: double free xprt_ctxt while still in use
Summary
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: double free xprt_ctxt while still in use
When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out
of the svc_rqst into the svc_deferred_req.
When the deferred request is revisited, the pointer is copied into
the new svc_rqst - and also remains in the svc_deferred_req.
In the (rare?) case that the request is deferred a second time, the old
svc_deferred_req is reused - it still has all the correct content.
However in that case the rq_xprt_ctxt pointer is NOT cleared so that
when xpo_release_xprt is called, the ctxt is freed (UDP) or possible
added to a free list (RDMA).
When the deferred request is revisited for a second time, it will
reference this ctxt which may be invalid, and the free the object a
second time which is likely to oops.
So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that
the value is now stored in the svc_deferred_req.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f5e13d700a4d40ccde3d36e383f9247dcb3c1d2d , < 7851771789e87108a92697194105ef0c9307dc5e
(git)
Affected: 773f91b2cf3f52df0d7508fdbf60f37567cdaee4 , < fd86534872f445f54dc01e7db001e25eadf063a8 (git) Affected: 773f91b2cf3f52df0d7508fdbf60f37567cdaee4 , < e0c648627322a4c7e018e5c7f837c3c03e297dbb (git) Affected: 773f91b2cf3f52df0d7508fdbf60f37567cdaee4 , < eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1 (git) Affected: 11fab500f86403b2ebf6795feeade6e10302e448 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svc_xprt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7851771789e87108a92697194105ef0c9307dc5e",
"status": "affected",
"version": "f5e13d700a4d40ccde3d36e383f9247dcb3c1d2d",
"versionType": "git"
},
{
"lessThan": "fd86534872f445f54dc01e7db001e25eadf063a8",
"status": "affected",
"version": "773f91b2cf3f52df0d7508fdbf60f37567cdaee4",
"versionType": "git"
},
{
"lessThan": "e0c648627322a4c7e018e5c7f837c3c03e297dbb",
"status": "affected",
"version": "773f91b2cf3f52df0d7508fdbf60f37567cdaee4",
"versionType": "git"
},
{
"lessThan": "eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1",
"status": "affected",
"version": "773f91b2cf3f52df0d7508fdbf60f37567cdaee4",
"versionType": "git"
},
{
"status": "affected",
"version": "11fab500f86403b2ebf6795feeade6e10302e448",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svc_xprt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "5.15.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: double free xprt_ctxt while still in use\n\nWhen an RPC request is deferred, the rq_xprt_ctxt pointer is moved out\nof the svc_rqst into the svc_deferred_req.\nWhen the deferred request is revisited, the pointer is copied into\nthe new svc_rqst - and also remains in the svc_deferred_req.\n\nIn the (rare?) case that the request is deferred a second time, the old\nsvc_deferred_req is reused - it still has all the correct content.\nHowever in that case the rq_xprt_ctxt pointer is NOT cleared so that\nwhen xpo_release_xprt is called, the ctxt is freed (UDP) or possible\nadded to a free list (RDMA).\nWhen the deferred request is revisited for a second time, it will\nreference this ctxt which may be invalid, and the free the object a\nsecond time which is likely to oops.\n\nSo change svc_defer() to *always* clear rq_xprt_ctxt, and assert that\nthe value is now stored in the svc_deferred_req."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:16:00.317Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7851771789e87108a92697194105ef0c9307dc5e"
},
{
"url": "https://git.kernel.org/stable/c/fd86534872f445f54dc01e7db001e25eadf063a8"
},
{
"url": "https://git.kernel.org/stable/c/e0c648627322a4c7e018e5c7f837c3c03e297dbb"
},
{
"url": "https://git.kernel.org/stable/c/eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1"
}
],
"title": "SUNRPC: double free xprt_ctxt while still in use",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54269",
"datePublished": "2025-12-30T12:16:00.317Z",
"dateReserved": "2025-12-30T12:06:44.518Z",
"dateUpdated": "2025-12-30T12:16:00.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54275 (GCVE-0-2023-54275)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:16 – Updated: 2025-12-30 12:16
VLAI?
EPSS
Title
wifi: ath11k: Fix memory leak in ath11k_peer_rx_frag_setup
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: Fix memory leak in ath11k_peer_rx_frag_setup
crypto_alloc_shash() allocates resources, which should be released by
crypto_free_shash(). When ath11k_peer_find() fails, there has memory
leak. Add missing crypto_free_shash() to fix this.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
243874c64c8137bc90455200a7735da72836ecab , < 137963e3b95776f1d57c62f249a93fe47e019a22
(git)
Affected: 243874c64c8137bc90455200a7735da72836ecab , < 53c8a256e5d3f31d80186de03a3d2a7f747b2aa0 (git) Affected: 243874c64c8137bc90455200a7735da72836ecab , < e596b36e15a7158b0bb2d55077b6b381ee41020c (git) Affected: 243874c64c8137bc90455200a7735da72836ecab , < 64a78ec4f4579798d8e885aca9bdd707bca6b16b (git) Affected: 243874c64c8137bc90455200a7735da72836ecab , < ed3f83b3459a67a3ab9d806490ac304b567b1c2d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "137963e3b95776f1d57c62f249a93fe47e019a22",
"status": "affected",
"version": "243874c64c8137bc90455200a7735da72836ecab",
"versionType": "git"
},
{
"lessThan": "53c8a256e5d3f31d80186de03a3d2a7f747b2aa0",
"status": "affected",
"version": "243874c64c8137bc90455200a7735da72836ecab",
"versionType": "git"
},
{
"lessThan": "e596b36e15a7158b0bb2d55077b6b381ee41020c",
"status": "affected",
"version": "243874c64c8137bc90455200a7735da72836ecab",
"versionType": "git"
},
{
"lessThan": "64a78ec4f4579798d8e885aca9bdd707bca6b16b",
"status": "affected",
"version": "243874c64c8137bc90455200a7735da72836ecab",
"versionType": "git"
},
{
"lessThan": "ed3f83b3459a67a3ab9d806490ac304b567b1c2d",
"status": "affected",
"version": "243874c64c8137bc90455200a7735da72836ecab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/dp_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Fix memory leak in ath11k_peer_rx_frag_setup\n\ncrypto_alloc_shash() allocates resources, which should be released by\ncrypto_free_shash(). When ath11k_peer_find() fails, there has memory\nleak. Add missing crypto_free_shash() to fix this."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:16:04.380Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/137963e3b95776f1d57c62f249a93fe47e019a22"
},
{
"url": "https://git.kernel.org/stable/c/53c8a256e5d3f31d80186de03a3d2a7f747b2aa0"
},
{
"url": "https://git.kernel.org/stable/c/e596b36e15a7158b0bb2d55077b6b381ee41020c"
},
{
"url": "https://git.kernel.org/stable/c/64a78ec4f4579798d8e885aca9bdd707bca6b16b"
},
{
"url": "https://git.kernel.org/stable/c/ed3f83b3459a67a3ab9d806490ac304b567b1c2d"
}
],
"title": "wifi: ath11k: Fix memory leak in ath11k_peer_rx_frag_setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54275",
"datePublished": "2025-12-30T12:16:04.380Z",
"dateReserved": "2025-12-30T12:06:44.523Z",
"dateUpdated": "2025-12-30T12:16:04.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40123 (GCVE-0-2025-40123)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
bpf: Enforce expected_attach_type for tailcall compatibility
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Enforce expected_attach_type for tailcall compatibility
Yinhao et al. recently reported:
Our fuzzer tool discovered an uninitialized pointer issue in the
bpf_prog_test_run_xdp() function within the Linux kernel's BPF subsystem.
This leads to a NULL pointer dereference when a BPF program attempts to
deference the txq member of struct xdp_buff object.
The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the
entry point for bpf_prog_test_run_xdp() and its expected_attach_type can
neither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot
of a tailcall map it owns. progB's expected_attach_type must be BPF_XDP_DEVMAP
to pass xdp_is_valid_access() validation. The program returns struct xdp_md's
egress_ifindex, and the latter is only allowed to be accessed under mentioned
expected_attach_type. progB is then inserted into the tailcall which progA
calls.
The underlying issue goes beyond XDP though. Another example are programs
of type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well
as sock_addr_func_proto() have different logic depending on the programs'
expected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME
should not be allowed doing a tailcall into a program which calls bpf_bind()
out of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT.
In short, specifying expected_attach_type allows to open up additional
functionality or restrictions beyond what the basic bpf_prog_type enables.
The use of tailcalls must not violate these constraints. Fix it by enforcing
expected_attach_type in __bpf_prog_map_compatible().
Note that we only enforce this for tailcall maps, but not for BPF devmaps or
cpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and
cpu_map_bpf_prog_run*() which set up a new environment / context and therefore
these situations are not prone to this issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < a99de19128aec0913f3d529f529fbbff5edfaff8
(git)
Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < 08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32 (git) Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < f856c598080ba7ce1252867b8ecd6ad5bdaf9a6a (git) Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < c1ad19b5d8e23123503dcaf2d4342e1b90b923ad (git) Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < 4540aed51b12bc13364149bf95f6ecef013197c0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a99de19128aec0913f3d529f529fbbff5edfaff8",
"status": "affected",
"version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
"versionType": "git"
},
{
"lessThan": "08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32",
"status": "affected",
"version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
"versionType": "git"
},
{
"lessThan": "f856c598080ba7ce1252867b8ecd6ad5bdaf9a6a",
"status": "affected",
"version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
"versionType": "git"
},
{
"lessThan": "c1ad19b5d8e23123503dcaf2d4342e1b90b923ad",
"status": "affected",
"version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
"versionType": "git"
},
{
"lessThan": "4540aed51b12bc13364149bf95f6ecef013197c0",
"status": "affected",
"version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/bpf.h",
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Enforce expected_attach_type for tailcall compatibility\n\nYinhao et al. recently reported:\n\n Our fuzzer tool discovered an uninitialized pointer issue in the\n bpf_prog_test_run_xdp() function within the Linux kernel\u0027s BPF subsystem.\n This leads to a NULL pointer dereference when a BPF program attempts to\n deference the txq member of struct xdp_buff object.\n\nThe test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the\nentry point for bpf_prog_test_run_xdp() and its expected_attach_type can\nneither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot\nof a tailcall map it owns. progB\u0027s expected_attach_type must be BPF_XDP_DEVMAP\nto pass xdp_is_valid_access() validation. The program returns struct xdp_md\u0027s\negress_ifindex, and the latter is only allowed to be accessed under mentioned\nexpected_attach_type. progB is then inserted into the tailcall which progA\ncalls.\n\nThe underlying issue goes beyond XDP though. Another example are programs\nof type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well\nas sock_addr_func_proto() have different logic depending on the programs\u0027\nexpected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME\nshould not be allowed doing a tailcall into a program which calls bpf_bind()\nout of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT.\n\nIn short, specifying expected_attach_type allows to open up additional\nfunctionality or restrictions beyond what the basic bpf_prog_type enables.\nThe use of tailcalls must not violate these constraints. Fix it by enforcing\nexpected_attach_type in __bpf_prog_map_compatible().\n\nNote that we only enforce this for tailcall maps, but not for BPF devmaps or\ncpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and\ncpu_map_bpf_prog_run*() which set up a new environment / context and therefore\nthese situations are not prone to this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:28.394Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a99de19128aec0913f3d529f529fbbff5edfaff8"
},
{
"url": "https://git.kernel.org/stable/c/08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32"
},
{
"url": "https://git.kernel.org/stable/c/f856c598080ba7ce1252867b8ecd6ad5bdaf9a6a"
},
{
"url": "https://git.kernel.org/stable/c/c1ad19b5d8e23123503dcaf2d4342e1b90b923ad"
},
{
"url": "https://git.kernel.org/stable/c/4540aed51b12bc13364149bf95f6ecef013197c0"
}
],
"title": "bpf: Enforce expected_attach_type for tailcall compatibility",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40123",
"datePublished": "2025-11-12T10:23:19.589Z",
"dateReserved": "2025-04-16T07:20:57.169Z",
"dateUpdated": "2025-12-01T06:18:28.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50835 (GCVE-0-2022-50835)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
jbd2: add miss release buffer head in fc_do_one_pass()
Summary
In the Linux kernel, the following vulnerability has been resolved:
jbd2: add miss release buffer head in fc_do_one_pass()
In fc_do_one_pass() miss release buffer head after use which will lead
to reference count leak.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5b849b5f96b47d82b5a432d8b91a8ad260e1de46 , < e65506ff181fc176088f32117d69b9cb1ddda777
(git)
Affected: 5b849b5f96b47d82b5a432d8b91a8ad260e1de46 , < 56fcd0788f0d9243c1754bd6f80b8b327c4afeee (git) Affected: 5b849b5f96b47d82b5a432d8b91a8ad260e1de46 , < 27c7bd35135d5ab38b9138ecf186ce54a96c98d9 (git) Affected: 5b849b5f96b47d82b5a432d8b91a8ad260e1de46 , < 1f48116cbd3404898c9022892e114dd7cc3063c1 (git) Affected: 5b849b5f96b47d82b5a432d8b91a8ad260e1de46 , < dfff66f30f66b9524b661f311bbed8ff3d2ca49f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/jbd2/recovery.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e65506ff181fc176088f32117d69b9cb1ddda777",
"status": "affected",
"version": "5b849b5f96b47d82b5a432d8b91a8ad260e1de46",
"versionType": "git"
},
{
"lessThan": "56fcd0788f0d9243c1754bd6f80b8b327c4afeee",
"status": "affected",
"version": "5b849b5f96b47d82b5a432d8b91a8ad260e1de46",
"versionType": "git"
},
{
"lessThan": "27c7bd35135d5ab38b9138ecf186ce54a96c98d9",
"status": "affected",
"version": "5b849b5f96b47d82b5a432d8b91a8ad260e1de46",
"versionType": "git"
},
{
"lessThan": "1f48116cbd3404898c9022892e114dd7cc3063c1",
"status": "affected",
"version": "5b849b5f96b47d82b5a432d8b91a8ad260e1de46",
"versionType": "git"
},
{
"lessThan": "dfff66f30f66b9524b661f311bbed8ff3d2ca49f",
"status": "affected",
"version": "5b849b5f96b47d82b5a432d8b91a8ad260e1de46",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/jbd2/recovery.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: add miss release buffer head in fc_do_one_pass()\n\nIn fc_do_one_pass() miss release buffer head after use which will lead\nto reference count leak."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:53.097Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e65506ff181fc176088f32117d69b9cb1ddda777"
},
{
"url": "https://git.kernel.org/stable/c/56fcd0788f0d9243c1754bd6f80b8b327c4afeee"
},
{
"url": "https://git.kernel.org/stable/c/27c7bd35135d5ab38b9138ecf186ce54a96c98d9"
},
{
"url": "https://git.kernel.org/stable/c/1f48116cbd3404898c9022892e114dd7cc3063c1"
},
{
"url": "https://git.kernel.org/stable/c/dfff66f30f66b9524b661f311bbed8ff3d2ca49f"
}
],
"title": "jbd2: add miss release buffer head in fc_do_one_pass()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50835",
"datePublished": "2025-12-30T12:10:55.715Z",
"dateReserved": "2025-12-30T12:06:07.132Z",
"dateUpdated": "2026-01-02T15:04:53.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40223 (GCVE-0-2025-40223)
Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31
VLAI?
EPSS
Title
most: usb: Fix use-after-free in hdm_disconnect
Summary
In the Linux kernel, the following vulnerability has been resolved:
most: usb: Fix use-after-free in hdm_disconnect
hdm_disconnect() calls most_deregister_interface(), which eventually
unregisters the MOST interface device with device_unregister(iface->dev).
If that drops the last reference, the device core may call release_mdev()
immediately while hdm_disconnect() is still executing.
The old code also freed several mdev-owned allocations in
hdm_disconnect() and then performed additional put_device() calls.
Depending on refcount order, this could lead to use-after-free or
double-free when release_mdev() ran (or when unregister paths also
performed puts).
Fix by moving the frees of mdev-owned allocations into release_mdev(),
so they happen exactly once when the device is truly released, and by
dropping the extra put_device() calls in hdm_disconnect() that are
redundant after device_unregister() and most_deregister_interface().
This addresses the KASAN slab-use-after-free reported by syzbot in
hdm_disconnect(). See report and stack traces in the bug link below.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831
(git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 578eb18cd111addec94c43f61cd4b4429e454809 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 33daf469f5294b9d07c4fc98216cace9f4f34cc6 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 72427dc6f87523995f4e6ae35a948bb2992cabce (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < f93a84ffb884d761a9d4e869ba29c238711e81f1 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6 (git) Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 4b1270902609ef0d935ed2faa2ea6d122bd148f5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "578eb18cd111addec94c43f61cd4b4429e454809",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "33daf469f5294b9d07c4fc98216cace9f4f34cc6",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "72427dc6f87523995f4e6ae35a948bb2992cabce",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "f93a84ffb884d761a9d4e869ba29c238711e81f1",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
},
{
"lessThan": "4b1270902609ef0d935ed2faa2ea6d122bd148f5",
"status": "affected",
"version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: Fix use-after-free in hdm_disconnect\n\nhdm_disconnect() calls most_deregister_interface(), which eventually\nunregisters the MOST interface device with device_unregister(iface-\u003edev).\nIf that drops the last reference, the device core may call release_mdev()\nimmediately while hdm_disconnect() is still executing.\n\nThe old code also freed several mdev-owned allocations in\nhdm_disconnect() and then performed additional put_device() calls.\nDepending on refcount order, this could lead to use-after-free or\ndouble-free when release_mdev() ran (or when unregister paths also\nperformed puts).\n\nFix by moving the frees of mdev-owned allocations into release_mdev(),\nso they happen exactly once when the device is truly released, and by\ndropping the extra put_device() calls in hdm_disconnect() that are\nredundant after device_unregister() and most_deregister_interface().\n\nThis addresses the KASAN slab-use-after-free reported by syzbot in\nhdm_disconnect(). See report and stack traces in the bug link below."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T15:31:15.158Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831"
},
{
"url": "https://git.kernel.org/stable/c/578eb18cd111addec94c43f61cd4b4429e454809"
},
{
"url": "https://git.kernel.org/stable/c/33daf469f5294b9d07c4fc98216cace9f4f34cc6"
},
{
"url": "https://git.kernel.org/stable/c/72427dc6f87523995f4e6ae35a948bb2992cabce"
},
{
"url": "https://git.kernel.org/stable/c/f93a84ffb884d761a9d4e869ba29c238711e81f1"
},
{
"url": "https://git.kernel.org/stable/c/3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6"
},
{
"url": "https://git.kernel.org/stable/c/4b1270902609ef0d935ed2faa2ea6d122bd148f5"
}
],
"title": "most: usb: Fix use-after-free in hdm_disconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40223",
"datePublished": "2025-12-04T15:31:15.158Z",
"dateReserved": "2025-04-16T07:20:57.180Z",
"dateUpdated": "2025-12-04T15:31:15.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50625 (GCVE-0-2022-50625)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16
VLAI?
EPSS
Title
serial: amba-pl011: avoid SBSA UART accessing DMACR register
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: amba-pl011: avoid SBSA UART accessing DMACR register
Chapter "B Generic UART" in "ARM Server Base System Architecture" [1]
documentation describes a generic UART interface. Such generic UART
does not support DMA. In current code, sbsa_uart_pops and
amba_pl011_pops share the same stop_rx operation, which will invoke
pl011_dma_rx_stop, leading to an access of the DMACR register. This
commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the
access to DMACR register for SBSA UARTs which does not support DMA.
When the kernel enables DMA engine with "CONFIG_DMA_ENGINE=y", Linux
SBSA PL011 driver will access PL011 DMACR register in some functions.
For most real SBSA Pl011 hardware implementations, the DMACR write
behaviour will be ignored. So these DMACR operations will not cause
obvious problems. But for some virtual SBSA PL011 hardware, like Xen
virtual SBSA PL011 (vpl011) device, the behaviour might be different.
Xen vpl011 emulation will inject a data abort to guest, when guest is
accessing an unimplemented UART register. As Xen VPL011 is SBSA
compatible, it will not implement DMACR register. So when Linux SBSA
PL011 driver access DMACR register, it will get an unhandled data abort
fault and the application will get a segmentation fault:
Unhandled fault at 0xffffffc00944d048
Mem abort info:
ESR = 0x96000000
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x00: ttbr address size fault
Data abort info:
ISV = 0, ISS = 0x00000000
CM = 0, WnR = 0
swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000
[ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13
Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP
...
Call trace:
pl011_stop_rx+0x70/0x80
tty_port_shutdown+0x7c/0xb4
tty_port_close+0x60/0xcc
uart_close+0x34/0x8c
tty_release+0x144/0x4c0
__fput+0x78/0x220
____fput+0x1c/0x30
task_work_run+0x88/0xc0
do_notify_resume+0x8d0/0x123c
el0_svc+0xa8/0xc0
el0t_64_sync_handler+0xa4/0x130
el0t_64_sync+0x1a0/0x1a4
Code: b9000083 b901f001 794038a0 8b000042 (b9000041)
---[ end trace 83dd93df15c3216f ]---
note: bootlogd[132] exited with preempt_count 1
/etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon
This has been discussed in the Xen community, and we think it should fix
this in Linux. See [2] for more information.
[1] https://developer.arm.com/documentation/den0094/c/?lang=en
[2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0dd1e247fd39aed20fd2baacc62ca44d82534798 , < 1c5f0d3f480abd8c26761b6b1f486822e77faea3
(git)
Affected: 0dd1e247fd39aed20fd2baacc62ca44d82534798 , < a4ea20ab82aa2b197dc7b08f51e1d615578276a0 (git) Affected: 0dd1e247fd39aed20fd2baacc62ca44d82534798 , < 78d837ce20517e0c1ff3ebe08ad64636e02c2e48 (git) Affected: 0dd1e247fd39aed20fd2baacc62ca44d82534798 , < 965f07ea5fd1b9591bcccc825a93ad883e56222c (git) Affected: 0dd1e247fd39aed20fd2baacc62ca44d82534798 , < d5b16eb076f46c88d02d41ece5bec4e0d89158bb (git) Affected: 0dd1e247fd39aed20fd2baacc62ca44d82534798 , < d71a611fca1984c0765f9317ff471ac8cd0e3e2f (git) Affected: 0dd1e247fd39aed20fd2baacc62ca44d82534798 , < 38a10fdd54d17590d45cb1c43b9889da383b6b1a (git) Affected: 0dd1e247fd39aed20fd2baacc62ca44d82534798 , < 64bc5dbc3260230e2f022288c71e5c680059384a (git) Affected: 0dd1e247fd39aed20fd2baacc62ca44d82534798 , < 94cdb9f33698478b0e7062586633c42c6158a786 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/amba-pl011.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1c5f0d3f480abd8c26761b6b1f486822e77faea3",
"status": "affected",
"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798",
"versionType": "git"
},
{
"lessThan": "a4ea20ab82aa2b197dc7b08f51e1d615578276a0",
"status": "affected",
"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798",
"versionType": "git"
},
{
"lessThan": "78d837ce20517e0c1ff3ebe08ad64636e02c2e48",
"status": "affected",
"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798",
"versionType": "git"
},
{
"lessThan": "965f07ea5fd1b9591bcccc825a93ad883e56222c",
"status": "affected",
"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798",
"versionType": "git"
},
{
"lessThan": "d5b16eb076f46c88d02d41ece5bec4e0d89158bb",
"status": "affected",
"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798",
"versionType": "git"
},
{
"lessThan": "d71a611fca1984c0765f9317ff471ac8cd0e3e2f",
"status": "affected",
"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798",
"versionType": "git"
},
{
"lessThan": "38a10fdd54d17590d45cb1c43b9889da383b6b1a",
"status": "affected",
"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798",
"versionType": "git"
},
{
"lessThan": "64bc5dbc3260230e2f022288c71e5c680059384a",
"status": "affected",
"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798",
"versionType": "git"
},
{
"lessThan": "94cdb9f33698478b0e7062586633c42c6158a786",
"status": "affected",
"version": "0dd1e247fd39aed20fd2baacc62ca44d82534798",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/amba-pl011.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: amba-pl011: avoid SBSA UART accessing DMACR register\n\nChapter \"B Generic UART\" in \"ARM Server Base System Architecture\" [1]\ndocumentation describes a generic UART interface. Such generic UART\ndoes not support DMA. In current code, sbsa_uart_pops and\namba_pl011_pops share the same stop_rx operation, which will invoke\npl011_dma_rx_stop, leading to an access of the DMACR register. This\ncommit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the\naccess to DMACR register for SBSA UARTs which does not support DMA.\n\nWhen the kernel enables DMA engine with \"CONFIG_DMA_ENGINE=y\", Linux\nSBSA PL011 driver will access PL011 DMACR register in some functions.\nFor most real SBSA Pl011 hardware implementations, the DMACR write\nbehaviour will be ignored. So these DMACR operations will not cause\nobvious problems. But for some virtual SBSA PL011 hardware, like Xen\nvirtual SBSA PL011 (vpl011) device, the behaviour might be different.\nXen vpl011 emulation will inject a data abort to guest, when guest is\naccessing an unimplemented UART register. As Xen VPL011 is SBSA\ncompatible, it will not implement DMACR register. So when Linux SBSA\nPL011 driver access DMACR register, it will get an unhandled data abort\nfault and the application will get a segmentation fault:\nUnhandled fault at 0xffffffc00944d048\nMem abort info:\n ESR = 0x96000000\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x00: ttbr address size fault\nData abort info:\n ISV = 0, ISS = 0x00000000\n CM = 0, WnR = 0\nswapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000\n[ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13\nInternal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP\n...\nCall trace:\n pl011_stop_rx+0x70/0x80\n tty_port_shutdown+0x7c/0xb4\n tty_port_close+0x60/0xcc\n uart_close+0x34/0x8c\n tty_release+0x144/0x4c0\n __fput+0x78/0x220\n ____fput+0x1c/0x30\n task_work_run+0x88/0xc0\n do_notify_resume+0x8d0/0x123c\n el0_svc+0xa8/0xc0\n el0t_64_sync_handler+0xa4/0x130\n el0t_64_sync+0x1a0/0x1a4\nCode: b9000083 b901f001 794038a0 8b000042 (b9000041)\n---[ end trace 83dd93df15c3216f ]---\nnote: bootlogd[132] exited with preempt_count 1\n/etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon\n\nThis has been discussed in the Xen community, and we think it should fix\nthis in Linux. See [2] for more information.\n\n[1] https://developer.arm.com/documentation/den0094/c/?lang=en\n[2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:16:39.642Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1c5f0d3f480abd8c26761b6b1f486822e77faea3"
},
{
"url": "https://git.kernel.org/stable/c/a4ea20ab82aa2b197dc7b08f51e1d615578276a0"
},
{
"url": "https://git.kernel.org/stable/c/78d837ce20517e0c1ff3ebe08ad64636e02c2e48"
},
{
"url": "https://git.kernel.org/stable/c/965f07ea5fd1b9591bcccc825a93ad883e56222c"
},
{
"url": "https://git.kernel.org/stable/c/d5b16eb076f46c88d02d41ece5bec4e0d89158bb"
},
{
"url": "https://git.kernel.org/stable/c/d71a611fca1984c0765f9317ff471ac8cd0e3e2f"
},
{
"url": "https://git.kernel.org/stable/c/38a10fdd54d17590d45cb1c43b9889da383b6b1a"
},
{
"url": "https://git.kernel.org/stable/c/64bc5dbc3260230e2f022288c71e5c680059384a"
},
{
"url": "https://git.kernel.org/stable/c/94cdb9f33698478b0e7062586633c42c6158a786"
}
],
"title": "serial: amba-pl011: avoid SBSA UART accessing DMACR register",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50625",
"datePublished": "2025-12-08T01:16:39.642Z",
"dateReserved": "2025-12-08T01:14:55.190Z",
"dateUpdated": "2025-12-08T01:16:39.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50619 (GCVE-0-2022-50619)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16
VLAI?
EPSS
Title
drm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr()
If the number of pages from the userptr BO differs from the SG BO then the
allocated memory for the SG table doesn't get freed before returning
-EINVAL, which may lead to a memory leak in some error paths. Fix this by
checking the number of pages before allocating memory for the SG table.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
264fb4d332f5e76743818480e482464437837c52 , < 304a10161696d86300ceab1cbe72b2d74b8cdd94
(git)
Affected: 264fb4d332f5e76743818480e482464437837c52 , < c6dc4c9ba093829ebe1450d5fb101da6fb7a2a58 (git) Affected: 264fb4d332f5e76743818480e482464437837c52 , < 90bfee142af0f0e9d3bec80e7acd5f49b230acf7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "304a10161696d86300ceab1cbe72b2d74b8cdd94",
"status": "affected",
"version": "264fb4d332f5e76743818480e482464437837c52",
"versionType": "git"
},
{
"lessThan": "c6dc4c9ba093829ebe1450d5fb101da6fb7a2a58",
"status": "affected",
"version": "264fb4d332f5e76743818480e482464437837c52",
"versionType": "git"
},
{
"lessThan": "90bfee142af0f0e9d3bec80e7acd5f49b230acf7",
"status": "affected",
"version": "264fb4d332f5e76743818480e482464437837c52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr()\n\nIf the number of pages from the userptr BO differs from the SG BO then the\nallocated memory for the SG table doesn\u0027t get freed before returning\n-EINVAL, which may lead to a memory leak in some error paths. Fix this by\nchecking the number of pages before allocating memory for the SG table."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:16:32.726Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/304a10161696d86300ceab1cbe72b2d74b8cdd94"
},
{
"url": "https://git.kernel.org/stable/c/c6dc4c9ba093829ebe1450d5fb101da6fb7a2a58"
},
{
"url": "https://git.kernel.org/stable/c/90bfee142af0f0e9d3bec80e7acd5f49b230acf7"
}
],
"title": "drm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50619",
"datePublished": "2025-12-08T01:16:32.726Z",
"dateReserved": "2025-12-08T01:14:55.189Z",
"dateUpdated": "2025-12-08T01:16:32.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54197 (GCVE-0-2023-54197)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:09 – Updated: 2025-12-30 12:09
VLAI?
EPSS
Title
Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"
This reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f.
This patch introduces a possible null-ptr-def problem. Revert it. And the
fixed bug by this patch have resolved by commit 73f7b171b7c0 ("Bluetooth:
btsdio: fix use after free bug in btsdio_remove due to race condition").
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
95eacef5692545f199fae4e52abfbfa273acb351 , < 3b4ed52009723f7dfca7a8ca95163bfb441bfb76
(git)
Affected: af4d48754d5517d33bac5e504ff1f1de0808e29e , < 70a104588e3131415e559c06deb834ce259a285a (git) Affected: a18fb433ceb56e0787546a9d77056dd0f215e762 , < de0ffb5145c9f418ad76f00e58d4b91c680410b2 (git) Affected: da3d3fdfb4d523c5da30e35a8dd90e04f0fd8962 , < 0837d10f6c37a47a0c73bccf1e39513613a2fcc2 (git) Affected: 8efae2112d910d8e5166dd0a836791b08721eef1 , < a789192f366147a0fbb395650079906d1d04e0b9 (git) Affected: cbf8deacb7053ce3e3fed64b277c6c6989e65bba , < 952030c914b5f2288609efe868537afcff7a3f51 (git) Affected: c59c65a14e8f7d738429648833f3bb3f9df0513f , < 8f83fa62614c282dd5d1211a0dd99c6a0a515b81 (git) Affected: 1e9ac114c4428fdb7ff4635b45d4f46017e8916f , < d8d7ce037d9a8f1f0714ece268c4c2c50845bbc3 (git) Affected: 1e9ac114c4428fdb7ff4635b45d4f46017e8916f , < db2bf510bd5d57f064d9e1db395ed86a08320c54 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btsdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b4ed52009723f7dfca7a8ca95163bfb441bfb76",
"status": "affected",
"version": "95eacef5692545f199fae4e52abfbfa273acb351",
"versionType": "git"
},
{
"lessThan": "70a104588e3131415e559c06deb834ce259a285a",
"status": "affected",
"version": "af4d48754d5517d33bac5e504ff1f1de0808e29e",
"versionType": "git"
},
{
"lessThan": "de0ffb5145c9f418ad76f00e58d4b91c680410b2",
"status": "affected",
"version": "a18fb433ceb56e0787546a9d77056dd0f215e762",
"versionType": "git"
},
{
"lessThan": "0837d10f6c37a47a0c73bccf1e39513613a2fcc2",
"status": "affected",
"version": "da3d3fdfb4d523c5da30e35a8dd90e04f0fd8962",
"versionType": "git"
},
{
"lessThan": "a789192f366147a0fbb395650079906d1d04e0b9",
"status": "affected",
"version": "8efae2112d910d8e5166dd0a836791b08721eef1",
"versionType": "git"
},
{
"lessThan": "952030c914b5f2288609efe868537afcff7a3f51",
"status": "affected",
"version": "cbf8deacb7053ce3e3fed64b277c6c6989e65bba",
"versionType": "git"
},
{
"lessThan": "8f83fa62614c282dd5d1211a0dd99c6a0a515b81",
"status": "affected",
"version": "c59c65a14e8f7d738429648833f3bb3f9df0513f",
"versionType": "git"
},
{
"lessThan": "d8d7ce037d9a8f1f0714ece268c4c2c50845bbc3",
"status": "affected",
"version": "1e9ac114c4428fdb7ff4635b45d4f46017e8916f",
"versionType": "git"
},
{
"lessThan": "db2bf510bd5d57f064d9e1db395ed86a08320c54",
"status": "affected",
"version": "1e9ac114c4428fdb7ff4635b45d4f46017e8916f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btsdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "4.14.312",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "4.19.280",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "5.4.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.10.177",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.15.105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "6.1.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "6.2.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work\"\n\nThis reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f.\n\nThis patch introduces a possible null-ptr-def problem. Revert it. And the\nfixed bug by this patch have resolved by commit 73f7b171b7c0 (\"Bluetooth:\nbtsdio: fix use after free bug in btsdio_remove due to race condition\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:09:03.472Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b4ed52009723f7dfca7a8ca95163bfb441bfb76"
},
{
"url": "https://git.kernel.org/stable/c/70a104588e3131415e559c06deb834ce259a285a"
},
{
"url": "https://git.kernel.org/stable/c/de0ffb5145c9f418ad76f00e58d4b91c680410b2"
},
{
"url": "https://git.kernel.org/stable/c/0837d10f6c37a47a0c73bccf1e39513613a2fcc2"
},
{
"url": "https://git.kernel.org/stable/c/a789192f366147a0fbb395650079906d1d04e0b9"
},
{
"url": "https://git.kernel.org/stable/c/952030c914b5f2288609efe868537afcff7a3f51"
},
{
"url": "https://git.kernel.org/stable/c/8f83fa62614c282dd5d1211a0dd99c6a0a515b81"
},
{
"url": "https://git.kernel.org/stable/c/d8d7ce037d9a8f1f0714ece268c4c2c50845bbc3"
},
{
"url": "https://git.kernel.org/stable/c/db2bf510bd5d57f064d9e1db395ed86a08320c54"
}
],
"title": "Revert \"Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54197",
"datePublished": "2025-12-30T12:09:03.472Z",
"dateReserved": "2025-12-30T12:06:44.498Z",
"dateUpdated": "2025-12-30T12:09:03.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54258 (GCVE-0-2023-54258)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
cifs: fix potential oops in cifs_oplock_break
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix potential oops in cifs_oplock_break
With deferred close we can have closes that race with lease breaks,
and so with the current checks for whether to send the lease response,
oplock_response(), this can mean that an unmount (kill_sb) can occur
just before we were checking if the tcon->ses is valid. See below:
[Fri Aug 4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs]
[Fri Aug 4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e <48> 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39
[Fri Aug 4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206
[Fri Aug 4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009
[Fri Aug 4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188
[Fri Aug 4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900
[Fri Aug 4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138
[Fri Aug 4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000
[Fri Aug 4 04:12:50 2023] FS: 0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000
[Fri Aug 4 04:12:50 2023] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Fri Aug 4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0
[Fri Aug 4 04:12:50 2023] Call Trace:
[Fri Aug 4 04:12:50 2023] <TASK>
[Fri Aug 4 04:12:50 2023] process_one_work+0x225/0x3d0
[Fri Aug 4 04:12:50 2023] worker_thread+0x4d/0x3e0
[Fri Aug 4 04:12:50 2023] ? process_one_work+0x3d0/0x3d0
[Fri Aug 4 04:12:50 2023] kthread+0x12a/0x150
[Fri Aug 4 04:12:50 2023] ? set_kthread_struct+0x50/0x50
[Fri Aug 4 04:12:50 2023] ret_from_fork+0x22/0x30
[Fri Aug 4 04:12:50 2023] </TASK>
To fix this change the ordering of the checks before sending the oplock_response
to first check if the openFileList is empty.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
63fb45ddc491895c4b36664e0c2c3b548545ae93 , < b99f490ea87ebcca3a429fd8837067feb56a4c7c
(git)
Affected: 1bf709b9625001eefdd41048c5f4c7544ee33394 , < 5ee28bcfbaacf289eb25c662a2862542ea6ce6a7 (git) Affected: 3b4c15171c3ce9120c81f5564b9367d8d0f4219c , < 6b67a6d2e50634fe127e656147c81915955e9f5e (git) Affected: da787d5b74983f7525d1eb4b9c0b4aff2821511a , < e8f5f849ffce24490eb9449e98312b66c0dba76f (git) Affected: cff7fb969edaeff2bc80c8a8f7cf7b0c8df32da7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b99f490ea87ebcca3a429fd8837067feb56a4c7c",
"status": "affected",
"version": "63fb45ddc491895c4b36664e0c2c3b548545ae93",
"versionType": "git"
},
{
"lessThan": "5ee28bcfbaacf289eb25c662a2862542ea6ce6a7",
"status": "affected",
"version": "1bf709b9625001eefdd41048c5f4c7544ee33394",
"versionType": "git"
},
{
"lessThan": "6b67a6d2e50634fe127e656147c81915955e9f5e",
"status": "affected",
"version": "3b4c15171c3ce9120c81f5564b9367d8d0f4219c",
"versionType": "git"
},
{
"lessThan": "e8f5f849ffce24490eb9449e98312b66c0dba76f",
"status": "affected",
"version": "da787d5b74983f7525d1eb4b9c0b4aff2821511a",
"versionType": "git"
},
{
"status": "affected",
"version": "cff7fb969edaeff2bc80c8a8f7cf7b0c8df32da7",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.128",
"status": "affected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThan": "6.1.47",
"status": "affected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThan": "6.4.12",
"status": "affected",
"version": "6.4.4",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "6.1.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential oops in cifs_oplock_break\n\nWith deferred close we can have closes that race with lease breaks,\nand so with the current checks for whether to send the lease response,\noplock_response(), this can mean that an unmount (kill_sb) can occur\njust before we were checking if the tcon-\u003eses is valid. See below:\n\n[Fri Aug 4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs]\n[Fri Aug 4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e \u003c48\u003e 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39\n[Fri Aug 4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206\n[Fri Aug 4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009\n[Fri Aug 4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188\n[Fri Aug 4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900\n[Fri Aug 4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138\n[Fri Aug 4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000\n[Fri Aug 4 04:12:50 2023] FS: 0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000\n[Fri Aug 4 04:12:50 2023] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[Fri Aug 4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0\n[Fri Aug 4 04:12:50 2023] Call Trace:\n[Fri Aug 4 04:12:50 2023] \u003cTASK\u003e\n[Fri Aug 4 04:12:50 2023] process_one_work+0x225/0x3d0\n[Fri Aug 4 04:12:50 2023] worker_thread+0x4d/0x3e0\n[Fri Aug 4 04:12:50 2023] ? process_one_work+0x3d0/0x3d0\n[Fri Aug 4 04:12:50 2023] kthread+0x12a/0x150\n[Fri Aug 4 04:12:50 2023] ? set_kthread_struct+0x50/0x50\n[Fri Aug 4 04:12:50 2023] ret_from_fork+0x22/0x30\n[Fri Aug 4 04:12:50 2023] \u003c/TASK\u003e\n\nTo fix this change the ordering of the checks before sending the oplock_response\nto first check if the openFileList is empty."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:52.855Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b99f490ea87ebcca3a429fd8837067feb56a4c7c"
},
{
"url": "https://git.kernel.org/stable/c/5ee28bcfbaacf289eb25c662a2862542ea6ce6a7"
},
{
"url": "https://git.kernel.org/stable/c/6b67a6d2e50634fe127e656147c81915955e9f5e"
},
{
"url": "https://git.kernel.org/stable/c/e8f5f849ffce24490eb9449e98312b66c0dba76f"
}
],
"title": "cifs: fix potential oops in cifs_oplock_break",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54258",
"datePublished": "2025-12-30T12:15:52.855Z",
"dateReserved": "2025-12-30T12:06:44.516Z",
"dateUpdated": "2025-12-30T12:15:52.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40302 (GCVE-0-2025-40302)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
media: videobuf2: forbid remove_bufs when legacy fileio is active
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: videobuf2: forbid remove_bufs when legacy fileio is active
vb2_ioctl_remove_bufs() call manipulates queue internal buffer list,
potentially overwriting some pointers used by the legacy fileio access
mode. Forbid that ioctl when fileio is active to protect internal queue
state between subsequent read/write calls.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a3293a85381ec9680aa2929547fbc76c5d87a1b2 , < a6a493b985bfffac097a4e1be09f98b27729dca8
(git)
Affected: a3293a85381ec9680aa2929547fbc76c5d87a1b2 , < e819b34df0a7030a15c968d619fa8a3ed2455c7a (git) Affected: a3293a85381ec9680aa2929547fbc76c5d87a1b2 , < 27afd6e066cfd80ddbe22a4a11b99174ac89cced (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/common/videobuf2/videobuf2-v4l2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6a493b985bfffac097a4e1be09f98b27729dca8",
"status": "affected",
"version": "a3293a85381ec9680aa2929547fbc76c5d87a1b2",
"versionType": "git"
},
{
"lessThan": "e819b34df0a7030a15c968d619fa8a3ed2455c7a",
"status": "affected",
"version": "a3293a85381ec9680aa2929547fbc76c5d87a1b2",
"versionType": "git"
},
{
"lessThan": "27afd6e066cfd80ddbe22a4a11b99174ac89cced",
"status": "affected",
"version": "a3293a85381ec9680aa2929547fbc76c5d87a1b2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/common/videobuf2/videobuf2-v4l2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: videobuf2: forbid remove_bufs when legacy fileio is active\n\nvb2_ioctl_remove_bufs() call manipulates queue internal buffer list,\npotentially overwriting some pointers used by the legacy fileio access\nmode. Forbid that ioctl when fileio is active to protect internal queue\nstate between subsequent read/write calls."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:26.293Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6a493b985bfffac097a4e1be09f98b27729dca8"
},
{
"url": "https://git.kernel.org/stable/c/e819b34df0a7030a15c968d619fa8a3ed2455c7a"
},
{
"url": "https://git.kernel.org/stable/c/27afd6e066cfd80ddbe22a4a11b99174ac89cced"
}
],
"title": "media: videobuf2: forbid remove_bufs when legacy fileio is active",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40302",
"datePublished": "2025-12-08T00:46:26.293Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-08T00:46:26.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50754 (GCVE-0-2022-50754)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
apparmor: fix a memleak in multi_transaction_new()
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix a memleak in multi_transaction_new()
In multi_transaction_new(), the variable t is not freed or passed out
on the failure of copy_from_user(t->data, buf, size), which could lead
to a memleak.
Fix this bug by adding a put_multi_transaction(t) in the error path.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1dea3b41e84c5923173fe654dcb758a5cb4a46e5 , < 11d5fe7da67c3334cefc981297fd5defb78df15c
(git)
Affected: 1dea3b41e84c5923173fe654dcb758a5cb4a46e5 , < 95e6adc6a7a4761ddf69ad713e55a06a3206309d (git) Affected: 1dea3b41e84c5923173fe654dcb758a5cb4a46e5 , < eb0f78e28cbc8f97439c0a4c80ee5160c1df5ce6 (git) Affected: 1dea3b41e84c5923173fe654dcb758a5cb4a46e5 , < 935d86b29093e75b6c547d90b3979c2c2d23f1c4 (git) Affected: 1dea3b41e84c5923173fe654dcb758a5cb4a46e5 , < 775a37ffa9f4681c4ad84c8634a7eec8af7098d4 (git) Affected: 1dea3b41e84c5923173fe654dcb758a5cb4a46e5 , < 88989932c2269ea66074f52a6213598838f8b9e7 (git) Affected: 1dea3b41e84c5923173fe654dcb758a5cb4a46e5 , < 3d27a436e294ac5d7a51bd5348ca63a42a468b35 (git) Affected: 1dea3b41e84c5923173fe654dcb758a5cb4a46e5 , < c73275cf6834787ca090317f1d20dbfa3b7f05aa (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11d5fe7da67c3334cefc981297fd5defb78df15c",
"status": "affected",
"version": "1dea3b41e84c5923173fe654dcb758a5cb4a46e5",
"versionType": "git"
},
{
"lessThan": "95e6adc6a7a4761ddf69ad713e55a06a3206309d",
"status": "affected",
"version": "1dea3b41e84c5923173fe654dcb758a5cb4a46e5",
"versionType": "git"
},
{
"lessThan": "eb0f78e28cbc8f97439c0a4c80ee5160c1df5ce6",
"status": "affected",
"version": "1dea3b41e84c5923173fe654dcb758a5cb4a46e5",
"versionType": "git"
},
{
"lessThan": "935d86b29093e75b6c547d90b3979c2c2d23f1c4",
"status": "affected",
"version": "1dea3b41e84c5923173fe654dcb758a5cb4a46e5",
"versionType": "git"
},
{
"lessThan": "775a37ffa9f4681c4ad84c8634a7eec8af7098d4",
"status": "affected",
"version": "1dea3b41e84c5923173fe654dcb758a5cb4a46e5",
"versionType": "git"
},
{
"lessThan": "88989932c2269ea66074f52a6213598838f8b9e7",
"status": "affected",
"version": "1dea3b41e84c5923173fe654dcb758a5cb4a46e5",
"versionType": "git"
},
{
"lessThan": "3d27a436e294ac5d7a51bd5348ca63a42a468b35",
"status": "affected",
"version": "1dea3b41e84c5923173fe654dcb758a5cb4a46e5",
"versionType": "git"
},
{
"lessThan": "c73275cf6834787ca090317f1d20dbfa3b7f05aa",
"status": "affected",
"version": "1dea3b41e84c5923173fe654dcb758a5cb4a46e5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix a memleak in multi_transaction_new()\n\nIn multi_transaction_new(), the variable t is not freed or passed out\non the failure of copy_from_user(t-\u003edata, buf, size), which could lead\nto a memleak.\n\nFix this bug by adding a put_multi_transaction(t) in the error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:48.245Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11d5fe7da67c3334cefc981297fd5defb78df15c"
},
{
"url": "https://git.kernel.org/stable/c/95e6adc6a7a4761ddf69ad713e55a06a3206309d"
},
{
"url": "https://git.kernel.org/stable/c/eb0f78e28cbc8f97439c0a4c80ee5160c1df5ce6"
},
{
"url": "https://git.kernel.org/stable/c/935d86b29093e75b6c547d90b3979c2c2d23f1c4"
},
{
"url": "https://git.kernel.org/stable/c/775a37ffa9f4681c4ad84c8634a7eec8af7098d4"
},
{
"url": "https://git.kernel.org/stable/c/88989932c2269ea66074f52a6213598838f8b9e7"
},
{
"url": "https://git.kernel.org/stable/c/3d27a436e294ac5d7a51bd5348ca63a42a468b35"
},
{
"url": "https://git.kernel.org/stable/c/c73275cf6834787ca090317f1d20dbfa3b7f05aa"
}
],
"title": "apparmor: fix a memleak in multi_transaction_new()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50754",
"datePublished": "2025-12-24T13:05:48.245Z",
"dateReserved": "2025-12-24T13:02:21.544Z",
"dateUpdated": "2025-12-24T13:05:48.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50856 (GCVE-0-2022-50856)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
cifs: Fix xid leak in cifs_ses_add_channel()
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix xid leak in cifs_ses_add_channel()
Before return, should free the xid, otherwise, the
xid will be leaked.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d70e9fa55884760b6d6c293dbf20d8c52ce11fb7 , < 7286f875510486fdc2fc426b7c826262e2283a65
(git)
Affected: d70e9fa55884760b6d6c293dbf20d8c52ce11fb7 , < 847301f0ee1c29f34cc48547ce1071990f24969c (git) Affected: d70e9fa55884760b6d6c293dbf20d8c52ce11fb7 , < db2a8b6c17e128d91f35d836c569f4a6bda4471b (git) Affected: d70e9fa55884760b6d6c293dbf20d8c52ce11fb7 , < e909d054bdea75ef1ec48c18c5936affdaecbb2c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/sess.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7286f875510486fdc2fc426b7c826262e2283a65",
"status": "affected",
"version": "d70e9fa55884760b6d6c293dbf20d8c52ce11fb7",
"versionType": "git"
},
{
"lessThan": "847301f0ee1c29f34cc48547ce1071990f24969c",
"status": "affected",
"version": "d70e9fa55884760b6d6c293dbf20d8c52ce11fb7",
"versionType": "git"
},
{
"lessThan": "db2a8b6c17e128d91f35d836c569f4a6bda4471b",
"status": "affected",
"version": "d70e9fa55884760b6d6c293dbf20d8c52ce11fb7",
"versionType": "git"
},
{
"lessThan": "e909d054bdea75ef1ec48c18c5936affdaecbb2c",
"status": "affected",
"version": "d70e9fa55884760b6d6c293dbf20d8c52ce11fb7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/sess.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix xid leak in cifs_ses_add_channel()\n\nBefore return, should free the xid, otherwise, the\nxid will be leaked."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:31.193Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7286f875510486fdc2fc426b7c826262e2283a65"
},
{
"url": "https://git.kernel.org/stable/c/847301f0ee1c29f34cc48547ce1071990f24969c"
},
{
"url": "https://git.kernel.org/stable/c/db2a8b6c17e128d91f35d836c569f4a6bda4471b"
},
{
"url": "https://git.kernel.org/stable/c/e909d054bdea75ef1ec48c18c5936affdaecbb2c"
}
],
"title": "cifs: Fix xid leak in cifs_ses_add_channel()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50856",
"datePublished": "2025-12-30T12:15:31.193Z",
"dateReserved": "2025-12-30T12:06:07.135Z",
"dateUpdated": "2025-12-30T12:15:31.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68207 (GCVE-0-2025-68207)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48
VLAI?
EPSS
Title
drm/xe/guc: Synchronize Dead CT worker with unbind
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/guc: Synchronize Dead CT worker with unbind
Cancel and wait for any Dead CT worker to complete before continuing
with device unbinding. Else the worker will end up using resources freed
by the undind operation.
(cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ff6482fb458953e111a82b7c537363d9aacf04bf , < 35959ab7d16b618616edf6df882a4533d2efe193
(git)
Affected: d2c5a5a926f43b2e42c5c955f917bad8ad6dd68c , < ce6ccf8e881a919bf902174ac879f80c97669498 (git) Affected: d2c5a5a926f43b2e42c5c955f917bad8ad6dd68c , < 95af8f4fdce8349a5fe75264007f1af2aa1082ea (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_guc_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "35959ab7d16b618616edf6df882a4533d2efe193",
"status": "affected",
"version": "ff6482fb458953e111a82b7c537363d9aacf04bf",
"versionType": "git"
},
{
"lessThan": "ce6ccf8e881a919bf902174ac879f80c97669498",
"status": "affected",
"version": "d2c5a5a926f43b2e42c5c955f917bad8ad6dd68c",
"versionType": "git"
},
{
"lessThan": "95af8f4fdce8349a5fe75264007f1af2aa1082ea",
"status": "affected",
"version": "d2c5a5a926f43b2e42c5c955f917bad8ad6dd68c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_guc_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.12.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc: Synchronize Dead CT worker with unbind\n\nCancel and wait for any Dead CT worker to complete before continuing\nwith device unbinding. Else the worker will end up using resources freed\nby the undind operation.\n\n(cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:48:34.574Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/35959ab7d16b618616edf6df882a4533d2efe193"
},
{
"url": "https://git.kernel.org/stable/c/ce6ccf8e881a919bf902174ac879f80c97669498"
},
{
"url": "https://git.kernel.org/stable/c/95af8f4fdce8349a5fe75264007f1af2aa1082ea"
}
],
"title": "drm/xe/guc: Synchronize Dead CT worker with unbind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68207",
"datePublished": "2025-12-16T13:48:34.574Z",
"dateReserved": "2025-12-16T13:41:40.255Z",
"dateUpdated": "2025-12-16T13:48:34.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40278 (GCVE-0-2025-40278)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak
Fix a KMSAN kernel-infoleak detected by the syzbot .
[net?] KMSAN: kernel-infoleak in __skb_datagram_iter
In tcf_ife_dump(), the variable 'opt' was partially initialized using a
designatied initializer. While the padding bytes are reamined
uninitialized. nla_put() copies the entire structure into a
netlink message, these uninitialized bytes leaked to userspace.
Initialize the structure with memset before assigning its fields
to ensure all members and padding are cleared prior to beign copied.
This change silences the KMSAN report and prevents potential information
leaks from the kernel memory.
This fix has been tested and validated by syzbot. This patch closes the
bug reported at the following syzkaller link and ensures no infoleak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 918e063304f945fb93be9bb70cacea07d0b730ea
(git)
Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 5e3644ef147bf7140259dfa4cace680c9b26fe8b (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 37f0680887c5aeba9a433fe04b35169010568bb1 (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 2191662058443e0bcc28d11694293d8339af6dde (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < a676a296af65d33725bdf7396803180957dbd92e (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < d1dbbbe839647486c9b893e5011fe84a052962df (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e (git) Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < ce50039be49eea9b4cd8873ca6eccded1b4a130a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "918e063304f945fb93be9bb70cacea07d0b730ea",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "5e3644ef147bf7140259dfa4cace680c9b26fe8b",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "37f0680887c5aeba9a433fe04b35169010568bb1",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "2191662058443e0bcc28d11694293d8339af6dde",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "a676a296af65d33725bdf7396803180957dbd92e",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "d1dbbbe839647486c9b893e5011fe84a052962df",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
},
{
"lessThan": "ce50039be49eea9b4cd8873ca6eccded1b4a130a",
"status": "affected",
"version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_ife.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak\n\nFix a KMSAN kernel-infoleak detected by the syzbot .\n\n[net?] KMSAN: kernel-infoleak in __skb_datagram_iter\n\nIn tcf_ife_dump(), the variable \u0027opt\u0027 was partially initialized using a\ndesignatied initializer. While the padding bytes are reamined\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to beign copied.\n\nThis change silences the KMSAN report and prevents potential information\nleaks from the kernel memory.\n\nThis fix has been tested and validated by syzbot. This patch closes the\nbug reported at the following syzkaller link and ensures no infoleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:01.693Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/918e063304f945fb93be9bb70cacea07d0b730ea"
},
{
"url": "https://git.kernel.org/stable/c/5e3644ef147bf7140259dfa4cace680c9b26fe8b"
},
{
"url": "https://git.kernel.org/stable/c/37f0680887c5aeba9a433fe04b35169010568bb1"
},
{
"url": "https://git.kernel.org/stable/c/2191662058443e0bcc28d11694293d8339af6dde"
},
{
"url": "https://git.kernel.org/stable/c/a676a296af65d33725bdf7396803180957dbd92e"
},
{
"url": "https://git.kernel.org/stable/c/d1dbbbe839647486c9b893e5011fe84a052962df"
},
{
"url": "https://git.kernel.org/stable/c/c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e"
},
{
"url": "https://git.kernel.org/stable/c/ce50039be49eea9b4cd8873ca6eccded1b4a130a"
}
],
"title": "net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40278",
"datePublished": "2025-12-06T21:51:01.693Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:01.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68192 (GCVE-0-2025-68192)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2025-12-16 13:43
VLAI?
EPSS
Title
net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup
Raw IP packets have no MAC header, leaving skb->mac_header uninitialized.
This can trigger kernel panics on ARM64 when xfrm or other subsystems
access the offset due to strict alignment checks.
Initialize the MAC header to prevent such crashes.
This can trigger kernel panics on ARM when running IPsec over the
qmimux0 interface.
Example trace:
Internal error: Oops: 000000009600004f [#1] SMP
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1
Hardware name: LS1028A RDB Board (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : xfrm_input+0xde8/0x1318
lr : xfrm_input+0x61c/0x1318
sp : ffff800080003b20
Call trace:
xfrm_input+0xde8/0x1318
xfrm6_rcv+0x38/0x44
xfrm6_esp_rcv+0x48/0xa8
ip6_protocol_deliver_rcu+0x94/0x4b0
ip6_input_finish+0x44/0x70
ip6_input+0x44/0xc0
ipv6_rcv+0x6c/0x114
__netif_receive_skb_one_core+0x5c/0x8c
__netif_receive_skb+0x18/0x60
process_backlog+0x78/0x17c
__napi_poll+0x38/0x180
net_rx_action+0x168/0x2f0
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c6adf77953bcec0ad63d7782479452464e50f7a3 , < d693c47fb902b988f5752182e4f7fbde5e6dcaf9
(git)
Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < 0aabccdcec1f4a36f95829ea2263f845bbc77223 (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < 4e6b9004f01d0fef5b19778399bc5bf55f8c2d71 (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < bf527b80b80a282ab5bf1540546211fc35e5cd42 (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < dd03780c29f87c26c0e0bb7e0db528c8109461fb (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < ae811175cea35b03ac6d7c910f43a82a43b9c3b3 (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < 8ab3b8f958d861a7f725a5be60769106509fbd69 (git) Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < e120f46768d98151ece8756ebd688b0e43dc8b29 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/qmi_wwan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d693c47fb902b988f5752182e4f7fbde5e6dcaf9",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "0aabccdcec1f4a36f95829ea2263f845bbc77223",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "4e6b9004f01d0fef5b19778399bc5bf55f8c2d71",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "bf527b80b80a282ab5bf1540546211fc35e5cd42",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "dd03780c29f87c26c0e0bb7e0db528c8109461fb",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "ae811175cea35b03ac6d7c910f43a82a43b9c3b3",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "8ab3b8f958d861a7f725a5be60769106509fbd69",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
},
{
"lessThan": "e120f46768d98151ece8756ebd688b0e43dc8b29",
"status": "affected",
"version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/qmi_wwan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup\n\nRaw IP packets have no MAC header, leaving skb-\u003emac_header uninitialized.\nThis can trigger kernel panics on ARM64 when xfrm or other subsystems\naccess the offset due to strict alignment checks.\n\nInitialize the MAC header to prevent such crashes.\n\nThis can trigger kernel panics on ARM when running IPsec over the\nqmimux0 interface.\n\nExample trace:\n\n Internal error: Oops: 000000009600004f [#1] SMP\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1\n Hardware name: LS1028A RDB Board (DT)\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : xfrm_input+0xde8/0x1318\n lr : xfrm_input+0x61c/0x1318\n sp : ffff800080003b20\n Call trace:\n xfrm_input+0xde8/0x1318\n xfrm6_rcv+0x38/0x44\n xfrm6_esp_rcv+0x48/0xa8\n ip6_protocol_deliver_rcu+0x94/0x4b0\n ip6_input_finish+0x44/0x70\n ip6_input+0x44/0xc0\n ipv6_rcv+0x6c/0x114\n __netif_receive_skb_one_core+0x5c/0x8c\n __netif_receive_skb+0x18/0x60\n process_backlog+0x78/0x17c\n __napi_poll+0x38/0x180\n net_rx_action+0x168/0x2f0"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:43:18.858Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d693c47fb902b988f5752182e4f7fbde5e6dcaf9"
},
{
"url": "https://git.kernel.org/stable/c/0aabccdcec1f4a36f95829ea2263f845bbc77223"
},
{
"url": "https://git.kernel.org/stable/c/4e6b9004f01d0fef5b19778399bc5bf55f8c2d71"
},
{
"url": "https://git.kernel.org/stable/c/bf527b80b80a282ab5bf1540546211fc35e5cd42"
},
{
"url": "https://git.kernel.org/stable/c/dd03780c29f87c26c0e0bb7e0db528c8109461fb"
},
{
"url": "https://git.kernel.org/stable/c/ae811175cea35b03ac6d7c910f43a82a43b9c3b3"
},
{
"url": "https://git.kernel.org/stable/c/8ab3b8f958d861a7f725a5be60769106509fbd69"
},
{
"url": "https://git.kernel.org/stable/c/e120f46768d98151ece8756ebd688b0e43dc8b29"
}
],
"title": "net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68192",
"datePublished": "2025-12-16T13:43:18.858Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2025-12-16T13:43:18.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54005 (GCVE-0-2023-54005)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
binder: fix memory leak in binder_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
binder: fix memory leak in binder_init()
In binder_init(), the destruction of binder_alloc_shrinker_init() is not
performed in the wrong path, which will cause memory leaks. So this commit
introduces binder_alloc_shrinker_exit() and calls it in the wrong path to
fix that.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f2517eb76f1f2f7f89761f9db2b202e89931738c , < 486dd742ba186ea333664c517d6775b06b1448ca
(git)
Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < ceb0f8cc987fb3d25c06b9662e08a42f99651207 (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < b97dad01c12169991f895de3d4f61b8115d12bab (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < d7e5e2b87f5d27469075b6326b6b358e38cd9dcb (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < 03eebad96233397f951d8e9fafd82a1674a77284 (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < f11a26633eb6d3bb24a10b1bacc4e4a9b0c6389f (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < ee95051c0c1928051f86198bf5e554277a53b26b (git) Affected: f2517eb76f1f2f7f89761f9db2b202e89931738c , < adb9743d6a08778b78d62d16b4230346d3508986 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/android/binder.c",
"drivers/android/binder_alloc.c",
"drivers/android/binder_alloc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "486dd742ba186ea333664c517d6775b06b1448ca",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "ceb0f8cc987fb3d25c06b9662e08a42f99651207",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "b97dad01c12169991f895de3d4f61b8115d12bab",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "d7e5e2b87f5d27469075b6326b6b358e38cd9dcb",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "03eebad96233397f951d8e9fafd82a1674a77284",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "f11a26633eb6d3bb24a10b1bacc4e4a9b0c6389f",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "ee95051c0c1928051f86198bf5e554277a53b26b",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
},
{
"lessThan": "adb9743d6a08778b78d62d16b4230346d3508986",
"status": "affected",
"version": "f2517eb76f1f2f7f89761f9db2b202e89931738c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/android/binder.c",
"drivers/android/binder_alloc.c",
"drivers/android/binder_alloc.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.292",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.191",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.292",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.254",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.191",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.127",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix memory leak in binder_init()\n\nIn binder_init(), the destruction of binder_alloc_shrinker_init() is not\nperformed in the wrong path, which will cause memory leaks. So this commit\nintroduces binder_alloc_shrinker_exit() and calls it in the wrong path to\nfix that."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:39.826Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/486dd742ba186ea333664c517d6775b06b1448ca"
},
{
"url": "https://git.kernel.org/stable/c/ceb0f8cc987fb3d25c06b9662e08a42f99651207"
},
{
"url": "https://git.kernel.org/stable/c/b97dad01c12169991f895de3d4f61b8115d12bab"
},
{
"url": "https://git.kernel.org/stable/c/d7e5e2b87f5d27469075b6326b6b358e38cd9dcb"
},
{
"url": "https://git.kernel.org/stable/c/03eebad96233397f951d8e9fafd82a1674a77284"
},
{
"url": "https://git.kernel.org/stable/c/f11a26633eb6d3bb24a10b1bacc4e4a9b0c6389f"
},
{
"url": "https://git.kernel.org/stable/c/ee95051c0c1928051f86198bf5e554277a53b26b"
},
{
"url": "https://git.kernel.org/stable/c/adb9743d6a08778b78d62d16b4230346d3508986"
}
],
"title": "binder: fix memory leak in binder_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54005",
"datePublished": "2025-12-24T10:55:39.826Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:39.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-26944 (GCVE-0-2024-26944)
Vulnerability from cvelistv5 – Published: 2024-05-01 05:18 – Updated: 2025-05-21 08:05
VLAI?
EPSS
Title
btrfs: zoned: fix use-after-free in do_zone_finish()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: zoned: fix use-after-free in do_zone_finish()
Shinichiro reported the following use-after-free triggered by the device
replace operation in fstests btrfs/070.
BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0
==================================================================
BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]
Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007
CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1
Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
Call Trace:
<TASK>
dump_stack_lvl+0x5b/0x90
print_report+0xcf/0x670
? __virt_addr_valid+0x200/0x3e0
kasan_report+0xd8/0x110
? do_zone_finish+0x91a/0xb90 [btrfs]
? do_zone_finish+0x91a/0xb90 [btrfs]
do_zone_finish+0x91a/0xb90 [btrfs]
btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]
? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]
? btrfs_put_root+0x2d/0x220 [btrfs]
? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]
cleaner_kthread+0x21e/0x380 [btrfs]
? __pfx_cleaner_kthread+0x10/0x10 [btrfs]
kthread+0x2e3/0x3c0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x31/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
Allocated by task 3493983:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_kmalloc+0xaa/0xb0
btrfs_alloc_device+0xb3/0x4e0 [btrfs]
device_list_add.constprop.0+0x993/0x1630 [btrfs]
btrfs_scan_one_device+0x219/0x3d0 [btrfs]
btrfs_control_ioctl+0x26e/0x310 [btrfs]
__x64_sys_ioctl+0x134/0x1b0
do_syscall_64+0x99/0x190
entry_SYSCALL_64_after_hwframe+0x6e/0x76
Freed by task 3494056:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3f/0x60
poison_slab_object+0x102/0x170
__kasan_slab_free+0x32/0x70
kfree+0x11b/0x320
btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]
btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]
btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]
btrfs_ioctl+0xb27/0x57d0 [btrfs]
__x64_sys_ioctl+0x134/0x1b0
do_syscall_64+0x99/0x190
entry_SYSCALL_64_after_hwframe+0x6e/0x76
The buggy address belongs to the object at ffff8881543c8000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 96 bytes inside of
freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)
The buggy address belongs to the physical page:
page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8
head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
This UAF happens because we're accessing stale zone information of a
already removed btrfs_device in do_zone_finish().
The sequence of events is as follows:
btrfs_dev_replace_start
btrfs_scrub_dev
btrfs_dev_replace_finishing
btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced
btrfs_rm_dev_replace_free_srcdev
btrfs_free_device <-- device freed
cleaner_kthread
btrfs_delete_unused_bgs
btrfs_zone_finish
do_zone_finish <-- refers the freed device
The reason for this is that we're using a
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26944",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T17:52:17.817601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:49:14.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:21:05.525Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/zoned.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "34ca809e055eca5cfe63d9c7efbf80b7c21b4e57",
"status": "affected",
"version": "4dcbb8ab31c1292aea6a3f240e19523f633320c2",
"versionType": "git"
},
{
"lessThan": "1ec17ef59168a1a6f1105f5dc517f783839a5302",
"status": "affected",
"version": "4dcbb8ab31c1292aea6a3f240e19523f633320c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/zoned.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free in do_zone_finish()\n\nShinichiro reported the following use-after-free triggered by the device\nreplace operation in fstests btrfs/070.\n\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\n ==================================================================\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\n\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0x200/0x3e0\n kasan_report+0xd8/0x110\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n do_zone_finish+0x91a/0xb90 [btrfs]\n btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\n ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\n ? btrfs_put_root+0x2d/0x220 [btrfs]\n ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\n cleaner_kthread+0x21e/0x380 [btrfs]\n ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\n kthread+0x2e3/0x3c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \u003c/TASK\u003e\n\n Allocated by task 3493983:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n btrfs_alloc_device+0xb3/0x4e0 [btrfs]\n device_list_add.constprop.0+0x993/0x1630 [btrfs]\n btrfs_scan_one_device+0x219/0x3d0 [btrfs]\n btrfs_control_ioctl+0x26e/0x310 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 3494056:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3f/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x32/0x70\n kfree+0x11b/0x320\n btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\n btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\n btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\n btrfs_ioctl+0xb27/0x57d0 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n The buggy address belongs to the object at ffff8881543c8000\n which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 96 bytes inside of\n freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\n\n The buggy address belongs to the physical page:\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n \u003effff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThis UAF happens because we\u0027re accessing stale zone information of a\nalready removed btrfs_device in do_zone_finish().\n\nThe sequence of events is as follows:\n\nbtrfs_dev_replace_start\n btrfs_scrub_dev\n btrfs_dev_replace_finishing\n btrfs_dev_replace_update_device_in_mapping_tree \u003c-- devices replaced\n btrfs_rm_dev_replace_free_srcdev\n btrfs_free_device \u003c-- device freed\n\ncleaner_kthread\n btrfs_delete_unused_bgs\n btrfs_zone_finish\n do_zone_finish \u003c-- refers the freed device\n\nThe reason for this is that we\u0027re using a\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T08:05:14.479Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57"
},
{
"url": "https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302"
}
],
"title": "btrfs: zoned: fix use-after-free in do_zone_finish()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-26944",
"datePublished": "2024-05-01T05:18:04.909Z",
"dateReserved": "2024-02-19T14:20:24.197Z",
"dateUpdated": "2025-05-21T08:05:14.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-40346 (GCVE-0-2025-40346)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-16 13:30
VLAI?
EPSS
Title
arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()
Summary
In the Linux kernel, the following vulnerability has been resolved:
arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()
Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity()
which causes the code to proceed with NULL clock pointers. The current
logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both
valid pointers and NULL, leading to potential NULL pointer dereference
in clk_get_rate().
Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns:
"The error code within @ptr if it is an error pointer; 0 otherwise."
This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL
pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed)
when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be
called when of_clk_get() returns NULL.
Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid
pointers, preventing potential NULL pointer dereference in clk_get_rate().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 64da320252e43456cc9ec3055ff567f168467b37
(git)
Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 02fbea0864fd4a863671f5d418129258d7159f68 (git) Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < a77f8434954cb1e9c42c3854e40855fdcf5ab235 (git) Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 3373f263bb647fcc3b5237cfaef757633b9ee25e (git) Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 45379303124487db3a81219af7565d41f498167f (git) Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 3a01b2614e84361aa222f67bc628593987e5cdb2 (git) Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 2eead19334516c8e9927c11b448fbe512b1f18a1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/arch_topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64da320252e43456cc9ec3055ff567f168467b37",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "02fbea0864fd4a863671f5d418129258d7159f68",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "a77f8434954cb1e9c42c3854e40855fdcf5ab235",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "3373f263bb647fcc3b5237cfaef757633b9ee25e",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "45379303124487db3a81219af7565d41f498167f",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "3a01b2614e84361aa222f67bc628593987e5cdb2",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
},
{
"lessThan": "2eead19334516c8e9927c11b448fbe512b1f18a1",
"status": "affected",
"version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/arch_topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narch_topology: Fix incorrect error check in topology_parse_cpu_capacity()\n\nFix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity()\nwhich causes the code to proceed with NULL clock pointers. The current\nlogic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both\nvalid pointers and NULL, leading to potential NULL pointer dereference\nin clk_get_rate().\n\nPer include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns:\n\"The error code within @ptr if it is an error pointer; 0 otherwise.\"\n\nThis means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL\npointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed)\nwhen cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be\ncalled when of_clk_get() returns NULL.\n\nReplace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid\npointers, preventing potential NULL pointer dereference in clk_get_rate()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:30:20.395Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64da320252e43456cc9ec3055ff567f168467b37"
},
{
"url": "https://git.kernel.org/stable/c/02fbea0864fd4a863671f5d418129258d7159f68"
},
{
"url": "https://git.kernel.org/stable/c/a77f8434954cb1e9c42c3854e40855fdcf5ab235"
},
{
"url": "https://git.kernel.org/stable/c/3373f263bb647fcc3b5237cfaef757633b9ee25e"
},
{
"url": "https://git.kernel.org/stable/c/45379303124487db3a81219af7565d41f498167f"
},
{
"url": "https://git.kernel.org/stable/c/3a01b2614e84361aa222f67bc628593987e5cdb2"
},
{
"url": "https://git.kernel.org/stable/c/2eead19334516c8e9927c11b448fbe512b1f18a1"
}
],
"title": "arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40346",
"datePublished": "2025-12-16T13:30:20.395Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-16T13:30:20.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53743 (GCVE-0-2023-53743)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
PCI: Free released resource after coalescing
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI: Free released resource after coalescing
release_resource() doesn't actually free the resource or resource list
entry so free the resource list entry to avoid a leak.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
465c195e86f3d0ffd2e250c4b78a5a1f11cc1b0a , < 4443f3695d581ad1a55f2ef59259dcd0c52402b3
(git)
Affected: b9bd8e34ec97615db4b64e043adf0cd643b16ed4 , < a076e73dd6e619729e1af8d0d802fe52ac5eb2b3 (git) Affected: e54223275ba1bc6f704a6bab015fcd2ae4f72572 , < a08713b9d9031683b83b3ecf12bad40a1ca35211 (git) Affected: e54223275ba1bc6f704a6bab015fcd2ae4f72572 , < 8ec9c1d5d0a5a4744516adb483b97a238892f9d5 (git) Affected: 26277a4250207e630c9a11f4ead4ef6e8441bf1f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/probe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4443f3695d581ad1a55f2ef59259dcd0c52402b3",
"status": "affected",
"version": "465c195e86f3d0ffd2e250c4b78a5a1f11cc1b0a",
"versionType": "git"
},
{
"lessThan": "a076e73dd6e619729e1af8d0d802fe52ac5eb2b3",
"status": "affected",
"version": "b9bd8e34ec97615db4b64e043adf0cd643b16ed4",
"versionType": "git"
},
{
"lessThan": "a08713b9d9031683b83b3ecf12bad40a1ca35211",
"status": "affected",
"version": "e54223275ba1bc6f704a6bab015fcd2ae4f72572",
"versionType": "git"
},
{
"lessThan": "8ec9c1d5d0a5a4744516adb483b97a238892f9d5",
"status": "affected",
"version": "e54223275ba1bc6f704a6bab015fcd2ae4f72572",
"versionType": "git"
},
{
"status": "affected",
"version": "26277a4250207e630c9a11f4ead4ef6e8441bf1f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/probe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "6.1.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.181",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Free released resource after coalescing\n\nrelease_resource() doesn\u0027t actually free the resource or resource list\nentry so free the resource list entry to avoid a leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:01.868Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4443f3695d581ad1a55f2ef59259dcd0c52402b3"
},
{
"url": "https://git.kernel.org/stable/c/a076e73dd6e619729e1af8d0d802fe52ac5eb2b3"
},
{
"url": "https://git.kernel.org/stable/c/a08713b9d9031683b83b3ecf12bad40a1ca35211"
},
{
"url": "https://git.kernel.org/stable/c/8ec9c1d5d0a5a4744516adb483b97a238892f9d5"
}
],
"title": "PCI: Free released resource after coalescing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53743",
"datePublished": "2025-12-08T01:19:01.868Z",
"dateReserved": "2025-12-08T01:18:04.278Z",
"dateUpdated": "2025-12-08T01:19:01.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68181 (GCVE-0-2025-68181)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42
VLAI?
EPSS
Title
drm/radeon: Remove calls to drm_put_dev()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: Remove calls to drm_put_dev()
Since the allocation of the drivers main structure was changed to
devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd
should be done by devres.
However, drm_put_dev() is still in the probe error and device remove
paths. When the driver fails to probe warnings like the following are
shown because devres is trying to drm_put_dev() after the driver
already did it.
[ 5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22
[ 5.649605] ------------[ cut here ]------------
[ 5.649607] refcount_t: underflow; use-after-free.
[ 5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
(cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < 2fa41445d8c98f2a65503c373796466496edc0e7
(git)
Affected: a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < ec18f6b2c743cc471b2539ddb5caed20a012e640 (git) Affected: a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < 745bae76acdd71709773c129a69deca01036250b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2fa41445d8c98f2a65503c373796466496edc0e7",
"status": "affected",
"version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
"versionType": "git"
},
{
"lessThan": "ec18f6b2c743cc471b2539ddb5caed20a012e640",
"status": "affected",
"version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
"versionType": "git"
},
{
"lessThan": "745bae76acdd71709773c129a69deca01036250b",
"status": "affected",
"version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/radeon/radeon_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Remove calls to drm_put_dev()\n\nSince the allocation of the drivers main structure was changed to\ndevm_drm_dev_alloc() drm_put_dev()\u0027ing to trigger it to be free\u0027d\nshould be done by devres.\n\nHowever, drm_put_dev() is still in the probe error and device remove\npaths. When the driver fails to probe warnings like the following are\nshown because devres is trying to drm_put_dev() after the driver\nalready did it.\n\n[ 5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22\n[ 5.649605] ------------[ cut here ]------------\n[ 5.649607] refcount_t: underflow; use-after-free.\n[ 5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n\n(cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:42:59.600Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2fa41445d8c98f2a65503c373796466496edc0e7"
},
{
"url": "https://git.kernel.org/stable/c/ec18f6b2c743cc471b2539ddb5caed20a012e640"
},
{
"url": "https://git.kernel.org/stable/c/745bae76acdd71709773c129a69deca01036250b"
}
],
"title": "drm/radeon: Remove calls to drm_put_dev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68181",
"datePublished": "2025-12-16T13:42:59.600Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2025-12-16T13:42:59.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54003 (GCVE-0-2023-54003)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
RDMA/core: Fix GID entry ref leak when create_ah fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Fix GID entry ref leak when create_ah fails
If AH create request fails, release sgid_attr to avoid GID entry
referrence leak reported while releasing GID table
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1a1f460ff151710289c2f8d4badd8b603b87d610 , < 9c46c49ad3ffe84121715d392b5a0a94f9f10669
(git)
Affected: 1a1f460ff151710289c2f8d4badd8b603b87d610 , < d1b9b3191697a80aca8e247320eba46f24d41d18 (git) Affected: 1a1f460ff151710289c2f8d4badd8b603b87d610 , < e97ff11b396c320d2cc025b09741ba432fcb20a2 (git) Affected: 1a1f460ff151710289c2f8d4badd8b603b87d610 , < 370280c65c28a515b841c9f2c08524f06182510c (git) Affected: 1a1f460ff151710289c2f8d4badd8b603b87d610 , < 632d6baf8884d803e598bf5164008d23fd9b736c (git) Affected: 1a1f460ff151710289c2f8d4badd8b603b87d610 , < aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c46c49ad3ffe84121715d392b5a0a94f9f10669",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
},
{
"lessThan": "d1b9b3191697a80aca8e247320eba46f24d41d18",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
},
{
"lessThan": "e97ff11b396c320d2cc025b09741ba432fcb20a2",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
},
{
"lessThan": "370280c65c28a515b841c9f2c08524f06182510c",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
},
{
"lessThan": "632d6baf8884d803e598bf5164008d23fd9b736c",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
},
{
"lessThan": "aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0",
"status": "affected",
"version": "1a1f460ff151710289c2f8d4badd8b603b87d610",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix GID entry ref leak when create_ah fails\n\nIf AH create request fails, release sgid_attr to avoid GID entry\nreferrence leak reported while releasing GID table"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:38.425Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c46c49ad3ffe84121715d392b5a0a94f9f10669"
},
{
"url": "https://git.kernel.org/stable/c/d1b9b3191697a80aca8e247320eba46f24d41d18"
},
{
"url": "https://git.kernel.org/stable/c/e97ff11b396c320d2cc025b09741ba432fcb20a2"
},
{
"url": "https://git.kernel.org/stable/c/370280c65c28a515b841c9f2c08524f06182510c"
},
{
"url": "https://git.kernel.org/stable/c/632d6baf8884d803e598bf5164008d23fd9b736c"
},
{
"url": "https://git.kernel.org/stable/c/aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0"
}
],
"title": "RDMA/core: Fix GID entry ref leak when create_ah fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54003",
"datePublished": "2025-12-24T10:55:38.425Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:38.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54093 (GCVE-0-2023-54093)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
media: anysee: fix null-ptr-deref in anysee_master_xfer
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: anysee: fix null-ptr-deref in anysee_master_xfer
In anysee_master_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach anysee_master_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.
Similar commit:
commit 0ed554fd769a
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
[hverkuil: add spaces around +]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b , < 73c0b224ceeba12dee2a7a8cbc147648da0b2e63
(git)
Affected: a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b , < e04affec2506ff5c12a18d78d7e694b3556a8982 (git) Affected: a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b , < 8dc5b370254abc10f0cb4141d90cecf7ce465472 (git) Affected: a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b , < 4a9763d2bc4a6d6fab42555b9c0b2eefa32585ac (git) Affected: a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b , < 3dd5846a873938ec7b6d404ec27662942cd8f2ef (git) Affected: a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b , < 14b94154a72388b57221a2a73795c0ea61a95373 (git) Affected: a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b , < 5975dbbb7ad0767eaabd15d2c37a739ac76acb00 (git) Affected: a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b , < c30411266fd67ea3c02a05c157231654d5a3bdc9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb-v2/anysee.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73c0b224ceeba12dee2a7a8cbc147648da0b2e63",
"status": "affected",
"version": "a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b",
"versionType": "git"
},
{
"lessThan": "e04affec2506ff5c12a18d78d7e694b3556a8982",
"status": "affected",
"version": "a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b",
"versionType": "git"
},
{
"lessThan": "8dc5b370254abc10f0cb4141d90cecf7ce465472",
"status": "affected",
"version": "a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b",
"versionType": "git"
},
{
"lessThan": "4a9763d2bc4a6d6fab42555b9c0b2eefa32585ac",
"status": "affected",
"version": "a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b",
"versionType": "git"
},
{
"lessThan": "3dd5846a873938ec7b6d404ec27662942cd8f2ef",
"status": "affected",
"version": "a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b",
"versionType": "git"
},
{
"lessThan": "14b94154a72388b57221a2a73795c0ea61a95373",
"status": "affected",
"version": "a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b",
"versionType": "git"
},
{
"lessThan": "5975dbbb7ad0767eaabd15d2c37a739ac76acb00",
"status": "affected",
"version": "a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b",
"versionType": "git"
},
{
"lessThan": "c30411266fd67ea3c02a05c157231654d5a3bdc9",
"status": "affected",
"version": "a51e34dd6080d8d5c9e95a4e0292cd4cb889a61b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb-v2/anysee.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: anysee: fix null-ptr-deref in anysee_master_xfer\n\nIn anysee_master_xfer, msg is controlled by user. When msg[i].buf\nis null and msg[i].len is zero, former checks on msg[i].buf would be\npassed. Malicious data finally reach anysee_master_xfer. If accessing\nmsg[i].buf[0] without sanity check, null ptr deref would happen.\nWe add check on msg[i].len to prevent crash.\n\nSimilar commit:\ncommit 0ed554fd769a\n(\"media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()\")\n\n[hverkuil: add spaces around +]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:43.446Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73c0b224ceeba12dee2a7a8cbc147648da0b2e63"
},
{
"url": "https://git.kernel.org/stable/c/e04affec2506ff5c12a18d78d7e694b3556a8982"
},
{
"url": "https://git.kernel.org/stable/c/8dc5b370254abc10f0cb4141d90cecf7ce465472"
},
{
"url": "https://git.kernel.org/stable/c/4a9763d2bc4a6d6fab42555b9c0b2eefa32585ac"
},
{
"url": "https://git.kernel.org/stable/c/3dd5846a873938ec7b6d404ec27662942cd8f2ef"
},
{
"url": "https://git.kernel.org/stable/c/14b94154a72388b57221a2a73795c0ea61a95373"
},
{
"url": "https://git.kernel.org/stable/c/5975dbbb7ad0767eaabd15d2c37a739ac76acb00"
},
{
"url": "https://git.kernel.org/stable/c/c30411266fd67ea3c02a05c157231654d5a3bdc9"
}
],
"title": "media: anysee: fix null-ptr-deref in anysee_master_xfer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54093",
"datePublished": "2025-12-24T13:06:21.774Z",
"dateReserved": "2025-12-24T13:02:52.516Z",
"dateUpdated": "2026-01-05T10:33:43.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40318 (GCVE-0-2025-40318)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once
hci_cmd_sync_dequeue_once() does lookup and then cancel
the entry under two separate lock sections. Meanwhile,
hci_cmd_sync_work() can also delete the same entry,
leading to double list_del() and "UAF".
Fix this by holding cmd_sync_work_lock across both
lookup and cancel, so that the entry cannot be removed
concurrently.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f00f36db76eb8fd10d13e80e2590f23b5beaa54d , < 0a94f7e017438935c09ef833a1aa908ad9875213
(git)
Affected: 1499f79995c7ee58e3bfeeff75f6d1b37dcda881 , < 932c0a4f77ac13e526fdd5b42914d29c9821d389 (git) Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < ae76cf6c2c842944c6514c57df54d728f1916553 (git) Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < 9cd536970192b72257afcdfba0bfc09993e6f19c (git) Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 (git) Affected: 357603f4d396d85fbf0045512efaf1d7f7394ed7 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a94f7e017438935c09ef833a1aa908ad9875213",
"status": "affected",
"version": "f00f36db76eb8fd10d13e80e2590f23b5beaa54d",
"versionType": "git"
},
{
"lessThan": "932c0a4f77ac13e526fdd5b42914d29c9821d389",
"status": "affected",
"version": "1499f79995c7ee58e3bfeeff75f6d1b37dcda881",
"versionType": "git"
},
{
"lessThan": "ae76cf6c2c842944c6514c57df54d728f1916553",
"status": "affected",
"version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
"versionType": "git"
},
{
"lessThan": "9cd536970192b72257afcdfba0bfc09993e6f19c",
"status": "affected",
"version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
"versionType": "git"
},
{
"lessThan": "09b0cd1297b4dbfe736aeaa0ceeab2265f47f772",
"status": "affected",
"version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
"versionType": "git"
},
{
"status": "affected",
"version": "357603f4d396d85fbf0045512efaf1d7f7394ed7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6.51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.8.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once\n\nhci_cmd_sync_dequeue_once() does lookup and then cancel\nthe entry under two separate lock sections. Meanwhile,\nhci_cmd_sync_work() can also delete the same entry,\nleading to double list_del() and \"UAF\".\n\nFix this by holding cmd_sync_work_lock across both\nlookup and cancel, so that the entry cannot be removed\nconcurrently."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:45.382Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213"
},
{
"url": "https://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389"
},
{
"url": "https://git.kernel.org/stable/c/ae76cf6c2c842944c6514c57df54d728f1916553"
},
{
"url": "https://git.kernel.org/stable/c/9cd536970192b72257afcdfba0bfc09993e6f19c"
},
{
"url": "https://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772"
}
],
"title": "Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40318",
"datePublished": "2025-12-08T00:46:45.382Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:45.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50623 (GCVE-0-2022-50623)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16
VLAI?
EPSS
Title
fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()
Summary
In the Linux kernel, the following vulnerability has been resolved:
fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()
The "hdr.count * sizeof(s32)" multiplication can overflow on 32 bit
systems leading to memory corruption. Use array_size() to fix that.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
322b598be4d9b9090cda560c4caab78704615ab4 , < f59861946fa51bcc1f305809e4ebc1013b0ee61c
(git)
Affected: 322b598be4d9b9090cda560c4caab78704615ab4 , < b94605f5cb99e90c8ca91523597a40e1bd59546b (git) Affected: 322b598be4d9b9090cda560c4caab78704615ab4 , < 1b5a931594f7ffd26d706614c37d4da0f2ffb6e7 (git) Affected: 322b598be4d9b9090cda560c4caab78704615ab4 , < 940253af8b3865b76de8d1b46bcd4a700104852e (git) Affected: 322b598be4d9b9090cda560c4caab78704615ab4 , < 939bc5453b8cbdde9f1e5110ce8309aedb1b501a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/fpga/dfl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f59861946fa51bcc1f305809e4ebc1013b0ee61c",
"status": "affected",
"version": "322b598be4d9b9090cda560c4caab78704615ab4",
"versionType": "git"
},
{
"lessThan": "b94605f5cb99e90c8ca91523597a40e1bd59546b",
"status": "affected",
"version": "322b598be4d9b9090cda560c4caab78704615ab4",
"versionType": "git"
},
{
"lessThan": "1b5a931594f7ffd26d706614c37d4da0f2ffb6e7",
"status": "affected",
"version": "322b598be4d9b9090cda560c4caab78704615ab4",
"versionType": "git"
},
{
"lessThan": "940253af8b3865b76de8d1b46bcd4a700104852e",
"status": "affected",
"version": "322b598be4d9b9090cda560c4caab78704615ab4",
"versionType": "git"
},
{
"lessThan": "939bc5453b8cbdde9f1e5110ce8309aedb1b501a",
"status": "affected",
"version": "322b598be4d9b9090cda560c4caab78704615ab4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/fpga/dfl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: prevent integer overflow in dfl_feature_ioctl_set_irq()\n\nThe \"hdr.count * sizeof(s32)\" multiplication can overflow on 32 bit\nsystems leading to memory corruption. Use array_size() to fix that."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:16:37.086Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f59861946fa51bcc1f305809e4ebc1013b0ee61c"
},
{
"url": "https://git.kernel.org/stable/c/b94605f5cb99e90c8ca91523597a40e1bd59546b"
},
{
"url": "https://git.kernel.org/stable/c/1b5a931594f7ffd26d706614c37d4da0f2ffb6e7"
},
{
"url": "https://git.kernel.org/stable/c/940253af8b3865b76de8d1b46bcd4a700104852e"
},
{
"url": "https://git.kernel.org/stable/c/939bc5453b8cbdde9f1e5110ce8309aedb1b501a"
}
],
"title": "fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50623",
"datePublished": "2025-12-08T01:16:37.086Z",
"dateReserved": "2025-12-08T01:14:55.190Z",
"dateUpdated": "2025-12-08T01:16:37.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40294 (GCVE-0-2025-40294)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
In the parse_adv_monitor_pattern() function, the value of
the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).
The size of the 'value' array in the mgmt_adv_pattern structure is 31.
If the value of 'pattern[i].length' is set in the user space
and exceeds 31, the 'patterns[i].value' array can be accessed
out of bound when copied.
Increasing the size of the 'value' array in
the 'mgmt_adv_pattern' structure will break the userspace.
Considering this, and to avoid OOB access revert the limits for 'offset'
and 'length' back to the value of HCI_MAX_AD_LENGTH.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
99f30e12e588f9982a6eb1916e53510bff25b3b8 , < 96616530f524a0a76248cd44201de0a9e8526190
(git)
Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 5f7350ff2b179764a4f40ba4161b60b8aaef857b (git) Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 4b7d4aa5399b5a64caee639275615c63c008540d (git) Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 3a50d59b3781bc3a4e96533612509546a4c309a7 (git) Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 8d59fba49362c65332395789fd82771f1028d87e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/mgmt.h",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96616530f524a0a76248cd44201de0a9e8526190",
"status": "affected",
"version": "99f30e12e588f9982a6eb1916e53510bff25b3b8",
"versionType": "git"
},
{
"lessThan": "5f7350ff2b179764a4f40ba4161b60b8aaef857b",
"status": "affected",
"version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
"versionType": "git"
},
{
"lessThan": "4b7d4aa5399b5a64caee639275615c63c008540d",
"status": "affected",
"version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
"versionType": "git"
},
{
"lessThan": "3a50d59b3781bc3a4e96533612509546a4c309a7",
"status": "affected",
"version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
"versionType": "git"
},
{
"lessThan": "8d59fba49362c65332395789fd82771f1028d87e",
"status": "affected",
"version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/bluetooth/mgmt.h",
"net/bluetooth/mgmt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()\n\nIn the parse_adv_monitor_pattern() function, the value of\nthe \u0027length\u0027 variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).\nThe size of the \u0027value\u0027 array in the mgmt_adv_pattern structure is 31.\nIf the value of \u0027pattern[i].length\u0027 is set in the user space\nand exceeds 31, the \u0027patterns[i].value\u0027 array can be accessed\nout of bound when copied.\n\nIncreasing the size of the \u0027value\u0027 array in\nthe \u0027mgmt_adv_pattern\u0027 structure will break the userspace.\nConsidering this, and to avoid OOB access revert the limits for \u0027offset\u0027\nand \u0027length\u0027 back to the value of HCI_MAX_AD_LENGTH.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:17.899Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96616530f524a0a76248cd44201de0a9e8526190"
},
{
"url": "https://git.kernel.org/stable/c/5f7350ff2b179764a4f40ba4161b60b8aaef857b"
},
{
"url": "https://git.kernel.org/stable/c/4b7d4aa5399b5a64caee639275615c63c008540d"
},
{
"url": "https://git.kernel.org/stable/c/3a50d59b3781bc3a4e96533612509546a4c309a7"
},
{
"url": "https://git.kernel.org/stable/c/8d59fba49362c65332395789fd82771f1028d87e"
}
],
"title": "Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40294",
"datePublished": "2025-12-08T00:46:17.899Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-08T00:46:17.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54024 (GCVE-0-2023-54024)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
KVM: Destroy target device if coalesced MMIO unregistration fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: Destroy target device if coalesced MMIO unregistration fails
Destroy and free the target coalesced MMIO device if unregistering said
device fails. As clearly noted in the code, kvm_io_bus_unregister_dev()
does not destroy the target device.
BUG: memory leak
unreferenced object 0xffff888112a54880 (size 64):
comm "syz-executor.2", pid 5258, jiffies 4297861402 (age 14.129s)
hex dump (first 32 bytes):
38 c7 67 15 00 c9 ff ff 38 c7 67 15 00 c9 ff ff 8.g.....8.g.....
e0 c7 e1 83 ff ff ff ff 00 30 67 15 00 c9 ff ff .........0g.....
backtrace:
[<0000000006995a8a>] kmalloc include/linux/slab.h:556 [inline]
[<0000000006995a8a>] kzalloc include/linux/slab.h:690 [inline]
[<0000000006995a8a>] kvm_vm_ioctl_register_coalesced_mmio+0x8e/0x3d0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:150
[<00000000022550c2>] kvm_vm_ioctl+0x47d/0x1600 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3323
[<000000008a75102f>] vfs_ioctl fs/ioctl.c:46 [inline]
[<000000008a75102f>] file_ioctl fs/ioctl.c:509 [inline]
[<000000008a75102f>] do_vfs_ioctl+0xbab/0x1160 fs/ioctl.c:696
[<0000000080e3f669>] ksys_ioctl+0x76/0xa0 fs/ioctl.c:713
[<0000000059ef4888>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<0000000059ef4888>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<0000000059ef4888>] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718
[<000000006444fa05>] do_syscall_64+0x9f/0x4e0 arch/x86/entry/common.c:290
[<000000009a4ed50b>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
BUG: leak checking failed
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7d1bc32d6477ff96a32695ea4be8144e4513ab2d , < 10c2a20d73e99463e69b7e92706791656adc16d7
(git)
Affected: 2a20592baff59c5351c5200ec667e1a2aa22af85 , < 76a9886e1b61ce5592df5ae78a19ed30399ae189 (git) Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < 999439fd5da5a76253e2f2c37b94204f47d75491 (git) Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066 (git) Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < fb436dd6914325075f07d19851ab277b7a693ae7 (git) Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < b1cb1fac22abf102ffeb29dd3eeca208a3869d54 (git) Affected: 168e82f640ed1891a700bdb43e37da354b2ab63c (git) Affected: 50cbad42bfea8c052b7ca590bd4126cdc898713c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/coalesced_mmio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "10c2a20d73e99463e69b7e92706791656adc16d7",
"status": "affected",
"version": "7d1bc32d6477ff96a32695ea4be8144e4513ab2d",
"versionType": "git"
},
{
"lessThan": "76a9886e1b61ce5592df5ae78a19ed30399ae189",
"status": "affected",
"version": "2a20592baff59c5351c5200ec667e1a2aa22af85",
"versionType": "git"
},
{
"lessThan": "999439fd5da5a76253e2f2c37b94204f47d75491",
"status": "affected",
"version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
"versionType": "git"
},
{
"lessThan": "ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066",
"status": "affected",
"version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
"versionType": "git"
},
{
"lessThan": "fb436dd6914325075f07d19851ab277b7a693ae7",
"status": "affected",
"version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
"versionType": "git"
},
{
"lessThan": "b1cb1fac22abf102ffeb29dd3eeca208a3869d54",
"status": "affected",
"version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
"versionType": "git"
},
{
"status": "affected",
"version": "168e82f640ed1891a700bdb43e37da354b2ab63c",
"versionType": "git"
},
{
"status": "affected",
"version": "50cbad42bfea8c052b7ca590bd4126cdc898713c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/coalesced_mmio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "5.4.119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.10.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.11.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.12.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Destroy target device if coalesced MMIO unregistration fails\n\nDestroy and free the target coalesced MMIO device if unregistering said\ndevice fails. As clearly noted in the code, kvm_io_bus_unregister_dev()\ndoes not destroy the target device.\n\n BUG: memory leak\n unreferenced object 0xffff888112a54880 (size 64):\n comm \"syz-executor.2\", pid 5258, jiffies 4297861402 (age 14.129s)\n hex dump (first 32 bytes):\n 38 c7 67 15 00 c9 ff ff 38 c7 67 15 00 c9 ff ff 8.g.....8.g.....\n e0 c7 e1 83 ff ff ff ff 00 30 67 15 00 c9 ff ff .........0g.....\n backtrace:\n [\u003c0000000006995a8a\u003e] kmalloc include/linux/slab.h:556 [inline]\n [\u003c0000000006995a8a\u003e] kzalloc include/linux/slab.h:690 [inline]\n [\u003c0000000006995a8a\u003e] kvm_vm_ioctl_register_coalesced_mmio+0x8e/0x3d0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:150\n [\u003c00000000022550c2\u003e] kvm_vm_ioctl+0x47d/0x1600 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3323\n [\u003c000000008a75102f\u003e] vfs_ioctl fs/ioctl.c:46 [inline]\n [\u003c000000008a75102f\u003e] file_ioctl fs/ioctl.c:509 [inline]\n [\u003c000000008a75102f\u003e] do_vfs_ioctl+0xbab/0x1160 fs/ioctl.c:696\n [\u003c0000000080e3f669\u003e] ksys_ioctl+0x76/0xa0 fs/ioctl.c:713\n [\u003c0000000059ef4888\u003e] __do_sys_ioctl fs/ioctl.c:720 [inline]\n [\u003c0000000059ef4888\u003e] __se_sys_ioctl fs/ioctl.c:718 [inline]\n [\u003c0000000059ef4888\u003e] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718\n [\u003c000000006444fa05\u003e] do_syscall_64+0x9f/0x4e0 arch/x86/entry/common.c:290\n [\u003c000000009a4ed50b\u003e] entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\n BUG: leak checking failed"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:53.718Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/10c2a20d73e99463e69b7e92706791656adc16d7"
},
{
"url": "https://git.kernel.org/stable/c/76a9886e1b61ce5592df5ae78a19ed30399ae189"
},
{
"url": "https://git.kernel.org/stable/c/999439fd5da5a76253e2f2c37b94204f47d75491"
},
{
"url": "https://git.kernel.org/stable/c/ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066"
},
{
"url": "https://git.kernel.org/stable/c/fb436dd6914325075f07d19851ab277b7a693ae7"
},
{
"url": "https://git.kernel.org/stable/c/b1cb1fac22abf102ffeb29dd3eeca208a3869d54"
}
],
"title": "KVM: Destroy target device if coalesced MMIO unregistration fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54024",
"datePublished": "2025-12-24T10:55:53.718Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:53.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50880 (GCVE-0-2022-50880)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()
When peer delete failed in a disconnect operation, use-after-free
detected by KFENCE in below log. It is because for each vdev_id and
address, it has only one struct ath10k_peer, it is allocated in
ath10k_peer_map_event(). When connected to an AP, it has more than
one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the
array peer_map of struct ath10k will be set muti-elements to the
same ath10k_peer in ath10k_peer_map_event(). When peer delete failed
in ath10k_sta_state(), the ath10k_peer will be free for the 1st peer
id in array peer_map of struct ath10k, and then use-after-free happened
for the 2nd peer id because they map to the same ath10k_peer.
And clean up all peers in array peer_map for the ath10k_peer, then
user-after-free disappeared
peer map event log:
[ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e
[ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33
[ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246
[ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198
[ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166
peer unmap event log:
[ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)
[ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)
[ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246
[ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198
[ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166
use-after-free log:
[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)
[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110
[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed
[21713.799968] ==================================================================
[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]
[21713.799991]
[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):
[21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core]
[21713.800041] drv_sta_state+0x115/0x677 [mac80211]
[21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211]
[21713.800076] __sta_info_flush+0x11d/0x162 [mac80211]
[21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]
[21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211]
[21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]
[21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211]
[21713.800161] genl_rcv_msg+0x38e/0x3be
[21713.800166] netlink_rcv_skb+0x89/0xf7
[21713.800171] genl_rcv+0x28/0x36
[21713.800176] netlink_unicast+0x179/0x24b
[21713.800181] netlink_sendmsg+0x3a0/0x40e
[21713.800187] sock_sendmsg+0x72/0x76
[21713.800192] ____sys_sendmsg+0x16d/0x1e3
[21713.800196] ___sys_sendmsg+0x95/0xd1
[21713.800200] __sys_sendmsg+0x85/0xbf
[21713.800205] do_syscall_64+0x43/0x55
[21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[21713.800213]
[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k
[21713.800219]
[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:
[21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core]
[21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]
[21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]
[21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]
[21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d0eeafad118940fe445ca00f45be5624fea2ec34 , < 15604ab67179ae27ea3c7fb24b6df32b143257c4
(git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 2d6259715c9597a6cfa25db8911683eb0073b1c6 (git) Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < f12fc305c127bd07bb50373e29c6037696f916a8 (git) Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 4494ec1c0bb850eaa80fed98e5b041d961011d3e (git) Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 08faf07717be0c88b02b5aa45aad2225dfcdd2dc (git) Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 54a3201f3c1ff813523937da78b5fa7649dbab71 (git) Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 2bf916418d2141b810c40812433ab4ecfd3c2934 (git) Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 38245f2d62cd4d1f38a763a7b4045ab4565b30a0 (git) Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < f020d9570a04df0762a2ac5c50cf1d8c511c9164 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "15604ab67179ae27ea3c7fb24b6df32b143257c4",
"status": "affected",
"version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
"versionType": "git"
},
{
"lessThan": "2d6259715c9597a6cfa25db8911683eb0073b1c6",
"status": "affected",
"version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
"versionType": "git"
},
{
"lessThan": "f12fc305c127bd07bb50373e29c6037696f916a8",
"status": "affected",
"version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
"versionType": "git"
},
{
"lessThan": "4494ec1c0bb850eaa80fed98e5b041d961011d3e",
"status": "affected",
"version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
"versionType": "git"
},
{
"lessThan": "08faf07717be0c88b02b5aa45aad2225dfcdd2dc",
"status": "affected",
"version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
"versionType": "git"
},
{
"lessThan": "54a3201f3c1ff813523937da78b5fa7649dbab71",
"status": "affected",
"version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
"versionType": "git"
},
{
"lessThan": "2bf916418d2141b810c40812433ab4ecfd3c2934",
"status": "affected",
"version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
"versionType": "git"
},
{
"lessThan": "38245f2d62cd4d1f38a763a7b4045ab4565b30a0",
"status": "affected",
"version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
"versionType": "git"
},
{
"lessThan": "f020d9570a04df0762a2ac5c50cf1d8c511c9164",
"status": "affected",
"version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath10k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()\n\nWhen peer delete failed in a disconnect operation, use-after-free\ndetected by KFENCE in below log. It is because for each vdev_id and\naddress, it has only one struct ath10k_peer, it is allocated in\nath10k_peer_map_event(). When connected to an AP, it has more than\none HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the\narray peer_map of struct ath10k will be set muti-elements to the\nsame ath10k_peer in ath10k_peer_map_event(). When peer delete failed\nin ath10k_sta_state(), the ath10k_peer will be free for the 1st peer\nid in array peer_map of struct ath10k, and then use-after-free happened\nfor the 2nd peer id because they map to the same ath10k_peer.\n\nAnd clean up all peers in array peer_map for the ath10k_peer, then\nuser-after-free disappeared\n\npeer map event log:\n[ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e\n[ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33\n[ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246\n[ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198\n[ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166\n\npeer unmap event log:\n[ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)\n[ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)\n[ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246\n[ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198\n[ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166\n\nuse-after-free log:\n[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)\n[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110\n[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed\n[21713.799968] ==================================================================\n[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.799991]\n[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):\n[21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.800041] drv_sta_state+0x115/0x677 [mac80211]\n[21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211]\n[21713.800076] __sta_info_flush+0x11d/0x162 [mac80211]\n[21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]\n[21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211]\n[21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]\n[21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211]\n[21713.800161] genl_rcv_msg+0x38e/0x3be\n[21713.800166] netlink_rcv_skb+0x89/0xf7\n[21713.800171] genl_rcv+0x28/0x36\n[21713.800176] netlink_unicast+0x179/0x24b\n[21713.800181] netlink_sendmsg+0x3a0/0x40e\n[21713.800187] sock_sendmsg+0x72/0x76\n[21713.800192] ____sys_sendmsg+0x16d/0x1e3\n[21713.800196] ___sys_sendmsg+0x95/0xd1\n[21713.800200] __sys_sendmsg+0x85/0xbf\n[21713.800205] do_syscall_64+0x43/0x55\n[21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[21713.800213]\n[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k\n[21713.800219]\n[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:\n[21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core]\n[21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]\n[21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]\n[21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]\n[21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:19.551Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/15604ab67179ae27ea3c7fb24b6df32b143257c4"
},
{
"url": "https://git.kernel.org/stable/c/2d6259715c9597a6cfa25db8911683eb0073b1c6"
},
{
"url": "https://git.kernel.org/stable/c/f12fc305c127bd07bb50373e29c6037696f916a8"
},
{
"url": "https://git.kernel.org/stable/c/4494ec1c0bb850eaa80fed98e5b041d961011d3e"
},
{
"url": "https://git.kernel.org/stable/c/08faf07717be0c88b02b5aa45aad2225dfcdd2dc"
},
{
"url": "https://git.kernel.org/stable/c/54a3201f3c1ff813523937da78b5fa7649dbab71"
},
{
"url": "https://git.kernel.org/stable/c/2bf916418d2141b810c40812433ab4ecfd3c2934"
},
{
"url": "https://git.kernel.org/stable/c/38245f2d62cd4d1f38a763a7b4045ab4565b30a0"
},
{
"url": "https://git.kernel.org/stable/c/f020d9570a04df0762a2ac5c50cf1d8c511c9164"
}
],
"title": "wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50880",
"datePublished": "2025-12-30T12:23:19.551Z",
"dateReserved": "2025-12-30T12:06:07.137Z",
"dateUpdated": "2025-12-30T12:23:19.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40339 (GCVE-0-2025-40339)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
drm/amdgpu: fix nullptr err of vm_handle_moved
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix nullptr err of vm_handle_moved
If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL.
So, such kind of amdgpu_bo_va should be updated separately before
amdgpu_vm_handle_moved.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 47281febebe337586569aa4c5694a7511063a42e
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 273d1ea12e42e9babb9783837906f3c466f213d3 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 859958a7faefe5b7742b7b8cdbc170713d4bf158 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "47281febebe337586569aa4c5694a7511063a42e",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "273d1ea12e42e9babb9783837906f3c466f213d3",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "859958a7faefe5b7742b7b8cdbc170713d4bf158",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix nullptr err of vm_handle_moved\n\nIf a amdgpu_bo_va is fpriv-\u003eprt_va, the bo of this one is always NULL.\nSo, such kind of amdgpu_bo_va should be updated separately before\namdgpu_vm_handle_moved."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:10.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/47281febebe337586569aa4c5694a7511063a42e"
},
{
"url": "https://git.kernel.org/stable/c/273d1ea12e42e9babb9783837906f3c466f213d3"
},
{
"url": "https://git.kernel.org/stable/c/859958a7faefe5b7742b7b8cdbc170713d4bf158"
}
],
"title": "drm/amdgpu: fix nullptr err of vm_handle_moved",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40339",
"datePublished": "2025-12-09T04:09:55.697Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:10.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50635 (GCVE-0-2022-50635)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()
I found a null pointer reference in arch_prepare_kprobe():
# echo 'p cmdline_proc_show' > kprobe_events
# echo 'p cmdline_proc_show+16' >> kprobe_events
Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc000000000050bfc
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
Modules linked in:
CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10
NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc
REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006
CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0
...
NIP arch_prepare_kprobe+0x10c/0x2d0
LR arch_prepare_kprobe+0xfc/0x2d0
Call Trace:
0xc0000000012f77a0 (unreliable)
register_kprobe+0x3c0/0x7a0
__register_trace_kprobe+0x140/0x1a0
__trace_kprobe_create+0x794/0x1040
trace_probe_create+0xc4/0xe0
create_or_delete_trace_kprobe+0x2c/0x80
trace_parse_run_command+0xf0/0x210
probes_write+0x20/0x40
vfs_write+0xfc/0x450
ksys_write+0x84/0x140
system_call_exception+0x17c/0x3a0
system_call_vectored_common+0xe8/0x278
--- interrupt: 3000 at 0x7fffa5682de0
NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000
REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000
The address being probed has some special:
cmdline_proc_show: Probe based on ftrace
cmdline_proc_show+16: Probe for the next instruction at the ftrace location
The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets
set to NULL. In arch_prepare_kprobe() it will check for:
...
prev = get_kprobe(p->addr - 1);
preempt_enable_no_resched();
if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {
...
If prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur
with a null pointer reference. At this point prev->addr will not be a
prefixed instruction, so the check can be skipped.
Check if prev is ftrace-based kprobe before reading 'prev->ainsn.insn'
to fix this problem.
[mpe: Trim oops]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b4657f7650babc9bfb41ce875abe41b18604a105 , < 7f536a8cb62dd5c084f112373fc34cdb5168a813
(git)
Affected: b4657f7650babc9bfb41ce875abe41b18604a105 , < 4eac4f6a86ae73ef4b772d37398beeba2fbfde4e (git) Affected: b4657f7650babc9bfb41ce875abe41b18604a105 , < 5fd1b369387c53ee6c774ab86e32e362a1e537ac (git) Affected: b4657f7650babc9bfb41ce875abe41b18604a105 , < 97f88a3d723162781d6cbfdc7b9617eefab55b19 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/kprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f536a8cb62dd5c084f112373fc34cdb5168a813",
"status": "affected",
"version": "b4657f7650babc9bfb41ce875abe41b18604a105",
"versionType": "git"
},
{
"lessThan": "4eac4f6a86ae73ef4b772d37398beeba2fbfde4e",
"status": "affected",
"version": "b4657f7650babc9bfb41ce875abe41b18604a105",
"versionType": "git"
},
{
"lessThan": "5fd1b369387c53ee6c774ab86e32e362a1e537ac",
"status": "affected",
"version": "b4657f7650babc9bfb41ce875abe41b18604a105",
"versionType": "git"
},
{
"lessThan": "97f88a3d723162781d6cbfdc7b9617eefab55b19",
"status": "affected",
"version": "b4657f7650babc9bfb41ce875abe41b18604a105",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/kernel/kprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()\n\nI found a null pointer reference in arch_prepare_kprobe():\n\n # echo \u0027p cmdline_proc_show\u0027 \u003e kprobe_events\n # echo \u0027p cmdline_proc_show+16\u0027 \u003e\u003e kprobe_events\n Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc000000000050bfc\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n Modules linked in:\n CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10\n NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc\n REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)\n MSR: 9000000000009033 \u003cSF,HV,EE,ME,IR,DR,RI,LE\u003e CR: 88002444 XER: 20040006\n CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0\n ...\n NIP arch_prepare_kprobe+0x10c/0x2d0\n LR arch_prepare_kprobe+0xfc/0x2d0\n Call Trace:\n 0xc0000000012f77a0 (unreliable)\n register_kprobe+0x3c0/0x7a0\n __register_trace_kprobe+0x140/0x1a0\n __trace_kprobe_create+0x794/0x1040\n trace_probe_create+0xc4/0xe0\n create_or_delete_trace_kprobe+0x2c/0x80\n trace_parse_run_command+0xf0/0x210\n probes_write+0x20/0x40\n vfs_write+0xfc/0x450\n ksys_write+0x84/0x140\n system_call_exception+0x17c/0x3a0\n system_call_vectored_common+0xe8/0x278\n --- interrupt: 3000 at 0x7fffa5682de0\n NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000\n REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)\n MSR: 900000000280f033 \u003cSF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE\u003e CR: 44002408 XER: 00000000\n\nThe address being probed has some special:\n\n cmdline_proc_show: Probe based on ftrace\n cmdline_proc_show+16: Probe for the next instruction at the ftrace location\n\nThe ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets\nset to NULL. In arch_prepare_kprobe() it will check for:\n\n ...\n prev = get_kprobe(p-\u003eaddr - 1);\n preempt_enable_no_resched();\n if (prev \u0026\u0026 ppc_inst_prefixed(ppc_inst_read(prev-\u003eainsn.insn))) {\n ...\n\nIf prev is based on ftrace, \u0027ppc_inst_read(prev-\u003eainsn.insn)\u0027 will occur\nwith a null pointer reference. At this point prev-\u003eaddr will not be a\nprefixed instruction, so the check can be skipped.\n\nCheck if prev is ftrace-based kprobe before reading \u0027prev-\u003eainsn.insn\u0027\nto fix this problem.\n\n[mpe: Trim oops]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:08.590Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f536a8cb62dd5c084f112373fc34cdb5168a813"
},
{
"url": "https://git.kernel.org/stable/c/4eac4f6a86ae73ef4b772d37398beeba2fbfde4e"
},
{
"url": "https://git.kernel.org/stable/c/5fd1b369387c53ee6c774ab86e32e362a1e537ac"
},
{
"url": "https://git.kernel.org/stable/c/97f88a3d723162781d6cbfdc7b9617eefab55b19"
}
],
"title": "powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50635",
"datePublished": "2025-12-09T00:00:08.590Z",
"dateReserved": "2025-12-08T23:57:43.370Z",
"dateUpdated": "2025-12-09T00:00:08.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50622 (GCVE-0-2022-50622)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-23 13:30
VLAI?
EPSS
Title
ext4: fix potential memory leak in ext4_fc_record_modified_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix potential memory leak in ext4_fc_record_modified_inode()
As krealloc may return NULL, in this case 'state->fc_modified_inodes'
may not be freed by krealloc, but 'state->fc_modified_inodes' already
set NULL. Then will lead to 'state->fc_modified_inodes' memory leak.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < c9ce7766dc4e88e624c62a68221a3bbe8f06e856
(git)
Affected: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < 9b5eb368a86f97eb9831f5b53b8e43ec69bc7cd4 (git) Affected: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < c0be17635f039f864b1108efec0015c73736e414 (git) Affected: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < 24d39affc6be1acf6df86a8c3e2413b8a73749c7 (git) Affected: 8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2 , < 9305721a309fa1bd7c194e0d4a2335bf3b29dca4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c9ce7766dc4e88e624c62a68221a3bbe8f06e856",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "9b5eb368a86f97eb9831f5b53b8e43ec69bc7cd4",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "c0be17635f039f864b1108efec0015c73736e414",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "24d39affc6be1acf6df86a8c3e2413b8a73749c7",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
},
{
"lessThan": "9305721a309fa1bd7c194e0d4a2335bf3b29dca4",
"status": "affected",
"version": "8016e29f4362e285f0f7e38fadc61a5b7bdfdfa2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/fast_commit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix potential memory leak in ext4_fc_record_modified_inode()\n\nAs krealloc may return NULL, in this case \u0027state-\u003efc_modified_inodes\u0027\nmay not be freed by krealloc, but \u0027state-\u003efc_modified_inodes\u0027 already\nset NULL. Then will lead to \u0027state-\u003efc_modified_inodes\u0027 memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:20.118Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c9ce7766dc4e88e624c62a68221a3bbe8f06e856"
},
{
"url": "https://git.kernel.org/stable/c/9b5eb368a86f97eb9831f5b53b8e43ec69bc7cd4"
},
{
"url": "https://git.kernel.org/stable/c/c0be17635f039f864b1108efec0015c73736e414"
},
{
"url": "https://git.kernel.org/stable/c/24d39affc6be1acf6df86a8c3e2413b8a73749c7"
},
{
"url": "https://git.kernel.org/stable/c/9305721a309fa1bd7c194e0d4a2335bf3b29dca4"
}
],
"title": "ext4: fix potential memory leak in ext4_fc_record_modified_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50622",
"datePublished": "2025-12-08T01:16:35.924Z",
"dateReserved": "2025-12-08T01:14:55.189Z",
"dateUpdated": "2025-12-23T13:30:20.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40340 (GCVE-0-2025-40340)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.
I saw an oops in xe_gem_fault when running the xe-fast-feedback
testlist against the realtime kernel without debug options enabled.
The panic happens after core_hotunplug unbind-rebind finishes.
Presumably what happens is that a process mmaps, unlocks because
of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left,
causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since
there was nothing left to populate, and then oopses in
"mem_type_is_vram(tbo->resource->mem_type)" because tbo->resource
is NULL.
It's convoluted, but fits the data and explains the oops after
the test exits.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dd08ebf6c3525a7ea2186e636df064ea47281987 , < 99428bd6123d5676209dfb1d7a8f176cc830b665
(git)
Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < 29a3064f9c5a908aaf0b39cd6ed30374db11840d (git) Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < 1cda3c755bb7770be07d75949bb0f45fb88651f6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99428bd6123d5676209dfb1d7a8f176cc830b665",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "29a3064f9c5a908aaf0b39cd6ed30374db11840d",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
},
{
"lessThan": "1cda3c755bb7770be07d75949bb0f45fb88651f6",
"status": "affected",
"version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.\n\nI saw an oops in xe_gem_fault when running the xe-fast-feedback\ntestlist against the realtime kernel without debug options enabled.\n\nThe panic happens after core_hotunplug unbind-rebind finishes.\nPresumably what happens is that a process mmaps, unlocks because\nof the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left,\ncausing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since\nthere was nothing left to populate, and then oopses in\n\"mem_type_is_vram(tbo-\u003eresource-\u003emem_type)\" because tbo-\u003eresource\nis NULL.\n\nIt\u0027s convoluted, but fits the data and explains the oops after\nthe test exits."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:11.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99428bd6123d5676209dfb1d7a8f176cc830b665"
},
{
"url": "https://git.kernel.org/stable/c/29a3064f9c5a908aaf0b39cd6ed30374db11840d"
},
{
"url": "https://git.kernel.org/stable/c/1cda3c755bb7770be07d75949bb0f45fb88651f6"
}
],
"title": "drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40340",
"datePublished": "2025-12-09T04:09:57.059Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:11.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68750 (GCVE-0-2025-68750)
Vulnerability from cvelistv5 – Published: 2025-12-24 15:51 – Updated: 2026-01-02 15:35
VLAI?
EPSS
Title
usb: potential integer overflow in usbg_make_tpg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: potential integer overflow in usbg_make_tpg()
The variable tpgt in usbg_make_tpg() is defined as unsigned long and is
assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an
integer overflow when tpgt is greater than USHRT_MAX (65535). I
haven't tried to trigger it myself, but it is possible to trigger it
by calling usbg_make_tpg() with a large value for tpgt.
I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the
relevant code accordingly.
This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential
memory corruption").
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c52661d60f636d17e26ad834457db333bd1df494 , < 0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24
(git)
Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 603a83e5fee38a950bfcfb2f36449311fa00a474 (git) Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 6f77e344515b5258edb3988188311464209b1c7c (git) Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 6722e080b5b39ab7471386c73d0c1b39572f943c (git) Affected: c52661d60f636d17e26ad834457db333bd1df494 , < a33f507f36d5881f602dab581ab0f8d22b49762c (git) Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 358d5ba08f1609c34a054aed88c431844d09705a (git) Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 620a5e1e84a3a7004270703a118d33eeb1c0f368 (git) Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 153874010354d050f62f8ae25cbb960c17633dc5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_tcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24",
"status": "affected",
"version": "c52661d60f636d17e26ad834457db333bd1df494",
"versionType": "git"
},
{
"lessThan": "603a83e5fee38a950bfcfb2f36449311fa00a474",
"status": "affected",
"version": "c52661d60f636d17e26ad834457db333bd1df494",
"versionType": "git"
},
{
"lessThan": "6f77e344515b5258edb3988188311464209b1c7c",
"status": "affected",
"version": "c52661d60f636d17e26ad834457db333bd1df494",
"versionType": "git"
},
{
"lessThan": "6722e080b5b39ab7471386c73d0c1b39572f943c",
"status": "affected",
"version": "c52661d60f636d17e26ad834457db333bd1df494",
"versionType": "git"
},
{
"lessThan": "a33f507f36d5881f602dab581ab0f8d22b49762c",
"status": "affected",
"version": "c52661d60f636d17e26ad834457db333bd1df494",
"versionType": "git"
},
{
"lessThan": "358d5ba08f1609c34a054aed88c431844d09705a",
"status": "affected",
"version": "c52661d60f636d17e26ad834457db333bd1df494",
"versionType": "git"
},
{
"lessThan": "620a5e1e84a3a7004270703a118d33eeb1c0f368",
"status": "affected",
"version": "c52661d60f636d17e26ad834457db333bd1df494",
"versionType": "git"
},
{
"lessThan": "153874010354d050f62f8ae25cbb960c17633dc5",
"status": "affected",
"version": "c52661d60f636d17e26ad834457db333bd1df494",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_tcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.187",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.96",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.187",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.143",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.96",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.5",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: potential integer overflow in usbg_make_tpg()\n\nThe variable tpgt in usbg_make_tpg() is defined as unsigned long and is\nassigned to tpgt-\u003etport_tpgt, which is defined as u16. This may cause an\ninteger overflow when tpgt is greater than USHRT_MAX (65535). I\nhaven\u0027t tried to trigger it myself, but it is possible to trigger it\nby calling usbg_make_tpg() with a large value for tpgt.\n\nI modified the type of tpgt to match tpgt-\u003etport_tpgt and adjusted the\nrelevant code accordingly.\n\nThis patch is similar to commit 59c816c1f24d (\"vhost/scsi: potential\nmemory corruption\")."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:35:14.366Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24"
},
{
"url": "https://git.kernel.org/stable/c/603a83e5fee38a950bfcfb2f36449311fa00a474"
},
{
"url": "https://git.kernel.org/stable/c/6f77e344515b5258edb3988188311464209b1c7c"
},
{
"url": "https://git.kernel.org/stable/c/6722e080b5b39ab7471386c73d0c1b39572f943c"
},
{
"url": "https://git.kernel.org/stable/c/a33f507f36d5881f602dab581ab0f8d22b49762c"
},
{
"url": "https://git.kernel.org/stable/c/358d5ba08f1609c34a054aed88c431844d09705a"
},
{
"url": "https://git.kernel.org/stable/c/620a5e1e84a3a7004270703a118d33eeb1c0f368"
},
{
"url": "https://git.kernel.org/stable/c/153874010354d050f62f8ae25cbb960c17633dc5"
}
],
"title": "usb: potential integer overflow in usbg_make_tpg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68750",
"datePublished": "2025-12-24T15:51:03.141Z",
"dateReserved": "2025-12-24T10:30:51.032Z",
"dateUpdated": "2026-01-02T15:35:14.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53786 (GCVE-0-2023-53786)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
dm flakey: fix a crash with invalid table line
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm flakey: fix a crash with invalid table line
This command will crash with NULL pointer dereference:
dmsetup create flakey --table \
"0 `blockdev --getsize /dev/ram0` flakey /dev/ram0 0 0 1 2 corrupt_bio_byte 512"
Fix the crash by checking if arg_name is non-NULL before comparing it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a3998799fb4df0b0af8271a7d50c4269032397aa , < f95cb1526669ccdf7eb12eefd57a893953e3595f
(git)
Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < 12849ed107c0b2869fb775c81208050899006f07 (git) Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < 337b7af273562b73c46ef77a724604ad139ca762 (git) Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < a1e3fffe02e05c05357af91364ac0fc1ed425b5b (git) Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < f76fcb9d43ec014ac4a1bb983768696d5b032df9 (git) Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < cb874a190f3f7c3c3fa5b979bee7a3b8cc3a19cc (git) Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < 83b4e3d878ea6be9aec1d5a1ab177c766c64d1a0 (git) Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < 8258d84a7917aeece773716518deadb7ad776cb7 (git) Affected: a3998799fb4df0b0af8271a7d50c4269032397aa , < 98dba02d9a93eec11bffbb93c7c51624290702d2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-flakey.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f95cb1526669ccdf7eb12eefd57a893953e3595f",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "12849ed107c0b2869fb775c81208050899006f07",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "337b7af273562b73c46ef77a724604ad139ca762",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "a1e3fffe02e05c05357af91364ac0fc1ed425b5b",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "f76fcb9d43ec014ac4a1bb983768696d5b032df9",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "cb874a190f3f7c3c3fa5b979bee7a3b8cc3a19cc",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "83b4e3d878ea6be9aec1d5a1ab177c766c64d1a0",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "8258d84a7917aeece773716518deadb7ad776cb7",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
},
{
"lessThan": "98dba02d9a93eec11bffbb93c7c51624290702d2",
"status": "affected",
"version": "a3998799fb4df0b0af8271a7d50c4269032397aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-flakey.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm flakey: fix a crash with invalid table line\n\nThis command will crash with NULL pointer dereference:\n dmsetup create flakey --table \\\n \"0 `blockdev --getsize /dev/ram0` flakey /dev/ram0 0 0 1 2 corrupt_bio_byte 512\"\n\nFix the crash by checking if arg_name is non-NULL before comparing it."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:51.357Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f95cb1526669ccdf7eb12eefd57a893953e3595f"
},
{
"url": "https://git.kernel.org/stable/c/12849ed107c0b2869fb775c81208050899006f07"
},
{
"url": "https://git.kernel.org/stable/c/337b7af273562b73c46ef77a724604ad139ca762"
},
{
"url": "https://git.kernel.org/stable/c/a1e3fffe02e05c05357af91364ac0fc1ed425b5b"
},
{
"url": "https://git.kernel.org/stable/c/f76fcb9d43ec014ac4a1bb983768696d5b032df9"
},
{
"url": "https://git.kernel.org/stable/c/cb874a190f3f7c3c3fa5b979bee7a3b8cc3a19cc"
},
{
"url": "https://git.kernel.org/stable/c/83b4e3d878ea6be9aec1d5a1ab177c766c64d1a0"
},
{
"url": "https://git.kernel.org/stable/c/8258d84a7917aeece773716518deadb7ad776cb7"
},
{
"url": "https://git.kernel.org/stable/c/98dba02d9a93eec11bffbb93c7c51624290702d2"
}
],
"title": "dm flakey: fix a crash with invalid table line",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53786",
"datePublished": "2025-12-09T00:00:41.426Z",
"dateReserved": "2025-12-08T23:58:35.273Z",
"dateUpdated": "2026-01-05T10:32:51.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40354 (GCVE-0-2025-40354)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
drm/amd/display: increase max link count and fix link->enc NULL pointer access
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: increase max link count and fix link->enc NULL pointer access
[why]
1.) dc->links[MAX_LINKS] array size smaller than actual requested.
max_connector + max_dpia + 4 virtual = 14.
increase from 12 to 14.
2.) hw_init() access null LINK_ENC for dpia non display_endpoint.
(cherry picked from commit d7f5a61e1b04ed87b008c8d327649d184dc5bb45)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < f28092be4e12b7df9e4f415d25bf0d767bc2d9ed
(git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < a3fc0d36cfb927f8986b83bf5fba47dbedad3c63 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < bec947cbe9a65783adb475a5fb47980d7b4f4796 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c",
"drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f28092be4e12b7df9e4f415d25bf0d767bc2d9ed",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "a3fc0d36cfb927f8986b83bf5fba47dbedad3c63",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "bec947cbe9a65783adb475a5fb47980d7b4f4796",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c",
"drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: increase max link count and fix link-\u003eenc NULL pointer access\n\n[why]\n1.) dc-\u003elinks[MAX_LINKS] array size smaller than actual requested.\nmax_connector + max_dpia + 4 virtual = 14.\nincrease from 12 to 14.\n\n2.) hw_init() access null LINK_ENC for dpia non display_endpoint.\n\n(cherry picked from commit d7f5a61e1b04ed87b008c8d327649d184dc5bb45)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:14.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f28092be4e12b7df9e4f415d25bf0d767bc2d9ed"
},
{
"url": "https://git.kernel.org/stable/c/a3fc0d36cfb927f8986b83bf5fba47dbedad3c63"
},
{
"url": "https://git.kernel.org/stable/c/bec947cbe9a65783adb475a5fb47980d7b4f4796"
}
],
"title": "drm/amd/display: increase max link count and fix link-\u003eenc NULL pointer access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40354",
"datePublished": "2025-12-16T13:30:27.082Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:14.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50704 (GCVE-0-2022-50704)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
USB: gadget: Fix use-after-free during usb config switch
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: Fix use-after-free during usb config switch
In the process of switching USB config from rndis to other config,
if the hardware does not support the ->pullup callback, or the
hardware encounters a low probability fault, both of them may cause
the ->pullup callback to fail, which will then cause a system panic
(use after free).
The gadget drivers sometimes need to be unloaded regardless of the
hardware's behavior.
Analysis as follows:
=======================================================================
(1) write /config/usb_gadget/g1/UDC "none"
gether_disconnect+0x2c/0x1f8
rndis_disable+0x4c/0x74
composite_disconnect+0x74/0xb0
configfs_composite_disconnect+0x60/0x7c
usb_gadget_disconnect+0x70/0x124
usb_gadget_unregister_driver+0xc8/0x1d8
gadget_dev_desc_UDC_store+0xec/0x1e4
(2) rm /config/usb_gadget/g1/configs/b.1/f1
rndis_deregister+0x28/0x54
rndis_free+0x44/0x7c
usb_put_function+0x14/0x1c
config_usb_cfg_unlink+0xc4/0xe0
configfs_unlink+0x124/0x1c8
vfs_unlink+0x114/0x1dc
(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4
panic+0x1fc/0x3d0
do_page_fault+0xa8/0x46c
do_mem_abort+0x3c/0xac
el1_sync_handler+0x40/0x78
0xffffff801138f880
rndis_close+0x28/0x34
eth_stop+0x74/0x110
dev_close_many+0x48/0x194
rollback_registered_many+0x118/0x814
unregister_netdev+0x20/0x30
gether_cleanup+0x1c/0x38
rndis_attr_release+0xc/0x14
kref_put+0x74/0xb8
configfs_rmdir+0x314/0x374
If gadget->ops->pullup() return an error, function rndis_close() will be
called, then it will causes a use-after-free problem.
=======================================================================
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0a55187a1ec8c03d0619e7ce41d10fdc39cff036 , < 30e926aa835ac2e6ad05822e4cb75833feb0d99f
(git)
Affected: 0a55187a1ec8c03d0619e7ce41d10fdc39cff036 , < 99a58ac42d9b6911834b0224b6782aea0c311346 (git) Affected: 0a55187a1ec8c03d0619e7ce41d10fdc39cff036 , < afdc12887f2b2ecf20d065a7d81ad29824155083 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "30e926aa835ac2e6ad05822e4cb75833feb0d99f",
"status": "affected",
"version": "0a55187a1ec8c03d0619e7ce41d10fdc39cff036",
"versionType": "git"
},
{
"lessThan": "99a58ac42d9b6911834b0224b6782aea0c311346",
"status": "affected",
"version": "0a55187a1ec8c03d0619e7ce41d10fdc39cff036",
"versionType": "git"
},
{
"lessThan": "afdc12887f2b2ecf20d065a7d81ad29824155083",
"status": "affected",
"version": "0a55187a1ec8c03d0619e7ce41d10fdc39cff036",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix use-after-free during usb config switch\n\nIn the process of switching USB config from rndis to other config,\nif the hardware does not support the -\u003epullup callback, or the\nhardware encounters a low probability fault, both of them may cause\nthe -\u003epullup callback to fail, which will then cause a system panic\n(use after free).\n\nThe gadget drivers sometimes need to be unloaded regardless of the\nhardware\u0027s behavior.\n\nAnalysis as follows:\n=======================================================================\n(1) write /config/usb_gadget/g1/UDC \"none\"\n\ngether_disconnect+0x2c/0x1f8\nrndis_disable+0x4c/0x74\ncomposite_disconnect+0x74/0xb0\nconfigfs_composite_disconnect+0x60/0x7c\nusb_gadget_disconnect+0x70/0x124\nusb_gadget_unregister_driver+0xc8/0x1d8\ngadget_dev_desc_UDC_store+0xec/0x1e4\n\n(2) rm /config/usb_gadget/g1/configs/b.1/f1\n\nrndis_deregister+0x28/0x54\nrndis_free+0x44/0x7c\nusb_put_function+0x14/0x1c\nconfig_usb_cfg_unlink+0xc4/0xe0\nconfigfs_unlink+0x124/0x1c8\nvfs_unlink+0x114/0x1dc\n\n(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4\n\npanic+0x1fc/0x3d0\ndo_page_fault+0xa8/0x46c\ndo_mem_abort+0x3c/0xac\nel1_sync_handler+0x40/0x78\n0xffffff801138f880\nrndis_close+0x28/0x34\neth_stop+0x74/0x110\ndev_close_many+0x48/0x194\nrollback_registered_many+0x118/0x814\nunregister_netdev+0x20/0x30\ngether_cleanup+0x1c/0x38\nrndis_attr_release+0xc/0x14\nkref_put+0x74/0xb8\nconfigfs_rmdir+0x314/0x374\n\nIf gadget-\u003eops-\u003epullup() return an error, function rndis_close() will be\ncalled, then it will causes a use-after-free problem.\n======================================================================="
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:19.295Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/30e926aa835ac2e6ad05822e4cb75833feb0d99f"
},
{
"url": "https://git.kernel.org/stable/c/99a58ac42d9b6911834b0224b6782aea0c311346"
},
{
"url": "https://git.kernel.org/stable/c/afdc12887f2b2ecf20d065a7d81ad29824155083"
}
],
"title": "USB: gadget: Fix use-after-free during usb config switch",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50704",
"datePublished": "2025-12-24T10:55:19.295Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2025-12-24T10:55:19.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68258 (GCVE-0-2025-68258)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
comedi: multiq3: sanitize config options in multiq3_attach()
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: multiq3: sanitize config options in multiq3_attach()
Syzbot identified an issue [1] in multiq3_attach() that induces a
task timeout due to open() or COMEDI_DEVCONFIG ioctl operations,
specifically, in the case of multiq3 driver.
This problem arose when syzkaller managed to craft weird configuration
options used to specify the number of channels in encoder subdevice.
If a particularly great number is passed to s->n_chan in
multiq3_attach() via it->options[2], then multiple calls to
multiq3_encoder_reset() at the end of driver-specific attach() method
will be running for minutes, thus blocking tasks and affected devices
as well.
While this issue is most likely not too dangerous for real-life
devices, it still makes sense to sanitize configuration inputs. Enable
a sensible limit on the number of encoder chips (4 chips max, each
with 2 channels) to stop this behaviour from manifesting.
[1] Syzbot crash:
INFO: task syz.2.19:6067 blocked for more than 143 seconds.
...
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5254 [inline]
__schedule+0x17c4/0x4d60 kernel/sched/core.c:6862
__schedule_loop kernel/sched/core.c:6944 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6959
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760
comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x953/0x13f0 fs/open.c:965
vfs_open+0x3b/0x340 fs/open.c:1097
...
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
77e01cdbad5175f56027fd6fae00bd0fc175651a , < f9ff87aac7b37d462246c46d28912d382a8e2ea6
(git)
Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 4cde9a7e025cc09b88097c70606f6b30c22880f4 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < ad7ed3c9c7b8408e8612697bc43a5441fe386c71 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 049f14557450351750f929ebfff36d849511e132 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 8952bc1973cd54158c35e06bfb8c29ace7375a48 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 543f4c380c2e1f35e60528df7cb54705cda7fee3 (git) Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < f24c6e3a39fa355dabfb684c9ca82db579534e72 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/multiq3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9ff87aac7b37d462246c46d28912d382a8e2ea6",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "4cde9a7e025cc09b88097c70606f6b30c22880f4",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "ad7ed3c9c7b8408e8612697bc43a5441fe386c71",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "049f14557450351750f929ebfff36d849511e132",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "8952bc1973cd54158c35e06bfb8c29ace7375a48",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "543f4c380c2e1f35e60528df7cb54705cda7fee3",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
},
{
"lessThan": "f24c6e3a39fa355dabfb684c9ca82db579534e72",
"status": "affected",
"version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/multiq3.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: multiq3: sanitize config options in multiq3_attach()\n\nSyzbot identified an issue [1] in multiq3_attach() that induces a\ntask timeout due to open() or COMEDI_DEVCONFIG ioctl operations,\nspecifically, in the case of multiq3 driver.\n\nThis problem arose when syzkaller managed to craft weird configuration\noptions used to specify the number of channels in encoder subdevice.\nIf a particularly great number is passed to s-\u003en_chan in\nmultiq3_attach() via it-\u003eoptions[2], then multiple calls to\nmultiq3_encoder_reset() at the end of driver-specific attach() method\nwill be running for minutes, thus blocking tasks and affected devices\nas well.\n\nWhile this issue is most likely not too dangerous for real-life\ndevices, it still makes sense to sanitize configuration inputs. Enable\na sensible limit on the number of encoder chips (4 chips max, each\nwith 2 channels) to stop this behaviour from manifesting.\n\n[1] Syzbot crash:\nINFO: task syz.2.19:6067 blocked for more than 143 seconds.\n...\nCall Trace:\n \u003cTASK\u003e\n context_switch kernel/sched/core.c:5254 [inline]\n __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862\n __schedule_loop kernel/sched/core.c:6944 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:6959\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016\n __mutex_lock_common kernel/locking/mutex.c:676 [inline]\n __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760\n comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868\n chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414\n do_dentry_open+0x953/0x13f0 fs/open.c:965\n vfs_open+0x3b/0x340 fs/open.c:1097\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:11.655Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9ff87aac7b37d462246c46d28912d382a8e2ea6"
},
{
"url": "https://git.kernel.org/stable/c/4cde9a7e025cc09b88097c70606f6b30c22880f4"
},
{
"url": "https://git.kernel.org/stable/c/ad7ed3c9c7b8408e8612697bc43a5441fe386c71"
},
{
"url": "https://git.kernel.org/stable/c/049f14557450351750f929ebfff36d849511e132"
},
{
"url": "https://git.kernel.org/stable/c/8952bc1973cd54158c35e06bfb8c29ace7375a48"
},
{
"url": "https://git.kernel.org/stable/c/8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3"
},
{
"url": "https://git.kernel.org/stable/c/543f4c380c2e1f35e60528df7cb54705cda7fee3"
},
{
"url": "https://git.kernel.org/stable/c/f24c6e3a39fa355dabfb684c9ca82db579534e72"
}
],
"title": "comedi: multiq3: sanitize config options in multiq3_attach()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68258",
"datePublished": "2025-12-16T14:45:00.920Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-01-19T12:18:11.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53806 (GCVE-0-2023-53806)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
drm/amd/display: populate subvp cmd info only for the top pipe
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: populate subvp cmd info only for the top pipe
[Why]
System restart observed while changing the display resolution
to 8k with extended mode. Sytem restart was caused by a page fault.
[How]
When the driver populates subvp info it did it for both the pipes using
vblank which caused an outof bounds array access causing the page fault.
added checks to allow the top pipe only to fix this issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 92e6c79acad4b96efeff261d27bdbd8089a7dd24
(git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 375d192eb1f1d9229a6d994da7ba31f3582b106b (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 9bb10b7aaec3b6278f9cc410c17dcaa129bbbbf0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92e6c79acad4b96efeff261d27bdbd8089a7dd24",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "375d192eb1f1d9229a6d994da7ba31f3582b106b",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "9bb10b7aaec3b6278f9cc410c17dcaa129bbbbf0",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: populate subvp cmd info only for the top pipe\n\n[Why]\nSystem restart observed while changing the display resolution\nto 8k with extended mode. Sytem restart was caused by a page fault.\n\n[How]\nWhen the driver populates subvp info it did it for both the pipes using\nvblank which caused an outof bounds array access causing the page fault.\nadded checks to allow the top pipe only to fix this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:24.296Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92e6c79acad4b96efeff261d27bdbd8089a7dd24"
},
{
"url": "https://git.kernel.org/stable/c/375d192eb1f1d9229a6d994da7ba31f3582b106b"
},
{
"url": "https://git.kernel.org/stable/c/9bb10b7aaec3b6278f9cc410c17dcaa129bbbbf0"
}
],
"title": "drm/amd/display: populate subvp cmd info only for the top pipe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53806",
"datePublished": "2025-12-09T00:01:04.413Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2025-12-20T08:51:24.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50760 (GCVE-0-2022-50760)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
As comment of pci_get_class() says, it returns a pci_device with its
refcount increased and decreased the refcount for the input parameter
@from if it is not NULL.
If we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we
need to call pci_dev_put() to decrease the refcount. Add the missing
pci_dev_put() to avoid refcount leak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 6611feef35c0c8c4d297b28a7fc6ab3a2c47eca7
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < da7c78ea9e62bb65273d3ff19a3866ec205bfe18 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 3360125d721c91d697c71201f18f042ff743e936 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 981024abf5fe605c94d4f906f65d1b3408d628be (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 7c1ddf7c664b5bc91f14b1bdeaa45520ef1760e4 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 8f2d2badf8ca5e7e7c30d88840b695c8af7286f3 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 9d4057d0452243917e12eb19f1599c96f2f05b14 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < a8b54ad7106c0604c4adc4933138b3557739bce0 (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < ca54639c7752edf1304d92ff4d0c049d4efc9ba0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6611feef35c0c8c4d297b28a7fc6ab3a2c47eca7",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "da7c78ea9e62bb65273d3ff19a3866ec205bfe18",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "3360125d721c91d697c71201f18f042ff743e936",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "981024abf5fe605c94d4f906f65d1b3408d628be",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "7c1ddf7c664b5bc91f14b1bdeaa45520ef1760e4",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "8f2d2badf8ca5e7e7c30d88840b695c8af7286f3",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "9d4057d0452243917e12eb19f1599c96f2f05b14",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "a8b54ad7106c0604c4adc4933138b3557739bce0",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "ca54639c7752edf1304d92ff4d0c049d4efc9ba0",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()\n\nAs comment of pci_get_class() says, it returns a pci_device with its\nrefcount increased and decreased the refcount for the input parameter\n@from if it is not NULL.\n\nIf we break the loop in amdgpu_atrm_get_bios() with \u0027pdev\u0027 not NULL, we\nneed to call pci_dev_put() to decrease the refcount. Add the missing\npci_dev_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:52.582Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6611feef35c0c8c4d297b28a7fc6ab3a2c47eca7"
},
{
"url": "https://git.kernel.org/stable/c/da7c78ea9e62bb65273d3ff19a3866ec205bfe18"
},
{
"url": "https://git.kernel.org/stable/c/3360125d721c91d697c71201f18f042ff743e936"
},
{
"url": "https://git.kernel.org/stable/c/981024abf5fe605c94d4f906f65d1b3408d628be"
},
{
"url": "https://git.kernel.org/stable/c/7c1ddf7c664b5bc91f14b1bdeaa45520ef1760e4"
},
{
"url": "https://git.kernel.org/stable/c/8f2d2badf8ca5e7e7c30d88840b695c8af7286f3"
},
{
"url": "https://git.kernel.org/stable/c/9d4057d0452243917e12eb19f1599c96f2f05b14"
},
{
"url": "https://git.kernel.org/stable/c/a8b54ad7106c0604c4adc4933138b3557739bce0"
},
{
"url": "https://git.kernel.org/stable/c/ca54639c7752edf1304d92ff4d0c049d4efc9ba0"
}
],
"title": "drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50760",
"datePublished": "2025-12-24T13:05:52.582Z",
"dateReserved": "2025-12-24T13:02:21.545Z",
"dateUpdated": "2025-12-24T13:05:52.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54007 (GCVE-0-2023-54007)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
vmci_host: fix a race condition in vmci_host_poll() causing GPF
Summary
In the Linux kernel, the following vulnerability has been resolved:
vmci_host: fix a race condition in vmci_host_poll() causing GPF
During fuzzing, a general protection fault is observed in
vmci_host_poll().
general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926
<- omitting registers ->
Call Trace:
<TASK>
lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162
add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22
poll_wait include/linux/poll.h:49 [inline]
vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174
vfs_poll include/linux/poll.h:88 [inline]
do_pollfd fs/select.c:873 [inline]
do_poll fs/select.c:921 [inline]
do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015
__do_sys_ppoll fs/select.c:1121 [inline]
__se_sys_ppoll+0x2cc/0x330 fs/select.c:1101
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Example thread interleaving that causes the general protection fault
is as follows:
CPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)
----- -----
// Read uninitialized context
context = vmci_host_dev->context;
// Initialize context
vmci_host_dev->context = vmci_ctx_create();
vmci_host_dev->ct_type = VMCIOBJ_CONTEXT;
if (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) {
// Dereferencing the wrong pointer
poll_wait(..., &context->host_context);
}
In this scenario, vmci_host_poll() reads vmci_host_dev->context first,
and then reads vmci_host_dev->ct_type to check that
vmci_host_dev->context is initialized. However, since these two reads
are not atomically executed, there is a chance of a race condition as
described above.
To fix this race condition, read vmci_host_dev->context after checking
the value of vmci_host_dev->ct_type so that vmci_host_poll() always
reads an initialized context.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 2053e93ac15519ed1f1fe6eba79a33a4963be4a3
(git)
Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < ca0f4ad2b7a36c799213ef0a213eb977a51e03dc (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 770d30b1355c6c8879973dd054fca9168def182c (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < d22b2a35729cb1de311cb650cd67518a24e13fc9 (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < 67e35824f861a05b44b19d38e16a83f653bd9d92 (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < ab64bd32b9fac27ff4737d63711b9db5e5462448 (git) Affected: 8bf503991f87e32ea42a7bd69b79ba084fddc5d7 , < ae13381da5ff0e8e084c0323c3cc0a945e43e9c7 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2053e93ac15519ed1f1fe6eba79a33a4963be4a3",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "ca0f4ad2b7a36c799213ef0a213eb977a51e03dc",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "770d30b1355c6c8879973dd054fca9168def182c",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "d22b2a35729cb1de311cb650cd67518a24e13fc9",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "67e35824f861a05b44b19d38e16a83f653bd9d92",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "ab64bd32b9fac27ff4737d63711b9db5e5462448",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
},
{
"lessThan": "ae13381da5ff0e8e084c0323c3cc0a945e43e9c7",
"status": "affected",
"version": "8bf503991f87e32ea42a7bd69b79ba084fddc5d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmci_host: fix a race condition in vmci_host_poll() causing GPF\n\nDuring fuzzing, a general protection fault is observed in\nvmci_host_poll().\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]\nRIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926\n\u003c- omitting registers -\u003e\nCall Trace:\n \u003cTASK\u003e\n lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162\n add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22\n poll_wait include/linux/poll.h:49 [inline]\n vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174\n vfs_poll include/linux/poll.h:88 [inline]\n do_pollfd fs/select.c:873 [inline]\n do_poll fs/select.c:921 [inline]\n do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015\n __do_sys_ppoll fs/select.c:1121 [inline]\n __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nExample thread interleaving that causes the general protection fault\nis as follows:\n\nCPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context)\n----- -----\n// Read uninitialized context\ncontext = vmci_host_dev-\u003econtext;\n // Initialize context\n vmci_host_dev-\u003econtext = vmci_ctx_create();\n vmci_host_dev-\u003ect_type = VMCIOBJ_CONTEXT;\n\nif (vmci_host_dev-\u003ect_type == VMCIOBJ_CONTEXT) {\n // Dereferencing the wrong pointer\n poll_wait(..., \u0026context-\u003ehost_context);\n}\n\nIn this scenario, vmci_host_poll() reads vmci_host_dev-\u003econtext first,\nand then reads vmci_host_dev-\u003ect_type to check that\nvmci_host_dev-\u003econtext is initialized. However, since these two reads\nare not atomically executed, there is a chance of a race condition as\ndescribed above.\n\nTo fix this race condition, read vmci_host_dev-\u003econtext after checking\nthe value of vmci_host_dev-\u003ect_type so that vmci_host_poll() always\nreads an initialized context."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:41.281Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3"
},
{
"url": "https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc"
},
{
"url": "https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b"
},
{
"url": "https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c"
},
{
"url": "https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9"
},
{
"url": "https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92"
},
{
"url": "https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448"
},
{
"url": "https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7"
}
],
"title": "vmci_host: fix a race condition in vmci_host_poll() causing GPF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54007",
"datePublished": "2025-12-24T10:55:41.281Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:41.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68734 (GCVE-0-2025-68734)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:58 – Updated: 2025-12-24 10:58
VLAI?
EPSS
Title
isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when
setup_instance() fails with an error code. Fix that by freeing the urb
before freeing the hw structure. Also change the error paths to use the
goto ladder style.
Compile tested only. Issue found using a prototype static analysis tool.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
69f52adb2d534afc41fcc658f155e01f0b322f9e , < 475032fa2bb82ffb592c321885e917e39f47357f
(git)
Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < adb7577e23a431fc53aa1b6107733c0d751015fb (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < b70c24827e11fdc71465f9207e974526fb457bb9 (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 3f7c72bc73c4e542fde14cce017549d8a0b61a3c (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 03695541b3349bc40bf5d6563d44d6147fb20260 (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 6dce43433e0635e7b00346bc937b69ce48ea71bb (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < ea7936304ed74ab7f965d17f942a173ce91a5ca8 (git) Affected: 69f52adb2d534afc41fcc658f155e01f0b322f9e , < 3f978e3f1570155a1327ffa25f60968bc7b9398f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcsusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "475032fa2bb82ffb592c321885e917e39f47357f",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "adb7577e23a431fc53aa1b6107733c0d751015fb",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "b70c24827e11fdc71465f9207e974526fb457bb9",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "3f7c72bc73c4e542fde14cce017549d8a0b61a3c",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "03695541b3349bc40bf5d6563d44d6147fb20260",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "6dce43433e0635e7b00346bc937b69ce48ea71bb",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "ea7936304ed74ab7f965d17f942a173ce91a5ca8",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
},
{
"lessThan": "3f978e3f1570155a1327ffa25f60968bc7b9398f",
"status": "affected",
"version": "69f52adb2d534afc41fcc658f155e01f0b322f9e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/isdn/hardware/mISDN/hfcsusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()\n\nIn hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when\nsetup_instance() fails with an error code. Fix that by freeing the urb\nbefore freeing the hw structure. Also change the error paths to use the\ngoto ladder style.\n\nCompile tested only. Issue found using a prototype static analysis tool."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:58:49.938Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/475032fa2bb82ffb592c321885e917e39f47357f"
},
{
"url": "https://git.kernel.org/stable/c/adb7577e23a431fc53aa1b6107733c0d751015fb"
},
{
"url": "https://git.kernel.org/stable/c/b70c24827e11fdc71465f9207e974526fb457bb9"
},
{
"url": "https://git.kernel.org/stable/c/3f7c72bc73c4e542fde14cce017549d8a0b61a3c"
},
{
"url": "https://git.kernel.org/stable/c/03695541b3349bc40bf5d6563d44d6147fb20260"
},
{
"url": "https://git.kernel.org/stable/c/6dce43433e0635e7b00346bc937b69ce48ea71bb"
},
{
"url": "https://git.kernel.org/stable/c/ea7936304ed74ab7f965d17f942a173ce91a5ca8"
},
{
"url": "https://git.kernel.org/stable/c/3f978e3f1570155a1327ffa25f60968bc7b9398f"
}
],
"title": "isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68734",
"datePublished": "2025-12-24T10:58:49.938Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2025-12-24T10:58:49.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53837 (GCVE-0-2023-53837)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
drm/msm: fix NULL-deref on snapshot tear down
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: fix NULL-deref on snapshot tear down
In case of early initialisation errors and on platforms that do not use
the DPU controller, the deinitilisation code can be called with the kms
pointer set to NULL.
Patchwork: https://patchwork.freedesktop.org/patch/525099/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
98659487b845c05b6bed85d881713545db674c7c , < 8f0e1ad5327a3499e7f09157cb714302a856e8a4
(git)
Affected: 98659487b845c05b6bed85d881713545db674c7c , < 16e0e6fb4511c004a5a0987d5bd75d9bcfb2b175 (git) Affected: 98659487b845c05b6bed85d881713545db674c7c , < 8eca32b5b92a0be956a8934d7eddf4f70c107927 (git) Affected: 98659487b845c05b6bed85d881713545db674c7c , < 19fe79ae816a7e3400df1eb4d27530bf9b8ae258 (git) Affected: 98659487b845c05b6bed85d881713545db674c7c , < a465353b9250802f87b97123e33a17f51277f0b1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8f0e1ad5327a3499e7f09157cb714302a856e8a4",
"status": "affected",
"version": "98659487b845c05b6bed85d881713545db674c7c",
"versionType": "git"
},
{
"lessThan": "16e0e6fb4511c004a5a0987d5bd75d9bcfb2b175",
"status": "affected",
"version": "98659487b845c05b6bed85d881713545db674c7c",
"versionType": "git"
},
{
"lessThan": "8eca32b5b92a0be956a8934d7eddf4f70c107927",
"status": "affected",
"version": "98659487b845c05b6bed85d881713545db674c7c",
"versionType": "git"
},
{
"lessThan": "19fe79ae816a7e3400df1eb4d27530bf9b8ae258",
"status": "affected",
"version": "98659487b845c05b6bed85d881713545db674c7c",
"versionType": "git"
},
{
"lessThan": "a465353b9250802f87b97123e33a17f51277f0b1",
"status": "affected",
"version": "98659487b845c05b6bed85d881713545db674c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.112",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix NULL-deref on snapshot tear down\n\nIn case of early initialisation errors and on platforms that do not use\nthe DPU controller, the deinitilisation code can be called with the kms\npointer set to NULL.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525099/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:53.194Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8f0e1ad5327a3499e7f09157cb714302a856e8a4"
},
{
"url": "https://git.kernel.org/stable/c/16e0e6fb4511c004a5a0987d5bd75d9bcfb2b175"
},
{
"url": "https://git.kernel.org/stable/c/8eca32b5b92a0be956a8934d7eddf4f70c107927"
},
{
"url": "https://git.kernel.org/stable/c/19fe79ae816a7e3400df1eb4d27530bf9b8ae258"
},
{
"url": "https://git.kernel.org/stable/c/a465353b9250802f87b97123e33a17f51277f0b1"
}
],
"title": "drm/msm: fix NULL-deref on snapshot tear down",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53837",
"datePublished": "2025-12-09T01:29:53.194Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:29:53.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50872 (GCVE-0-2022-50872)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
ARM: OMAP2+: Fix memory leak in realtime_counter_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ARM: OMAP2+: Fix memory leak in realtime_counter_init()
The "sys_clk" resource is malloced by clk_get(),
it is not released when the function return.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fa6d79d27614223d82418023b7f5300f1a1530d3 , < 5f9aedabce3404dd8bb769822fc11317c55fbdc1
(git)
Affected: fa6d79d27614223d82418023b7f5300f1a1530d3 , < e3a6af3059e4f83d1a986a3180eb1e04f99c9e64 (git) Affected: fa6d79d27614223d82418023b7f5300f1a1530d3 , < 8041f9a2a958277f95926560dc85910aecd48c0b (git) Affected: fa6d79d27614223d82418023b7f5300f1a1530d3 , < 4862c41d5f3bee1ec64c979c82bd8cfe96b78f7d (git) Affected: fa6d79d27614223d82418023b7f5300f1a1530d3 , < 10fcdad2b9f3f424873714eb8713a3e6f7ab84bb (git) Affected: fa6d79d27614223d82418023b7f5300f1a1530d3 , < 98df4bdf3b010c23cc3c542d0c303016e5fceb40 (git) Affected: fa6d79d27614223d82418023b7f5300f1a1530d3 , < 4f7ad1b08533247c4bf29217ba499ea4138cc2c1 (git) Affected: fa6d79d27614223d82418023b7f5300f1a1530d3 , < ed8167cbf65c2b6ff6faeb0f96ded4d6d581e1ac (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-omap2/timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f9aedabce3404dd8bb769822fc11317c55fbdc1",
"status": "affected",
"version": "fa6d79d27614223d82418023b7f5300f1a1530d3",
"versionType": "git"
},
{
"lessThan": "e3a6af3059e4f83d1a986a3180eb1e04f99c9e64",
"status": "affected",
"version": "fa6d79d27614223d82418023b7f5300f1a1530d3",
"versionType": "git"
},
{
"lessThan": "8041f9a2a958277f95926560dc85910aecd48c0b",
"status": "affected",
"version": "fa6d79d27614223d82418023b7f5300f1a1530d3",
"versionType": "git"
},
{
"lessThan": "4862c41d5f3bee1ec64c979c82bd8cfe96b78f7d",
"status": "affected",
"version": "fa6d79d27614223d82418023b7f5300f1a1530d3",
"versionType": "git"
},
{
"lessThan": "10fcdad2b9f3f424873714eb8713a3e6f7ab84bb",
"status": "affected",
"version": "fa6d79d27614223d82418023b7f5300f1a1530d3",
"versionType": "git"
},
{
"lessThan": "98df4bdf3b010c23cc3c542d0c303016e5fceb40",
"status": "affected",
"version": "fa6d79d27614223d82418023b7f5300f1a1530d3",
"versionType": "git"
},
{
"lessThan": "4f7ad1b08533247c4bf29217ba499ea4138cc2c1",
"status": "affected",
"version": "fa6d79d27614223d82418023b7f5300f1a1530d3",
"versionType": "git"
},
{
"lessThan": "ed8167cbf65c2b6ff6faeb0f96ded4d6d581e1ac",
"status": "affected",
"version": "fa6d79d27614223d82418023b7f5300f1a1530d3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm/mach-omap2/timer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: OMAP2+: Fix memory leak in realtime_counter_init()\n\nThe \"sys_clk\" resource is malloced by clk_get(),\nit is not released when the function return."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:42.035Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f9aedabce3404dd8bb769822fc11317c55fbdc1"
},
{
"url": "https://git.kernel.org/stable/c/e3a6af3059e4f83d1a986a3180eb1e04f99c9e64"
},
{
"url": "https://git.kernel.org/stable/c/8041f9a2a958277f95926560dc85910aecd48c0b"
},
{
"url": "https://git.kernel.org/stable/c/4862c41d5f3bee1ec64c979c82bd8cfe96b78f7d"
},
{
"url": "https://git.kernel.org/stable/c/10fcdad2b9f3f424873714eb8713a3e6f7ab84bb"
},
{
"url": "https://git.kernel.org/stable/c/98df4bdf3b010c23cc3c542d0c303016e5fceb40"
},
{
"url": "https://git.kernel.org/stable/c/4f7ad1b08533247c4bf29217ba499ea4138cc2c1"
},
{
"url": "https://git.kernel.org/stable/c/ed8167cbf65c2b6ff6faeb0f96ded4d6d581e1ac"
}
],
"title": "ARM: OMAP2+: Fix memory leak in realtime_counter_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50872",
"datePublished": "2025-12-30T12:15:42.035Z",
"dateReserved": "2025-12-30T12:06:07.136Z",
"dateUpdated": "2025-12-30T12:15:42.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54202 (GCVE-0-2023-54202)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:09 – Updated: 2025-12-30 12:09
VLAI?
EPSS
Title
drm/i915: fix race condition UAF in i915_perf_add_config_ioctl
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: fix race condition UAF in i915_perf_add_config_ioctl
Userspace can guess the id value and try to race oa_config object creation
with config remove, resulting in a use-after-free if we dereference the
object after unlocking the metrics_lock. For that reason, unlocking the
metrics_lock must be done after we are done dereferencing the object.
[tursulin: Manually added stable tag.]
(cherry picked from commit 49f6f6483b652108bcb73accd0204a464b922395)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f89823c212246d0671cc51e69894a3df1a743aee , < 6eeb1cba4c9dc47656ea328afa34953c28783d8c
(git)
Affected: f89823c212246d0671cc51e69894a3df1a743aee , < 240b1502708858b5e3f10b6dc5ca3f148a322fef (git) Affected: f89823c212246d0671cc51e69894a3df1a743aee , < 7eb98f5ac551863efe8be810cea1cd5411d677b1 (git) Affected: f89823c212246d0671cc51e69894a3df1a743aee , < dc30c011469165d57af9adac5baff7d767d20e5c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_perf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6eeb1cba4c9dc47656ea328afa34953c28783d8c",
"status": "affected",
"version": "f89823c212246d0671cc51e69894a3df1a743aee",
"versionType": "git"
},
{
"lessThan": "240b1502708858b5e3f10b6dc5ca3f148a322fef",
"status": "affected",
"version": "f89823c212246d0671cc51e69894a3df1a743aee",
"versionType": "git"
},
{
"lessThan": "7eb98f5ac551863efe8be810cea1cd5411d677b1",
"status": "affected",
"version": "f89823c212246d0671cc51e69894a3df1a743aee",
"versionType": "git"
},
{
"lessThan": "dc30c011469165d57af9adac5baff7d767d20e5c",
"status": "affected",
"version": "f89823c212246d0671cc51e69894a3df1a743aee",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/i915_perf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: fix race condition UAF in i915_perf_add_config_ioctl\n\nUserspace can guess the id value and try to race oa_config object creation\nwith config remove, resulting in a use-after-free if we dereference the\nobject after unlocking the metrics_lock. For that reason, unlocking the\nmetrics_lock must be done after we are done dereferencing the object.\n\n[tursulin: Manually added stable tag.]\n(cherry picked from commit 49f6f6483b652108bcb73accd0204a464b922395)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:09:06.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6eeb1cba4c9dc47656ea328afa34953c28783d8c"
},
{
"url": "https://git.kernel.org/stable/c/240b1502708858b5e3f10b6dc5ca3f148a322fef"
},
{
"url": "https://git.kernel.org/stable/c/7eb98f5ac551863efe8be810cea1cd5411d677b1"
},
{
"url": "https://git.kernel.org/stable/c/dc30c011469165d57af9adac5baff7d767d20e5c"
}
],
"title": "drm/i915: fix race condition UAF in i915_perf_add_config_ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54202",
"datePublished": "2025-12-30T12:09:06.872Z",
"dateReserved": "2025-12-30T12:06:44.499Z",
"dateUpdated": "2025-12-30T12:09:06.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40301 (GCVE-0-2025-40301)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
Bluetooth: hci_event: validate skb length for unknown CC opcode
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: validate skb length for unknown CC opcode
In hci_cmd_complete_evt(), if the command complete event has an unknown
opcode, we assume the first byte of the remaining skb->data contains the
return status. However, parameter data has previously been pulled in
hci_event_func(), which may leave the skb empty. If so, using skb->data[0]
for the return status uses un-init memory.
The fix is to check skb->len before using skb->data.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < fea895de78d3bb2f0c09db9f10b18f8121b15759
(git)
Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < 779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8 (git) Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < cf2c2acec1cf456c3d11c11a7589e886a0f963a9 (git) Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < 1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50 (git) Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < 5c5f1f64681cc889d9b13e4a61285e9e029d6ab5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fea895de78d3bb2f0c09db9f10b18f8121b15759",
"status": "affected",
"version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
"versionType": "git"
},
{
"lessThan": "779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8",
"status": "affected",
"version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
"versionType": "git"
},
{
"lessThan": "cf2c2acec1cf456c3d11c11a7589e886a0f963a9",
"status": "affected",
"version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
"versionType": "git"
},
{
"lessThan": "1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50",
"status": "affected",
"version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
"versionType": "git"
},
{
"lessThan": "5c5f1f64681cc889d9b13e4a61285e9e029d6ab5",
"status": "affected",
"version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: validate skb length for unknown CC opcode\n\nIn hci_cmd_complete_evt(), if the command complete event has an unknown\nopcode, we assume the first byte of the remaining skb-\u003edata contains the\nreturn status. However, parameter data has previously been pulled in\nhci_event_func(), which may leave the skb empty. If so, using skb-\u003edata[0]\nfor the return status uses un-init memory.\n\nThe fix is to check skb-\u003elen before using skb-\u003edata."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:24.863Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fea895de78d3bb2f0c09db9f10b18f8121b15759"
},
{
"url": "https://git.kernel.org/stable/c/779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8"
},
{
"url": "https://git.kernel.org/stable/c/cf2c2acec1cf456c3d11c11a7589e886a0f963a9"
},
{
"url": "https://git.kernel.org/stable/c/1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50"
},
{
"url": "https://git.kernel.org/stable/c/5c5f1f64681cc889d9b13e4a61285e9e029d6ab5"
}
],
"title": "Bluetooth: hci_event: validate skb length for unknown CC opcode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40301",
"datePublished": "2025-12-08T00:46:24.863Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-08T00:46:24.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54115 (GCVE-0-2023-54115)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db()
When nonstatic_release_resource_db() frees all resources associated
with an PCMCIA socket, it forgets to free socket_data too, causing
a memory leak observable with kmemleak:
unreferenced object 0xc28d1000 (size 64):
comm "systemd-udevd", pid 297, jiffies 4294898478 (age 194.484s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 f0 85 0e c3 00 00 00 00 ................
00 00 00 00 0c 10 8d c2 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffda4245>] __kmem_cache_alloc_node+0x2d7/0x4a0
[<7e51f0c8>] kmalloc_trace+0x31/0xa4
[<d52b4ca0>] nonstatic_init+0x24/0x1a4 [pcmcia_rsrc]
[<a2f13e08>] pcmcia_register_socket+0x200/0x35c [pcmcia_core]
[<a728be1b>] yenta_probe+0x4d8/0xa70 [yenta_socket]
[<c48fac39>] pci_device_probe+0x99/0x194
[<84b7c690>] really_probe+0x181/0x45c
[<8060fe6e>] __driver_probe_device+0x75/0x1f4
[<b9b76f43>] driver_probe_device+0x28/0xac
[<648b766f>] __driver_attach+0xeb/0x1e4
[<6e9659eb>] bus_for_each_dev+0x61/0xb4
[<25a669f3>] driver_attach+0x1e/0x28
[<d8671d6b>] bus_add_driver+0x102/0x20c
[<df0d323c>] driver_register+0x5b/0x120
[<942cd8a4>] __pci_register_driver+0x44/0x4c
[<e536027e>] __UNIQUE_ID___addressable_cleanup_module188+0x1c/0xfffff000 [iTCO_vendor_support]
Fix this by freeing socket_data too.
Tested on a Acer Travelmate 4002WLMi by manually binding/unbinding
the yenta_cardbus driver (yenta_socket).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bde0b6da7bd893c37afaee3555cc3ac3be582313
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2d45e2be0be35a3d66863563ed2591ee18a6897e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 22100df1d57f04cf2370d5347b9ef547f481deea (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 04bb8af40a7729c398ed4caea7e66cedd2881719 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 97fd1c8e9c5aa833aab7e836760bc13103afa892 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e8a80cf06b4bb0396212289d651b384c949f09d0 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fd53a1f28faba2c4806c055e706a7721006291c1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c85fd9422fe0f5d667305efb27f56d09eab120b0 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_nonstatic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bde0b6da7bd893c37afaee3555cc3ac3be582313",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2d45e2be0be35a3d66863563ed2591ee18a6897e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "22100df1d57f04cf2370d5347b9ef547f481deea",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "04bb8af40a7729c398ed4caea7e66cedd2881719",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "97fd1c8e9c5aa833aab7e836760bc13103afa892",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e8a80cf06b4bb0396212289d651b384c949f09d0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd53a1f28faba2c4806c055e706a7721006291c1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c85fd9422fe0f5d667305efb27f56d09eab120b0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_nonstatic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db()\n\nWhen nonstatic_release_resource_db() frees all resources associated\nwith an PCMCIA socket, it forgets to free socket_data too, causing\na memory leak observable with kmemleak:\n\nunreferenced object 0xc28d1000 (size 64):\n comm \"systemd-udevd\", pid 297, jiffies 4294898478 (age 194.484s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 f0 85 0e c3 00 00 00 00 ................\n 00 00 00 00 0c 10 8d c2 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffda4245\u003e] __kmem_cache_alloc_node+0x2d7/0x4a0\n [\u003c7e51f0c8\u003e] kmalloc_trace+0x31/0xa4\n [\u003cd52b4ca0\u003e] nonstatic_init+0x24/0x1a4 [pcmcia_rsrc]\n [\u003ca2f13e08\u003e] pcmcia_register_socket+0x200/0x35c [pcmcia_core]\n [\u003ca728be1b\u003e] yenta_probe+0x4d8/0xa70 [yenta_socket]\n [\u003cc48fac39\u003e] pci_device_probe+0x99/0x194\n [\u003c84b7c690\u003e] really_probe+0x181/0x45c\n [\u003c8060fe6e\u003e] __driver_probe_device+0x75/0x1f4\n [\u003cb9b76f43\u003e] driver_probe_device+0x28/0xac\n [\u003c648b766f\u003e] __driver_attach+0xeb/0x1e4\n [\u003c6e9659eb\u003e] bus_for_each_dev+0x61/0xb4\n [\u003c25a669f3\u003e] driver_attach+0x1e/0x28\n [\u003cd8671d6b\u003e] bus_add_driver+0x102/0x20c\n [\u003cdf0d323c\u003e] driver_register+0x5b/0x120\n [\u003c942cd8a4\u003e] __pci_register_driver+0x44/0x4c\n [\u003ce536027e\u003e] __UNIQUE_ID___addressable_cleanup_module188+0x1c/0xfffff000 [iTCO_vendor_support]\n\nFix this by freeing socket_data too.\n\nTested on a Acer Travelmate 4002WLMi by manually binding/unbinding\nthe yenta_cardbus driver (yenta_socket)."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:50.164Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bde0b6da7bd893c37afaee3555cc3ac3be582313"
},
{
"url": "https://git.kernel.org/stable/c/2d45e2be0be35a3d66863563ed2591ee18a6897e"
},
{
"url": "https://git.kernel.org/stable/c/22100df1d57f04cf2370d5347b9ef547f481deea"
},
{
"url": "https://git.kernel.org/stable/c/04bb8af40a7729c398ed4caea7e66cedd2881719"
},
{
"url": "https://git.kernel.org/stable/c/97fd1c8e9c5aa833aab7e836760bc13103afa892"
},
{
"url": "https://git.kernel.org/stable/c/e8a80cf06b4bb0396212289d651b384c949f09d0"
},
{
"url": "https://git.kernel.org/stable/c/fd53a1f28faba2c4806c055e706a7721006291c1"
},
{
"url": "https://git.kernel.org/stable/c/c85fd9422fe0f5d667305efb27f56d09eab120b0"
}
],
"title": "pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54115",
"datePublished": "2025-12-24T13:06:36.892Z",
"dateReserved": "2025-12-24T13:02:52.519Z",
"dateUpdated": "2026-01-05T10:33:50.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54145 (GCVE-0-2023-54145)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:34
VLAI?
EPSS
Title
bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log
It's trivial for user to trigger "verifier log line truncated" warning,
as verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at
least two pieces of user-provided information that can be output through
this buffer, and both can be arbitrarily sized by user:
- BTF names;
- BTF.ext source code lines strings.
Verifier log buffer should be properly sized for typical verifier state
output. But it's sort-of expected that this buffer won't be long enough
in some circumstances. So let's drop the check. In any case code will
work correctly, at worst truncating a part of a single line output.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a2a7d5701052542cd2260e7659b12443e0a74733 , < 40c88c429a598006f91ad7a2b89856cd50b3a008
(git)
Affected: a2a7d5701052542cd2260e7659b12443e0a74733 , < 926a175026fed5d534f587ea4ec3ec49265cd3c5 (git) Affected: a2a7d5701052542cd2260e7659b12443e0a74733 , < cff36398bd4c7d322d424433db437f3c3391c491 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "40c88c429a598006f91ad7a2b89856cd50b3a008",
"status": "affected",
"version": "a2a7d5701052542cd2260e7659b12443e0a74733",
"versionType": "git"
},
{
"lessThan": "926a175026fed5d534f587ea4ec3ec49265cd3c5",
"status": "affected",
"version": "a2a7d5701052542cd2260e7659b12443e0a74733",
"versionType": "git"
},
{
"lessThan": "cff36398bd4c7d322d424433db437f3c3391c491",
"status": "affected",
"version": "a2a7d5701052542cd2260e7659b12443e0a74733",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.107",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log\n\nIt\u0027s trivial for user to trigger \"verifier log line truncated\" warning,\nas verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at\nleast two pieces of user-provided information that can be output through\nthis buffer, and both can be arbitrarily sized by user:\n - BTF names;\n - BTF.ext source code lines strings.\n\nVerifier log buffer should be properly sized for typical verifier state\noutput. But it\u0027s sort-of expected that this buffer won\u0027t be long enough\nin some circumstances. So let\u0027s drop the check. In any case code will\nwork correctly, at worst truncating a part of a single line output."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:34:01.135Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/40c88c429a598006f91ad7a2b89856cd50b3a008"
},
{
"url": "https://git.kernel.org/stable/c/926a175026fed5d534f587ea4ec3ec49265cd3c5"
},
{
"url": "https://git.kernel.org/stable/c/cff36398bd4c7d322d424433db437f3c3391c491"
}
],
"title": "bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54145",
"datePublished": "2025-12-24T13:06:58.227Z",
"dateReserved": "2025-12-24T13:02:52.523Z",
"dateUpdated": "2026-01-05T10:34:01.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54128 (GCVE-0-2023-54128)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
fs: drop peer group ids under namespace lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: drop peer group ids under namespace lock
When cleaning up peer group ids in the failure path we need to make sure
to hold on to the namespace lock. Otherwise another thread might just
turn the mount from a shared into a non-shared mount concurrently.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2a1867219c7b27f928e2545782b86daaf9ad50bd , < 0af8fae81d8b7f1beddc17c5d4cfa43235134648
(git)
Affected: 2a1867219c7b27f928e2545782b86daaf9ad50bd , < ddca03d97daa7b07b60c52e3d3060762732c6666 (git) Affected: 2a1867219c7b27f928e2545782b86daaf9ad50bd , < 65c324d3f35c05e37afec39ac80743583fdcc96c (git) Affected: 2a1867219c7b27f928e2545782b86daaf9ad50bd , < cb2239c198ad9fbd5aced22cf93e45562da781eb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0af8fae81d8b7f1beddc17c5d4cfa43235134648",
"status": "affected",
"version": "2a1867219c7b27f928e2545782b86daaf9ad50bd",
"versionType": "git"
},
{
"lessThan": "ddca03d97daa7b07b60c52e3d3060762732c6666",
"status": "affected",
"version": "2a1867219c7b27f928e2545782b86daaf9ad50bd",
"versionType": "git"
},
{
"lessThan": "65c324d3f35c05e37afec39ac80743583fdcc96c",
"status": "affected",
"version": "2a1867219c7b27f928e2545782b86daaf9ad50bd",
"versionType": "git"
},
{
"lessThan": "cb2239c198ad9fbd5aced22cf93e45562da781eb",
"status": "affected",
"version": "2a1867219c7b27f928e2545782b86daaf9ad50bd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: drop peer group ids under namespace lock\n\nWhen cleaning up peer group ids in the failure path we need to make sure\nto hold on to the namespace lock. Otherwise another thread might just\nturn the mount from a shared into a non-shared mount concurrently."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:46.056Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0af8fae81d8b7f1beddc17c5d4cfa43235134648"
},
{
"url": "https://git.kernel.org/stable/c/ddca03d97daa7b07b60c52e3d3060762732c6666"
},
{
"url": "https://git.kernel.org/stable/c/65c324d3f35c05e37afec39ac80743583fdcc96c"
},
{
"url": "https://git.kernel.org/stable/c/cb2239c198ad9fbd5aced22cf93e45562da781eb"
}
],
"title": "fs: drop peer group ids under namespace lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54128",
"datePublished": "2025-12-24T13:06:46.056Z",
"dateReserved": "2025-12-24T13:02:52.521Z",
"dateUpdated": "2025-12-24T13:06:46.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54210 (GCVE-0-2023-54210)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()
KASAN reports that there's a use-after-free in
hci_remove_adv_monitor(). Trawling through the disassembly, you can
see that the complaint is from the access in bt_dev_dbg() under the
HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because
msft_remove_monitor() can end up freeing the monitor
structure. Specifically:
hci_remove_adv_monitor() ->
msft_remove_monitor() ->
msft_remove_monitor_sync() ->
msft_le_cancel_monitor_advertisement_cb() ->
hci_free_adv_monitor()
Let's fix the problem by just stashing the relevant data when it's
still valid.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c , < 0d4d6b083da9b033ddccef72d77f373c819ae3ea
(git)
Affected: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c , < bf00c2c8f6254f44ac041aa9a311ae9e0caf692b (git) Affected: 7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c , < de6dfcefd107667ce2dbedf4d9337f5ed557a4a1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0d4d6b083da9b033ddccef72d77f373c819ae3ea",
"status": "affected",
"version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
"versionType": "git"
},
{
"lessThan": "bf00c2c8f6254f44ac041aa9a311ae9e0caf692b",
"status": "affected",
"version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
"versionType": "git"
},
{
"lessThan": "de6dfcefd107667ce2dbedf4d9337f5ed557a4a1",
"status": "affected",
"version": "7cf5c2978f23fdbb2dd7b4e8b07e362ae2d8211c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()\n\nKASAN reports that there\u0027s a use-after-free in\nhci_remove_adv_monitor(). Trawling through the disassembly, you can\nsee that the complaint is from the access in bt_dev_dbg() under the\nHCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because\nmsft_remove_monitor() can end up freeing the monitor\nstructure. Specifically:\n hci_remove_adv_monitor() -\u003e\n msft_remove_monitor() -\u003e\n msft_remove_monitor_sync() -\u003e\n msft_le_cancel_monitor_advertisement_cb() -\u003e\n hci_free_adv_monitor()\n\nLet\u0027s fix the problem by just stashing the relevant data when it\u0027s\nstill valid."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:08.682Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d4d6b083da9b033ddccef72d77f373c819ae3ea"
},
{
"url": "https://git.kernel.org/stable/c/bf00c2c8f6254f44ac041aa9a311ae9e0caf692b"
},
{
"url": "https://git.kernel.org/stable/c/de6dfcefd107667ce2dbedf4d9337f5ed557a4a1"
}
],
"title": "Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54210",
"datePublished": "2025-12-30T12:11:08.682Z",
"dateReserved": "2025-12-30T12:06:44.500Z",
"dateUpdated": "2025-12-30T12:11:08.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53793 (GCVE-0-2023-53793)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
perf tool x86: Fix perf_env memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf tool x86: Fix perf_env memory leak
Found by leak sanitizer:
```
==1632594==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 21 byte(s) in 1 object(s) allocated from:
#0 0x7f2953a7077b in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:439
#1 0x556701d6fbbf in perf_env__read_cpuid util/env.c:369
#2 0x556701d70589 in perf_env__cpuid util/env.c:465
#3 0x55670204bba2 in x86__is_amd_cpu arch/x86/util/env.c:14
#4 0x5567020487a2 in arch__post_evsel_config arch/x86/util/evsel.c:83
#5 0x556701d8f78b in evsel__config util/evsel.c:1366
#6 0x556701ef5872 in evlist__config util/record.c:108
#7 0x556701cd6bcd in test__PERF_RECORD tests/perf-record.c:112
#8 0x556701cacd07 in run_test tests/builtin-test.c:236
#9 0x556701cacfac in test_and_print tests/builtin-test.c:265
#10 0x556701cadddb in __cmd_test tests/builtin-test.c:402
#11 0x556701caf2aa in cmd_test tests/builtin-test.c:559
#12 0x556701d3b557 in run_builtin tools/perf/perf.c:323
#13 0x556701d3bac8 in handle_internal_command tools/perf/perf.c:377
#14 0x556701d3be90 in run_argv tools/perf/perf.c:421
#15 0x556701d3c3f8 in main tools/perf/perf.c:537
#16 0x7f2952a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s).
```
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f7b58cbdb3ff36eba8622e67eee66c10dd1c9995 , < 75d65c1cc439606ada882755fd205d13c2c7907d
(git)
Affected: f7b58cbdb3ff36eba8622e67eee66c10dd1c9995 , < 010139bfc6bb9ddab81dbc2cf71cd3a9c28adc7f (git) Affected: f7b58cbdb3ff36eba8622e67eee66c10dd1c9995 , < f3daf02a41e3c11e1a473517a8a6169248fb8e7b (git) Affected: f7b58cbdb3ff36eba8622e67eee66c10dd1c9995 , < 99d4850062a84564f36923764bb93935ef2ed108 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"tools/perf/arch/x86/util/env.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "75d65c1cc439606ada882755fd205d13c2c7907d",
"status": "affected",
"version": "f7b58cbdb3ff36eba8622e67eee66c10dd1c9995",
"versionType": "git"
},
{
"lessThan": "010139bfc6bb9ddab81dbc2cf71cd3a9c28adc7f",
"status": "affected",
"version": "f7b58cbdb3ff36eba8622e67eee66c10dd1c9995",
"versionType": "git"
},
{
"lessThan": "f3daf02a41e3c11e1a473517a8a6169248fb8e7b",
"status": "affected",
"version": "f7b58cbdb3ff36eba8622e67eee66c10dd1c9995",
"versionType": "git"
},
{
"lessThan": "99d4850062a84564f36923764bb93935ef2ed108",
"status": "affected",
"version": "f7b58cbdb3ff36eba8622e67eee66c10dd1c9995",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"tools/perf/arch/x86/util/env.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf tool x86: Fix perf_env memory leak\n\nFound by leak sanitizer:\n```\n==1632594==ERROR: LeakSanitizer: detected memory leaks\n\nDirect leak of 21 byte(s) in 1 object(s) allocated from:\n #0 0x7f2953a7077b in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:439\n #1 0x556701d6fbbf in perf_env__read_cpuid util/env.c:369\n #2 0x556701d70589 in perf_env__cpuid util/env.c:465\n #3 0x55670204bba2 in x86__is_amd_cpu arch/x86/util/env.c:14\n #4 0x5567020487a2 in arch__post_evsel_config arch/x86/util/evsel.c:83\n #5 0x556701d8f78b in evsel__config util/evsel.c:1366\n #6 0x556701ef5872 in evlist__config util/record.c:108\n #7 0x556701cd6bcd in test__PERF_RECORD tests/perf-record.c:112\n #8 0x556701cacd07 in run_test tests/builtin-test.c:236\n #9 0x556701cacfac in test_and_print tests/builtin-test.c:265\n #10 0x556701cadddb in __cmd_test tests/builtin-test.c:402\n #11 0x556701caf2aa in cmd_test tests/builtin-test.c:559\n #12 0x556701d3b557 in run_builtin tools/perf/perf.c:323\n #13 0x556701d3bac8 in handle_internal_command tools/perf/perf.c:377\n #14 0x556701d3be90 in run_argv tools/perf/perf.c:421\n #15 0x556701d3c3f8 in main tools/perf/perf.c:537\n #16 0x7f2952a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n\nSUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s).\n```"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:50.132Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/75d65c1cc439606ada882755fd205d13c2c7907d"
},
{
"url": "https://git.kernel.org/stable/c/010139bfc6bb9ddab81dbc2cf71cd3a9c28adc7f"
},
{
"url": "https://git.kernel.org/stable/c/f3daf02a41e3c11e1a473517a8a6169248fb8e7b"
},
{
"url": "https://git.kernel.org/stable/c/99d4850062a84564f36923764bb93935ef2ed108"
}
],
"title": "perf tool x86: Fix perf_env memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53793",
"datePublished": "2025-12-09T00:00:50.132Z",
"dateReserved": "2025-12-08T23:58:35.274Z",
"dateUpdated": "2025-12-09T00:00:50.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54245 (GCVE-0-2023-54245)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds
When we run syzkaller we get below Out of Bound.
"KASAN: slab-out-of-bounds Read in regcache_flat_read"
Below is the backtrace of the issue:
dump_backtrace+0x0/0x4c8
show_stack+0x34/0x44
dump_stack_lvl+0xd8/0x118
print_address_description+0x30/0x2d8
kasan_report+0x158/0x198
__asan_report_load4_noabort+0x44/0x50
regcache_flat_read+0x10c/0x110
regcache_read+0xf4/0x180
_regmap_read+0xc4/0x278
_regmap_update_bits+0x130/0x290
regmap_update_bits_base+0xc0/0x15c
snd_soc_component_update_bits+0xa8/0x22c
snd_soc_component_write_field+0x68/0xd4
tx_macro_digital_mute+0xec/0x140
Actually There is no need to have decimator with 32 bits.
By limiting the variable with short type u8 issue is resolved.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d207bdea0ca9efde321ff142e9b9f2ef73f9cdf5 , < da35a4e6eee5d73886312e85322a6e97df901987
(git)
Affected: d207bdea0ca9efde321ff142e9b9f2ef73f9cdf5 , < 57f9a9a232bde7abfe49c3072b29a255da9ba891 (git) Affected: d207bdea0ca9efde321ff142e9b9f2ef73f9cdf5 , < b0cd740a31412340fead50e69e4fe9bc3781c754 (git) Affected: d207bdea0ca9efde321ff142e9b9f2ef73f9cdf5 , < e5e7e398f6bb7918dab0612eb6991f7bae95520d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-tx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da35a4e6eee5d73886312e85322a6e97df901987",
"status": "affected",
"version": "d207bdea0ca9efde321ff142e9b9f2ef73f9cdf5",
"versionType": "git"
},
{
"lessThan": "57f9a9a232bde7abfe49c3072b29a255da9ba891",
"status": "affected",
"version": "d207bdea0ca9efde321ff142e9b9f2ef73f9cdf5",
"versionType": "git"
},
{
"lessThan": "b0cd740a31412340fead50e69e4fe9bc3781c754",
"status": "affected",
"version": "d207bdea0ca9efde321ff142e9b9f2ef73f9cdf5",
"versionType": "git"
},
{
"lessThan": "e5e7e398f6bb7918dab0612eb6991f7bae95520d",
"status": "affected",
"version": "d207bdea0ca9efde321ff142e9b9f2ef73f9cdf5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/lpass-tx-macro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.106",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.106",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.23",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.10",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds\n\nWhen we run syzkaller we get below Out of Bound.\n \"KASAN: slab-out-of-bounds Read in regcache_flat_read\"\n\n Below is the backtrace of the issue:\n\n dump_backtrace+0x0/0x4c8\n show_stack+0x34/0x44\n dump_stack_lvl+0xd8/0x118\n print_address_description+0x30/0x2d8\n kasan_report+0x158/0x198\n __asan_report_load4_noabort+0x44/0x50\n regcache_flat_read+0x10c/0x110\n regcache_read+0xf4/0x180\n _regmap_read+0xc4/0x278\n _regmap_update_bits+0x130/0x290\n regmap_update_bits_base+0xc0/0x15c\n snd_soc_component_update_bits+0xa8/0x22c\n snd_soc_component_write_field+0x68/0xd4\n tx_macro_digital_mute+0xec/0x140\n\n Actually There is no need to have decimator with 32 bits.\n By limiting the variable with short type u8 issue is resolved."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:01.001Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da35a4e6eee5d73886312e85322a6e97df901987"
},
{
"url": "https://git.kernel.org/stable/c/57f9a9a232bde7abfe49c3072b29a255da9ba891"
},
{
"url": "https://git.kernel.org/stable/c/b0cd740a31412340fead50e69e4fe9bc3781c754"
},
{
"url": "https://git.kernel.org/stable/c/e5e7e398f6bb7918dab0612eb6991f7bae95520d"
}
],
"title": "ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54245",
"datePublished": "2025-12-30T12:15:44.060Z",
"dateReserved": "2025-12-30T12:06:44.513Z",
"dateUpdated": "2026-01-05T11:37:01.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53827 (GCVE-0-2023-53827)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free
caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to
prevent referencing a channel that is about to be destroyed.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < f2d38e77aa5f3effc143e7dd24da8acf02925958
(git)
Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < 1351551aa9058e07a20a27a158270cf84fcde621 (git) Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < c02421992505c95c7f3c9ad59ee35e22eac60988 (git) Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < d9ba36c22a7bb09d6bac4cc2f243eff05da53f43 (git) Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < ac6725a634f7e8c0330610a8527f20c730b61115 (git) Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < 348d446762e7c70778df8bafbdf3fa0df2123f58 (git) Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < d82a439c3cfdb28aa7e82e2e849c5c4dd9fca284 (git) Affected: 61d6ef3e3408cdf7e622646fb90a9f7f9560b943 , < a2a9339e1c9deb7e1e079e12e27a0265aea8421a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f2d38e77aa5f3effc143e7dd24da8acf02925958",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "1351551aa9058e07a20a27a158270cf84fcde621",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "c02421992505c95c7f3c9ad59ee35e22eac60988",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "d9ba36c22a7bb09d6bac4cc2f243eff05da53f43",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "ac6725a634f7e8c0330610a8527f20c730b61115",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "348d446762e7c70778df8bafbdf3fa0df2123f58",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "d82a439c3cfdb28aa7e82e2e849c5c4dd9fca284",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
},
{
"lessThan": "a2a9339e1c9deb7e1e079e12e27a0265aea8421a",
"status": "affected",
"version": "61d6ef3e3408cdf7e622646fb90a9f7f9560b943",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.313",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.281",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.178",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.313",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.281",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.241",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.178",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}\n\nSimilar to commit d0be8347c623 (\"Bluetooth: L2CAP: Fix use-after-free\ncaused by l2cap_chan_put\"), just use l2cap_chan_hold_unless_zero to\nprevent referencing a channel that is about to be destroyed."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:00.193Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f2d38e77aa5f3effc143e7dd24da8acf02925958"
},
{
"url": "https://git.kernel.org/stable/c/1351551aa9058e07a20a27a158270cf84fcde621"
},
{
"url": "https://git.kernel.org/stable/c/c02421992505c95c7f3c9ad59ee35e22eac60988"
},
{
"url": "https://git.kernel.org/stable/c/d9ba36c22a7bb09d6bac4cc2f243eff05da53f43"
},
{
"url": "https://git.kernel.org/stable/c/ac6725a634f7e8c0330610a8527f20c730b61115"
},
{
"url": "https://git.kernel.org/stable/c/348d446762e7c70778df8bafbdf3fa0df2123f58"
},
{
"url": "https://git.kernel.org/stable/c/d82a439c3cfdb28aa7e82e2e849c5c4dd9fca284"
},
{
"url": "https://git.kernel.org/stable/c/a2a9339e1c9deb7e1e079e12e27a0265aea8421a"
}
],
"title": "Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53827",
"datePublished": "2025-12-09T01:29:40.794Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2026-01-05T10:33:00.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-20569 (GCVE-0-2023-20569)
Vulnerability from cvelistv5 – Published: 2023-08-08 17:02 – Updated: 2024-09-23 03:18
VLAI?
EPSS
Summary
A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled address, potentially leading to information disclosure.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AMD | Ryzen™ 3000 Series Desktop Processors |
Affected:
various
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-23T03:18:32.598Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-7005"
},
{
"tags": [
"x_transferred"
],
"url": "http://xenbits.xen.org/xsa/advisory-434.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/08/08/4"
},
{
"tags": [
"x_transferred"
],
"url": "https://comsec.ethz.ch/research/microarch/inception/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4E4TZNMLYL2KETY23IPA43QXFAVJ46V/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKK3IA63LSKM4EC3TN4UM6DDEIOWEQIG/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00013.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5475"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7WO5JM74YJSYAE5RBV4DC6A4YLEKWLF/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HKKYIK2EASDNUV4I7EFJKNBVO3KCKGRR/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240605-0006/"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 3000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 PRO 3000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 3000 Series Desktop Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 PRO 3000 Series Processors with Radeon\u2122 Vega Graphics",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Athlon\u2122 3000 Series Processors with Radeon\u2122 Graphics ",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Athlon\u2122 PRO 3000 Series Processors with Radeon\u2122 Vega Graphics",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 4000 Series Desktop Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 PRO 4000 Series Desktop Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 5000 Series Desktop Processors ",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 5000 Series Desktop Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": "AGESA",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 PRO 5000 Series Desktop Processors",
"vendor": " ",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 Threadripper\u2122 2000 Series Processors ",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": " Ryzen\u2122 Threadripper\u2122 5000 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 Threadripper\u2122 3000 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Athlon\u2122 3000 Series Mobile Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 5000 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 PRO 5000 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 6000 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 PRO 6000 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"packageName": " ",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 7040 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 7000 Series Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"platforms": [
"x86"
],
"product": "Ryzen\u2122 7000 Series Processors with Radeon\u2122 Graphics",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"platforms": [
"x86"
],
"product": " 1st Gen AMD EPYC\u2122 Processors",
"vendor": "AMD ",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"platforms": [
"x86"
],
"product": "2nd Gen AMD EPYC\u2122 Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"platforms": [
"x86"
],
"product": "3rd Gen AMD EPYC\u2122 Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
},
{
"defaultStatus": "affected",
"platforms": [
"x86"
],
"product": "4th Gen AMD EPYC\u2122 Processors",
"vendor": "AMD",
"versions": [
{
"status": "affected",
"version": "various "
}
]
}
],
"datePublic": "2023-08-08T16:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA side channel vulnerability on some \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eof the \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAMD CPUs may allow an attacker to influence \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethe \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ereturn address prediction\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. This may\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e result in speculative execution at an attacker-controlled\u202f\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eaddress\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, potentially leading to information disclosure.\u003c/span\u003e\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
}
],
"value": "\n\n\nA side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled\u202faddress, potentially leading to information disclosure.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
}
],
"providerMetadata": {
"dateUpdated": "2023-08-08T17:02:11.318Z",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-7005"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-434.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/08/08/4"
},
{
"url": "https://comsec.ethz.ch/research/microarch/inception/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4E4TZNMLYL2KETY23IPA43QXFAVJ46V/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKK3IA63LSKM4EC3TN4UM6DDEIOWEQIG/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00013.html"
},
{
"url": "https://www.debian.org/security/2023/dsa-5475"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7WO5JM74YJSYAE5RBV4DC6A4YLEKWLF/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HKKYIK2EASDNUV4I7EFJKNBVO3KCKGRR/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240605-0006/"
}
],
"source": {
"advisory": "AMD-SB-7005",
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2023-20569",
"datePublished": "2023-08-08T17:02:11.318Z",
"dateReserved": "2022-10-27T18:53:39.754Z",
"dateUpdated": "2024-09-23T03:18:32.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50705 (GCVE-0-2022-50705)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
io_uring/rw: defer fsnotify calls to task context
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/rw: defer fsnotify calls to task context
We can't call these off the kiocb completion as that might be off
soft/hard irq context. Defer the calls to when we process the
task_work for this request. That avoids valid complaints like:
stack backtrace:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_usage_bug kernel/locking/lockdep.c:3961 [inline]
valid_state kernel/locking/lockdep.c:3973 [inline]
mark_lock_irq kernel/locking/lockdep.c:4176 [inline]
mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632
mark_lock kernel/locking/lockdep.c:4596 [inline]
mark_usage kernel/locking/lockdep.c:4527 [inline]
__lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007
lock_acquire kernel/locking/lockdep.c:5666 [inline]
lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
__fs_reclaim_acquire mm/page_alloc.c:4674 [inline]
fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688
might_alloc include/linux/sched/mm.h:271 [inline]
slab_pre_alloc_hook mm/slab.h:700 [inline]
slab_alloc mm/slab.c:3278 [inline]
__kmem_cache_alloc_lru mm/slab.c:3471 [inline]
kmem_cache_alloc+0x39/0x520 mm/slab.c:3491
fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline]
fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline]
fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948
send_to_group fs/notify/fsnotify.c:360 [inline]
fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570
__fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230
fsnotify_parent include/linux/fsnotify.h:77 [inline]
fsnotify_file include/linux/fsnotify.h:99 [inline]
fsnotify_access include/linux/fsnotify.h:309 [inline]
__io_complete_rw_common+0x485/0x720 io_uring/rw.c:195
io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228
iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline]
iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178
bio_endio+0x5f9/0x780 block/bio.c:1564
req_bio_endio block/blk-mq.c:695 [inline]
blk_update_request+0x3fc/0x1300 block/blk-mq.c:825
scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541
scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971
scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438
blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022
__do_softirq+0x1d3/0x9c6 kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
df1ec53252d5b5b26ea49e30438741c9a6d89857 , < 89a410dbd0f159ddd308f19d6eb682fc753e4771
(git)
Affected: f63cf5192fe3418ad5ae1a4412eba5694b145f79 , < 2a853c206e553dd9c0a55c22858fd6a446d93e15 (git) Affected: f63cf5192fe3418ad5ae1a4412eba5694b145f79 , < b000145e9907809406d8164c3b2b8861d95aecd1 (git) Affected: dfbe550c8235b7e98284db37eeeddfd3b4b19b00 (git) Affected: b436d1e92662adecafff4c95baae6352289c2d80 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89a410dbd0f159ddd308f19d6eb682fc753e4771",
"status": "affected",
"version": "df1ec53252d5b5b26ea49e30438741c9a6d89857",
"versionType": "git"
},
{
"lessThan": "2a853c206e553dd9c0a55c22858fd6a446d93e15",
"status": "affected",
"version": "f63cf5192fe3418ad5ae1a4412eba5694b145f79",
"versionType": "git"
},
{
"lessThan": "b000145e9907809406d8164c3b2b8861d95aecd1",
"status": "affected",
"version": "f63cf5192fe3418ad5ae1a4412eba5694b145f79",
"versionType": "git"
},
{
"status": "affected",
"version": "dfbe550c8235b7e98284db37eeeddfd3b4b19b00",
"versionType": "git"
},
{
"status": "affected",
"version": "b436d1e92662adecafff4c95baae6352289c2d80",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/rw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.90",
"versionStartIncluding": "5.15.54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/rw: defer fsnotify calls to task context\n\nWe can\u0027t call these off the kiocb completion as that might be off\nsoft/hard irq context. Defer the calls to when we process the\ntask_work for this request. That avoids valid complaints like:\n\nstack backtrace:\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022\nCall Trace:\n \u003cIRQ\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_usage_bug kernel/locking/lockdep.c:3961 [inline]\n valid_state kernel/locking/lockdep.c:3973 [inline]\n mark_lock_irq kernel/locking/lockdep.c:4176 [inline]\n mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632\n mark_lock kernel/locking/lockdep.c:4596 [inline]\n mark_usage kernel/locking/lockdep.c:4527 [inline]\n __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007\n lock_acquire kernel/locking/lockdep.c:5666 [inline]\n lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631\n __fs_reclaim_acquire mm/page_alloc.c:4674 [inline]\n fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688\n might_alloc include/linux/sched/mm.h:271 [inline]\n slab_pre_alloc_hook mm/slab.h:700 [inline]\n slab_alloc mm/slab.c:3278 [inline]\n __kmem_cache_alloc_lru mm/slab.c:3471 [inline]\n kmem_cache_alloc+0x39/0x520 mm/slab.c:3491\n fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline]\n fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline]\n fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948\n send_to_group fs/notify/fsnotify.c:360 [inline]\n fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570\n __fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230\n fsnotify_parent include/linux/fsnotify.h:77 [inline]\n fsnotify_file include/linux/fsnotify.h:99 [inline]\n fsnotify_access include/linux/fsnotify.h:309 [inline]\n __io_complete_rw_common+0x485/0x720 io_uring/rw.c:195\n io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228\n iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline]\n iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178\n bio_endio+0x5f9/0x780 block/bio.c:1564\n req_bio_endio block/blk-mq.c:695 [inline]\n blk_update_request+0x3fc/0x1300 block/blk-mq.c:825\n scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541\n scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971\n scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438\n blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022\n __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571\n invoke_softirq kernel/softirq.c:445 [inline]\n __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650\n irq_exit_rcu+0x5/0x20 kernel/softirq.c:662\n common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:20.020Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89a410dbd0f159ddd308f19d6eb682fc753e4771"
},
{
"url": "https://git.kernel.org/stable/c/2a853c206e553dd9c0a55c22858fd6a446d93e15"
},
{
"url": "https://git.kernel.org/stable/c/b000145e9907809406d8164c3b2b8861d95aecd1"
}
],
"title": "io_uring/rw: defer fsnotify calls to task context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50705",
"datePublished": "2025-12-24T10:55:20.020Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2025-12-24T10:55:20.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50840 (GCVE-0-2022-50840)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2025-12-30 12:10
VLAI?
EPSS
Title
scsi: snic: Fix possible UAF in snic_tgt_create()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: snic: Fix possible UAF in snic_tgt_create()
Smatch reports a warning as follows:
drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn:
'&tgt->list' not removed from list
If device_add() fails in snic_tgt_create(), tgt will be freed, but
tgt->list will not be removed from snic->disc.tgt_list, then list traversal
may cause UAF.
Remove from snic->disc.tgt_list before free().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < f9d8b8ba0f1a16cde0b1fc9e80466df76b6db8ff
(git)
Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < 3772319e40527e6a5f2ec1d729e01f271d818f5c (git) Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < 3007f96ca20c848d0b1b052df6d2cb5ae5586e78 (git) Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < 6866154c23fba40888ad6d554cccd4bf2edb755e (git) Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < ad27f74e901fc48729733c88818e6b96c813057d (git) Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < 1895e908b3ae66a5312fd1b2cdda2da82993dca7 (git) Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < c7f0f8dab1ae5def57c1a8a9cafd6fabe1dc27cc (git) Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < 4141cd9e8b3379aea52a85d2c35f6eaf26d14e86 (git) Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < e118df492320176af94deec000ae034cc92be754 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/snic/snic_disc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9d8b8ba0f1a16cde0b1fc9e80466df76b6db8ff",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "3772319e40527e6a5f2ec1d729e01f271d818f5c",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "3007f96ca20c848d0b1b052df6d2cb5ae5586e78",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "6866154c23fba40888ad6d554cccd4bf2edb755e",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "ad27f74e901fc48729733c88818e6b96c813057d",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "1895e908b3ae66a5312fd1b2cdda2da82993dca7",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "c7f0f8dab1ae5def57c1a8a9cafd6fabe1dc27cc",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "4141cd9e8b3379aea52a85d2c35f6eaf26d14e86",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
},
{
"lessThan": "e118df492320176af94deec000ae034cc92be754",
"status": "affected",
"version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/snic/snic_disc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: snic: Fix possible UAF in snic_tgt_create()\n\nSmatch reports a warning as follows:\n\ndrivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn:\n \u0027\u0026tgt-\u003elist\u0027 not removed from list\n\nIf device_add() fails in snic_tgt_create(), tgt will be freed, but\ntgt-\u003elist will not be removed from snic-\u003edisc.tgt_list, then list traversal\nmay cause UAF.\n\nRemove from snic-\u003edisc.tgt_list before free()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:10:59.066Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9d8b8ba0f1a16cde0b1fc9e80466df76b6db8ff"
},
{
"url": "https://git.kernel.org/stable/c/3772319e40527e6a5f2ec1d729e01f271d818f5c"
},
{
"url": "https://git.kernel.org/stable/c/3007f96ca20c848d0b1b052df6d2cb5ae5586e78"
},
{
"url": "https://git.kernel.org/stable/c/6866154c23fba40888ad6d554cccd4bf2edb755e"
},
{
"url": "https://git.kernel.org/stable/c/ad27f74e901fc48729733c88818e6b96c813057d"
},
{
"url": "https://git.kernel.org/stable/c/1895e908b3ae66a5312fd1b2cdda2da82993dca7"
},
{
"url": "https://git.kernel.org/stable/c/c7f0f8dab1ae5def57c1a8a9cafd6fabe1dc27cc"
},
{
"url": "https://git.kernel.org/stable/c/4141cd9e8b3379aea52a85d2c35f6eaf26d14e86"
},
{
"url": "https://git.kernel.org/stable/c/e118df492320176af94deec000ae034cc92be754"
}
],
"title": "scsi: snic: Fix possible UAF in snic_tgt_create()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50840",
"datePublished": "2025-12-30T12:10:59.066Z",
"dateReserved": "2025-12-30T12:06:07.133Z",
"dateUpdated": "2025-12-30T12:10:59.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54102 (GCVE-0-2023-54102)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
A static code analysis tool flagged the possibility of buffer overflow when
using copy_from_user() for a debugfs entry.
Currently, it is possible that copy_from_user() copies more bytes than what
would fit in the mybuf char array. Add a min() restriction check between
sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect
against buffer overflow.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6a828b0f6192b4930894925d1c1d0dc1f1d99e6e , < 644a9d5e22761a41d5005a26996a643da96de962
(git)
Affected: 6a828b0f6192b4930894925d1c1d0dc1f1d99e6e , < e0e7faee3a7dd6f51350cda64997116a247eb045 (git) Affected: 6a828b0f6192b4930894925d1c1d0dc1f1d99e6e , < f91037487036e2d2f18d3c2481be6b9a366bde7f (git) Affected: 6a828b0f6192b4930894925d1c1d0dc1f1d99e6e , < a9df88cb31dcbd72104ec5883f35cbc1fb587e47 (git) Affected: 6a828b0f6192b4930894925d1c1d0dc1f1d99e6e , < ad050f6cf681ebb850a9d4bc19474d3896476301 (git) Affected: 6a828b0f6192b4930894925d1c1d0dc1f1d99e6e , < c6087b82a9146826564a55c5ca0164cac40348f5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "644a9d5e22761a41d5005a26996a643da96de962",
"status": "affected",
"version": "6a828b0f6192b4930894925d1c1d0dc1f1d99e6e",
"versionType": "git"
},
{
"lessThan": "e0e7faee3a7dd6f51350cda64997116a247eb045",
"status": "affected",
"version": "6a828b0f6192b4930894925d1c1d0dc1f1d99e6e",
"versionType": "git"
},
{
"lessThan": "f91037487036e2d2f18d3c2481be6b9a366bde7f",
"status": "affected",
"version": "6a828b0f6192b4930894925d1c1d0dc1f1d99e6e",
"versionType": "git"
},
{
"lessThan": "a9df88cb31dcbd72104ec5883f35cbc1fb587e47",
"status": "affected",
"version": "6a828b0f6192b4930894925d1c1d0dc1f1d99e6e",
"versionType": "git"
},
{
"lessThan": "ad050f6cf681ebb850a9d4bc19474d3896476301",
"status": "affected",
"version": "6a828b0f6192b4930894925d1c1d0dc1f1d99e6e",
"versionType": "git"
},
{
"lessThan": "c6087b82a9146826564a55c5ca0164cac40348f5",
"status": "affected",
"version": "6a828b0f6192b4930894925d1c1d0dc1f1d99e6e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/lpfc/lpfc_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow\n\nA static code analysis tool flagged the possibility of buffer overflow when\nusing copy_from_user() for a debugfs entry.\n\nCurrently, it is possible that copy_from_user() copies more bytes than what\nwould fit in the mybuf char array. Add a min() restriction check between\nsizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect\nagainst buffer overflow."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:46.034Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/644a9d5e22761a41d5005a26996a643da96de962"
},
{
"url": "https://git.kernel.org/stable/c/e0e7faee3a7dd6f51350cda64997116a247eb045"
},
{
"url": "https://git.kernel.org/stable/c/f91037487036e2d2f18d3c2481be6b9a366bde7f"
},
{
"url": "https://git.kernel.org/stable/c/a9df88cb31dcbd72104ec5883f35cbc1fb587e47"
},
{
"url": "https://git.kernel.org/stable/c/ad050f6cf681ebb850a9d4bc19474d3896476301"
},
{
"url": "https://git.kernel.org/stable/c/c6087b82a9146826564a55c5ca0164cac40348f5"
}
],
"title": "scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54102",
"datePublished": "2025-12-24T13:06:27.915Z",
"dateReserved": "2025-12-24T13:02:52.517Z",
"dateUpdated": "2026-01-05T10:33:46.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53759 (GCVE-0-2023-53759)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-08 01:19
VLAI?
EPSS
Title
HID: hidraw: fix data race on device refcount
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: hidraw: fix data race on device refcount
The hidraw_open() function increments the hidraw device reference
counter. The counter has no dedicated synchronization mechanism,
resulting in a potential data race when concurrently opening a device.
The race is a regression introduced by commit 8590222e4b02 ("HID:
hidraw: Replace hidraw device table mutex with a rwsem"). While
minors_rwsem is intended to protect the hidraw_table itself, by instead
acquiring the lock for writing, the reference counter is also protected.
This is symmetrical to hidraw_release().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8590222e4b021054a7167a4dd35b152a8ed7018e , < 879e79c3aead41b8aa2e91164354b30bd1c4ef3b
(git)
Affected: 8590222e4b021054a7167a4dd35b152a8ed7018e , < ff348eabd97577da974d3db7038857f28c61d2bd (git) Affected: 8590222e4b021054a7167a4dd35b152a8ed7018e , < 05b47034e2488c2924e5c032e20a1979d012b5b5 (git) Affected: 8590222e4b021054a7167a4dd35b152a8ed7018e , < 944ee77dc6ec7b0afd8ec70ffc418b238c92f12b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hidraw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "879e79c3aead41b8aa2e91164354b30bd1c4ef3b",
"status": "affected",
"version": "8590222e4b021054a7167a4dd35b152a8ed7018e",
"versionType": "git"
},
{
"lessThan": "ff348eabd97577da974d3db7038857f28c61d2bd",
"status": "affected",
"version": "8590222e4b021054a7167a4dd35b152a8ed7018e",
"versionType": "git"
},
{
"lessThan": "05b47034e2488c2924e5c032e20a1979d012b5b5",
"status": "affected",
"version": "8590222e4b021054a7167a4dd35b152a8ed7018e",
"versionType": "git"
},
{
"lessThan": "944ee77dc6ec7b0afd8ec70ffc418b238c92f12b",
"status": "affected",
"version": "8590222e4b021054a7167a4dd35b152a8ed7018e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hidraw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.37",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.11",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.1",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hidraw: fix data race on device refcount\n\nThe hidraw_open() function increments the hidraw device reference\ncounter. The counter has no dedicated synchronization mechanism,\nresulting in a potential data race when concurrently opening a device.\n\nThe race is a regression introduced by commit 8590222e4b02 (\"HID:\nhidraw: Replace hidraw device table mutex with a rwsem\"). While\nminors_rwsem is intended to protect the hidraw_table itself, by instead\nacquiring the lock for writing, the reference counter is also protected.\nThis is symmetrical to hidraw_release()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:19:20.432Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/879e79c3aead41b8aa2e91164354b30bd1c4ef3b"
},
{
"url": "https://git.kernel.org/stable/c/ff348eabd97577da974d3db7038857f28c61d2bd"
},
{
"url": "https://git.kernel.org/stable/c/05b47034e2488c2924e5c032e20a1979d012b5b5"
},
{
"url": "https://git.kernel.org/stable/c/944ee77dc6ec7b0afd8ec70ffc418b238c92f12b"
}
],
"title": "HID: hidraw: fix data race on device refcount",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53759",
"datePublished": "2025-12-08T01:19:20.432Z",
"dateReserved": "2025-12-08T01:18:04.280Z",
"dateUpdated": "2025-12-08T01:19:20.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68222 (GCVE-0-2025-68222)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc
s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its
fields are initialized. Notably, num_custom_params is used in
pinconf_generic_parse_dt_config(), resulting in intermittent allocation
errors, such as the following splat when probing i2c-imx:
WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300
[...]
Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT)
[...]
Call trace:
__alloc_pages_noprof+0x290/0x300 (P)
___kmalloc_large_node+0x84/0x168
__kmalloc_large_node_noprof+0x34/0x120
__kmalloc_noprof+0x2ac/0x378
pinconf_generic_parse_dt_config+0x68/0x1a0
s32_dt_node_to_map+0x104/0x248
dt_to_map_one_config+0x154/0x1d8
pinctrl_dt_to_map+0x12c/0x280
create_pinctrl+0x6c/0x270
pinctrl_get+0xc0/0x170
devm_pinctrl_get+0x50/0xa0
pinctrl_bind_pins+0x60/0x2a0
really_probe+0x60/0x3a0
[...]
__platform_driver_register+0x2c/0x40
i2c_adap_imx_init+0x28/0xff8 [i2c_imx]
[...]
This results in later parse failures that can cause issues in dependent
drivers:
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property
[...]
pca953x 0-0022: failed writing register: -6
i2c i2c-0: IMX I2C adapter registered
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property
i2c i2c-1: IMX I2C adapter registered
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property
s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property
i2c i2c-2: IMX I2C adapter registered
Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of
devm_kmalloc() in s32_pinctrl_probe(), which sets the previously
uninitialized fields to zero.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 3b90bd8aaeb21b513ecc4ed03299e80ece44a333
(git)
Affected: fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 583ac7f65791ceda38ea1a493a4859f7161dcb03 (git) Affected: fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 7bbdd6c30e8fd92f7165b7730b038cfe42102004 (git) Affected: fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 97ea34defbb57bfaf71ce487b1b0865ffd186e81 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/nxp/pinctrl-s32cc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b90bd8aaeb21b513ecc4ed03299e80ece44a333",
"status": "affected",
"version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
"versionType": "git"
},
{
"lessThan": "583ac7f65791ceda38ea1a493a4859f7161dcb03",
"status": "affected",
"version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
"versionType": "git"
},
{
"lessThan": "7bbdd6c30e8fd92f7165b7730b038cfe42102004",
"status": "affected",
"version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
"versionType": "git"
},
{
"lessThan": "97ea34defbb57bfaf71ce487b1b0865ffd186e81",
"status": "affected",
"version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/nxp/pinctrl-s32cc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc\n\ns32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its\nfields are initialized. Notably, num_custom_params is used in\npinconf_generic_parse_dt_config(), resulting in intermittent allocation\nerrors, such as the following splat when probing i2c-imx:\n\n WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300\n [...]\n Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT)\n [...]\n Call trace:\n __alloc_pages_noprof+0x290/0x300 (P)\n ___kmalloc_large_node+0x84/0x168\n __kmalloc_large_node_noprof+0x34/0x120\n __kmalloc_noprof+0x2ac/0x378\n pinconf_generic_parse_dt_config+0x68/0x1a0\n s32_dt_node_to_map+0x104/0x248\n dt_to_map_one_config+0x154/0x1d8\n pinctrl_dt_to_map+0x12c/0x280\n create_pinctrl+0x6c/0x270\n pinctrl_get+0xc0/0x170\n devm_pinctrl_get+0x50/0xa0\n pinctrl_bind_pins+0x60/0x2a0\n really_probe+0x60/0x3a0\n [...]\n __platform_driver_register+0x2c/0x40\n i2c_adap_imx_init+0x28/0xff8 [i2c_imx]\n [...]\n\nThis results in later parse failures that can cause issues in dependent\ndrivers:\n\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property\n [...]\n pca953x 0-0022: failed writing register: -6\n i2c i2c-0: IMX I2C adapter registered\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property\n i2c i2c-1: IMX I2C adapter registered\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property\n s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property\n i2c i2c-2: IMX I2C adapter registered\n\nFix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of\ndevm_kmalloc() in s32_pinctrl_probe(), which sets the previously\nuninitialized fields to zero."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:15.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b90bd8aaeb21b513ecc4ed03299e80ece44a333"
},
{
"url": "https://git.kernel.org/stable/c/583ac7f65791ceda38ea1a493a4859f7161dcb03"
},
{
"url": "https://git.kernel.org/stable/c/7bbdd6c30e8fd92f7165b7730b038cfe42102004"
},
{
"url": "https://git.kernel.org/stable/c/97ea34defbb57bfaf71ce487b1b0865ffd186e81"
}
],
"title": "pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68222",
"datePublished": "2025-12-16T13:57:15.832Z",
"dateReserved": "2025-12-16T13:41:40.257Z",
"dateUpdated": "2025-12-16T13:57:15.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50773 (GCVE-0-2022-50773)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
I got a null-ptr-defer error report when I do the following tests
on the qemu platform:
make defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m,
CONFIG_SND_MTS64=m
Then making test scripts:
cat>test_mod1.sh<<EOF
modprobe snd-mts64
modprobe snd-mts64
EOF
Executing the script, perhaps several times, we will get a null-ptr-defer
report, as follow:
syzkaller:~# ./test_mod.sh
snd_mts64: probe of snd_mts64.0 failed with error -5
modprobe: ERROR: could not insert 'snd_mts64': No such device
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 0 PID: 205 Comm: modprobe Not tainted 6.1.0-rc8-00588-g76dcd734eca2 #6
Call Trace:
<IRQ>
snd_mts64_interrupt+0x24/0xa0 [snd_mts64]
parport_irq_handler+0x37/0x50 [parport]
__handle_irq_event_percpu+0x39/0x190
handle_irq_event_percpu+0xa/0x30
handle_irq_event+0x2f/0x50
handle_edge_irq+0x99/0x1b0
__common_interrupt+0x5d/0x100
common_interrupt+0xa0/0xc0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30
parport_claim+0xbd/0x230 [parport]
snd_mts64_probe+0x14a/0x465 [snd_mts64]
platform_probe+0x3f/0xa0
really_probe+0x129/0x2c0
__driver_probe_device+0x6d/0xc0
driver_probe_device+0x1a/0xa0
__device_attach_driver+0x7a/0xb0
bus_for_each_drv+0x62/0xb0
__device_attach+0xe4/0x180
bus_probe_device+0x82/0xa0
device_add+0x550/0x920
platform_device_add+0x106/0x220
snd_mts64_attach+0x2e/0x80 [snd_mts64]
port_check+0x14/0x20 [parport]
bus_for_each_dev+0x6e/0xc0
__parport_register_driver+0x7c/0xb0 [parport]
snd_mts64_module_init+0x31/0x1000 [snd_mts64]
do_one_initcall+0x3c/0x1f0
do_init_module+0x46/0x1c6
load_module+0x1d8d/0x1e10
__do_sys_finit_module+0xa2/0xf0
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
Kernel panic - not syncing: Fatal exception in interrupt
Rebooting in 1 seconds..
The mts wa not initialized during interrupt, we add check for
mts to fix this bug.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad , < 06ec592389f2be3199779ab823c4323dcfd2121f
(git)
Affected: 68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad , < b471fe61da523a15e4cb60fa81f5a2377e4bad98 (git) Affected: 68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad , < 7e91667db38abb056da5a496d40fbd044c66bed2 (git) Affected: 68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad , < c7e9624d90bf20f1eed6b228949396d614b94020 (git) Affected: 68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad , < 0649129359219ce6ff380ec401f87308485c6ae3 (git) Affected: 68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad , < cba633b24a98d957e8190ef8bc4d4cdb4f6e9313 (git) Affected: 68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad , < 1a763c748acd5540ccc43306c57c9c6c5fb60884 (git) Affected: 68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad , < 250eed7b9994d79f9c409f954dbd08e88f5afd83 (git) Affected: 68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad , < cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/drivers/mts64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "06ec592389f2be3199779ab823c4323dcfd2121f",
"status": "affected",
"version": "68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad",
"versionType": "git"
},
{
"lessThan": "b471fe61da523a15e4cb60fa81f5a2377e4bad98",
"status": "affected",
"version": "68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad",
"versionType": "git"
},
{
"lessThan": "7e91667db38abb056da5a496d40fbd044c66bed2",
"status": "affected",
"version": "68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad",
"versionType": "git"
},
{
"lessThan": "c7e9624d90bf20f1eed6b228949396d614b94020",
"status": "affected",
"version": "68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad",
"versionType": "git"
},
{
"lessThan": "0649129359219ce6ff380ec401f87308485c6ae3",
"status": "affected",
"version": "68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad",
"versionType": "git"
},
{
"lessThan": "cba633b24a98d957e8190ef8bc4d4cdb4f6e9313",
"status": "affected",
"version": "68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad",
"versionType": "git"
},
{
"lessThan": "1a763c748acd5540ccc43306c57c9c6c5fb60884",
"status": "affected",
"version": "68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad",
"versionType": "git"
},
{
"lessThan": "250eed7b9994d79f9c409f954dbd08e88f5afd83",
"status": "affected",
"version": "68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad",
"versionType": "git"
},
{
"lessThan": "cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad",
"status": "affected",
"version": "68ab801e32bbe2caac8b8c6e6e94f41fe7d687ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/drivers/mts64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt\n\nI got a null-ptr-defer error report when I do the following tests\non the qemu platform:\n\nmake defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m,\nCONFIG_SND_MTS64=m\n\nThen making test scripts:\ncat\u003etest_mod1.sh\u003c\u003cEOF\nmodprobe snd-mts64\nmodprobe snd-mts64\nEOF\n\nExecuting the script, perhaps several times, we will get a null-ptr-defer\nreport, as follow:\n\nsyzkaller:~# ./test_mod.sh\nsnd_mts64: probe of snd_mts64.0 failed with error -5\nmodprobe: ERROR: could not insert \u0027snd_mts64\u0027: No such device\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 0 PID: 205 Comm: modprobe Not tainted 6.1.0-rc8-00588-g76dcd734eca2 #6\n Call Trace:\n \u003cIRQ\u003e\n snd_mts64_interrupt+0x24/0xa0 [snd_mts64]\n parport_irq_handler+0x37/0x50 [parport]\n __handle_irq_event_percpu+0x39/0x190\n handle_irq_event_percpu+0xa/0x30\n handle_irq_event+0x2f/0x50\n handle_edge_irq+0x99/0x1b0\n __common_interrupt+0x5d/0x100\n common_interrupt+0xa0/0xc0\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_common_interrupt+0x22/0x40\n RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30\n parport_claim+0xbd/0x230 [parport]\n snd_mts64_probe+0x14a/0x465 [snd_mts64]\n platform_probe+0x3f/0xa0\n really_probe+0x129/0x2c0\n __driver_probe_device+0x6d/0xc0\n driver_probe_device+0x1a/0xa0\n __device_attach_driver+0x7a/0xb0\n bus_for_each_drv+0x62/0xb0\n __device_attach+0xe4/0x180\n bus_probe_device+0x82/0xa0\n device_add+0x550/0x920\n platform_device_add+0x106/0x220\n snd_mts64_attach+0x2e/0x80 [snd_mts64]\n port_check+0x14/0x20 [parport]\n bus_for_each_dev+0x6e/0xc0\n __parport_register_driver+0x7c/0xb0 [parport]\n snd_mts64_module_init+0x31/0x1000 [snd_mts64]\n do_one_initcall+0x3c/0x1f0\n do_init_module+0x46/0x1c6\n load_module+0x1d8d/0x1e10\n __do_sys_finit_module+0xa2/0xf0\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception in interrupt\n Rebooting in 1 seconds..\n\nThe mts wa not initialized during interrupt, we add check for\nmts to fix this bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:03.533Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/06ec592389f2be3199779ab823c4323dcfd2121f"
},
{
"url": "https://git.kernel.org/stable/c/b471fe61da523a15e4cb60fa81f5a2377e4bad98"
},
{
"url": "https://git.kernel.org/stable/c/7e91667db38abb056da5a496d40fbd044c66bed2"
},
{
"url": "https://git.kernel.org/stable/c/c7e9624d90bf20f1eed6b228949396d614b94020"
},
{
"url": "https://git.kernel.org/stable/c/0649129359219ce6ff380ec401f87308485c6ae3"
},
{
"url": "https://git.kernel.org/stable/c/cba633b24a98d957e8190ef8bc4d4cdb4f6e9313"
},
{
"url": "https://git.kernel.org/stable/c/1a763c748acd5540ccc43306c57c9c6c5fb60884"
},
{
"url": "https://git.kernel.org/stable/c/250eed7b9994d79f9c409f954dbd08e88f5afd83"
},
{
"url": "https://git.kernel.org/stable/c/cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad"
}
],
"title": "ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50773",
"datePublished": "2025-12-24T13:06:03.533Z",
"dateReserved": "2025-12-24T13:02:21.547Z",
"dateUpdated": "2025-12-24T13:06:03.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49546 (GCVE-0-2022-49546)
Vulnerability from cvelistv5 – Published: 2025-02-26 02:13 – Updated: 2025-12-23 13:24
VLAI?
EPSS
Title
x86/kexec: fix memory leak of elf header buffer
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/kexec: fix memory leak of elf header buffer
This is reported by kmemleak detector:
unreferenced object 0xffffc900002a9000 (size 4096):
comm "kexec", pid 14950, jiffies 4295110793 (age 373.951s)
hex dump (first 32 bytes):
7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............
04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 ..>.............
backtrace:
[<0000000016a8ef9f>] __vmalloc_node_range+0x101/0x170
[<000000002b66b6c0>] __vmalloc_node+0xb4/0x160
[<00000000ad40107d>] crash_prepare_elf64_headers+0x8e/0xcd0
[<0000000019afff23>] crash_load_segments+0x260/0x470
[<0000000019ebe95c>] bzImage64_load+0x814/0xad0
[<0000000093e16b05>] arch_kexec_kernel_image_load+0x1be/0x2a0
[<000000009ef2fc88>] kimage_file_alloc_init+0x2ec/0x5a0
[<0000000038f5a97a>] __do_sys_kexec_file_load+0x28d/0x530
[<0000000087c19992>] do_syscall_64+0x3b/0x90
[<0000000066e063a4>] entry_SYSCALL_64_after_hwframe+0x44/0xae
In crash_prepare_elf64_headers(), a buffer is allocated via vmalloc() to
store elf headers. While it's not freed back to system correctly when
kdump kernel is reloaded or unloaded. Then memory leak is caused. Fix it
by introducing x86 specific function arch_kimage_file_post_load_cleanup(),
and freeing the buffer there.
And also remove the incorrect elf header buffer freeing code. Before
calling arch specific kexec_file loading function, the image instance has
been initialized. So 'image->elf_headers' must be NULL. It doesn't make
sense to free the elf header buffer in the place.
Three different people have reported three bugs about the memory leak on
x86_64 inside Redhat.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dd5f726076cc7639d9713b334c8c133f77c6757a , < 23cf39dccf7653650701a6f39b119e9116a27f1a
(git)
Affected: dd5f726076cc7639d9713b334c8c133f77c6757a , < 8765a423a87d74ef24ea02b43b2728fe4039f248 (git) Affected: dd5f726076cc7639d9713b334c8c133f77c6757a , < 115ee42a4c2f26ba2b4ace2668a3f004621f6833 (git) Affected: dd5f726076cc7639d9713b334c8c133f77c6757a , < f675e3a9189d84a9324ab45b0cb19906c2bc8fcb (git) Affected: dd5f726076cc7639d9713b334c8c133f77c6757a , < b3e34a47f98974d0844444c5121aaff123004e57 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:27:52.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/machine_kexec_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23cf39dccf7653650701a6f39b119e9116a27f1a",
"status": "affected",
"version": "dd5f726076cc7639d9713b334c8c133f77c6757a",
"versionType": "git"
},
{
"lessThan": "8765a423a87d74ef24ea02b43b2728fe4039f248",
"status": "affected",
"version": "dd5f726076cc7639d9713b334c8c133f77c6757a",
"versionType": "git"
},
{
"lessThan": "115ee42a4c2f26ba2b4ace2668a3f004621f6833",
"status": "affected",
"version": "dd5f726076cc7639d9713b334c8c133f77c6757a",
"versionType": "git"
},
{
"lessThan": "f675e3a9189d84a9324ab45b0cb19906c2bc8fcb",
"status": "affected",
"version": "dd5f726076cc7639d9713b334c8c133f77c6757a",
"versionType": "git"
},
{
"lessThan": "b3e34a47f98974d0844444c5121aaff123004e57",
"status": "affected",
"version": "dd5f726076cc7639d9713b334c8c133f77c6757a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/machine_kexec_64.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.236",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"version": "5.17.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.236",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.46",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.17.14",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.3",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: fix memory leak of elf header buffer\n\nThis is reported by kmemleak detector:\n\nunreferenced object 0xffffc900002a9000 (size 4096):\n comm \"kexec\", pid 14950, jiffies 4295110793 (age 373.951s)\n hex dump (first 32 bytes):\n 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............\n 04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 ..\u003e.............\n backtrace:\n [\u003c0000000016a8ef9f\u003e] __vmalloc_node_range+0x101/0x170\n [\u003c000000002b66b6c0\u003e] __vmalloc_node+0xb4/0x160\n [\u003c00000000ad40107d\u003e] crash_prepare_elf64_headers+0x8e/0xcd0\n [\u003c0000000019afff23\u003e] crash_load_segments+0x260/0x470\n [\u003c0000000019ebe95c\u003e] bzImage64_load+0x814/0xad0\n [\u003c0000000093e16b05\u003e] arch_kexec_kernel_image_load+0x1be/0x2a0\n [\u003c000000009ef2fc88\u003e] kimage_file_alloc_init+0x2ec/0x5a0\n [\u003c0000000038f5a97a\u003e] __do_sys_kexec_file_load+0x28d/0x530\n [\u003c0000000087c19992\u003e] do_syscall_64+0x3b/0x90\n [\u003c0000000066e063a4\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIn crash_prepare_elf64_headers(), a buffer is allocated via vmalloc() to\nstore elf headers. While it\u0027s not freed back to system correctly when\nkdump kernel is reloaded or unloaded. Then memory leak is caused. Fix it\nby introducing x86 specific function arch_kimage_file_post_load_cleanup(),\nand freeing the buffer there.\n\nAnd also remove the incorrect elf header buffer freeing code. Before\ncalling arch specific kexec_file loading function, the image instance has\nbeen initialized. So \u0027image-\u003eelf_headers\u0027 must be NULL. It doesn\u0027t make\nsense to free the elf header buffer in the place.\n\nThree different people have reported three bugs about the memory leak on\nx86_64 inside Redhat."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:24:39.736Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23cf39dccf7653650701a6f39b119e9116a27f1a"
},
{
"url": "https://git.kernel.org/stable/c/8765a423a87d74ef24ea02b43b2728fe4039f248"
},
{
"url": "https://git.kernel.org/stable/c/115ee42a4c2f26ba2b4ace2668a3f004621f6833"
},
{
"url": "https://git.kernel.org/stable/c/f675e3a9189d84a9324ab45b0cb19906c2bc8fcb"
},
{
"url": "https://git.kernel.org/stable/c/b3e34a47f98974d0844444c5121aaff123004e57"
}
],
"title": "x86/kexec: fix memory leak of elf header buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49546",
"datePublished": "2025-02-26T02:13:58.867Z",
"dateReserved": "2025-02-26T02:08:31.590Z",
"dateUpdated": "2025-12-23T13:24:39.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50615 (GCVE-0-2022-50615)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16
VLAI?
EPSS
Title
perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map()
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map()
pci_get_device() will increase the reference count for the returned
pci_dev, so snr_uncore_get_mc_dev() will return a pci_dev with its
reference count increased. We need to call pci_dev_put() to decrease the
reference count. Let's add the missing pci_dev_put().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ee49532b38dd084650bf715eabe7e3828fb8d275 , < d2afced51108813256d8072c6e464b0c9f0bb890
(git)
Affected: ee49532b38dd084650bf715eabe7e3828fb8d275 , < 433bd587dca5c3f7157fef2fe571290cd392cbf6 (git) Affected: ee49532b38dd084650bf715eabe7e3828fb8d275 , < a67146437b6428069b71a7e5e740a2a8e1c40ac9 (git) Affected: ee49532b38dd084650bf715eabe7e3828fb8d275 , < dc7f07bc1ebb56a23fd1c4f664db5cbeb8900800 (git) Affected: ee49532b38dd084650bf715eabe7e3828fb8d275 , < 8ebd16c11c346751b3944d708e6c181ed4746c39 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/events/intel/uncore_snbep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2afced51108813256d8072c6e464b0c9f0bb890",
"status": "affected",
"version": "ee49532b38dd084650bf715eabe7e3828fb8d275",
"versionType": "git"
},
{
"lessThan": "433bd587dca5c3f7157fef2fe571290cd392cbf6",
"status": "affected",
"version": "ee49532b38dd084650bf715eabe7e3828fb8d275",
"versionType": "git"
},
{
"lessThan": "a67146437b6428069b71a7e5e740a2a8e1c40ac9",
"status": "affected",
"version": "ee49532b38dd084650bf715eabe7e3828fb8d275",
"versionType": "git"
},
{
"lessThan": "dc7f07bc1ebb56a23fd1c4f664db5cbeb8900800",
"status": "affected",
"version": "ee49532b38dd084650bf715eabe7e3828fb8d275",
"versionType": "git"
},
{
"lessThan": "8ebd16c11c346751b3944d708e6c181ed4746c39",
"status": "affected",
"version": "ee49532b38dd084650bf715eabe7e3828fb8d275",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/events/intel/uncore_snbep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map()\n\npci_get_device() will increase the reference count for the returned\npci_dev, so snr_uncore_get_mc_dev() will return a pci_dev with its\nreference count increased. We need to call pci_dev_put() to decrease the\nreference count. Let\u0027s add the missing pci_dev_put()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:16:28.314Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2afced51108813256d8072c6e464b0c9f0bb890"
},
{
"url": "https://git.kernel.org/stable/c/433bd587dca5c3f7157fef2fe571290cd392cbf6"
},
{
"url": "https://git.kernel.org/stable/c/a67146437b6428069b71a7e5e740a2a8e1c40ac9"
},
{
"url": "https://git.kernel.org/stable/c/dc7f07bc1ebb56a23fd1c4f664db5cbeb8900800"
},
{
"url": "https://git.kernel.org/stable/c/8ebd16c11c346751b3944d708e6c181ed4746c39"
}
],
"title": "perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50615",
"datePublished": "2025-12-08T01:16:28.314Z",
"dateReserved": "2025-12-08T01:14:55.189Z",
"dateUpdated": "2025-12-08T01:16:28.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54052 (GCVE-0-2023-54052)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU
txs may be dropped if the frame is aggregated in AMSDU. When the problem
shows up, some SKBs would be hold in driver to cause network stopped
temporarily. Even if the problem can be recovered by txs timeout handling,
mt7921 still need to disable txs in AMSDU to avoid this issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
163f4d22c118d4eb9e275bf9ee1577c0d14b3208 , < 1cd102aaedb277fbe81dd08cd9f5cae951de2bff
(git)
Affected: 163f4d22c118d4eb9e275bf9ee1577c0d14b3208 , < e74778e91fedc3b2a0143264887bbb32508c5000 (git) Affected: 163f4d22c118d4eb9e275bf9ee1577c0d14b3208 , < bf5d3fad7219b8de7d3a9cb59f0ea5243b018f07 (git) Affected: 163f4d22c118d4eb9e275bf9ee1577c0d14b3208 , < b642f4c5f3de0a8f47808d32b1ebd9c427a42a66 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1cd102aaedb277fbe81dd08cd9f5cae951de2bff",
"status": "affected",
"version": "163f4d22c118d4eb9e275bf9ee1577c0d14b3208",
"versionType": "git"
},
{
"lessThan": "e74778e91fedc3b2a0143264887bbb32508c5000",
"status": "affected",
"version": "163f4d22c118d4eb9e275bf9ee1577c0d14b3208",
"versionType": "git"
},
{
"lessThan": "bf5d3fad7219b8de7d3a9cb59f0ea5243b018f07",
"status": "affected",
"version": "163f4d22c118d4eb9e275bf9ee1577c0d14b3208",
"versionType": "git"
},
{
"lessThan": "b642f4c5f3de0a8f47808d32b1ebd9c427a42a66",
"status": "affected",
"version": "163f4d22c118d4eb9e275bf9ee1577c0d14b3208",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.52",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.15",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: fix skb leak by txs missing in AMSDU\n\ntxs may be dropped if the frame is aggregated in AMSDU. When the problem\nshows up, some SKBs would be hold in driver to cause network stopped\ntemporarily. Even if the problem can be recovered by txs timeout handling,\nmt7921 still need to disable txs in AMSDU to avoid this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:01.797Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1cd102aaedb277fbe81dd08cd9f5cae951de2bff"
},
{
"url": "https://git.kernel.org/stable/c/e74778e91fedc3b2a0143264887bbb32508c5000"
},
{
"url": "https://git.kernel.org/stable/c/bf5d3fad7219b8de7d3a9cb59f0ea5243b018f07"
},
{
"url": "https://git.kernel.org/stable/c/b642f4c5f3de0a8f47808d32b1ebd9c427a42a66"
}
],
"title": "wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54052",
"datePublished": "2025-12-24T12:23:01.797Z",
"dateReserved": "2025-12-24T12:21:05.090Z",
"dateUpdated": "2025-12-24T12:23:01.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39682 (GCVE-0-2025-39682)
Vulnerability from cvelistv5 – Published: 2025-09-05 17:20 – Updated: 2025-11-03 17:42
VLAI?
EPSS
Title
tls: fix handling of zero-length records on the rx_list
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: fix handling of zero-length records on the rx_list
Each recvmsg() call must process either
- only contiguous DATA records (any number of them)
- one non-DATA record
If the next record has different type than what has already been
processed we break out of the main processing loop. If the record
has already been decrypted (which may be the case for TLS 1.3 where
we don't know type until decryption) we queue the pending record
to the rx_list. Next recvmsg() will pick it up from there.
Queuing the skb to rx_list after zero-copy decrypt is not possible,
since in that case we decrypted directly to the user space buffer,
and we don't have an skb to queue (darg.skb points to the ciphertext
skb for access to metadata like length).
Only data records are allowed zero-copy, and we break the processing
loop after each non-data record. So we should never zero-copy and
then find out that the record type has changed. The corner case
we missed is when the initial record comes from rx_list, and it's
zero length.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 2902c3ebcca52ca845c03182000e8d71d3a5196f
(git)
Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 3439c15ae91a517cf3c650ea15a8987699416ad9 (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e (git) Affected: 84c61fe1a75b4255df1e1e7c054c9e6d048da417 , < 62708b9452f8eb77513115b17c4f8d1a22ebf843 (git) |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:13.673Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2902c3ebcca52ca845c03182000e8d71d3a5196f",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "3439c15ae91a517cf3c650ea15a8987699416ad9",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
},
{
"lessThan": "62708b9452f8eb77513115b17c4f8d1a22ebf843",
"status": "affected",
"version": "84c61fe1a75b4255df1e1e7c054c9e6d048da417",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.44",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.44",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.4",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix handling of zero-length records on the rx_list\n\nEach recvmsg() call must process either\n - only contiguous DATA records (any number of them)\n - one non-DATA record\n\nIf the next record has different type than what has already been\nprocessed we break out of the main processing loop. If the record\nhas already been decrypted (which may be the case for TLS 1.3 where\nwe don\u0027t know type until decryption) we queue the pending record\nto the rx_list. Next recvmsg() will pick it up from there.\n\nQueuing the skb to rx_list after zero-copy decrypt is not possible,\nsince in that case we decrypted directly to the user space buffer,\nand we don\u0027t have an skb to queue (darg.skb points to the ciphertext\nskb for access to metadata like length).\n\nOnly data records are allowed zero-copy, and we break the processing\nloop after each non-data record. So we should never zero-copy and\nthen find out that the record type has changed. The corner case\nwe missed is when the initial record comes from rx_list, and it\u0027s\nzero length."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:57:19.459Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2902c3ebcca52ca845c03182000e8d71d3a5196f"
},
{
"url": "https://git.kernel.org/stable/c/c09dd3773b5950e9cfb6c9b9a5f6e36d06c62677"
},
{
"url": "https://git.kernel.org/stable/c/3439c15ae91a517cf3c650ea15a8987699416ad9"
},
{
"url": "https://git.kernel.org/stable/c/29c0ce3c8cdb6dc5d61139c937f34cb888a6f42e"
},
{
"url": "https://git.kernel.org/stable/c/62708b9452f8eb77513115b17c4f8d1a22ebf843"
}
],
"title": "tls: fix handling of zero-length records on the rx_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39682",
"datePublished": "2025-09-05T17:20:48.657Z",
"dateReserved": "2025-04-16T07:20:57.113Z",
"dateUpdated": "2025-11-03T17:42:13.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54178 (GCVE-0-2023-54178)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()
Summary
In the Linux kernel, the following vulnerability has been resolved:
of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()
when kmalloc() fail to allocate memory in kasprintf(), name
or full_name will be NULL, strcmp() will cause
null pointer dereference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0d638a07d3a1e98a7598eb2812a6236324e4c55f , < c364fa869b33ca42a263bf91c22fce7e6c61d479
(git)
Affected: 0d638a07d3a1e98a7598eb2812a6236324e4c55f , < 0b7d715511915a1b39f5fdcbe57a7922dfd66513 (git) Affected: 0d638a07d3a1e98a7598eb2812a6236324e4c55f , < dadf0d0dfcc81cdcb27ba5426676d13a9e4fb925 (git) Affected: 0d638a07d3a1e98a7598eb2812a6236324e4c55f , < f41c65f8d05be734898cbe72af59a401b97d298a (git) Affected: 0d638a07d3a1e98a7598eb2812a6236324e4c55f , < ea5bc6f5aa099e3e84d037282836234ad77cba88 (git) Affected: 0d638a07d3a1e98a7598eb2812a6236324e4c55f , < 43cc228099c514467b8074d7ede6673cef9f33b9 (git) Affected: 0d638a07d3a1e98a7598eb2812a6236324e4c55f , < c74ae8124f9687062dd99858f34c9d027ddd73da (git) Affected: 0d638a07d3a1e98a7598eb2812a6236324e4c55f , < 2dd8ee9de71ad8447f8459fb01dade7f6c7132da (git) Affected: 0d638a07d3a1e98a7598eb2812a6236324e4c55f , < d6ce4f0ea19c32f10867ed93d8386924326ab474 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/of/unittest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c364fa869b33ca42a263bf91c22fce7e6c61d479",
"status": "affected",
"version": "0d638a07d3a1e98a7598eb2812a6236324e4c55f",
"versionType": "git"
},
{
"lessThan": "0b7d715511915a1b39f5fdcbe57a7922dfd66513",
"status": "affected",
"version": "0d638a07d3a1e98a7598eb2812a6236324e4c55f",
"versionType": "git"
},
{
"lessThan": "dadf0d0dfcc81cdcb27ba5426676d13a9e4fb925",
"status": "affected",
"version": "0d638a07d3a1e98a7598eb2812a6236324e4c55f",
"versionType": "git"
},
{
"lessThan": "f41c65f8d05be734898cbe72af59a401b97d298a",
"status": "affected",
"version": "0d638a07d3a1e98a7598eb2812a6236324e4c55f",
"versionType": "git"
},
{
"lessThan": "ea5bc6f5aa099e3e84d037282836234ad77cba88",
"status": "affected",
"version": "0d638a07d3a1e98a7598eb2812a6236324e4c55f",
"versionType": "git"
},
{
"lessThan": "43cc228099c514467b8074d7ede6673cef9f33b9",
"status": "affected",
"version": "0d638a07d3a1e98a7598eb2812a6236324e4c55f",
"versionType": "git"
},
{
"lessThan": "c74ae8124f9687062dd99858f34c9d027ddd73da",
"status": "affected",
"version": "0d638a07d3a1e98a7598eb2812a6236324e4c55f",
"versionType": "git"
},
{
"lessThan": "2dd8ee9de71ad8447f8459fb01dade7f6c7132da",
"status": "affected",
"version": "0d638a07d3a1e98a7598eb2812a6236324e4c55f",
"versionType": "git"
},
{
"lessThan": "d6ce4f0ea19c32f10867ed93d8386924326ab474",
"status": "affected",
"version": "0d638a07d3a1e98a7598eb2812a6236324e4c55f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/of/unittest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()\n\nwhen kmalloc() fail to allocate memory in kasprintf(), name\nor full_name will be NULL, strcmp() will cause\nnull pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:50.324Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c364fa869b33ca42a263bf91c22fce7e6c61d479"
},
{
"url": "https://git.kernel.org/stable/c/0b7d715511915a1b39f5fdcbe57a7922dfd66513"
},
{
"url": "https://git.kernel.org/stable/c/dadf0d0dfcc81cdcb27ba5426676d13a9e4fb925"
},
{
"url": "https://git.kernel.org/stable/c/f41c65f8d05be734898cbe72af59a401b97d298a"
},
{
"url": "https://git.kernel.org/stable/c/ea5bc6f5aa099e3e84d037282836234ad77cba88"
},
{
"url": "https://git.kernel.org/stable/c/43cc228099c514467b8074d7ede6673cef9f33b9"
},
{
"url": "https://git.kernel.org/stable/c/c74ae8124f9687062dd99858f34c9d027ddd73da"
},
{
"url": "https://git.kernel.org/stable/c/2dd8ee9de71ad8447f8459fb01dade7f6c7132da"
},
{
"url": "https://git.kernel.org/stable/c/d6ce4f0ea19c32f10867ed93d8386924326ab474"
}
],
"title": "of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54178",
"datePublished": "2025-12-30T12:08:50.324Z",
"dateReserved": "2025-12-30T12:06:44.496Z",
"dateUpdated": "2025-12-30T12:08:50.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54219 (GCVE-0-2023-54219)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
Revert "IB/isert: Fix incorrect release of isert connection"
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "IB/isert: Fix incorrect release of isert connection"
Commit: 699826f4e30a ("IB/isert: Fix incorrect release of isert connection") is
causing problems on OPA when DEVICE_REMOVAL is happening.
------------[ cut here ]------------
WARNING: CPU: 52 PID: 2117247 at drivers/infiniband/core/cq.c:359
ib_cq_pool_cleanup+0xac/0xb0 [ib_core]
Modules linked in: nfsd nfs_acl target_core_user uio tcm_fc libfc
scsi_transport_fc tcm_loop target_core_pscsi target_core_iblock target_core_file
rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs
rfkill rpcrdma rdma_ucm ib_srpt sunrpc ib_isert iscsi_target_mod target_core_mod
opa_vnic ib_iser libiscsi ib_umad scsi_transport_iscsi rdma_cm ib_ipoib iw_cm
ib_cm hfi1(-) rdmavt ib_uverbs intel_rapl_msr intel_rapl_common sb_edac ib_core
x86_pkg_temp_thermal intel_powerclamp coretemp i2c_i801 mxm_wmi rapl iTCO_wdt
ipmi_si iTCO_vendor_support mei_me ipmi_devintf mei intel_cstate ioatdma
intel_uncore i2c_smbus joydev pcspkr lpc_ich ipmi_msghandler acpi_power_meter
acpi_pad xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg crct10dif_pclmul
crc32_pclmul crc32c_intel drm_kms_helper drm_shmem_helper ahci libahci
ghash_clmulni_intel igb drm libata dca i2c_algo_bit wmi fuse
CPU: 52 PID: 2117247 Comm: modprobe Not tainted 6.5.0-rc1+ #1
Hardware name: Intel Corporation S2600CWR/S2600CW, BIOS
SE5C610.86B.01.01.0014.121820151719 12/18/2015
RIP: 0010:ib_cq_pool_cleanup+0xac/0xb0 [ib_core]
Code: ff 48 8b 43 40 48 8d 7b 40 48 83 e8 40 4c 39 e7 75 b3 49 83
c4 10 4d 39 fc 75 94 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc <0f> 0b eb a1
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f
RSP: 0018:ffffc10bea13fc80 EFLAGS: 00010206
RAX: 000000000000010c RBX: ffff9bf5c7e66c00 RCX: 000000008020001d
RDX: 000000008020001e RSI: fffff175221f9900 RDI: ffff9bf5c7e67640
RBP: ffff9bf5c7e67600 R08: ffff9bf5c7e64400 R09: 000000008020001d
R10: 0000000040000000 R11: 0000000000000000 R12: ffff9bee4b1e8a18
R13: dead000000000122 R14: dead000000000100 R15: ffff9bee4b1e8a38
FS: 00007ff1e6d38740(0000) GS:ffff9bfd9fb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005652044ecc68 CR3: 0000000889b5c005 CR4: 00000000001706e0
Call Trace:
<TASK>
? __warn+0x80/0x130
? ib_cq_pool_cleanup+0xac/0xb0 [ib_core]
? report_bug+0x195/0x1a0
? handle_bug+0x3c/0x70
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? ib_cq_pool_cleanup+0xac/0xb0 [ib_core]
disable_device+0x9d/0x160 [ib_core]
__ib_unregister_device+0x42/0xb0 [ib_core]
ib_unregister_device+0x22/0x30 [ib_core]
rvt_unregister_device+0x20/0x90 [rdmavt]
hfi1_unregister_ib_device+0x16/0xf0 [hfi1]
remove_one+0x55/0x1a0 [hfi1]
pci_device_remove+0x36/0xa0
device_release_driver_internal+0x193/0x200
driver_detach+0x44/0x90
bus_remove_driver+0x69/0xf0
pci_unregister_driver+0x2a/0xb0
hfi1_mod_cleanup+0xc/0x3c [hfi1]
__do_sys_delete_module.constprop.0+0x17a/0x2f0
? exit_to_user_mode_prepare+0xc4/0xd0
? syscall_trace_enter.constprop.0+0x126/0x1a0
do_syscall_64+0x5c/0x90
? syscall_exit_to_user_mode+0x12/0x30
? do_syscall_64+0x69/0x90
? syscall_exit_work+0x103/0x130
? syscall_exit_to_user_mode+0x12/0x30
? do_syscall_64+0x69/0x90
? exc_page_fault+0x65/0x150
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7ff1e643f5ab
Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3
66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0
ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffec9103cc8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00005615267fdc50 RCX: 00007ff1e643f5ab
RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615267fdcb8
RBP: 00005615267fdc50 R08: 0000000000000000 R09: 0000000000000000
R10: 00007ff1e659eac0 R11: 0000000000000206 R12: 00005615267fdcb8
R13: 00000000000
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ccf5a1b28e2b73952e8d23126fa1abc6ff99de55 , < 77e90bd53019d4d4c9e25552b5efb06dfd8c3c82
(git)
Affected: fb4043077b51e577ecccb3233ecfb8764fcea393 , < a277b736309f923d9baff0ef166d694d348a5b96 (git) Affected: 6718478c18a4f4923d86b81dc7e51363e1a60b03 , < 9b6296861a5a9d58aacd72c249a68b073c78bfb4 (git) Affected: 3c97f2c9ec29ce2f61772f6120aabc852f57132e , < aa950b9835f2d004b071fd220459edd3cd0a3603 (git) Affected: 18512de74454fba6ebd06e579f4f1a3200a9e50d , < 1bb42aca7a9611c1991a790834e2a65f3345c5e8 (git) Affected: 277fbf63b34a377c800d25c7cfd8231ba19cffe2 , < 3f39698e7e842abc9bd2bd97bf5eeda4543db758 (git) Affected: 699826f4e30ab76a62c238c86fbef7e826639c8d , < 4082b59705ee9e3912eaa9e15abda8e76039b681 (git) Affected: 699826f4e30ab76a62c238c86fbef7e826639c8d , < a3189341e2f609d48f730b18c8bbbf6783233477 (git) Affected: 699826f4e30ab76a62c238c86fbef7e826639c8d , < dfe261107c080709459c32695847eec96238852b (git) Affected: 2f884e6df67347301e51e6be5ad4b61cc8989114 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/ulp/isert/ib_isert.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "77e90bd53019d4d4c9e25552b5efb06dfd8c3c82",
"status": "affected",
"version": "ccf5a1b28e2b73952e8d23126fa1abc6ff99de55",
"versionType": "git"
},
{
"lessThan": "a277b736309f923d9baff0ef166d694d348a5b96",
"status": "affected",
"version": "fb4043077b51e577ecccb3233ecfb8764fcea393",
"versionType": "git"
},
{
"lessThan": "9b6296861a5a9d58aacd72c249a68b073c78bfb4",
"status": "affected",
"version": "6718478c18a4f4923d86b81dc7e51363e1a60b03",
"versionType": "git"
},
{
"lessThan": "aa950b9835f2d004b071fd220459edd3cd0a3603",
"status": "affected",
"version": "3c97f2c9ec29ce2f61772f6120aabc852f57132e",
"versionType": "git"
},
{
"lessThan": "1bb42aca7a9611c1991a790834e2a65f3345c5e8",
"status": "affected",
"version": "18512de74454fba6ebd06e579f4f1a3200a9e50d",
"versionType": "git"
},
{
"lessThan": "3f39698e7e842abc9bd2bd97bf5eeda4543db758",
"status": "affected",
"version": "277fbf63b34a377c800d25c7cfd8231ba19cffe2",
"versionType": "git"
},
{
"lessThan": "4082b59705ee9e3912eaa9e15abda8e76039b681",
"status": "affected",
"version": "699826f4e30ab76a62c238c86fbef7e826639c8d",
"versionType": "git"
},
{
"lessThan": "a3189341e2f609d48f730b18c8bbbf6783233477",
"status": "affected",
"version": "699826f4e30ab76a62c238c86fbef7e826639c8d",
"versionType": "git"
},
{
"lessThan": "dfe261107c080709459c32695847eec96238852b",
"status": "affected",
"version": "699826f4e30ab76a62c238c86fbef7e826639c8d",
"versionType": "git"
},
{
"status": "affected",
"version": "2f884e6df67347301e51e6be5ad4b61cc8989114",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/ulp/isert/ib_isert.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.14.319",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.19.287",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "5.4.248",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.10.185",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.15.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "6.1.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"IB/isert: Fix incorrect release of isert connection\"\n\nCommit: 699826f4e30a (\"IB/isert: Fix incorrect release of isert connection\") is\ncausing problems on OPA when DEVICE_REMOVAL is happening.\n\n ------------[ cut here ]------------\n WARNING: CPU: 52 PID: 2117247 at drivers/infiniband/core/cq.c:359\nib_cq_pool_cleanup+0xac/0xb0 [ib_core]\n Modules linked in: nfsd nfs_acl target_core_user uio tcm_fc libfc\nscsi_transport_fc tcm_loop target_core_pscsi target_core_iblock target_core_file\nrpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs\nrfkill rpcrdma rdma_ucm ib_srpt sunrpc ib_isert iscsi_target_mod target_core_mod\nopa_vnic ib_iser libiscsi ib_umad scsi_transport_iscsi rdma_cm ib_ipoib iw_cm\nib_cm hfi1(-) rdmavt ib_uverbs intel_rapl_msr intel_rapl_common sb_edac ib_core\nx86_pkg_temp_thermal intel_powerclamp coretemp i2c_i801 mxm_wmi rapl iTCO_wdt\nipmi_si iTCO_vendor_support mei_me ipmi_devintf mei intel_cstate ioatdma\nintel_uncore i2c_smbus joydev pcspkr lpc_ich ipmi_msghandler acpi_power_meter\nacpi_pad xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg crct10dif_pclmul\ncrc32_pclmul crc32c_intel drm_kms_helper drm_shmem_helper ahci libahci\nghash_clmulni_intel igb drm libata dca i2c_algo_bit wmi fuse\n CPU: 52 PID: 2117247 Comm: modprobe Not tainted 6.5.0-rc1+ #1\n Hardware name: Intel Corporation S2600CWR/S2600CW, BIOS\nSE5C610.86B.01.01.0014.121820151719 12/18/2015\n RIP: 0010:ib_cq_pool_cleanup+0xac/0xb0 [ib_core]\n Code: ff 48 8b 43 40 48 8d 7b 40 48 83 e8 40 4c 39 e7 75 b3 49 83\nc4 10 4d 39 fc 75 94 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc \u003c0f\u003e 0b eb a1\n90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f\n RSP: 0018:ffffc10bea13fc80 EFLAGS: 00010206\n RAX: 000000000000010c RBX: ffff9bf5c7e66c00 RCX: 000000008020001d\n RDX: 000000008020001e RSI: fffff175221f9900 RDI: ffff9bf5c7e67640\n RBP: ffff9bf5c7e67600 R08: ffff9bf5c7e64400 R09: 000000008020001d\n R10: 0000000040000000 R11: 0000000000000000 R12: ffff9bee4b1e8a18\n R13: dead000000000122 R14: dead000000000100 R15: ffff9bee4b1e8a38\n FS: 00007ff1e6d38740(0000) GS:ffff9bfd9fb00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00005652044ecc68 CR3: 0000000889b5c005 CR4: 00000000001706e0\n Call Trace:\n \u003cTASK\u003e\n ? __warn+0x80/0x130\n ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core]\n ? report_bug+0x195/0x1a0\n ? handle_bug+0x3c/0x70\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core]\n disable_device+0x9d/0x160 [ib_core]\n __ib_unregister_device+0x42/0xb0 [ib_core]\n ib_unregister_device+0x22/0x30 [ib_core]\n rvt_unregister_device+0x20/0x90 [rdmavt]\n hfi1_unregister_ib_device+0x16/0xf0 [hfi1]\n remove_one+0x55/0x1a0 [hfi1]\n pci_device_remove+0x36/0xa0\n device_release_driver_internal+0x193/0x200\n driver_detach+0x44/0x90\n bus_remove_driver+0x69/0xf0\n pci_unregister_driver+0x2a/0xb0\n hfi1_mod_cleanup+0xc/0x3c [hfi1]\n __do_sys_delete_module.constprop.0+0x17a/0x2f0\n ? exit_to_user_mode_prepare+0xc4/0xd0\n ? syscall_trace_enter.constprop.0+0x126/0x1a0\n do_syscall_64+0x5c/0x90\n ? syscall_exit_to_user_mode+0x12/0x30\n ? do_syscall_64+0x69/0x90\n ? syscall_exit_work+0x103/0x130\n ? syscall_exit_to_user_mode+0x12/0x30\n ? do_syscall_64+0x69/0x90\n ? exc_page_fault+0x65/0x150\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n RIP: 0033:0x7ff1e643f5ab\n Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3\n66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 \u003c48\u003e 3d 01 f0\nff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48\n RSP: 002b:00007ffec9103cc8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0\n RAX: ffffffffffffffda RBX: 00005615267fdc50 RCX: 00007ff1e643f5ab\n RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615267fdcb8\n RBP: 00005615267fdc50 R08: 0000000000000000 R09: 0000000000000000\n R10: 00007ff1e659eac0 R11: 0000000000000206 R12: 00005615267fdcb8\n R13: 00000000000\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:14.720Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/77e90bd53019d4d4c9e25552b5efb06dfd8c3c82"
},
{
"url": "https://git.kernel.org/stable/c/a277b736309f923d9baff0ef166d694d348a5b96"
},
{
"url": "https://git.kernel.org/stable/c/9b6296861a5a9d58aacd72c249a68b073c78bfb4"
},
{
"url": "https://git.kernel.org/stable/c/aa950b9835f2d004b071fd220459edd3cd0a3603"
},
{
"url": "https://git.kernel.org/stable/c/1bb42aca7a9611c1991a790834e2a65f3345c5e8"
},
{
"url": "https://git.kernel.org/stable/c/3f39698e7e842abc9bd2bd97bf5eeda4543db758"
},
{
"url": "https://git.kernel.org/stable/c/4082b59705ee9e3912eaa9e15abda8e76039b681"
},
{
"url": "https://git.kernel.org/stable/c/a3189341e2f609d48f730b18c8bbbf6783233477"
},
{
"url": "https://git.kernel.org/stable/c/dfe261107c080709459c32695847eec96238852b"
}
],
"title": "Revert \"IB/isert: Fix incorrect release of isert connection\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54219",
"datePublished": "2025-12-30T12:11:14.720Z",
"dateReserved": "2025-12-30T12:06:44.501Z",
"dateUpdated": "2025-12-30T12:11:14.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54254 (GCVE-0-2023-54254)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
drm/ttm: Don't leak a resource on eviction error
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/ttm: Don't leak a resource on eviction error
On eviction errors other than -EMULTIHOP we were leaking a resource.
Fix.
v2:
- Avoid yet another goto (Andi Shyti)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
403797925768d9fa870f5b1ebcd20016b397083b , < 7738335d73d0686ec8995e0448e5d1b48cffb2a4
(git)
Affected: 403797925768d9fa870f5b1ebcd20016b397083b , < e9c44738cb1f537b177cc1beabcf6913690460cd (git) Affected: 403797925768d9fa870f5b1ebcd20016b397083b , < 6aea0032380bbb1efebd598ad733d16925167921 (git) Affected: 403797925768d9fa870f5b1ebcd20016b397083b , < e8188c461ee015ba0b9ab2fc82dbd5ebca5a5532 (git) Affected: 6c68fbafb9cd13e13476043fd9f6e10f792f685a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7738335d73d0686ec8995e0448e5d1b48cffb2a4",
"status": "affected",
"version": "403797925768d9fa870f5b1ebcd20016b397083b",
"versionType": "git"
},
{
"lessThan": "e9c44738cb1f537b177cc1beabcf6913690460cd",
"status": "affected",
"version": "403797925768d9fa870f5b1ebcd20016b397083b",
"versionType": "git"
},
{
"lessThan": "6aea0032380bbb1efebd598ad733d16925167921",
"status": "affected",
"version": "403797925768d9fa870f5b1ebcd20016b397083b",
"versionType": "git"
},
{
"lessThan": "e8188c461ee015ba0b9ab2fc82dbd5ebca5a5532",
"status": "affected",
"version": "403797925768d9fa870f5b1ebcd20016b397083b",
"versionType": "git"
},
{
"status": "affected",
"version": "6c68fbafb9cd13e13476043fd9f6e10f792f685a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/ttm/ttm_bo.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.5",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.14.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Don\u0027t leak a resource on eviction error\n\nOn eviction errors other than -EMULTIHOP we were leaking a resource.\nFix.\n\nv2:\n- Avoid yet another goto (Andi Shyti)"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:50.163Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7738335d73d0686ec8995e0448e5d1b48cffb2a4"
},
{
"url": "https://git.kernel.org/stable/c/e9c44738cb1f537b177cc1beabcf6913690460cd"
},
{
"url": "https://git.kernel.org/stable/c/6aea0032380bbb1efebd598ad733d16925167921"
},
{
"url": "https://git.kernel.org/stable/c/e8188c461ee015ba0b9ab2fc82dbd5ebca5a5532"
}
],
"title": "drm/ttm: Don\u0027t leak a resource on eviction error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54254",
"datePublished": "2025-12-30T12:15:50.163Z",
"dateReserved": "2025-12-30T12:06:44.515Z",
"dateUpdated": "2025-12-30T12:15:50.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53845 (GCVE-0-2023-53845)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
nilfs2: fix infinite loop in nilfs_mdt_get_block()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix infinite loop in nilfs_mdt_get_block()
If the disk image that nilfs2 mounts is corrupted and a virtual block
address obtained by block lookup for a metadata file is invalid,
nilfs_bmap_lookup_at_level() may return the same internal return code as
-ENOENT, meaning the block does not exist in the metadata file.
This duplication of return codes confuses nilfs_mdt_get_block(), causing
it to read and create a metadata block indefinitely.
In particular, if this happens to the inode metadata file, ifile,
semaphore i_rwsem can be left held, causing task hangs in lock_mount.
Fix this issue by making nilfs_bmap_lookup_at_level() treat virtual block
address translation failures with -ENOENT as metadata corruption instead
of returning the error code.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bdb265eae08db578e7cf5739be16f389d495fc75 , < cfb0bb4fbd40c1f06da7e9f88c0a2d46155b90c2
(git)
Affected: bdb265eae08db578e7cf5739be16f389d495fc75 , < d536f9976bb04e9c84cf80045a9355975e418f41 (git) Affected: bdb265eae08db578e7cf5739be16f389d495fc75 , < fe1cbbcb1a2532ee1654e1ff121be8906d83c6f0 (git) Affected: bdb265eae08db578e7cf5739be16f389d495fc75 , < 8a89d36a07afe1ed4564df51fefa2bb556c85412 (git) Affected: bdb265eae08db578e7cf5739be16f389d495fc75 , < 8d07d9119642ba43d21f8ba64d51d01931096b20 (git) Affected: bdb265eae08db578e7cf5739be16f389d495fc75 , < 25457d07c8146e57d28906c663def033dc425af6 (git) Affected: bdb265eae08db578e7cf5739be16f389d495fc75 , < 34c5f17222b50c79848bb03ec8811648813e6a45 (git) Affected: bdb265eae08db578e7cf5739be16f389d495fc75 , < 5b29661669cb65b9750a3cf70ed3eaf947b92167 (git) Affected: bdb265eae08db578e7cf5739be16f389d495fc75 , < a6a491c048882e7e424d407d32cba0b52d9ef2bf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/bmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cfb0bb4fbd40c1f06da7e9f88c0a2d46155b90c2",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "d536f9976bb04e9c84cf80045a9355975e418f41",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "fe1cbbcb1a2532ee1654e1ff121be8906d83c6f0",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "8a89d36a07afe1ed4564df51fefa2bb556c85412",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "8d07d9119642ba43d21f8ba64d51d01931096b20",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "25457d07c8146e57d28906c663def033dc425af6",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "34c5f17222b50c79848bb03ec8811648813e6a45",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "5b29661669cb65b9750a3cf70ed3eaf947b92167",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
},
{
"lessThan": "a6a491c048882e7e424d407d32cba0b52d9ef2bf",
"status": "affected",
"version": "bdb265eae08db578e7cf5739be16f389d495fc75",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/bmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.315",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.315",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix infinite loop in nilfs_mdt_get_block()\n\nIf the disk image that nilfs2 mounts is corrupted and a virtual block\naddress obtained by block lookup for a metadata file is invalid,\nnilfs_bmap_lookup_at_level() may return the same internal return code as\n-ENOENT, meaning the block does not exist in the metadata file.\n\nThis duplication of return codes confuses nilfs_mdt_get_block(), causing\nit to read and create a metadata block indefinitely.\n\nIn particular, if this happens to the inode metadata file, ifile,\nsemaphore i_rwsem can be left held, causing task hangs in lock_mount.\n\nFix this issue by making nilfs_bmap_lookup_at_level() treat virtual block\naddress translation failures with -ENOENT as metadata corruption instead\nof returning the error code."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:03.587Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cfb0bb4fbd40c1f06da7e9f88c0a2d46155b90c2"
},
{
"url": "https://git.kernel.org/stable/c/d536f9976bb04e9c84cf80045a9355975e418f41"
},
{
"url": "https://git.kernel.org/stable/c/fe1cbbcb1a2532ee1654e1ff121be8906d83c6f0"
},
{
"url": "https://git.kernel.org/stable/c/8a89d36a07afe1ed4564df51fefa2bb556c85412"
},
{
"url": "https://git.kernel.org/stable/c/8d07d9119642ba43d21f8ba64d51d01931096b20"
},
{
"url": "https://git.kernel.org/stable/c/25457d07c8146e57d28906c663def033dc425af6"
},
{
"url": "https://git.kernel.org/stable/c/34c5f17222b50c79848bb03ec8811648813e6a45"
},
{
"url": "https://git.kernel.org/stable/c/5b29661669cb65b9750a3cf70ed3eaf947b92167"
},
{
"url": "https://git.kernel.org/stable/c/a6a491c048882e7e424d407d32cba0b52d9ef2bf"
}
],
"title": "nilfs2: fix infinite loop in nilfs_mdt_get_block()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53845",
"datePublished": "2025-12-09T01:30:08.016Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2026-01-05T10:33:03.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54037 (GCVE-0-2023-54037)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
ice: prevent NULL pointer deref during reload
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: prevent NULL pointer deref during reload
Calling ethtool during reload can lead to call trace, because VSI isn't
configured for some time, but netdev is alive.
To fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors
to 0 after freeing and add a check for ::tx/rx_rings in ring related
ethtool ops.
Add proper unroll of filters in ice_start_eth().
Reproduction:
$watch -n 0.1 -d 'ethtool -g enp24s0f0np0'
$devlink dev reload pci/0000:18:00.0 action driver_reinit
Call trace before fix:
[66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000
[66303.926259] #PF: supervisor read access in kernel mode
[66303.926286] #PF: error_code(0x0000) - not-present page
[66303.926311] PGD 0 P4D 0
[66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI
[66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G OE 6.4.0-rc5+ #1
[66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018
[66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice]
[66303.926649] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 87 c0 09 00 00 c7 46 04 e0 1f 00 00 c7 46 10 e0 1f 00 00 48 8b 50 20 <48> 8b 12 0f b7 52 3a 89 56 14 48 8b 40 28 48 8b 00 0f b7 40 58 48
[66303.926722] RSP: 0018:ffffad40472f39c8 EFLAGS: 00010246
[66303.926749] RAX: ffff98a8ada05828 RBX: ffff98a8c46dd060 RCX: ffffad40472f3b48
[66303.926781] RDX: 0000000000000000 RSI: ffff98a8c46dd068 RDI: ffff98a8b23c4000
[66303.926811] RBP: ffffad40472f3b48 R08: 00000000000337b0 R09: 0000000000000000
[66303.926843] R10: 0000000000000001 R11: 0000000000000100 R12: ffff98a8b23c4000
[66303.926874] R13: ffff98a8c46dd060 R14: 000000000000000f R15: ffffad40472f3a50
[66303.926906] FS: 00007f6397966740(0000) GS:ffff98b390900000(0000) knlGS:0000000000000000
[66303.926941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[66303.926967] CR2: 0000000000000000 CR3: 000000011ac20002 CR4: 00000000007706e0
[66303.926999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[66303.927029] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[66303.927060] PKRU: 55555554
[66303.927075] Call Trace:
[66303.927094] <TASK>
[66303.927111] ? __die+0x23/0x70
[66303.927140] ? page_fault_oops+0x171/0x4e0
[66303.927176] ? exc_page_fault+0x7f/0x180
[66303.927209] ? asm_exc_page_fault+0x26/0x30
[66303.927244] ? ice_get_ringparam+0x22/0x50 [ice]
[66303.927433] rings_prepare_data+0x62/0x80
[66303.927469] ethnl_default_doit+0xe2/0x350
[66303.927501] genl_family_rcv_msg_doit.isra.0+0xe3/0x140
[66303.927538] genl_rcv_msg+0x1b1/0x2c0
[66303.927561] ? __pfx_ethnl_default_doit+0x10/0x10
[66303.927590] ? __pfx_genl_rcv_msg+0x10/0x10
[66303.927615] netlink_rcv_skb+0x58/0x110
[66303.927644] genl_rcv+0x28/0x40
[66303.927665] netlink_unicast+0x19e/0x290
[66303.927691] netlink_sendmsg+0x254/0x4d0
[66303.927717] sock_sendmsg+0x93/0xa0
[66303.927743] __sys_sendto+0x126/0x170
[66303.927780] __x64_sys_sendto+0x24/0x30
[66303.928593] do_syscall_64+0x5d/0x90
[66303.929370] ? __count_memcg_events+0x60/0xa0
[66303.930146] ? count_memcg_events.constprop.0+0x1a/0x30
[66303.930920] ? handle_mm_fault+0x9e/0x350
[66303.931688] ? do_user_addr_fault+0x258/0x740
[66303.932452] ? exc_page_fault+0x7f/0x180
[66303.933193] entry_SYSCALL_64_after_hwframe+0x72/0xdc
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_base.c",
"drivers/net/ethernet/intel/ice/ice_ethtool.c",
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca03b327224ed6be2d07f42ee6ee1cdd586cfd5b",
"status": "affected",
"version": "5b246e533d0177775c64b40a2af1e62aff5d279b",
"versionType": "git"
},
{
"lessThan": "b3e7b3a6ee92ab927f750a6b19615ce88ece808f",
"status": "affected",
"version": "5b246e533d0177775c64b40a2af1e62aff5d279b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_base.c",
"drivers/net/ethernet/intel/ice/ice_ethtool.c",
"drivers/net/ethernet/intel/ice/ice_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: prevent NULL pointer deref during reload\n\nCalling ethtool during reload can lead to call trace, because VSI isn\u0027t\nconfigured for some time, but netdev is alive.\n\nTo fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors\nto 0 after freeing and add a check for ::tx/rx_rings in ring related\nethtool ops.\n\nAdd proper unroll of filters in ice_start_eth().\n\nReproduction:\n$watch -n 0.1 -d \u0027ethtool -g enp24s0f0np0\u0027\n$devlink dev reload pci/0000:18:00.0 action driver_reinit\n\nCall trace before fix:\n[66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[66303.926259] #PF: supervisor read access in kernel mode\n[66303.926286] #PF: error_code(0x0000) - not-present page\n[66303.926311] PGD 0 P4D 0\n[66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI\n[66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G OE 6.4.0-rc5+ #1\n[66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018\n[66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice]\n[66303.926649] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 87 c0 09 00 00 c7 46 04 e0 1f 00 00 c7 46 10 e0 1f 00 00 48 8b 50 20 \u003c48\u003e 8b 12 0f b7 52 3a 89 56 14 48 8b 40 28 48 8b 00 0f b7 40 58 48\n[66303.926722] RSP: 0018:ffffad40472f39c8 EFLAGS: 00010246\n[66303.926749] RAX: ffff98a8ada05828 RBX: ffff98a8c46dd060 RCX: ffffad40472f3b48\n[66303.926781] RDX: 0000000000000000 RSI: ffff98a8c46dd068 RDI: ffff98a8b23c4000\n[66303.926811] RBP: ffffad40472f3b48 R08: 00000000000337b0 R09: 0000000000000000\n[66303.926843] R10: 0000000000000001 R11: 0000000000000100 R12: ffff98a8b23c4000\n[66303.926874] R13: ffff98a8c46dd060 R14: 000000000000000f R15: ffffad40472f3a50\n[66303.926906] FS: 00007f6397966740(0000) GS:ffff98b390900000(0000) knlGS:0000000000000000\n[66303.926941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[66303.926967] CR2: 0000000000000000 CR3: 000000011ac20002 CR4: 00000000007706e0\n[66303.926999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[66303.927029] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[66303.927060] PKRU: 55555554\n[66303.927075] Call Trace:\n[66303.927094] \u003cTASK\u003e\n[66303.927111] ? __die+0x23/0x70\n[66303.927140] ? page_fault_oops+0x171/0x4e0\n[66303.927176] ? exc_page_fault+0x7f/0x180\n[66303.927209] ? asm_exc_page_fault+0x26/0x30\n[66303.927244] ? ice_get_ringparam+0x22/0x50 [ice]\n[66303.927433] rings_prepare_data+0x62/0x80\n[66303.927469] ethnl_default_doit+0xe2/0x350\n[66303.927501] genl_family_rcv_msg_doit.isra.0+0xe3/0x140\n[66303.927538] genl_rcv_msg+0x1b1/0x2c0\n[66303.927561] ? __pfx_ethnl_default_doit+0x10/0x10\n[66303.927590] ? __pfx_genl_rcv_msg+0x10/0x10\n[66303.927615] netlink_rcv_skb+0x58/0x110\n[66303.927644] genl_rcv+0x28/0x40\n[66303.927665] netlink_unicast+0x19e/0x290\n[66303.927691] netlink_sendmsg+0x254/0x4d0\n[66303.927717] sock_sendmsg+0x93/0xa0\n[66303.927743] __sys_sendto+0x126/0x170\n[66303.927780] __x64_sys_sendto+0x24/0x30\n[66303.928593] do_syscall_64+0x5d/0x90\n[66303.929370] ? __count_memcg_events+0x60/0xa0\n[66303.930146] ? count_memcg_events.constprop.0+0x1a/0x30\n[66303.930920] ? handle_mm_fault+0x9e/0x350\n[66303.931688] ? do_user_addr_fault+0x258/0x740\n[66303.932452] ? exc_page_fault+0x7f/0x180\n[66303.933193] entry_SYSCALL_64_after_hwframe+0x72/0xdc"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:03.906Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca03b327224ed6be2d07f42ee6ee1cdd586cfd5b"
},
{
"url": "https://git.kernel.org/stable/c/b3e7b3a6ee92ab927f750a6b19615ce88ece808f"
}
],
"title": "ice: prevent NULL pointer deref during reload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54037",
"datePublished": "2025-12-24T10:56:03.906Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:03.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50883 (GCVE-0-2022-50883)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-02 15:05
VLAI?
EPSS
Title
bpf: Prevent decl_tag from being referenced in func_proto arg
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Prevent decl_tag from being referenced in func_proto arg
Syzkaller managed to hit another decl_tag issue:
btf_func_proto_check kernel/bpf/btf.c:4506 [inline]
btf_check_all_types kernel/bpf/btf.c:4734 [inline]
btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763
btf_parse kernel/bpf/btf.c:5042 [inline]
btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709
bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342
__sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034
__do_sys_bpf kernel/bpf/syscall.c:5093 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5091 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091
do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48
This seems similar to commit ea68376c8bed ("bpf: prevent decl_tag from being
referenced in func_proto") but for the argument.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef , < 3f3d54962a032581996edda8e6bcbf7a30371234
(git)
Affected: b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef , < e6d276dcc9204f95632580c43d66c52ca502d7ec (git) Affected: b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef , < f17472d4599697d701aa239b4c475a506bccfd19 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f3d54962a032581996edda8e6bcbf7a30371234",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
},
{
"lessThan": "e6d276dcc9204f95632580c43d66c52ca502d7ec",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
},
{
"lessThan": "f17472d4599697d701aa239b4c475a506bccfd19",
"status": "affected",
"version": "b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/btf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent decl_tag from being referenced in func_proto arg\n\nSyzkaller managed to hit another decl_tag issue:\n\n btf_func_proto_check kernel/bpf/btf.c:4506 [inline]\n btf_check_all_types kernel/bpf/btf.c:4734 [inline]\n btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763\n btf_parse kernel/bpf/btf.c:5042 [inline]\n btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709\n bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342\n __sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034\n __do_sys_bpf kernel/bpf/syscall.c:5093 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5091 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091\n do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48\n\nThis seems similar to commit ea68376c8bed (\"bpf: prevent decl_tag from being\nreferenced in func_proto\") but for the argument."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:05:16.927Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f3d54962a032581996edda8e6bcbf7a30371234"
},
{
"url": "https://git.kernel.org/stable/c/e6d276dcc9204f95632580c43d66c52ca502d7ec"
},
{
"url": "https://git.kernel.org/stable/c/f17472d4599697d701aa239b4c475a506bccfd19"
}
],
"title": "bpf: Prevent decl_tag from being referenced in func_proto arg",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50883",
"datePublished": "2025-12-30T12:23:21.675Z",
"dateReserved": "2025-12-30T12:06:07.138Z",
"dateUpdated": "2026-01-02T15:05:16.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53753 (GCVE-0-2023-53753)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2025-12-20 08:51
VLAI?
EPSS
Title
drm/amd/display: fix mapping to non-allocated address
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: fix mapping to non-allocated address
[Why]
There is an issue mapping non-allocated location of memory.
It would allocate gpio registers from an array out of bounds.
[How]
Patch correct numbers of bounds for using.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 8ce8a443ddd9002861a4ee8a7e33a0c02717422f
(git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 24aaf6603600d6d1159973c809ea2737664b28c4 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 9190d4a263264eabf715f5fc1827da45e3fdc247 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/gpio/dcn20/hw_factory_dcn20.c",
"drivers/gpu/drm/amd/display/dc/gpio/dcn30/hw_factory_dcn30.c",
"drivers/gpu/drm/amd/display/dc/gpio/dcn32/hw_factory_dcn32.c",
"drivers/gpu/drm/amd/display/dc/gpio/ddc_regs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ce8a443ddd9002861a4ee8a7e33a0c02717422f",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "24aaf6603600d6d1159973c809ea2737664b28c4",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "9190d4a263264eabf715f5fc1827da45e3fdc247",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/gpio/dcn20/hw_factory_dcn20.c",
"drivers/gpu/drm/amd/display/dc/gpio/dcn30/hw_factory_dcn30.c",
"drivers/gpu/drm/amd/display/dc/gpio/dcn32/hw_factory_dcn32.c",
"drivers/gpu/drm/amd/display/dc/gpio/ddc_regs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix mapping to non-allocated address\n\n[Why]\nThere is an issue mapping non-allocated location of memory.\nIt would allocate gpio registers from an array out of bounds.\n\n[How]\nPatch correct numbers of bounds for using."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:51:14.020Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ce8a443ddd9002861a4ee8a7e33a0c02717422f"
},
{
"url": "https://git.kernel.org/stable/c/24aaf6603600d6d1159973c809ea2737664b28c4"
},
{
"url": "https://git.kernel.org/stable/c/9190d4a263264eabf715f5fc1827da45e3fdc247"
}
],
"title": "drm/amd/display: fix mapping to non-allocated address",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53753",
"datePublished": "2025-12-08T01:19:13.743Z",
"dateReserved": "2025-12-08T01:18:04.279Z",
"dateUpdated": "2025-12-20T08:51:14.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54208 (GCVE-0-2023-54208)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
media: ov5675: Fix memleak in ov5675_init_controls()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: ov5675: Fix memleak in ov5675_init_controls()
There is a kmemleak when testing the media/i2c/ov5675.c with bpf mock
device:
AssertionError: unreferenced object 0xffff888107362160 (size 16):
comm "python3", pid 277, jiffies 4294832798 (age 20.722s)
hex dump (first 16 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000abe7d67c>] __kmalloc_node+0x44/0x1b0
[<000000008a725aac>] kvmalloc_node+0x34/0x180
[<000000009a53cd11>] v4l2_ctrl_handler_init_class+0x11d/0x180
[videodev]
[<0000000055b46db0>] ov5675_probe+0x38b/0x897 [ov5675]
[<00000000153d886c>] i2c_device_probe+0x28d/0x680
[<000000004afb7e8f>] really_probe+0x17c/0x3f0
[<00000000ff2f18e4>] __driver_probe_device+0xe3/0x170
[<000000000a001029>] driver_probe_device+0x49/0x120
[<00000000e39743c7>] __device_attach_driver+0xf7/0x150
[<00000000d32fd070>] bus_for_each_drv+0x114/0x180
[<000000009083ac41>] __device_attach+0x1e5/0x2d0
[<0000000015b4a830>] bus_probe_device+0x126/0x140
[<000000007813deaf>] device_add+0x810/0x1130
[<000000007becb867>] i2c_new_client_device+0x386/0x540
[<000000007f9cf4b4>] of_i2c_register_device+0xf1/0x110
[<00000000ebfdd032>] of_i2c_notify+0xfc/0x1f0
ov5675_init_controls() won't clean all the allocated resources in fail
path, which may causes the memleaks. Add v4l2_ctrl_handler_free() to
prevent memleak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bf27502b1f3bf8095bf81736e506d354a2ce9ec4 , < 086a80b842bcb621d6c4eedad20683f1f674d0c2
(git)
Affected: bf27502b1f3bf8095bf81736e506d354a2ce9ec4 , < bcae9115a163198dce9126aa8bedc1c007ec30ed (git) Affected: bf27502b1f3bf8095bf81736e506d354a2ce9ec4 , < ba54908ae8225d58f1830edb394d4153bcb7d0aa (git) Affected: bf27502b1f3bf8095bf81736e506d354a2ce9ec4 , < 49b849824b9862f177fc77fc92ef95ec54566ecf (git) Affected: bf27502b1f3bf8095bf81736e506d354a2ce9ec4 , < 7a36a6be694df87d019663863b922913947b42af (git) Affected: bf27502b1f3bf8095bf81736e506d354a2ce9ec4 , < dd74ed6c213003533e3abf4c204374ef01d86978 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/ov5675.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "086a80b842bcb621d6c4eedad20683f1f674d0c2",
"status": "affected",
"version": "bf27502b1f3bf8095bf81736e506d354a2ce9ec4",
"versionType": "git"
},
{
"lessThan": "bcae9115a163198dce9126aa8bedc1c007ec30ed",
"status": "affected",
"version": "bf27502b1f3bf8095bf81736e506d354a2ce9ec4",
"versionType": "git"
},
{
"lessThan": "ba54908ae8225d58f1830edb394d4153bcb7d0aa",
"status": "affected",
"version": "bf27502b1f3bf8095bf81736e506d354a2ce9ec4",
"versionType": "git"
},
{
"lessThan": "49b849824b9862f177fc77fc92ef95ec54566ecf",
"status": "affected",
"version": "bf27502b1f3bf8095bf81736e506d354a2ce9ec4",
"versionType": "git"
},
{
"lessThan": "7a36a6be694df87d019663863b922913947b42af",
"status": "affected",
"version": "bf27502b1f3bf8095bf81736e506d354a2ce9ec4",
"versionType": "git"
},
{
"lessThan": "dd74ed6c213003533e3abf4c204374ef01d86978",
"status": "affected",
"version": "bf27502b1f3bf8095bf81736e506d354a2ce9ec4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/i2c/ov5675.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ov5675: Fix memleak in ov5675_init_controls()\n\nThere is a kmemleak when testing the media/i2c/ov5675.c with bpf mock\ndevice:\n\nAssertionError: unreferenced object 0xffff888107362160 (size 16):\n comm \"python3\", pid 277, jiffies 4294832798 (age 20.722s)\n hex dump (first 16 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003c00000000abe7d67c\u003e] __kmalloc_node+0x44/0x1b0\n [\u003c000000008a725aac\u003e] kvmalloc_node+0x34/0x180\n [\u003c000000009a53cd11\u003e] v4l2_ctrl_handler_init_class+0x11d/0x180\n[videodev]\n [\u003c0000000055b46db0\u003e] ov5675_probe+0x38b/0x897 [ov5675]\n [\u003c00000000153d886c\u003e] i2c_device_probe+0x28d/0x680\n [\u003c000000004afb7e8f\u003e] really_probe+0x17c/0x3f0\n [\u003c00000000ff2f18e4\u003e] __driver_probe_device+0xe3/0x170\n [\u003c000000000a001029\u003e] driver_probe_device+0x49/0x120\n [\u003c00000000e39743c7\u003e] __device_attach_driver+0xf7/0x150\n [\u003c00000000d32fd070\u003e] bus_for_each_drv+0x114/0x180\n [\u003c000000009083ac41\u003e] __device_attach+0x1e5/0x2d0\n [\u003c0000000015b4a830\u003e] bus_probe_device+0x126/0x140\n [\u003c000000007813deaf\u003e] device_add+0x810/0x1130\n [\u003c000000007becb867\u003e] i2c_new_client_device+0x386/0x540\n [\u003c000000007f9cf4b4\u003e] of_i2c_register_device+0xf1/0x110\n [\u003c00000000ebfdd032\u003e] of_i2c_notify+0xfc/0x1f0\n\nov5675_init_controls() won\u0027t clean all the allocated resources in fail\npath, which may causes the memleaks. Add v4l2_ctrl_handler_free() to\nprevent memleak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:07.336Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/086a80b842bcb621d6c4eedad20683f1f674d0c2"
},
{
"url": "https://git.kernel.org/stable/c/bcae9115a163198dce9126aa8bedc1c007ec30ed"
},
{
"url": "https://git.kernel.org/stable/c/ba54908ae8225d58f1830edb394d4153bcb7d0aa"
},
{
"url": "https://git.kernel.org/stable/c/49b849824b9862f177fc77fc92ef95ec54566ecf"
},
{
"url": "https://git.kernel.org/stable/c/7a36a6be694df87d019663863b922913947b42af"
},
{
"url": "https://git.kernel.org/stable/c/dd74ed6c213003533e3abf4c204374ef01d86978"
}
],
"title": "media: ov5675: Fix memleak in ov5675_init_controls()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54208",
"datePublished": "2025-12-30T12:11:07.336Z",
"dateReserved": "2025-12-30T12:06:44.500Z",
"dateUpdated": "2025-12-30T12:11:07.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54121 (GCVE-0-2023-54121)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
btrfs: fix incorrect splitting in btrfs_drop_extent_map_range
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix incorrect splitting in btrfs_drop_extent_map_range
In production we were seeing a variety of WARN_ON()'s in the extent_map
code, specifically in btrfs_drop_extent_map_range() when we have to call
add_extent_mapping() for our second split.
Consider the following extent map layout
PINNED
[0 16K) [32K, 48K)
and then we call btrfs_drop_extent_map_range for [0, 36K), with
skip_pinned == true. The initial loop will have
start = 0
end = 36K
len = 36K
we will find the [0, 16k) extent, but since we are pinned we will skip
it, which has this code
start = em_end;
if (end != (u64)-1)
len = start + len - em_end;
em_end here is 16K, so now the values are
start = 16K
len = 16K + 36K - 16K = 36K
len should instead be 20K. This is a problem when we find the next
extent at [32K, 48K), we need to split this extent to leave [36K, 48k),
however the code for the split looks like this
split->start = start + len;
split->len = em_end - (start + len);
In this case we have
em_end = 48K
split->start = 16K + 36K // this should be 16K + 20K
split->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K
and now we have an invalid extent_map in the tree that potentially
overlaps other entries in the extent map. Even in the non-overlapping
case we will have split->start set improperly, which will cause problems
with any block related calculations.
We don't actually need len in this loop, we can simply use end as our
end point, and only adjust start up when we find a pinned extent we need
to skip.
Adjust the logic to do this, which keeps us from inserting an invalid
extent map.
We only skip_pinned in the relocation case, so this is relatively rare,
except in the case where you are running relocation a lot, which can
happen with auto relocation on.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
55ef68990029fcd8d04d42fc184aa7fb18cf309e , < 9f68e2105dd96cf0fafffffafb2337fbd0fbae1f
(git)
Affected: 55ef68990029fcd8d04d42fc184aa7fb18cf309e , < b43a4c99d878cf5e59040e45c96bb0a8358bfb3b (git) Affected: 55ef68990029fcd8d04d42fc184aa7fb18cf309e , < c962098ca4af146f2625ed64399926a098752c9c (git) Affected: c87afd35a28b2661a2626a1b28e9fd69adcad9f9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9f68e2105dd96cf0fafffffafb2337fbd0fbae1f",
"status": "affected",
"version": "55ef68990029fcd8d04d42fc184aa7fb18cf309e",
"versionType": "git"
},
{
"lessThan": "b43a4c99d878cf5e59040e45c96bb0a8358bfb3b",
"status": "affected",
"version": "55ef68990029fcd8d04d42fc184aa7fb18cf309e",
"versionType": "git"
},
{
"lessThan": "c962098ca4af146f2625ed64399926a098752c9c",
"status": "affected",
"version": "55ef68990029fcd8d04d42fc184aa7fb18cf309e",
"versionType": "git"
},
{
"status": "affected",
"version": "c87afd35a28b2661a2626a1b28e9fd69adcad9f9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix incorrect splitting in btrfs_drop_extent_map_range\n\nIn production we were seeing a variety of WARN_ON()\u0027s in the extent_map\ncode, specifically in btrfs_drop_extent_map_range() when we have to call\nadd_extent_mapping() for our second split.\n\nConsider the following extent map layout\n\n\tPINNED\n\t[0 16K) [32K, 48K)\n\nand then we call btrfs_drop_extent_map_range for [0, 36K), with\nskip_pinned == true. The initial loop will have\n\n\tstart = 0\n\tend = 36K\n\tlen = 36K\n\nwe will find the [0, 16k) extent, but since we are pinned we will skip\nit, which has this code\n\n\tstart = em_end;\n\tif (end != (u64)-1)\n\t\tlen = start + len - em_end;\n\nem_end here is 16K, so now the values are\n\n\tstart = 16K\n\tlen = 16K + 36K - 16K = 36K\n\nlen should instead be 20K. This is a problem when we find the next\nextent at [32K, 48K), we need to split this extent to leave [36K, 48k),\nhowever the code for the split looks like this\n\n\tsplit-\u003estart = start + len;\n\tsplit-\u003elen = em_end - (start + len);\n\nIn this case we have\n\n\tem_end = 48K\n\tsplit-\u003estart = 16K + 36K // this should be 16K + 20K\n\tsplit-\u003elen = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K\n\nand now we have an invalid extent_map in the tree that potentially\noverlaps other entries in the extent map. Even in the non-overlapping\ncase we will have split-\u003estart set improperly, which will cause problems\nwith any block related calculations.\n\nWe don\u0027t actually need len in this loop, we can simply use end as our\nend point, and only adjust start up when we find a pinned extent we need\nto skip.\n\nAdjust the logic to do this, which keeps us from inserting an invalid\nextent map.\n\nWe only skip_pinned in the relocation case, so this is relatively rare,\nexcept in the case where you are running relocation a lot, which can\nhappen with auto relocation on."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:41.185Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9f68e2105dd96cf0fafffffafb2337fbd0fbae1f"
},
{
"url": "https://git.kernel.org/stable/c/b43a4c99d878cf5e59040e45c96bb0a8358bfb3b"
},
{
"url": "https://git.kernel.org/stable/c/c962098ca4af146f2625ed64399926a098752c9c"
}
],
"title": "btrfs: fix incorrect splitting in btrfs_drop_extent_map_range",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54121",
"datePublished": "2025-12-24T13:06:41.185Z",
"dateReserved": "2025-12-24T13:02:52.520Z",
"dateUpdated": "2025-12-24T13:06:41.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40187 (GCVE-0-2025-40187)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0
and sctp_ulpevent_make_authkey() returns 0, then the variable
ai_ev remains zero and the zero will be dereferenced
in the sctp_ulpevent_free() function.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < 1014b83778c8677f1d7a57c26dc728baa801ac62
(git)
Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < 7f702f85df0266ed7b5bab81ba50394c92f3c928 (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < dbceedc0213e75bf3e9f9f9e2f66b10699d004fe (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < 025419f4e216a3ae0d0cec622262e98e8078c447 (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < c21f45cfa4a9526b34d76b397c9ef080668b6e73 (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < d0e8f1445c19b1786759ba72a38267e1449bab7e (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < badbd79313e6591616c1b78e29a9b71efed7f035 (git) Affected: 30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b , < 2f3119686ef50319490ccaec81a575973da98815 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1014b83778c8677f1d7a57c26dc728baa801ac62",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "7f702f85df0266ed7b5bab81ba50394c92f3c928",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "dbceedc0213e75bf3e9f9f9e2f66b10699d004fe",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "025419f4e216a3ae0d0cec622262e98e8078c447",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "c21f45cfa4a9526b34d76b397c9ef080668b6e73",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "d0e8f1445c19b1786759ba72a38267e1449bab7e",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "badbd79313e6591616c1b78e29a9b71efed7f035",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
},
{
"lessThan": "2f3119686ef50319490ccaec81a575973da98815",
"status": "affected",
"version": "30f6ebf65bc46161c5aaff1db2e6e7c76aa4a06b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sctp/sm_statefuns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()\n\nIf new_asoc-\u003epeer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0\nand sctp_ulpevent_make_authkey() returns 0, then the variable\nai_ev remains zero and the zero will be dereferenced\nin the sctp_ulpevent_free() function."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:45.756Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1014b83778c8677f1d7a57c26dc728baa801ac62"
},
{
"url": "https://git.kernel.org/stable/c/7f702f85df0266ed7b5bab81ba50394c92f3c928"
},
{
"url": "https://git.kernel.org/stable/c/dbceedc0213e75bf3e9f9f9e2f66b10699d004fe"
},
{
"url": "https://git.kernel.org/stable/c/025419f4e216a3ae0d0cec622262e98e8078c447"
},
{
"url": "https://git.kernel.org/stable/c/c21f45cfa4a9526b34d76b397c9ef080668b6e73"
},
{
"url": "https://git.kernel.org/stable/c/d0e8f1445c19b1786759ba72a38267e1449bab7e"
},
{
"url": "https://git.kernel.org/stable/c/badbd79313e6591616c1b78e29a9b71efed7f035"
},
{
"url": "https://git.kernel.org/stable/c/2f3119686ef50319490ccaec81a575973da98815"
}
],
"title": "net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40187",
"datePublished": "2025-11-12T21:56:29.504Z",
"dateReserved": "2025-04-16T07:20:57.177Z",
"dateUpdated": "2025-12-01T06:19:45.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54159 (GCVE-0-2023-54159)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:07 – Updated: 2025-12-24 13:07
VLAI?
EPSS
Title
usb: mtu3: fix kernel panic at qmu transfer done irq handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: mtu3: fix kernel panic at qmu transfer done irq handler
When handle qmu transfer irq, it will unlock @mtu->lock before give back
request, if another thread handle disconnect event at the same time, and
try to disable ep, it may lock @mtu->lock and free qmu ring, then qmu
irq hanlder may get a NULL gpd, avoid the KE by checking gpd's value before
handling it.
e.g.
qmu done irq on cpu0 thread running on cpu1
qmu_done_tx()
handle gpd [0]
mtu3_requ_complete() mtu3_gadget_ep_disable()
unlock @mtu->lock
give back request lock @mtu->lock
mtu3_ep_disable()
mtu3_gpd_ring_free()
unlock @mtu->lock
lock @mtu->lock
get next gpd [1]
[1]: goto [0] to handle next gpd, and next gpd may be NULL.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
48e0d3735aa557a8adaf94632ca3cf78798e8505 , < 26ca30516b2c49dd04c134cbdf122311c538df98
(git)
Affected: 48e0d3735aa557a8adaf94632ca3cf78798e8505 , < 012936502a9cb7b0604e85bb961eb15e2bb40dd9 (git) Affected: 48e0d3735aa557a8adaf94632ca3cf78798e8505 , < ee53a7a88027cea765c68f3b00a50b8f58d6f786 (git) Affected: 48e0d3735aa557a8adaf94632ca3cf78798e8505 , < f26273428657ef4ca74740e578ae45a3be492f6f (git) Affected: 48e0d3735aa557a8adaf94632ca3cf78798e8505 , < b636aff94a67be46582d4321d11743f1a10cc2c1 (git) Affected: 48e0d3735aa557a8adaf94632ca3cf78798e8505 , < 3a7d4959560a2ee493ef222e3b63d359365f41ec (git) Affected: 48e0d3735aa557a8adaf94632ca3cf78798e8505 , < d28f4091ea7ec3510fd6a3c6d433234e7a2bef14 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/mtu3/mtu3_qmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "26ca30516b2c49dd04c134cbdf122311c538df98",
"status": "affected",
"version": "48e0d3735aa557a8adaf94632ca3cf78798e8505",
"versionType": "git"
},
{
"lessThan": "012936502a9cb7b0604e85bb961eb15e2bb40dd9",
"status": "affected",
"version": "48e0d3735aa557a8adaf94632ca3cf78798e8505",
"versionType": "git"
},
{
"lessThan": "ee53a7a88027cea765c68f3b00a50b8f58d6f786",
"status": "affected",
"version": "48e0d3735aa557a8adaf94632ca3cf78798e8505",
"versionType": "git"
},
{
"lessThan": "f26273428657ef4ca74740e578ae45a3be492f6f",
"status": "affected",
"version": "48e0d3735aa557a8adaf94632ca3cf78798e8505",
"versionType": "git"
},
{
"lessThan": "b636aff94a67be46582d4321d11743f1a10cc2c1",
"status": "affected",
"version": "48e0d3735aa557a8adaf94632ca3cf78798e8505",
"versionType": "git"
},
{
"lessThan": "3a7d4959560a2ee493ef222e3b63d359365f41ec",
"status": "affected",
"version": "48e0d3735aa557a8adaf94632ca3cf78798e8505",
"versionType": "git"
},
{
"lessThan": "d28f4091ea7ec3510fd6a3c6d433234e7a2bef14",
"status": "affected",
"version": "48e0d3735aa557a8adaf94632ca3cf78798e8505",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/mtu3/mtu3_qmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: mtu3: fix kernel panic at qmu transfer done irq handler\n\nWhen handle qmu transfer irq, it will unlock @mtu-\u003elock before give back\nrequest, if another thread handle disconnect event at the same time, and\ntry to disable ep, it may lock @mtu-\u003elock and free qmu ring, then qmu\nirq hanlder may get a NULL gpd, avoid the KE by checking gpd\u0027s value before\nhandling it.\n\ne.g.\nqmu done irq on cpu0 thread running on cpu1\n\nqmu_done_tx()\n handle gpd [0]\n mtu3_requ_complete() mtu3_gadget_ep_disable()\n unlock @mtu-\u003elock\n give back request lock @mtu-\u003elock\n mtu3_ep_disable()\n mtu3_gpd_ring_free()\n unlock @mtu-\u003elock\n lock @mtu-\u003elock\n get next gpd [1]\n\n[1]: goto [0] to handle next gpd, and next gpd may be NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:07:08.207Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/26ca30516b2c49dd04c134cbdf122311c538df98"
},
{
"url": "https://git.kernel.org/stable/c/012936502a9cb7b0604e85bb961eb15e2bb40dd9"
},
{
"url": "https://git.kernel.org/stable/c/ee53a7a88027cea765c68f3b00a50b8f58d6f786"
},
{
"url": "https://git.kernel.org/stable/c/f26273428657ef4ca74740e578ae45a3be492f6f"
},
{
"url": "https://git.kernel.org/stable/c/b636aff94a67be46582d4321d11743f1a10cc2c1"
},
{
"url": "https://git.kernel.org/stable/c/3a7d4959560a2ee493ef222e3b63d359365f41ec"
},
{
"url": "https://git.kernel.org/stable/c/d28f4091ea7ec3510fd6a3c6d433234e7a2bef14"
}
],
"title": "usb: mtu3: fix kernel panic at qmu transfer done irq handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54159",
"datePublished": "2025-12-24T13:07:08.207Z",
"dateReserved": "2025-12-24T13:02:52.531Z",
"dateUpdated": "2025-12-24T13:07:08.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-42752 (GCVE-0-2023-42752)
Vulnerability from cvelistv5 – Published: 2023-10-13 01:41 – Updated: 2024-08-02 19:30
VLAI?
EPSS
Title
Kernel: integer overflow in igmpv3_newpack leading to exploitable memory access
Summary
An integer overflow flaw was found in the Linux kernel. This issue leads to the kernel allocating `skb_shared_info` in the userspace, which is exploitable in systems without SMAP protection since `skb_shared_info` contains references to function pointers.
Severity ?
5.5 (Medium)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| n/a | Kernel |
Unaffected:
6.6-rc1
|
||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:24.025Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-42752"
},
{
"name": "RHBZ#2239828",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239828"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=915d975b2ffa"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c3b704d4a4a2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kernel",
"vendor": "n/a",
"versions": [
{
"status": "unaffected",
"version": "6.6-rc1"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://packages.fedoraproject.org/",
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Fedora",
"vendor": "Fedora"
}
],
"datePublic": "2023-09-19T00:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "An integer overflow flaw was found in the Linux kernel. This issue leads to the kernel allocating `skb_shared_info` in the userspace, which is exploitable in systems without SMAP protection since `skb_shared_info` contains references to function pointers."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-23T02:24:21.308Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-42752"
},
{
"name": "RHBZ#2239828",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2239828"
},
{
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=915d975b2ffa"
},
{
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c3b704d4a4a2"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-09-20T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-09-19T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Kernel: integer overflow in igmpv3_newpack leading to exploitable memory access",
"x_redhatCweChain": "CWE-190: Integer Overflow or Wraparound"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-42752",
"datePublished": "2023-10-13T01:41:49.818Z",
"dateReserved": "2023-09-13T11:03:47.961Z",
"dateUpdated": "2024-08-02T19:30:24.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-54100 (GCVE-0-2023-54100)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
scsi: qedi: Fix use after free bug in qedi_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: qedi: Fix use after free bug in qedi_remove()
In qedi_probe() we call __qedi_probe() which initializes
&qedi->recovery_work with qedi_recovery_handler() and
&qedi->board_disable_work with qedi_board_disable_work().
When qedi_schedule_recovery_handler() is called, schedule_delayed_work()
will finally start the work.
In qedi_remove(), which is called to remove the driver, the following
sequence may be observed:
Fix this by finishing the work before cleanup in qedi_remove().
CPU0 CPU1
|qedi_recovery_handler
qedi_remove |
__qedi_remove |
iscsi_host_free |
scsi_host_put |
//free shost |
|iscsi_host_for_each_session
|//use qedi->shost
Cancel recovery_work and board_disable_work in __qedi_remove().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4b1068f5d74b6cc92319bd7eba40809b1222e73f , < fa19c533ab19161298f0780bcc6523af88f6fd20
(git)
Affected: 4b1068f5d74b6cc92319bd7eba40809b1222e73f , < 5e756a59cee6a8a79b9059c5bdf0ecbf5bb8d151 (git) Affected: 4b1068f5d74b6cc92319bd7eba40809b1222e73f , < 3738a230831e861503119ee2691c4a7dc56ed60a (git) Affected: 4b1068f5d74b6cc92319bd7eba40809b1222e73f , < 89f6023fc321c958a0fb11f143a6eb4544ae3940 (git) Affected: 4b1068f5d74b6cc92319bd7eba40809b1222e73f , < 124027cd1a624ce0347adcd59241a9966a726b22 (git) Affected: 4b1068f5d74b6cc92319bd7eba40809b1222e73f , < c5749639f2d0a1f6cbe187d05f70c2e7c544d748 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qedi/qedi_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa19c533ab19161298f0780bcc6523af88f6fd20",
"status": "affected",
"version": "4b1068f5d74b6cc92319bd7eba40809b1222e73f",
"versionType": "git"
},
{
"lessThan": "5e756a59cee6a8a79b9059c5bdf0ecbf5bb8d151",
"status": "affected",
"version": "4b1068f5d74b6cc92319bd7eba40809b1222e73f",
"versionType": "git"
},
{
"lessThan": "3738a230831e861503119ee2691c4a7dc56ed60a",
"status": "affected",
"version": "4b1068f5d74b6cc92319bd7eba40809b1222e73f",
"versionType": "git"
},
{
"lessThan": "89f6023fc321c958a0fb11f143a6eb4544ae3940",
"status": "affected",
"version": "4b1068f5d74b6cc92319bd7eba40809b1222e73f",
"versionType": "git"
},
{
"lessThan": "124027cd1a624ce0347adcd59241a9966a726b22",
"status": "affected",
"version": "4b1068f5d74b6cc92319bd7eba40809b1222e73f",
"versionType": "git"
},
{
"lessThan": "c5749639f2d0a1f6cbe187d05f70c2e7c544d748",
"status": "affected",
"version": "4b1068f5d74b6cc92319bd7eba40809b1222e73f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/qedi/qedi_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.112",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedi: Fix use after free bug in qedi_remove()\n\nIn qedi_probe() we call __qedi_probe() which initializes\n\u0026qedi-\u003erecovery_work with qedi_recovery_handler() and\n\u0026qedi-\u003eboard_disable_work with qedi_board_disable_work().\n\nWhen qedi_schedule_recovery_handler() is called, schedule_delayed_work()\nwill finally start the work.\n\nIn qedi_remove(), which is called to remove the driver, the following\nsequence may be observed:\n\nFix this by finishing the work before cleanup in qedi_remove().\n\nCPU0 CPU1\n\n |qedi_recovery_handler\nqedi_remove |\n __qedi_remove |\niscsi_host_free |\nscsi_host_put |\n//free shost |\n |iscsi_host_for_each_session\n |//use qedi-\u003eshost\n\nCancel recovery_work and board_disable_work in __qedi_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:26.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa19c533ab19161298f0780bcc6523af88f6fd20"
},
{
"url": "https://git.kernel.org/stable/c/5e756a59cee6a8a79b9059c5bdf0ecbf5bb8d151"
},
{
"url": "https://git.kernel.org/stable/c/3738a230831e861503119ee2691c4a7dc56ed60a"
},
{
"url": "https://git.kernel.org/stable/c/89f6023fc321c958a0fb11f143a6eb4544ae3940"
},
{
"url": "https://git.kernel.org/stable/c/124027cd1a624ce0347adcd59241a9966a726b22"
},
{
"url": "https://git.kernel.org/stable/c/c5749639f2d0a1f6cbe187d05f70c2e7c544d748"
}
],
"title": "scsi: qedi: Fix use after free bug in qedi_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54100",
"datePublished": "2025-12-24T13:06:26.560Z",
"dateReserved": "2025-12-24T13:02:52.517Z",
"dateUpdated": "2025-12-24T13:06:26.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50724 (GCVE-0-2022-50724)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
regulator: core: fix resource leak in regulator_register()
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: fix resource leak in regulator_register()
I got some resource leak reports while doing fault injection test:
OF: ERROR: memory leak, expected refcount 1 instead of 100,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /i2c/pmic@64/regulators/buck1
unreferenced object 0xffff88810deea000 (size 512):
comm "490-i2c-rt5190a", pid 253, jiffies 4294859840 (age 5061.046s)
hex dump (first 32 bytes):
00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
ff ff ff ff ff ff ff ff a0 1e 00 a1 ff ff ff ff ................
backtrace:
[<00000000d78541e2>] kmalloc_trace+0x21/0x110
[<00000000b343d153>] device_private_init+0x32/0xd0
[<00000000be1f0c70>] device_add+0xb2d/0x1030
[<00000000e3e6344d>] regulator_register+0xaf2/0x12a0
[<00000000e2f5e754>] devm_regulator_register+0x57/0xb0
[<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator]
unreferenced object 0xffff88810b617b80 (size 32):
comm "490-i2c-rt5190a", pid 253, jiffies 4294859904 (age 5060.983s)
hex dump (first 32 bytes):
72 65 67 75 6c 61 74 6f 72 2e 32 38 36 38 2d 53 regulator.2868-S
55 50 50 4c 59 00 ff ff 29 00 00 00 2b 00 00 00 UPPLY...)...+...
backtrace:
[<000000009da9280d>] __kmalloc_node_track_caller+0x44/0x1b0
[<0000000025c6a4e5>] kstrdup+0x3a/0x70
[<00000000790efb69>] create_regulator+0xc0/0x4e0
[<0000000005ed203a>] regulator_resolve_supply+0x2d4/0x440
[<0000000045796214>] regulator_register+0x10b3/0x12a0
[<00000000e2f5e754>] devm_regulator_register+0x57/0xb0
[<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator]
After calling regulator_resolve_supply(), the 'rdev->supply' is set
by set_supply(), after this set, in the error path, the resources
need be released, so call regulator_put() to avoid the leaks.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0120ec32a7774b5061ced1a9a7ff833edd8b4cb6 , < 35593d60b1622834984c43add7646d4069671aa9
(git)
Affected: aea6cb99703e17019e025aa71643b4d3e0a24413 , < 6a03c31d08f95dca9633a552de167b9e625833a8 (git) Affected: aea6cb99703e17019e025aa71643b4d3e0a24413 , < c4c64d8abd656b9807b63178750fa91454602b86 (git) Affected: aea6cb99703e17019e025aa71643b4d3e0a24413 , < 90b713aadc1240bf2dd03d610d6c1d016a9123a2 (git) Affected: aea6cb99703e17019e025aa71643b4d3e0a24413 , < f86b2f216636790d5922458578825e4628fb570f (git) Affected: aea6cb99703e17019e025aa71643b4d3e0a24413 , < ba62319a42c50e6254e98b3f316464fac8e77968 (git) Affected: 1d58235c062309d51660fd04182d7a8ab6a48ad6 (git) Affected: 167c3b1f9793a1fb23e75e693f078420850306d4 (git) Affected: 3fc99e38fdbf6b693693f861aa55a50a74c2d202 (git) Affected: 96c6b5d5775637b3095ef934f871044811fd4db7 (git) Affected: f58ce31b05b4ca0c200a5cbe4724efe279405095 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "35593d60b1622834984c43add7646d4069671aa9",
"status": "affected",
"version": "0120ec32a7774b5061ced1a9a7ff833edd8b4cb6",
"versionType": "git"
},
{
"lessThan": "6a03c31d08f95dca9633a552de167b9e625833a8",
"status": "affected",
"version": "aea6cb99703e17019e025aa71643b4d3e0a24413",
"versionType": "git"
},
{
"lessThan": "c4c64d8abd656b9807b63178750fa91454602b86",
"status": "affected",
"version": "aea6cb99703e17019e025aa71643b4d3e0a24413",
"versionType": "git"
},
{
"lessThan": "90b713aadc1240bf2dd03d610d6c1d016a9123a2",
"status": "affected",
"version": "aea6cb99703e17019e025aa71643b4d3e0a24413",
"versionType": "git"
},
{
"lessThan": "f86b2f216636790d5922458578825e4628fb570f",
"status": "affected",
"version": "aea6cb99703e17019e025aa71643b4d3e0a24413",
"versionType": "git"
},
{
"lessThan": "ba62319a42c50e6254e98b3f316464fac8e77968",
"status": "affected",
"version": "aea6cb99703e17019e025aa71643b4d3e0a24413",
"versionType": "git"
},
{
"status": "affected",
"version": "1d58235c062309d51660fd04182d7a8ab6a48ad6",
"versionType": "git"
},
{
"status": "affected",
"version": "167c3b1f9793a1fb23e75e693f078420850306d4",
"versionType": "git"
},
{
"status": "affected",
"version": "3fc99e38fdbf6b693693f861aa55a50a74c2d202",
"versionType": "git"
},
{
"status": "affected",
"version": "96c6b5d5775637b3095ef934f871044811fd4db7",
"versionType": "git"
},
{
"status": "affected",
"version": "f58ce31b05b4ca0c200a5cbe4724efe279405095",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.241",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: fix resource leak in regulator_register()\n\nI got some resource leak reports while doing fault injection test:\n\n OF: ERROR: memory leak, expected refcount 1 instead of 100,\n of_node_get()/of_node_put() unbalanced - destroy cset entry:\n attach overlay node /i2c/pmic@64/regulators/buck1\n\nunreferenced object 0xffff88810deea000 (size 512):\n comm \"490-i2c-rt5190a\", pid 253, jiffies 4294859840 (age 5061.046s)\n hex dump (first 32 bytes):\n 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\n ff ff ff ff ff ff ff ff a0 1e 00 a1 ff ff ff ff ................\n backtrace:\n [\u003c00000000d78541e2\u003e] kmalloc_trace+0x21/0x110\n [\u003c00000000b343d153\u003e] device_private_init+0x32/0xd0\n [\u003c00000000be1f0c70\u003e] device_add+0xb2d/0x1030\n [\u003c00000000e3e6344d\u003e] regulator_register+0xaf2/0x12a0\n [\u003c00000000e2f5e754\u003e] devm_regulator_register+0x57/0xb0\n [\u003c000000008b898197\u003e] rt5190a_probe+0x52a/0x861 [rt5190a_regulator]\n\nunreferenced object 0xffff88810b617b80 (size 32):\n comm \"490-i2c-rt5190a\", pid 253, jiffies 4294859904 (age 5060.983s)\n hex dump (first 32 bytes):\n 72 65 67 75 6c 61 74 6f 72 2e 32 38 36 38 2d 53 regulator.2868-S\n 55 50 50 4c 59 00 ff ff 29 00 00 00 2b 00 00 00 UPPLY...)...+...\n backtrace:\n [\u003c000000009da9280d\u003e] __kmalloc_node_track_caller+0x44/0x1b0\n [\u003c0000000025c6a4e5\u003e] kstrdup+0x3a/0x70\n [\u003c00000000790efb69\u003e] create_regulator+0xc0/0x4e0\n [\u003c0000000005ed203a\u003e] regulator_resolve_supply+0x2d4/0x440\n [\u003c0000000045796214\u003e] regulator_register+0x10b3/0x12a0\n [\u003c00000000e2f5e754\u003e] devm_regulator_register+0x57/0xb0\n [\u003c000000008b898197\u003e] rt5190a_probe+0x52a/0x861 [rt5190a_regulator]\n\nAfter calling regulator_resolve_supply(), the \u0027rdev-\u003esupply\u0027 is set\nby set_supply(), after this set, in the error path, the resources\nneed be released, so call regulator_put() to avoid the leaks."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:46.251Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/35593d60b1622834984c43add7646d4069671aa9"
},
{
"url": "https://git.kernel.org/stable/c/6a03c31d08f95dca9633a552de167b9e625833a8"
},
{
"url": "https://git.kernel.org/stable/c/c4c64d8abd656b9807b63178750fa91454602b86"
},
{
"url": "https://git.kernel.org/stable/c/90b713aadc1240bf2dd03d610d6c1d016a9123a2"
},
{
"url": "https://git.kernel.org/stable/c/f86b2f216636790d5922458578825e4628fb570f"
},
{
"url": "https://git.kernel.org/stable/c/ba62319a42c50e6254e98b3f316464fac8e77968"
}
],
"title": "regulator: core: fix resource leak in regulator_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50724",
"datePublished": "2025-12-24T12:22:46.251Z",
"dateReserved": "2025-12-24T12:20:40.330Z",
"dateUpdated": "2025-12-24T12:22:46.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53802 (GCVE-0-2023-53802)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
It is stated that ath9k_htc_rx_msg() either frees the provided skb or
passes its management to another callback function. However, the skb is
not freed in case there is no another callback function, and Syzkaller was
able to cause a memory leak. Also minor comment fix.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fb9987d0f748c983bb795a86f47522313f701a08 , < b11f95f65cc52ee3a756e6f6a88df37a203e25bd
(git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 68171c006c8645a3e0293a6c3e6037c6538ac1c5 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 564bc2222bf50eb6cdee715a5431bf4dc9f923c1 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < ec246dfe006b2a8f36353f7489e4f525114db9a5 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < c0c0614f143b568cd0e9525d53cf12e5dcd11987 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 5a84e51f72580fc70066b03f3dac38421e702a0b (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < bbfababb4f899fe1556eac195f9774b6fe675fb6 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b11f95f65cc52ee3a756e6f6a88df37a203e25bd",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "68171c006c8645a3e0293a6c3e6037c6538ac1c5",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "564bc2222bf50eb6cdee715a5431bf4dc9f923c1",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "ec246dfe006b2a8f36353f7489e4f525114db9a5",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "c0c0614f143b568cd0e9525d53cf12e5dcd11987",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "5a84e51f72580fc70066b03f3dac38421e702a0b",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "bbfababb4f899fe1556eac195f9774b6fe675fb6",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/htc_hst.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function\n\nIt is stated that ath9k_htc_rx_msg() either frees the provided skb or\npasses its management to another callback function. However, the skb is\nnot freed in case there is no another callback function, and Syzkaller was\nable to cause a memory leak. Also minor comment fix.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:58.582Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b11f95f65cc52ee3a756e6f6a88df37a203e25bd"
},
{
"url": "https://git.kernel.org/stable/c/68171c006c8645a3e0293a6c3e6037c6538ac1c5"
},
{
"url": "https://git.kernel.org/stable/c/564bc2222bf50eb6cdee715a5431bf4dc9f923c1"
},
{
"url": "https://git.kernel.org/stable/c/ec246dfe006b2a8f36353f7489e4f525114db9a5"
},
{
"url": "https://git.kernel.org/stable/c/c0c0614f143b568cd0e9525d53cf12e5dcd11987"
},
{
"url": "https://git.kernel.org/stable/c/5a84e51f72580fc70066b03f3dac38421e702a0b"
},
{
"url": "https://git.kernel.org/stable/c/bbfababb4f899fe1556eac195f9774b6fe675fb6"
},
{
"url": "https://git.kernel.org/stable/c/9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69"
}
],
"title": "wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53802",
"datePublished": "2025-12-09T00:00:58.582Z",
"dateReserved": "2025-12-08T23:58:35.275Z",
"dateUpdated": "2025-12-09T00:00:58.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54040 (GCVE-0-2023-54040)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
ice: fix wrong fallback logic for FDIR
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix wrong fallback logic for FDIR
When adding a FDIR filter, if ice_vc_fdir_set_irq_ctx returns failure,
the inserted fdir entry will not be removed and if ice_vc_fdir_write_fltr
returns failure, the fdir context info for irq handler will not be cleared
which may lead to inconsistent or memory leak issue. This patch refines
failure cases to resolve this issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1f7ea1cd6a3748427512ccc9582e18cd9efea966 , < 391d28c0e38c0e5b11a4240a2b4976cf63e87f45
(git)
Affected: 1f7ea1cd6a3748427512ccc9582e18cd9efea966 , < aad3b871efe26f36f45f8b4649653b5d3fd9c35e (git) Affected: 1f7ea1cd6a3748427512ccc9582e18cd9efea966 , < cbfed5f114b5310f221979fc8190f55c6abc3400 (git) Affected: 1f7ea1cd6a3748427512ccc9582e18cd9efea966 , < b4a01ace20f5c93c724abffc0a83ec84f514b98d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "391d28c0e38c0e5b11a4240a2b4976cf63e87f45",
"status": "affected",
"version": "1f7ea1cd6a3748427512ccc9582e18cd9efea966",
"versionType": "git"
},
{
"lessThan": "aad3b871efe26f36f45f8b4649653b5d3fd9c35e",
"status": "affected",
"version": "1f7ea1cd6a3748427512ccc9582e18cd9efea966",
"versionType": "git"
},
{
"lessThan": "cbfed5f114b5310f221979fc8190f55c6abc3400",
"status": "affected",
"version": "1f7ea1cd6a3748427512ccc9582e18cd9efea966",
"versionType": "git"
},
{
"lessThan": "b4a01ace20f5c93c724abffc0a83ec84f514b98d",
"status": "affected",
"version": "1f7ea1cd6a3748427512ccc9582e18cd9efea966",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.107",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix wrong fallback logic for FDIR\n\nWhen adding a FDIR filter, if ice_vc_fdir_set_irq_ctx returns failure,\nthe inserted fdir entry will not be removed and if ice_vc_fdir_write_fltr\nreturns failure, the fdir context info for irq handler will not be cleared\nwhich may lead to inconsistent or memory leak issue. This patch refines\nfailure cases to resolve this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:06.094Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/391d28c0e38c0e5b11a4240a2b4976cf63e87f45"
},
{
"url": "https://git.kernel.org/stable/c/aad3b871efe26f36f45f8b4649653b5d3fd9c35e"
},
{
"url": "https://git.kernel.org/stable/c/cbfed5f114b5310f221979fc8190f55c6abc3400"
},
{
"url": "https://git.kernel.org/stable/c/b4a01ace20f5c93c724abffc0a83ec84f514b98d"
}
],
"title": "ice: fix wrong fallback logic for FDIR",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54040",
"datePublished": "2025-12-24T10:56:06.094Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:06.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40139 (GCVE-0-2025-40139)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().
smc_clc_prfx_set() is called during connect() and not under RCU
nor RTNL.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()
after kernel_getsockname().
Note that the returned value of smc_clc_prfx_set() is not used
in the caller.
While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()
not to touch dst there.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_clc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0736993bfe5c7a9c744ae3fac62d769dfdae54e1",
"status": "affected",
"version": "a046d57da19f812216f393e7c535f5858f793ac3",
"versionType": "git"
},
{
"lessThan": "935d783e5de9b64587f3adb25641dd8385e64ddb",
"status": "affected",
"version": "a046d57da19f812216f393e7c535f5858f793ac3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_clc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().\n\nsmc_clc_prfx_set() is called during connect() and not under RCU\nnor RTNL.\n\nUsing sk_dst_get(sk)-\u003edev could trigger UAF.\n\nLet\u0027s use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()\nafter kernel_getsockname().\n\nNote that the returned value of smc_clc_prfx_set() is not used\nin the caller.\n\nWhile at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()\nnot to touch dst there."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:47.147Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0736993bfe5c7a9c744ae3fac62d769dfdae54e1"
},
{
"url": "https://git.kernel.org/stable/c/935d783e5de9b64587f3adb25641dd8385e64ddb"
}
],
"title": "smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40139",
"datePublished": "2025-11-12T10:23:24.216Z",
"dateReserved": "2025-04-16T07:20:57.171Z",
"dateUpdated": "2025-12-01T06:18:47.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53842 (GCVE-0-2023-53842)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove
The MBHC resources must be released on component probe failure and
removal so can not be tied to the lifetime of the component device.
This is specifically needed to allow probe deferrals of the sound card
which otherwise fails when reprobing the codec component:
snd-sc8280xp sound: ASoC: failed to instantiate card -517
genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr)
wcd938x_codec audio-codec: Failed to request mbhc interrupts -16
wcd938x_codec audio-codec: mbhc initialization failed
wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16
snd-sc8280xp sound: ASoC: failed to instantiate card -16
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < 90ab6446eb522e31421b77bf8f45714f5668f9a3
(git)
Affected: 0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < 17feff71d06c96dea1fa72451c20d411e9d5ac8f (git) Affected: 0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < ce4059e1c0aca972446e06c09ee09a0d2ba5df54 (git) Affected: 0e5c9e7ff899808afa4e2b08c2e6ccc469bed681 , < a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd-mbhc-v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90ab6446eb522e31421b77bf8f45714f5668f9a3",
"status": "affected",
"version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
"versionType": "git"
},
{
"lessThan": "17feff71d06c96dea1fa72451c20d411e9d5ac8f",
"status": "affected",
"version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
"versionType": "git"
},
{
"lessThan": "ce4059e1c0aca972446e06c09ee09a0d2ba5df54",
"status": "affected",
"version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
"versionType": "git"
},
{
"lessThan": "a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30",
"status": "affected",
"version": "0e5c9e7ff899808afa4e2b08c2e6ccc469bed681",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/wcd-mbhc-v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove\n\nThe MBHC resources must be released on component probe failure and\nremoval so can not be tied to the lifetime of the component device.\n\nThis is specifically needed to allow probe deferrals of the sound card\nwhich otherwise fails when reprobing the codec component:\n\n snd-sc8280xp sound: ASoC: failed to instantiate card -517\n genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr)\n wcd938x_codec audio-codec: Failed to request mbhc interrupts -16\n wcd938x_codec audio-codec: mbhc initialization failed\n wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16\n snd-sc8280xp sound: ASoC: failed to instantiate card -16"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:04.183Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90ab6446eb522e31421b77bf8f45714f5668f9a3"
},
{
"url": "https://git.kernel.org/stable/c/17feff71d06c96dea1fa72451c20d411e9d5ac8f"
},
{
"url": "https://git.kernel.org/stable/c/ce4059e1c0aca972446e06c09ee09a0d2ba5df54"
},
{
"url": "https://git.kernel.org/stable/c/a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30"
}
],
"title": "ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53842",
"datePublished": "2025-12-09T01:30:04.183Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:30:04.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50836 (GCVE-0-2022-50836)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2025-12-30 12:10
VLAI?
EPSS
Title
remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()
Summary
In the Linux kernel, the following vulnerability has been resolved:
remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()
The kfree() should be called when of_irq_get_byname() fails or
devm_request_threaded_irq() fails in qcom_add_sysmon_subdev(),
otherwise there will be a memory leak, so add kfree() to fix it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
027045a6e2b7cd81216e8a559534a30fb0782702 , < 27441fab2651cd909d8a5440ca079bc50245f427
(git)
Affected: 027045a6e2b7cd81216e8a559534a30fb0782702 , < e4539eb5c0c342567183fe386d0699c8dab49490 (git) Affected: 027045a6e2b7cd81216e8a559534a30fb0782702 , < 131c0a3ead78d45f0f39ddb42cf1bd9be26239b0 (git) Affected: 027045a6e2b7cd81216e8a559534a30fb0782702 , < 1a62bebe0705556d37cfa8409ddc759b11d404f6 (git) Affected: 027045a6e2b7cd81216e8a559534a30fb0782702 , < ec97e9a5c2f25d2f9f9d7005e9ac67f23cc751cd (git) Affected: 027045a6e2b7cd81216e8a559534a30fb0782702 , < e01ce676aaef3b13d02343d7e70f9637d93a3367 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/qcom_sysmon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27441fab2651cd909d8a5440ca079bc50245f427",
"status": "affected",
"version": "027045a6e2b7cd81216e8a559534a30fb0782702",
"versionType": "git"
},
{
"lessThan": "e4539eb5c0c342567183fe386d0699c8dab49490",
"status": "affected",
"version": "027045a6e2b7cd81216e8a559534a30fb0782702",
"versionType": "git"
},
{
"lessThan": "131c0a3ead78d45f0f39ddb42cf1bd9be26239b0",
"status": "affected",
"version": "027045a6e2b7cd81216e8a559534a30fb0782702",
"versionType": "git"
},
{
"lessThan": "1a62bebe0705556d37cfa8409ddc759b11d404f6",
"status": "affected",
"version": "027045a6e2b7cd81216e8a559534a30fb0782702",
"versionType": "git"
},
{
"lessThan": "ec97e9a5c2f25d2f9f9d7005e9ac67f23cc751cd",
"status": "affected",
"version": "027045a6e2b7cd81216e8a559534a30fb0782702",
"versionType": "git"
},
{
"lessThan": "e01ce676aaef3b13d02343d7e70f9637d93a3367",
"status": "affected",
"version": "027045a6e2b7cd81216e8a559534a30fb0782702",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/qcom_sysmon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()\n\nThe kfree() should be called when of_irq_get_byname() fails or\ndevm_request_threaded_irq() fails in qcom_add_sysmon_subdev(),\notherwise there will be a memory leak, so add kfree() to fix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:10:56.394Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27441fab2651cd909d8a5440ca079bc50245f427"
},
{
"url": "https://git.kernel.org/stable/c/e4539eb5c0c342567183fe386d0699c8dab49490"
},
{
"url": "https://git.kernel.org/stable/c/131c0a3ead78d45f0f39ddb42cf1bd9be26239b0"
},
{
"url": "https://git.kernel.org/stable/c/1a62bebe0705556d37cfa8409ddc759b11d404f6"
},
{
"url": "https://git.kernel.org/stable/c/ec97e9a5c2f25d2f9f9d7005e9ac67f23cc751cd"
},
{
"url": "https://git.kernel.org/stable/c/e01ce676aaef3b13d02343d7e70f9637d93a3367"
}
],
"title": "remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50836",
"datePublished": "2025-12-30T12:10:56.394Z",
"dateReserved": "2025-12-30T12:06:07.132Z",
"dateUpdated": "2025-12-30T12:10:56.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40248 (GCVE-0-2025-40248)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38
VLAI?
EPSS
Title
vsock: Ignore signal/timeout on connect() if already established
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: Ignore signal/timeout on connect() if already established
During connect(), acting on a signal/timeout by disconnecting an already
established socket leads to several issues:
1. connect() invoking vsock_transport_cancel_pkt() ->
virtio_transport_purge_skbs() may race with sendmsg() invoking
virtio_transport_get_credit(). This results in a permanently elevated
`vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.
2. connect() resetting a connected socket's state may race with socket
being placed in a sockmap. A disconnected socket remaining in a sockmap
breaks sockmap's assumptions. And gives rise to WARNs.
3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a
transport change/drop after TCP_ESTABLISHED. Which poses a problem for
any simultaneous sendmsg() or connect() and may result in a
use-after-free/null-ptr-deref.
Do not disconnect socket on signal/timeout. Keep the logic for unconnected
sockets: they don't linger, can't be placed in a sockmap, are rejected by
sendmsg().
[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/
[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/
[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d021c344051af91f42c5ba9fdedc176740cbd238 , < 3f71753935d648082a8279a97d30efe6b85be680
(git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < da664101fb4a0de5cb70d2bae6a650df954df2af (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 67432915145848658149683101104e32f9fd6559 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < eeca93f06df89be5a36305b7b9dae1ed65550dfc (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 5998da5a8208ae9ad7838ba322bccb2bdcd95e81 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < f1c170cae285e4b8f61be043bb17addc3d0a14b5 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < ab6b19f690d89ae4709fba73a3c4a7911f495b7a (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 002541ef650b742a198e4be363881439bb9d86b4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f71753935d648082a8279a97d30efe6b85be680",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "da664101fb4a0de5cb70d2bae6a650df954df2af",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "67432915145848658149683101104e32f9fd6559",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "eeca93f06df89be5a36305b7b9dae1ed65550dfc",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "5998da5a8208ae9ad7838ba322bccb2bdcd95e81",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "f1c170cae285e4b8f61be043bb17addc3d0a14b5",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "ab6b19f690d89ae4709fba73a3c4a7911f495b7a",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "002541ef650b742a198e4be363881439bb9d86b4",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Ignore signal/timeout on connect() if already established\n\nDuring connect(), acting on a signal/timeout by disconnecting an already\nestablished socket leads to several issues:\n\n1. connect() invoking vsock_transport_cancel_pkt() -\u003e\n virtio_transport_purge_skbs() may race with sendmsg() invoking\n virtio_transport_get_credit(). This results in a permanently elevated\n `vvs-\u003ebytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.\n\n2. connect() resetting a connected socket\u0027s state may race with socket\n being placed in a sockmap. A disconnected socket remaining in a sockmap\n breaks sockmap\u0027s assumptions. And gives rise to WARNs.\n\n3. connect() transitioning SS_CONNECTED -\u003e SS_UNCONNECTED allows for a\n transport change/drop after TCP_ESTABLISHED. Which poses a problem for\n any simultaneous sendmsg() or connect() and may result in a\n use-after-free/null-ptr-deref.\n\nDo not disconnect socket on signal/timeout. Keep the logic for unconnected\nsockets: they don\u0027t linger, can\u0027t be placed in a sockmap, are rejected by\nsendmsg().\n\n[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/\n[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/\n[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:38:46.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f71753935d648082a8279a97d30efe6b85be680"
},
{
"url": "https://git.kernel.org/stable/c/da664101fb4a0de5cb70d2bae6a650df954df2af"
},
{
"url": "https://git.kernel.org/stable/c/67432915145848658149683101104e32f9fd6559"
},
{
"url": "https://git.kernel.org/stable/c/eeca93f06df89be5a36305b7b9dae1ed65550dfc"
},
{
"url": "https://git.kernel.org/stable/c/5998da5a8208ae9ad7838ba322bccb2bdcd95e81"
},
{
"url": "https://git.kernel.org/stable/c/f1c170cae285e4b8f61be043bb17addc3d0a14b5"
},
{
"url": "https://git.kernel.org/stable/c/ab6b19f690d89ae4709fba73a3c4a7911f495b7a"
},
{
"url": "https://git.kernel.org/stable/c/002541ef650b742a198e4be363881439bb9d86b4"
}
],
"title": "vsock: Ignore signal/timeout on connect() if already established",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40248",
"datePublished": "2025-12-04T16:08:11.509Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2025-12-06T21:38:46.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50732 (GCVE-0-2022-50732)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
staging: rtl8192u: Fix use after free in ieee80211_rx()
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8192u: Fix use after free in ieee80211_rx()
We cannot dereference the "skb" pointer after calling
ieee80211_monitor_rx(), because it is a use after free.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8fc8598e61f6f384f3eaf1d9b09500c12af47b37 , < 9c03db0ec84b7964a11b20706665c99a5fead332
(git)
Affected: 8fc8598e61f6f384f3eaf1d9b09500c12af47b37 , < fdc62d31d50e4ce5d8f363fcb8299ba0e00ee6fd (git) Affected: 8fc8598e61f6f384f3eaf1d9b09500c12af47b37 , < a0df8d44b555ae09729d6533fd4532977563c7b9 (git) Affected: 8fc8598e61f6f384f3eaf1d9b09500c12af47b37 , < 288ada16a93aab5aa2ebea8190aafdb35b716854 (git) Affected: 8fc8598e61f6f384f3eaf1d9b09500c12af47b37 , < daa8045a991363ccdae5615d170f35aa1135e7a7 (git) Affected: 8fc8598e61f6f384f3eaf1d9b09500c12af47b37 , < b0aaec894a909c88117c8bda6c7c9b26cf7c744b (git) Affected: 8fc8598e61f6f384f3eaf1d9b09500c12af47b37 , < de174163c0d319ff06d622e79130a0017c8f5a6e (git) Affected: 8fc8598e61f6f384f3eaf1d9b09500c12af47b37 , < 73df1172bbcc8d45cd28e3b1a9ca2edb2f9f7ce6 (git) Affected: 8fc8598e61f6f384f3eaf1d9b09500c12af47b37 , < bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9c03db0ec84b7964a11b20706665c99a5fead332",
"status": "affected",
"version": "8fc8598e61f6f384f3eaf1d9b09500c12af47b37",
"versionType": "git"
},
{
"lessThan": "fdc62d31d50e4ce5d8f363fcb8299ba0e00ee6fd",
"status": "affected",
"version": "8fc8598e61f6f384f3eaf1d9b09500c12af47b37",
"versionType": "git"
},
{
"lessThan": "a0df8d44b555ae09729d6533fd4532977563c7b9",
"status": "affected",
"version": "8fc8598e61f6f384f3eaf1d9b09500c12af47b37",
"versionType": "git"
},
{
"lessThan": "288ada16a93aab5aa2ebea8190aafdb35b716854",
"status": "affected",
"version": "8fc8598e61f6f384f3eaf1d9b09500c12af47b37",
"versionType": "git"
},
{
"lessThan": "daa8045a991363ccdae5615d170f35aa1135e7a7",
"status": "affected",
"version": "8fc8598e61f6f384f3eaf1d9b09500c12af47b37",
"versionType": "git"
},
{
"lessThan": "b0aaec894a909c88117c8bda6c7c9b26cf7c744b",
"status": "affected",
"version": "8fc8598e61f6f384f3eaf1d9b09500c12af47b37",
"versionType": "git"
},
{
"lessThan": "de174163c0d319ff06d622e79130a0017c8f5a6e",
"status": "affected",
"version": "8fc8598e61f6f384f3eaf1d9b09500c12af47b37",
"versionType": "git"
},
{
"lessThan": "73df1172bbcc8d45cd28e3b1a9ca2edb2f9f7ce6",
"status": "affected",
"version": "8fc8598e61f6f384f3eaf1d9b09500c12af47b37",
"versionType": "git"
},
{
"lessThan": "bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac",
"status": "affected",
"version": "8fc8598e61f6f384f3eaf1d9b09500c12af47b37",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8192u: Fix use after free in ieee80211_rx()\n\nWe cannot dereference the \"skb\" pointer after calling\nieee80211_monitor_rx(), because it is a use after free."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:51.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9c03db0ec84b7964a11b20706665c99a5fead332"
},
{
"url": "https://git.kernel.org/stable/c/fdc62d31d50e4ce5d8f363fcb8299ba0e00ee6fd"
},
{
"url": "https://git.kernel.org/stable/c/a0df8d44b555ae09729d6533fd4532977563c7b9"
},
{
"url": "https://git.kernel.org/stable/c/288ada16a93aab5aa2ebea8190aafdb35b716854"
},
{
"url": "https://git.kernel.org/stable/c/daa8045a991363ccdae5615d170f35aa1135e7a7"
},
{
"url": "https://git.kernel.org/stable/c/b0aaec894a909c88117c8bda6c7c9b26cf7c744b"
},
{
"url": "https://git.kernel.org/stable/c/de174163c0d319ff06d622e79130a0017c8f5a6e"
},
{
"url": "https://git.kernel.org/stable/c/73df1172bbcc8d45cd28e3b1a9ca2edb2f9f7ce6"
},
{
"url": "https://git.kernel.org/stable/c/bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac"
}
],
"title": "staging: rtl8192u: Fix use after free in ieee80211_rx()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50732",
"datePublished": "2025-12-24T12:22:51.933Z",
"dateReserved": "2025-12-24T12:20:40.331Z",
"dateUpdated": "2025-12-24T12:22:51.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50738 (GCVE-0-2022-50738)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
vhost-vdpa: fix an iotlb memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
vhost-vdpa: fix an iotlb memory leak
Before commit 3d5698793897 ("vhost-vdpa: introduce asid based IOTLB")
we called vhost_vdpa_iotlb_unmap(v, iotlb, 0ULL, 0ULL - 1) during
release to free all the resources allocated when processing user IOTLB
messages through vhost_vdpa_process_iotlb_update().
That commit changed the handling of IOTLB a bit, and we accidentally
removed some code called during the release.
We partially fixed this with commit 037d4305569a ("vhost-vdpa: call
vhost_vdpa_cleanup during the release") but a potential memory leak is
still there as showed by kmemleak if the application does not send
VHOST_IOTLB_INVALIDATE or crashes:
unreferenced object 0xffff888007fbaa30 (size 16):
comm "blkio-bench", pid 914, jiffies 4294993521 (age 885.500s)
hex dump (first 16 bytes):
40 73 41 07 80 88 ff ff 00 00 00 00 00 00 00 00 @sA.............
backtrace:
[<0000000087736d2a>] kmem_cache_alloc_trace+0x142/0x1c0
[<0000000060740f50>] vhost_vdpa_process_iotlb_msg+0x68c/0x901 [vhost_vdpa]
[<0000000083e8e205>] vhost_chr_write_iter+0xc0/0x4a0 [vhost]
[<000000008f2f414a>] vhost_vdpa_chr_write_iter+0x18/0x20 [vhost_vdpa]
[<00000000de1cd4a0>] vfs_write+0x216/0x4b0
[<00000000a2850200>] ksys_write+0x71/0xf0
[<00000000de8e720b>] __x64_sys_write+0x19/0x20
[<0000000018b12cbb>] do_syscall_64+0x3f/0x90
[<00000000986ec465>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Let's fix this calling vhost_vdpa_iotlb_unmap() on the whole range in
vhost_vdpa_remove_as(). We move that call before vhost_dev_cleanup()
since we need a valid v->vdev.mm in vhost_vdpa_pa_unmap().
vhost_iotlb_reset() call can be removed, since vhost_vdpa_iotlb_unmap()
on the whole range removes all the entries.
The kmemleak log reported was observed with a vDPA device that has `use_va`
set to true (e.g. VDUSE). This patch has been tested with both types of
devices.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3d5698793897a2b9c0060d899881d1a0591630d5 , < 4e92cb33bfb51eee5f28bb10846c46f266a4bb67
(git)
Affected: 3d5698793897a2b9c0060d899881d1a0591630d5 , < a2907867e2c86067accd2f011d6f23ee5533aa6c (git) Affected: 3d5698793897a2b9c0060d899881d1a0591630d5 , < c070c1912a83432530cbb4271d5b9b11fa36b67a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e92cb33bfb51eee5f28bb10846c46f266a4bb67",
"status": "affected",
"version": "3d5698793897a2b9c0060d899881d1a0591630d5",
"versionType": "git"
},
{
"lessThan": "a2907867e2c86067accd2f011d6f23ee5533aa6c",
"status": "affected",
"version": "3d5698793897a2b9c0060d899881d1a0591630d5",
"versionType": "git"
},
{
"lessThan": "c070c1912a83432530cbb4271d5b9b11fa36b67a",
"status": "affected",
"version": "3d5698793897a2b9c0060d899881d1a0591630d5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vhost/vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-vdpa: fix an iotlb memory leak\n\nBefore commit 3d5698793897 (\"vhost-vdpa: introduce asid based IOTLB\")\nwe called vhost_vdpa_iotlb_unmap(v, iotlb, 0ULL, 0ULL - 1) during\nrelease to free all the resources allocated when processing user IOTLB\nmessages through vhost_vdpa_process_iotlb_update().\nThat commit changed the handling of IOTLB a bit, and we accidentally\nremoved some code called during the release.\n\nWe partially fixed this with commit 037d4305569a (\"vhost-vdpa: call\nvhost_vdpa_cleanup during the release\") but a potential memory leak is\nstill there as showed by kmemleak if the application does not send\nVHOST_IOTLB_INVALIDATE or crashes:\n\n unreferenced object 0xffff888007fbaa30 (size 16):\n comm \"blkio-bench\", pid 914, jiffies 4294993521 (age 885.500s)\n hex dump (first 16 bytes):\n 40 73 41 07 80 88 ff ff 00 00 00 00 00 00 00 00 @sA.............\n backtrace:\n [\u003c0000000087736d2a\u003e] kmem_cache_alloc_trace+0x142/0x1c0\n [\u003c0000000060740f50\u003e] vhost_vdpa_process_iotlb_msg+0x68c/0x901 [vhost_vdpa]\n [\u003c0000000083e8e205\u003e] vhost_chr_write_iter+0xc0/0x4a0 [vhost]\n [\u003c000000008f2f414a\u003e] vhost_vdpa_chr_write_iter+0x18/0x20 [vhost_vdpa]\n [\u003c00000000de1cd4a0\u003e] vfs_write+0x216/0x4b0\n [\u003c00000000a2850200\u003e] ksys_write+0x71/0xf0\n [\u003c00000000de8e720b\u003e] __x64_sys_write+0x19/0x20\n [\u003c0000000018b12cbb\u003e] do_syscall_64+0x3f/0x90\n [\u003c00000000986ec465\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nLet\u0027s fix this calling vhost_vdpa_iotlb_unmap() on the whole range in\nvhost_vdpa_remove_as(). We move that call before vhost_dev_cleanup()\nsince we need a valid v-\u003evdev.mm in vhost_vdpa_pa_unmap().\nvhost_iotlb_reset() call can be removed, since vhost_vdpa_iotlb_unmap()\non the whole range removes all the entries.\n\nThe kmemleak log reported was observed with a vDPA device that has `use_va`\nset to true (e.g. VDUSE). This patch has been tested with both types of\ndevices."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:36.801Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e92cb33bfb51eee5f28bb10846c46f266a4bb67"
},
{
"url": "https://git.kernel.org/stable/c/a2907867e2c86067accd2f011d6f23ee5533aa6c"
},
{
"url": "https://git.kernel.org/stable/c/c070c1912a83432530cbb4271d5b9b11fa36b67a"
}
],
"title": "vhost-vdpa: fix an iotlb memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50738",
"datePublished": "2025-12-24T13:05:36.801Z",
"dateReserved": "2025-12-24T13:02:21.542Z",
"dateUpdated": "2025-12-24T13:05:36.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68305 (GCVE-0-2025-68305)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
There is a potential race condition between sock bind and socket write
iter. bind may free the same cmd via mgmt_pending before write iter sends
the cmd, just as syzbot reported in UAF[1].
Here we use hci_dev_lock to synchronize the two, thereby avoiding the
UAF mentioned in [1].
[1]
syzbot reported:
BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
Read of size 8 at addr ffff888077164818 by task syz.0.17/5989
Call Trace:
mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316
set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Allocated by task 5989:
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:742
sock_write_iter+0x279/0x360 net/socket.c:1195
Freed by task 5991:
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bdd56875c6926d8009914f427df71797693e90d4 , < fe68510fc99bb4b88c9c611f83699749002d515a
(git)
Affected: 4e83f2dbb2bf677e614109df24426c4dded472d4 , < e90c05fc5bbea956450a05cc3b36b8fa29cf195e (git) Affected: 6fe26f694c824b8a4dbf50c635bee1302e3f099c , < 69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7 (git) Affected: 6fe26f694c824b8a4dbf50c635bee1302e3f099c , < 89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392 (git) Affected: d7882db79135c829a922daf3571f33ea1e056ae3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fe68510fc99bb4b88c9c611f83699749002d515a",
"status": "affected",
"version": "bdd56875c6926d8009914f427df71797693e90d4",
"versionType": "git"
},
{
"lessThan": "e90c05fc5bbea956450a05cc3b36b8fa29cf195e",
"status": "affected",
"version": "4e83f2dbb2bf677e614109df24426c4dded472d4",
"versionType": "git"
},
{
"lessThan": "69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7",
"status": "affected",
"version": "6fe26f694c824b8a4dbf50c635bee1302e3f099c",
"versionType": "git"
},
{
"lessThan": "89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392",
"status": "affected",
"version": "6fe26f694c824b8a4dbf50c635bee1302e3f099c",
"versionType": "git"
},
{
"status": "affected",
"version": "d7882db79135c829a922daf3571f33ea1e056ae3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "6.6.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.12.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sock: Prevent race in socket write iter and sock bind\n\nThere is a potential race condition between sock bind and socket write\niter. bind may free the same cmd via mgmt_pending before write iter sends\nthe cmd, just as syzbot reported in UAF[1].\n\nHere we use hci_dev_lock to synchronize the two, thereby avoiding the\nUAF mentioned in [1].\n\n[1]\nsyzbot reported:\nBUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316\nRead of size 8 at addr ffff888077164818 by task syz.0.17/5989\nCall Trace:\n mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316\n set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n sock_write_iter+0x279/0x360 net/socket.c:1195\n\nAllocated by task 5989:\n mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296\n set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n sock_write_iter+0x279/0x360 net/socket.c:1195\n\nFreed by task 5991:\n mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]\n mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257\n mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477\n hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:22.812Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fe68510fc99bb4b88c9c611f83699749002d515a"
},
{
"url": "https://git.kernel.org/stable/c/e90c05fc5bbea956450a05cc3b36b8fa29cf195e"
},
{
"url": "https://git.kernel.org/stable/c/69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7"
},
{
"url": "https://git.kernel.org/stable/c/89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392"
}
],
"title": "Bluetooth: hci_sock: Prevent race in socket write iter and sock bind",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68305",
"datePublished": "2025-12-16T15:06:22.812Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:22.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50842 (GCVE-0-2022-50842)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
drm/virtio: Check whether transferred 2D BO is shmem
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/virtio: Check whether transferred 2D BO is shmem
Transferred 2D BO always must be a shmem BO. Add check for that to prevent
NULL dereference if userspace passes a VRAM BO.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
f651c8b055423057d9f41525dfdc37b4796015d1 , < f134f261d76ae3d5ecf68db642eaa746ceb84cfb
(git)
Affected: f651c8b055423057d9f41525dfdc37b4796015d1 , < f122bcb34f1a4b02ef3d95058d8fd1316ea03785 (git) Affected: f651c8b055423057d9f41525dfdc37b4796015d1 , < 989164305b933af06d69bb91044dafbd01025371 (git) Affected: f651c8b055423057d9f41525dfdc37b4796015d1 , < 36e133af33ea54193378b190cf92c47c12a43d34 (git) Affected: f651c8b055423057d9f41525dfdc37b4796015d1 , < e473216b42aa1fd9fc6b94b608b42c210c655908 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/virtio/virtgpu_vq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f134f261d76ae3d5ecf68db642eaa746ceb84cfb",
"status": "affected",
"version": "f651c8b055423057d9f41525dfdc37b4796015d1",
"versionType": "git"
},
{
"lessThan": "f122bcb34f1a4b02ef3d95058d8fd1316ea03785",
"status": "affected",
"version": "f651c8b055423057d9f41525dfdc37b4796015d1",
"versionType": "git"
},
{
"lessThan": "989164305b933af06d69bb91044dafbd01025371",
"status": "affected",
"version": "f651c8b055423057d9f41525dfdc37b4796015d1",
"versionType": "git"
},
{
"lessThan": "36e133af33ea54193378b190cf92c47c12a43d34",
"status": "affected",
"version": "f651c8b055423057d9f41525dfdc37b4796015d1",
"versionType": "git"
},
{
"lessThan": "e473216b42aa1fd9fc6b94b608b42c210c655908",
"status": "affected",
"version": "f651c8b055423057d9f41525dfdc37b4796015d1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/virtio/virtgpu_vq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Check whether transferred 2D BO is shmem\n\nTransferred 2D BO always must be a shmem BO. Add check for that to prevent\nNULL dereference if userspace passes a VRAM BO."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:57.381Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f134f261d76ae3d5ecf68db642eaa746ceb84cfb"
},
{
"url": "https://git.kernel.org/stable/c/f122bcb34f1a4b02ef3d95058d8fd1316ea03785"
},
{
"url": "https://git.kernel.org/stable/c/989164305b933af06d69bb91044dafbd01025371"
},
{
"url": "https://git.kernel.org/stable/c/36e133af33ea54193378b190cf92c47c12a43d34"
},
{
"url": "https://git.kernel.org/stable/c/e473216b42aa1fd9fc6b94b608b42c210c655908"
}
],
"title": "drm/virtio: Check whether transferred 2D BO is shmem",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50842",
"datePublished": "2025-12-30T12:11:00.439Z",
"dateReserved": "2025-12-30T12:06:07.133Z",
"dateUpdated": "2026-01-02T15:04:57.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53862 (GCVE-0-2023-53862)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
Syzbot found a kernel BUG in hfs_bnode_put():
kernel BUG at fs/hfs/bnode.c:466!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: writeback wb_workfn (flush-7:0)
RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466
Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9 93 fe ff ff e8 a1 68 2c ff <0f> 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56
RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293
RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1
R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80
R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
hfs_write_inode+0x1bc/0xb40
write_inode fs/fs-writeback.c:1440 [inline]
__writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652
writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878
__writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949
wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054
wb_check_start_all fs/fs-writeback.c:2176 [inline]
wb_do_writeback fs/fs-writeback.c:2202 [inline]
wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235
process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
The BUG_ON() is triggered at here:
/* Dispose of resources used by a node */
void hfs_bnode_put(struct hfs_bnode *node)
{
if (node) {
<skipped>
BUG_ON(!atomic_read(&node->refcnt)); <- we have issue here!!!!
<skipped>
}
}
By tracing the refcnt, I found the node is created by hfs_bmap_alloc()
with refcnt 1. Then the node is used by hfs_btree_write(). There is a
missing of hfs_bnode_get() after find the node. The issue happened in
following path:
<alloc>
hfs_bmap_alloc
hfs_bnode_find
__hfs_bnode_create <- allocate a new node with refcnt 1.
hfs_bnode_put <- decrease the refcnt
<write>
hfs_btree_write
hfs_bnode_find
__hfs_bnode_create
hfs_bnode_findhash <- find the node without refcnt increased.
hfs_bnode_put <- trigger the BUG_ON() since refcnt is 0.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 062af3e9930762d1fd22946748d34e0d859e4a8e
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3a9065a33988c02789722be612f7c42fb8ebbb22 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < eda6879272e4df5456afc36642052ea066f58410 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dc9f78b6d254427a06e568f2887b1011ef3143ef (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2cab8db14566cf6a516c1f103a60cf6b7f54b1e5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8140cdc57bc5844cd5e1392673ec2dbf8fdc6940 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 38d72e6604b9f96dffcc0565090cc01622a37b2a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a9dc087fd3c484fd1ed18c5efb290efaaf44ce03 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfs/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "062af3e9930762d1fd22946748d34e0d859e4a8e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3a9065a33988c02789722be612f7c42fb8ebbb22",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "eda6879272e4df5456afc36642052ea066f58410",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dc9f78b6d254427a06e568f2887b1011ef3143ef",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2cab8db14566cf6a516c1f103a60cf6b7f54b1e5",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8140cdc57bc5844cd5e1392673ec2dbf8fdc6940",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "38d72e6604b9f96dffcc0565090cc01622a37b2a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a9dc087fd3c484fd1ed18c5efb290efaaf44ce03",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfs/bnode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix missing hfs_bnode_get() in __hfs_bnode_create\n\nSyzbot found a kernel BUG in hfs_bnode_put():\n\n kernel BUG at fs/hfs/bnode.c:466!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Workqueue: writeback wb_workfn (flush-7:0)\n RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466\n Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9 93 fe ff ff e8 a1 68 2c ff \u003c0f\u003e 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56\n RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293\n RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1\n R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80\n R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00\n FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n hfs_write_inode+0x1bc/0xb40\n write_inode fs/fs-writeback.c:1440 [inline]\n __writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652\n writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878\n __writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949\n wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054\n wb_check_start_all fs/fs-writeback.c:2176 [inline]\n wb_do_writeback fs/fs-writeback.c:2202 [inline]\n wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235\n process_one_work+0x877/0xdb0 kernel/workqueue.c:2289\n worker_thread+0xb14/0x1330 kernel/workqueue.c:2436\n kthread+0x266/0x300 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n \u003c/TASK\u003e\n\nThe BUG_ON() is triggered at here:\n\n/* Dispose of resources used by a node */\nvoid hfs_bnode_put(struct hfs_bnode *node)\n{\n\tif (node) {\n \t\t\u003cskipped\u003e\n \t\tBUG_ON(!atomic_read(\u0026node-\u003erefcnt)); \u003c- we have issue here!!!!\n \t\t\u003cskipped\u003e\n \t}\n}\n\nBy tracing the refcnt, I found the node is created by hfs_bmap_alloc()\nwith refcnt 1. Then the node is used by hfs_btree_write(). There is a\nmissing of hfs_bnode_get() after find the node. The issue happened in\nfollowing path:\n\n\u003calloc\u003e\n hfs_bmap_alloc\n hfs_bnode_find\n __hfs_bnode_create \u003c- allocate a new node with refcnt 1.\n hfs_bnode_put \u003c- decrease the refcnt\n\n\u003cwrite\u003e\n hfs_btree_write\n hfs_bnode_find\n __hfs_bnode_create\n hfs_bnode_findhash \u003c- find the node without refcnt increased.\n hfs_bnode_put\t \u003c- trigger the BUG_ON() since refcnt is 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:06.625Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/062af3e9930762d1fd22946748d34e0d859e4a8e"
},
{
"url": "https://git.kernel.org/stable/c/3a9065a33988c02789722be612f7c42fb8ebbb22"
},
{
"url": "https://git.kernel.org/stable/c/eda6879272e4df5456afc36642052ea066f58410"
},
{
"url": "https://git.kernel.org/stable/c/dc9f78b6d254427a06e568f2887b1011ef3143ef"
},
{
"url": "https://git.kernel.org/stable/c/2cab8db14566cf6a516c1f103a60cf6b7f54b1e5"
},
{
"url": "https://git.kernel.org/stable/c/8140cdc57bc5844cd5e1392673ec2dbf8fdc6940"
},
{
"url": "https://git.kernel.org/stable/c/38d72e6604b9f96dffcc0565090cc01622a37b2a"
},
{
"url": "https://git.kernel.org/stable/c/a9dc087fd3c484fd1ed18c5efb290efaaf44ce03"
}
],
"title": "hfs: fix missing hfs_bnode_get() in __hfs_bnode_create",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53862",
"datePublished": "2025-12-09T01:30:30.902Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2026-01-05T10:33:06.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-4132 (GCVE-0-2023-4132)
Vulnerability from cvelistv5 – Published: 2023-08-03 14:32 – Updated: 2025-11-07 13:03
VLAI?
EPSS
Title
Kernel: smsusb: use-after-free caused by do_submit_urb()
Summary
A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.
Severity ?
5.5 (Medium)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 8 |
Unaffected:
0:4.18.0-513.5.1.rt7.307.el8_9 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:8::nfv cpe:/a:redhat:enterprise_linux:8::realtime |
|||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Red Hat would like to thank Duoming Zhou for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4132",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-25T15:30:20.281573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:27:22.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:12.143Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2023:6901",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6901"
},
{
"name": "RHSA-2023:7077",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7077"
},
{
"name": "RHSA-2024:0575",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0575"
},
{
"name": "RHSA-2024:0724",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0724"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-4132"
},
{
"name": "RHBZ#2221707",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221707"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231020-0005/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5480"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5492"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::nfv",
"cpe:/a:redhat:enterprise_linux:8::realtime"
],
"defaultStatus": "affected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-513.5.1.rt7.307.el8_9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb",
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-513.5.1.el8_9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:8.6::crb",
"cpe:/o:redhat:rhel_eus:8.6::baseos",
"cpe:/o:redhat:rhev_hypervisor:4.4::el8"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-372.91.1.el8_6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:8.8::crb",
"cpe:/o:redhat:rhel_eus:8.8::baseos"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-477.43.1.el8_8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:8.6::crb",
"cpe:/o:redhat:rhel_eus:8.6::baseos",
"cpe:/o:redhat:rhev_hypervisor:4.4::el8"
],
"defaultStatus": "affected",
"packageName": "kernel",
"product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:4.18.0-372.91.1.el8_6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "kernel",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "kernel-rt",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Duoming Zhou for reporting this issue."
}
],
"datePublic": "2023-02-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T13:03:42.247Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2023:6901",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:6901"
},
{
"name": "RHSA-2023:7077",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2023:7077"
},
{
"name": "RHSA-2024:0575",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0575"
},
{
"name": "RHSA-2024:0724",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2024:0724"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-4132"
},
{
"name": "RHBZ#2221707",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221707"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-07-10T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2023-02-08T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Kernel: smsusb: use-after-free caused by do_submit_urb()",
"x_redhatCweChain": "CWE-416: Use After Free"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-4132",
"datePublished": "2023-08-03T14:32:15.246Z",
"dateReserved": "2023-08-03T08:51:00.805Z",
"dateUpdated": "2025-11-07T13:03:42.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68290 (GCVE-0-2025-68290)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
most: usb: fix double free on late probe failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
most: usb: fix double free on late probe failure
The MOST subsystem has a non-standard registration function which frees
the interface on registration failures and on deregistration.
This unsurprisingly leads to bugs in the MOST drivers, and a couple of
recent changes turned a reference underflow and use-after-free in the
USB driver into several double free and a use-after-free on late probe
failures.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154
(git)
Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < a4c4118c2af284835b16431bbfe77e0130c06fef (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 0dece48660be16918ecf2dbdc7193e8be03e1693 (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 993bfdc3842893c394de13c8200c338ebb979589 (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 2274767dc02b756b25e3db1e31c0ed47c2a78442 (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 8d8ffefe3d5d8b7b73efb866db61130107299c5c (git) Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < baadf2a5c26e802a46573eaad331b427b49aaa36 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "a4c4118c2af284835b16431bbfe77e0130c06fef",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "0dece48660be16918ecf2dbdc7193e8be03e1693",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "993bfdc3842893c394de13c8200c338ebb979589",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "2274767dc02b756b25e3db1e31c0ed47c2a78442",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "8d8ffefe3d5d8b7b73efb866db61130107299c5c",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
},
{
"lessThan": "baadf2a5c26e802a46573eaad331b427b49aaa36",
"status": "affected",
"version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/most/most_usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: fix double free on late probe failure\n\nThe MOST subsystem has a non-standard registration function which frees\nthe interface on registration failures and on deregistration.\n\nThis unsurprisingly leads to bugs in the MOST drivers, and a couple of\nrecent changes turned a reference underflow and use-after-free in the\nUSB driver into several double free and a use-after-free on late probe\nfailures."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:11.202Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154"
},
{
"url": "https://git.kernel.org/stable/c/a4c4118c2af284835b16431bbfe77e0130c06fef"
},
{
"url": "https://git.kernel.org/stable/c/0dece48660be16918ecf2dbdc7193e8be03e1693"
},
{
"url": "https://git.kernel.org/stable/c/993bfdc3842893c394de13c8200c338ebb979589"
},
{
"url": "https://git.kernel.org/stable/c/2274767dc02b756b25e3db1e31c0ed47c2a78442"
},
{
"url": "https://git.kernel.org/stable/c/8d8ffefe3d5d8b7b73efb866db61130107299c5c"
},
{
"url": "https://git.kernel.org/stable/c/baadf2a5c26e802a46573eaad331b427b49aaa36"
}
],
"title": "most: usb: fix double free on late probe failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68290",
"datePublished": "2025-12-16T15:06:11.202Z",
"dateReserved": "2025-12-16T14:48:05.292Z",
"dateUpdated": "2025-12-16T15:06:11.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68233 (GCVE-0-2025-68233)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:04 – Updated: 2025-12-16 14:04
VLAI?
EPSS
Title
drm/tegra: Add call to put_pid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/tegra: Add call to put_pid()
Add a call to put_pid() corresponding to get_task_pid().
host1x_memory_context_alloc() does not take ownership of the PID so we
need to free it here to avoid leaking.
[mperttunen@nvidia.com: reword commit message]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e09db97889ec647ad373f7a7422c83099c6120c5 , < 6b572e5154af08ee13f8d2673e86f83bc5ff86cd
(git)
Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 2e78580e6e7deac6556236ef96db5bbf7b46857e (git) Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5 (git) Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 27ea5c2c75c3419a9a019240ca44b9256f628df1 (git) Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/uapi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6b572e5154af08ee13f8d2673e86f83bc5ff86cd",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "2e78580e6e7deac6556236ef96db5bbf7b46857e",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "27ea5c2c75c3419a9a019240ca44b9256f628df1",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
},
{
"lessThan": "6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a",
"status": "affected",
"version": "e09db97889ec647ad373f7a7422c83099c6120c5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/tegra/uapi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: Add call to put_pid()\n\nAdd a call to put_pid() corresponding to get_task_pid().\nhost1x_memory_context_alloc() does not take ownership of the PID so we\nneed to free it here to avoid leaking.\n\n[mperttunen@nvidia.com: reword commit message]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:04:13.490Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6b572e5154af08ee13f8d2673e86f83bc5ff86cd"
},
{
"url": "https://git.kernel.org/stable/c/2e78580e6e7deac6556236ef96db5bbf7b46857e"
},
{
"url": "https://git.kernel.org/stable/c/cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5"
},
{
"url": "https://git.kernel.org/stable/c/27ea5c2c75c3419a9a019240ca44b9256f628df1"
},
{
"url": "https://git.kernel.org/stable/c/6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a"
}
],
"title": "drm/tegra: Add call to put_pid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68233",
"datePublished": "2025-12-16T14:04:13.490Z",
"dateReserved": "2025-12-16T13:41:40.258Z",
"dateUpdated": "2025-12-16T14:04:13.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54016 (GCVE-0-2023-54016)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
wifi: ath12k: Fix memory leak in rx_desc and tx_desc
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Fix memory leak in rx_desc and tx_desc
Currently when ath12k_dp_cc_desc_init() is called we allocate
memory to rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), during
descriptor cleanup rx_descs and tx_descs memory is not freed.
This is cause of memory leak. These allocated memory should be
freed in ath12k_dp_cc_cleanup.
In ath12k_dp_cc_desc_init(), we can save base address of rx_descs
and tx_descs. In ath12k_dp_cc_cleanup(), we can free rx_descs and
tx_descs memory using their base address.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c",
"drivers/net/wireless/ath/ath12k/dp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e16be2d34883eecfe7fd888fcdb76c7a5db5d187",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "afb522b36e76acaa9f8fc06d0a9742d841c47c16",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c",
"drivers/net/wireless/ath/ath12k/dp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Fix memory leak in rx_desc and tx_desc\n\nCurrently when ath12k_dp_cc_desc_init() is called we allocate\nmemory to rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), during\ndescriptor cleanup rx_descs and tx_descs memory is not freed.\n\nThis is cause of memory leak. These allocated memory should be\nfreed in ath12k_dp_cc_cleanup.\n\nIn ath12k_dp_cc_desc_init(), we can save base address of rx_descs\nand tx_descs. In ath12k_dp_cc_cleanup(), we can free rx_descs and\ntx_descs memory using their base address.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:28.474Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e16be2d34883eecfe7fd888fcdb76c7a5db5d187"
},
{
"url": "https://git.kernel.org/stable/c/afb522b36e76acaa9f8fc06d0a9742d841c47c16"
}
],
"title": "wifi: ath12k: Fix memory leak in rx_desc and tx_desc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54016",
"datePublished": "2025-12-24T10:55:47.691Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2026-01-05T10:33:28.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54051 (GCVE-0-2023-54051)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
net: do not allow gso_size to be set to GSO_BY_FRAGS
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: do not allow gso_size to be set to GSO_BY_FRAGS
One missing check in virtio_net_hdr_to_skb() allowed
syzbot to crash kernels again [1]
Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff),
because this magic value is used by the kernel.
[1]
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500
Code: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01
RSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000
RDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070
RBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff
R10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6
R13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff
FS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109
ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120
skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53
__skb_gso_segment+0x339/0x710 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625
__dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329
dev_queue_xmit include/linux/netdevice.h:3082 [inline]
packet_xmit+0x257/0x380 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3087 [inline]
packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119
sock_sendmsg_nosec net/socket.c:727 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:750
____sys_sendmsg+0x6ac/0x940 net/socket.c:2496
___sys_sendmsg+0x135/0x1d0 net/socket.c:2550
__sys_sendmsg+0x117/0x1e0 net/socket.c:2579
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff27cdb34d9
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3953c46c3ac7eef31a9935427371c6f54a22f1ba , < a5f9e5804d239d288d983db36bbed45ed10729a0
(git)
Affected: 3953c46c3ac7eef31a9935427371c6f54a22f1ba , < 4c9bfadb4301daaceb6c575fa6ad3bc82c152e79 (git) Affected: 3953c46c3ac7eef31a9935427371c6f54a22f1ba , < 210ff31342ade546d8d9d0ec4d3cf9cb50ae632d (git) Affected: 3953c46c3ac7eef31a9935427371c6f54a22f1ba , < 0a593e8a9d24360fbc469c5897d0791aa2f20ed3 (git) Affected: 3953c46c3ac7eef31a9935427371c6f54a22f1ba , < 578371ce0d7f67ea1e65817c04478aaab0d36b68 (git) Affected: 3953c46c3ac7eef31a9935427371c6f54a22f1ba , < 2e03a92b241102aaf490439aa1b00239f84f530f (git) Affected: 3953c46c3ac7eef31a9935427371c6f54a22f1ba , < e3636862f5595b3d2f02650f7b21d39043a34f3e (git) Affected: 3953c46c3ac7eef31a9935427371c6f54a22f1ba , < b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/virtio_net.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a5f9e5804d239d288d983db36bbed45ed10729a0",
"status": "affected",
"version": "3953c46c3ac7eef31a9935427371c6f54a22f1ba",
"versionType": "git"
},
{
"lessThan": "4c9bfadb4301daaceb6c575fa6ad3bc82c152e79",
"status": "affected",
"version": "3953c46c3ac7eef31a9935427371c6f54a22f1ba",
"versionType": "git"
},
{
"lessThan": "210ff31342ade546d8d9d0ec4d3cf9cb50ae632d",
"status": "affected",
"version": "3953c46c3ac7eef31a9935427371c6f54a22f1ba",
"versionType": "git"
},
{
"lessThan": "0a593e8a9d24360fbc469c5897d0791aa2f20ed3",
"status": "affected",
"version": "3953c46c3ac7eef31a9935427371c6f54a22f1ba",
"versionType": "git"
},
{
"lessThan": "578371ce0d7f67ea1e65817c04478aaab0d36b68",
"status": "affected",
"version": "3953c46c3ac7eef31a9935427371c6f54a22f1ba",
"versionType": "git"
},
{
"lessThan": "2e03a92b241102aaf490439aa1b00239f84f530f",
"status": "affected",
"version": "3953c46c3ac7eef31a9935427371c6f54a22f1ba",
"versionType": "git"
},
{
"lessThan": "e3636862f5595b3d2f02650f7b21d39043a34f3e",
"status": "affected",
"version": "3953c46c3ac7eef31a9935427371c6f54a22f1ba",
"versionType": "git"
},
{
"lessThan": "b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9",
"status": "affected",
"version": "3953c46c3ac7eef31a9935427371c6f54a22f1ba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/virtio_net.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: do not allow gso_size to be set to GSO_BY_FRAGS\n\nOne missing check in virtio_net_hdr_to_skb() allowed\nsyzbot to crash kernels again [1]\n\nDo not allow gso_size to be set to GSO_BY_FRAGS (0xffff),\nbecause this magic value is used by the kernel.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023\nRIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500\nCode: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01\nRSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000\nRDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070\nRBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6\nR13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff\nFS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\nudp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x292/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625\n__dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329\ndev_queue_xmit include/linux/netdevice.h:3082 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:727 [inline]\nsock_sendmsg+0xd9/0x180 net/socket.c:750\n____sys_sendmsg+0x6ac/0x940 net/socket.c:2496\n___sys_sendmsg+0x135/0x1d0 net/socket.c:2550\n__sys_sendmsg+0x117/0x1e0 net/socket.c:2579\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7ff27cdb34d9"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:01.043Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a5f9e5804d239d288d983db36bbed45ed10729a0"
},
{
"url": "https://git.kernel.org/stable/c/4c9bfadb4301daaceb6c575fa6ad3bc82c152e79"
},
{
"url": "https://git.kernel.org/stable/c/210ff31342ade546d8d9d0ec4d3cf9cb50ae632d"
},
{
"url": "https://git.kernel.org/stable/c/0a593e8a9d24360fbc469c5897d0791aa2f20ed3"
},
{
"url": "https://git.kernel.org/stable/c/578371ce0d7f67ea1e65817c04478aaab0d36b68"
},
{
"url": "https://git.kernel.org/stable/c/2e03a92b241102aaf490439aa1b00239f84f530f"
},
{
"url": "https://git.kernel.org/stable/c/e3636862f5595b3d2f02650f7b21d39043a34f3e"
},
{
"url": "https://git.kernel.org/stable/c/b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9"
}
],
"title": "net: do not allow gso_size to be set to GSO_BY_FRAGS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54051",
"datePublished": "2025-12-24T12:23:01.043Z",
"dateReserved": "2025-12-24T12:21:05.090Z",
"dateUpdated": "2025-12-24T12:23:01.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54113 (GCVE-0-2023-54113)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
rcu: dump vmalloc memory info safely
Summary
In the Linux kernel, the following vulnerability has been resolved:
rcu: dump vmalloc memory info safely
Currently, for double invoke call_rcu(), will dump rcu_head objects memory
info, if the objects is not allocated from the slab allocator, the
vmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to
be held, since the call_rcu() can be invoked in interrupt context,
therefore, there is a possibility of spinlock deadlock scenarios.
And in Preempt-RT kernel, the rcutorture test also trigger the following
lockdep warning:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0
preempt_count: 1, expected: 0
RCU nest depth: 1, expected: 1
3 locks held by swapper/0/1:
#0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0
#1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370
#2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70
irq event stamp: 565512
hardirqs last enabled at (565511): [<ffffffffb379b138>] __call_rcu_common+0x218/0x940
hardirqs last disabled at (565512): [<ffffffffb5804262>] rcu_torture_init+0x20b2/0x2370
softirqs last enabled at (399112): [<ffffffffb36b2586>] __local_bh_enable_ip+0x126/0x170
softirqs last disabled at (399106): [<ffffffffb43fef59>] inet_register_protosw+0x9/0x1d0
Preemption disabled at:
[<ffffffffb58040c3>] rcu_torture_init+0x1f13/0x2370
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x68/0xb0
dump_stack+0x14/0x20
__might_resched+0x1aa/0x280
? __pfx_rcu_torture_err_cb+0x10/0x10
rt_spin_lock+0x53/0x130
? find_vmap_area+0x1f/0x70
find_vmap_area+0x1f/0x70
vmalloc_dump_obj+0x20/0x60
mem_dump_obj+0x22/0x90
__call_rcu_common+0x5bf/0x940
? debug_smp_processor_id+0x1b/0x30
call_rcu_hurry+0x14/0x20
rcu_torture_init+0x1f82/0x2370
? __pfx_rcu_torture_leak_cb+0x10/0x10
? __pfx_rcu_torture_leak_cb+0x10/0x10
? __pfx_rcu_torture_init+0x10/0x10
do_one_initcall+0x6c/0x300
? debug_smp_processor_id+0x1b/0x30
kernel_init_freeable+0x2b9/0x540
? __pfx_kernel_init+0x10/0x10
kernel_init+0x1f/0x150
ret_from_fork+0x40/0x50
? __pfx_kernel_init+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
The previous patch fixes this by using the deadlock-safe best-effort
version of find_vm_area. However, in case of failure print the fact that
the pointer was a vmalloc pointer so that we print at least something.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
98f180837a896ecedf8f7e12af22b57f271d43c9 , < 0a22f9c17b1aa2a35b5eedee928f7841595b55cd
(git)
Affected: 98f180837a896ecedf8f7e12af22b57f271d43c9 , < 3f7a4e88e40e38c0b16a4bcb599b7b1d8c81440d (git) Affected: 98f180837a896ecedf8f7e12af22b57f271d43c9 , < dddca4c46ec92f83449bc91dd199f46a89e066be (git) Affected: 98f180837a896ecedf8f7e12af22b57f271d43c9 , < 8fb1601ec0a2c4c34fc2170af767e5c2a6400573 (git) Affected: 98f180837a896ecedf8f7e12af22b57f271d43c9 , < c83ad36a18c02c0f51280b50272327807916987f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a22f9c17b1aa2a35b5eedee928f7841595b55cd",
"status": "affected",
"version": "98f180837a896ecedf8f7e12af22b57f271d43c9",
"versionType": "git"
},
{
"lessThan": "3f7a4e88e40e38c0b16a4bcb599b7b1d8c81440d",
"status": "affected",
"version": "98f180837a896ecedf8f7e12af22b57f271d43c9",
"versionType": "git"
},
{
"lessThan": "dddca4c46ec92f83449bc91dd199f46a89e066be",
"status": "affected",
"version": "98f180837a896ecedf8f7e12af22b57f271d43c9",
"versionType": "git"
},
{
"lessThan": "8fb1601ec0a2c4c34fc2170af767e5c2a6400573",
"status": "affected",
"version": "98f180837a896ecedf8f7e12af22b57f271d43c9",
"versionType": "git"
},
{
"lessThan": "c83ad36a18c02c0f51280b50272327807916987f",
"status": "affected",
"version": "98f180837a896ecedf8f7e12af22b57f271d43c9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: dump vmalloc memory info safely\n\nCurrently, for double invoke call_rcu(), will dump rcu_head objects memory\ninfo, if the objects is not allocated from the slab allocator, the\nvmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to\nbe held, since the call_rcu() can be invoked in interrupt context,\ntherefore, there is a possibility of spinlock deadlock scenarios.\n\nAnd in Preempt-RT kernel, the rcutorture test also trigger the following\nlockdep warning:\n\nBUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48\nin_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0\npreempt_count: 1, expected: 0\nRCU nest depth: 1, expected: 1\n3 locks held by swapper/0/1:\n #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0\n #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370\n #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70\nirq event stamp: 565512\nhardirqs last enabled at (565511): [\u003cffffffffb379b138\u003e] __call_rcu_common+0x218/0x940\nhardirqs last disabled at (565512): [\u003cffffffffb5804262\u003e] rcu_torture_init+0x20b2/0x2370\nsoftirqs last enabled at (399112): [\u003cffffffffb36b2586\u003e] __local_bh_enable_ip+0x126/0x170\nsoftirqs last disabled at (399106): [\u003cffffffffb43fef59\u003e] inet_register_protosw+0x9/0x1d0\nPreemption disabled at:\n[\u003cffffffffb58040c3\u003e] rcu_torture_init+0x1f13/0x2370\nCPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x68/0xb0\n dump_stack+0x14/0x20\n __might_resched+0x1aa/0x280\n ? __pfx_rcu_torture_err_cb+0x10/0x10\n rt_spin_lock+0x53/0x130\n ? find_vmap_area+0x1f/0x70\n find_vmap_area+0x1f/0x70\n vmalloc_dump_obj+0x20/0x60\n mem_dump_obj+0x22/0x90\n __call_rcu_common+0x5bf/0x940\n ? debug_smp_processor_id+0x1b/0x30\n call_rcu_hurry+0x14/0x20\n rcu_torture_init+0x1f82/0x2370\n ? __pfx_rcu_torture_leak_cb+0x10/0x10\n ? __pfx_rcu_torture_leak_cb+0x10/0x10\n ? __pfx_rcu_torture_init+0x10/0x10\n do_one_initcall+0x6c/0x300\n ? debug_smp_processor_id+0x1b/0x30\n kernel_init_freeable+0x2b9/0x540\n ? __pfx_kernel_init+0x10/0x10\n kernel_init+0x1f/0x150\n ret_from_fork+0x40/0x50\n ? __pfx_kernel_init+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \u003c/TASK\u003e\n\nThe previous patch fixes this by using the deadlock-safe best-effort\nversion of find_vm_area. However, in case of failure print the fact that\nthe pointer was a vmalloc pointer so that we print at least something."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:35.514Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a22f9c17b1aa2a35b5eedee928f7841595b55cd"
},
{
"url": "https://git.kernel.org/stable/c/3f7a4e88e40e38c0b16a4bcb599b7b1d8c81440d"
},
{
"url": "https://git.kernel.org/stable/c/dddca4c46ec92f83449bc91dd199f46a89e066be"
},
{
"url": "https://git.kernel.org/stable/c/8fb1601ec0a2c4c34fc2170af767e5c2a6400573"
},
{
"url": "https://git.kernel.org/stable/c/c83ad36a18c02c0f51280b50272327807916987f"
}
],
"title": "rcu: dump vmalloc memory info safely",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54113",
"datePublished": "2025-12-24T13:06:35.514Z",
"dateReserved": "2025-12-24T13:02:52.519Z",
"dateUpdated": "2025-12-24T13:06:35.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-23559 (GCVE-0-2023-23559)
Vulnerability from cvelistv5 – Published: 2023-01-13 00:00 – Updated: 2025-05-05 16:05
VLAI?
EPSS
Summary
In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.
Severity ?
7.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.175Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchwork.kernel.org/project/linux-wireless/patch/20230110173007.57110-1-szymon.heidrich%40gmail.com/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230302-0003/"
},
{
"name": "[debian-lts-announce] 20230502 [SECURITY] [DLA 3404-1] linux-5.10 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
},
{
"name": "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b870e73a56c4cccbec33224233eaf295839f228c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-23559",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:29:21.290984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T16:05:27.474Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-25T00:41:20.856Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://patchwork.kernel.org/project/linux-wireless/patch/20230110173007.57110-1-szymon.heidrich%40gmail.com/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230302-0003/"
},
{
"name": "[debian-lts-announce] 20230502 [SECURITY] [DLA 3404-1] linux-5.10 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
},
{
"name": "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
},
{
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b870e73a56c4cccbec33224233eaf295839f228c"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-23559",
"datePublished": "2023-01-13T00:00:00.000Z",
"dateReserved": "2023-01-13T00:00:00.000Z",
"dateUpdated": "2025-05-05T16:05:27.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68197 (GCVE-0-2025-68197)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2025-12-16 13:43
VLAI?
EPSS
Title
bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()
With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER
for FW trace data type that has not been initialized. This will result
in a crash in bnxt_bs_trace_type_wrap(). Add a guard to check for a
valid magic_byte pointer before proceeding.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "689ae5ba31293eebb7f21c0ef8939468ac72b5ce",
"status": "affected",
"version": "84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9",
"versionType": "git"
},
{
"lessThan": "ff02be05f78399c766be68ab0b2285ff90b2aaa8",
"status": "affected",
"version": "84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()\n\nWith older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER\nfor FW trace data type that has not been initialized. This will result\nin a crash in bnxt_bs_trace_type_wrap(). Add a guard to check for a\nvalid magic_byte pointer before proceeding."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:43:23.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/689ae5ba31293eebb7f21c0ef8939468ac72b5ce"
},
{
"url": "https://git.kernel.org/stable/c/ff02be05f78399c766be68ab0b2285ff90b2aaa8"
}
],
"title": "bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68197",
"datePublished": "2025-12-16T13:43:23.269Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2025-12-16T13:43:23.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68362 (GCVE-0-2025-68362)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
The rtl8187_rx_cb() calculates the rx descriptor header address
by subtracting its size from the skb tail pointer.
However, it does not validate if the received packet
(skb->len from urb->actual_length) is large enough to contain this
header.
If a truncated packet is received, this will lead to a buffer
underflow, reading memory before the start of the skb data area,
and causing a kernel panic.
Add length checks for both rtl8187 and rtl8187b descriptor headers
before attempting to access them, dropping the packet cleanly if the
check fails.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 118e12bf3e4288cf845cd3759bd9d4c99f91aab5
(git)
Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 6a96bd0d94305fd04a6ac64446ec113bae289384 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < e2f3ea15e804607e0a4a34a2f6c331c8750b68bc (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < dc153401fb26c1640a2b279c47b65e1c416af276 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 4758770a673c60d8f615809304d72e1432fa6355 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 638d4148e166d114a4cd7becaae992ce1a815ed8 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15 (git) Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < b647d2574e4583c2e3b0ab35568f60c88e910840 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "118e12bf3e4288cf845cd3759bd9d4c99f91aab5",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "6a96bd0d94305fd04a6ac64446ec113bae289384",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "e2f3ea15e804607e0a4a34a2f6c331c8750b68bc",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "dc153401fb26c1640a2b279c47b65e1c416af276",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "4758770a673c60d8f615809304d72e1432fa6355",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "638d4148e166d114a4cd7becaae992ce1a815ed8",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
},
{
"lessThan": "b647d2574e4583c2e3b0ab35568f60c88e910840",
"status": "affected",
"version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()\n\nThe rtl8187_rx_cb() calculates the rx descriptor header address\nby subtracting its size from the skb tail pointer.\nHowever, it does not validate if the received packet\n(skb-\u003elen from urb-\u003eactual_length) is large enough to contain this\nheader.\n\nIf a truncated packet is received, this will lead to a buffer\nunderflow, reading memory before the start of the skb data area,\nand causing a kernel panic.\n\nAdd length checks for both rtl8187 and rtl8187b descriptor headers\nbefore attempting to access them, dropping the packet cleanly if the\ncheck fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:28.472Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/118e12bf3e4288cf845cd3759bd9d4c99f91aab5"
},
{
"url": "https://git.kernel.org/stable/c/6a96bd0d94305fd04a6ac64446ec113bae289384"
},
{
"url": "https://git.kernel.org/stable/c/e2f3ea15e804607e0a4a34a2f6c331c8750b68bc"
},
{
"url": "https://git.kernel.org/stable/c/dc153401fb26c1640a2b279c47b65e1c416af276"
},
{
"url": "https://git.kernel.org/stable/c/4758770a673c60d8f615809304d72e1432fa6355"
},
{
"url": "https://git.kernel.org/stable/c/638d4148e166d114a4cd7becaae992ce1a815ed8"
},
{
"url": "https://git.kernel.org/stable/c/5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15"
},
{
"url": "https://git.kernel.org/stable/c/b647d2574e4583c2e3b0ab35568f60c88e910840"
}
],
"title": "wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68362",
"datePublished": "2025-12-24T10:32:50.492Z",
"dateReserved": "2025-12-16T14:48:05.307Z",
"dateUpdated": "2026-01-19T12:18:28.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40053 (GCVE-0-2025-40053)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:17
VLAI?
EPSS
Title
net: dlink: handle copy_thresh allocation failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dlink: handle copy_thresh allocation failure
The driver did not handle failure of `netdev_alloc_skb_ip_align()`.
If the allocation failed, dereferencing `skb->protocol` could lead to
a NULL pointer dereference.
This patch tries to allocate `skb`. If the allocation fails, it falls
back to the normal path.
Tested-on: D-Link DGE-550T Rev-A3
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 84fd710a704f3d53d4120e452e86cea558cf73a8
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5aa9b885602811a026a3f45c92ea2b4b04c54f09 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9d49e4b14609e1a20d931e718962c4b6b5485174 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ea87151df398d407a632c7bf63013290f01c5009 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7ed5010fef0930f4322d620052edc854ef3ec41f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fd7b6b2c920d7fd370a612be416a904d6e1ebe55 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8169a6011c5fecc6cb1c3654c541c567d3318de8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/dlink/dl2k.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "84fd710a704f3d53d4120e452e86cea558cf73a8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5aa9b885602811a026a3f45c92ea2b4b04c54f09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9d49e4b14609e1a20d931e718962c4b6b5485174",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ea87151df398d407a632c7bf63013290f01c5009",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7ed5010fef0930f4322d620052edc854ef3ec41f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fd7b6b2c920d7fd370a612be416a904d6e1ebe55",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8169a6011c5fecc6cb1c3654c541c567d3318de8",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/dlink/dl2k.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dlink: handle copy_thresh allocation failure\n\nThe driver did not handle failure of `netdev_alloc_skb_ip_align()`.\nIf the allocation failed, dereferencing `skb-\u003eprotocol` could lead to\na NULL pointer dereference.\n\nThis patch tries to allocate `skb`. If the allocation fails, it falls\nback to the normal path.\n\nTested-on: D-Link DGE-550T Rev-A3"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:17:00.436Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/84fd710a704f3d53d4120e452e86cea558cf73a8"
},
{
"url": "https://git.kernel.org/stable/c/5aa9b885602811a026a3f45c92ea2b4b04c54f09"
},
{
"url": "https://git.kernel.org/stable/c/9d49e4b14609e1a20d931e718962c4b6b5485174"
},
{
"url": "https://git.kernel.org/stable/c/ea87151df398d407a632c7bf63013290f01c5009"
},
{
"url": "https://git.kernel.org/stable/c/7ed5010fef0930f4322d620052edc854ef3ec41f"
},
{
"url": "https://git.kernel.org/stable/c/fd7b6b2c920d7fd370a612be416a904d6e1ebe55"
},
{
"url": "https://git.kernel.org/stable/c/8169a6011c5fecc6cb1c3654c541c567d3318de8"
}
],
"title": "net: dlink: handle copy_thresh allocation failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40053",
"datePublished": "2025-10-28T11:48:28.444Z",
"dateReserved": "2025-04-16T07:20:57.157Z",
"dateUpdated": "2025-12-01T06:17:00.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54049 (GCVE-0-2023-54049)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
rpmsg: glink: Add check for kstrdup
Summary
In the Linux kernel, the following vulnerability has been resolved:
rpmsg: glink: Add check for kstrdup
Add check for the return value of kstrdup() and return the error
if it fails in order to avoid NULL pointer dereference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b4f8e52b89f69f5563ac4cb9ffdacc4418917af1 , < 5197498c902502127a47abda5359dd7f1d41946f
(git)
Affected: b4f8e52b89f69f5563ac4cb9ffdacc4418917af1 , < 13928a837e0f014dac0322dd9f8a67c486e7f232 (git) Affected: b4f8e52b89f69f5563ac4cb9ffdacc4418917af1 , < efa7f31669f04084ed5996ed467ba529f4c90467 (git) Affected: b4f8e52b89f69f5563ac4cb9ffdacc4418917af1 , < 71ac2ffd7f80fdd350486f6645dc48456e55a59b (git) Affected: b4f8e52b89f69f5563ac4cb9ffdacc4418917af1 , < abd740db896b3c588dced175af98b95852c1854b (git) Affected: b4f8e52b89f69f5563ac4cb9ffdacc4418917af1 , < cae0787e408c30a575760a531ccb69a6b48bbfaf (git) Affected: b4f8e52b89f69f5563ac4cb9ffdacc4418917af1 , < 174cf8853857c190a3c4f1f1d2d06cfd095fe859 (git) Affected: b4f8e52b89f69f5563ac4cb9ffdacc4418917af1 , < e3734a9558afac91df3c655a6f2376b9d14933b7 (git) Affected: b4f8e52b89f69f5563ac4cb9ffdacc4418917af1 , < b5c9ee8296a3760760c7b5d2e305f91412adc795 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/rpmsg/qcom_glink_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5197498c902502127a47abda5359dd7f1d41946f",
"status": "affected",
"version": "b4f8e52b89f69f5563ac4cb9ffdacc4418917af1",
"versionType": "git"
},
{
"lessThan": "13928a837e0f014dac0322dd9f8a67c486e7f232",
"status": "affected",
"version": "b4f8e52b89f69f5563ac4cb9ffdacc4418917af1",
"versionType": "git"
},
{
"lessThan": "efa7f31669f04084ed5996ed467ba529f4c90467",
"status": "affected",
"version": "b4f8e52b89f69f5563ac4cb9ffdacc4418917af1",
"versionType": "git"
},
{
"lessThan": "71ac2ffd7f80fdd350486f6645dc48456e55a59b",
"status": "affected",
"version": "b4f8e52b89f69f5563ac4cb9ffdacc4418917af1",
"versionType": "git"
},
{
"lessThan": "abd740db896b3c588dced175af98b95852c1854b",
"status": "affected",
"version": "b4f8e52b89f69f5563ac4cb9ffdacc4418917af1",
"versionType": "git"
},
{
"lessThan": "cae0787e408c30a575760a531ccb69a6b48bbfaf",
"status": "affected",
"version": "b4f8e52b89f69f5563ac4cb9ffdacc4418917af1",
"versionType": "git"
},
{
"lessThan": "174cf8853857c190a3c4f1f1d2d06cfd095fe859",
"status": "affected",
"version": "b4f8e52b89f69f5563ac4cb9ffdacc4418917af1",
"versionType": "git"
},
{
"lessThan": "e3734a9558afac91df3c655a6f2376b9d14933b7",
"status": "affected",
"version": "b4f8e52b89f69f5563ac4cb9ffdacc4418917af1",
"versionType": "git"
},
{
"lessThan": "b5c9ee8296a3760760c7b5d2e305f91412adc795",
"status": "affected",
"version": "b4f8e52b89f69f5563ac4cb9ffdacc4418917af1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/rpmsg/qcom_glink_native.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpmsg: glink: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:59.585Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5197498c902502127a47abda5359dd7f1d41946f"
},
{
"url": "https://git.kernel.org/stable/c/13928a837e0f014dac0322dd9f8a67c486e7f232"
},
{
"url": "https://git.kernel.org/stable/c/efa7f31669f04084ed5996ed467ba529f4c90467"
},
{
"url": "https://git.kernel.org/stable/c/71ac2ffd7f80fdd350486f6645dc48456e55a59b"
},
{
"url": "https://git.kernel.org/stable/c/abd740db896b3c588dced175af98b95852c1854b"
},
{
"url": "https://git.kernel.org/stable/c/cae0787e408c30a575760a531ccb69a6b48bbfaf"
},
{
"url": "https://git.kernel.org/stable/c/174cf8853857c190a3c4f1f1d2d06cfd095fe859"
},
{
"url": "https://git.kernel.org/stable/c/e3734a9558afac91df3c655a6f2376b9d14933b7"
},
{
"url": "https://git.kernel.org/stable/c/b5c9ee8296a3760760c7b5d2e305f91412adc795"
}
],
"title": "rpmsg: glink: Add check for kstrdup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54049",
"datePublished": "2025-12-24T12:22:59.585Z",
"dateReserved": "2025-12-24T12:21:05.090Z",
"dateUpdated": "2025-12-24T12:22:59.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54204 (GCVE-0-2023-54204)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
mmc: sunplus: fix return value check of mmc_add_host()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: sunplus: fix return value check of mmc_add_host()
mmc_add_host() may return error, if we ignore its return value,
1. the memory allocated in mmc_alloc_host() will be leaked
2. null-ptr-deref will happen when calling mmc_remove_host()
in remove function spmmc_drv_remove() because deleting not
added device.
Fix this by checking the return value of mmc_add_host(). Moreover,
I fixed the error handling path of spmmc_drv_probe() to clean up.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/sunplus-mmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "741a951f41929f39cae70c66d86d0754d3129d0a",
"status": "affected",
"version": "4e268fed8b1861616af28f9cfb4eed8ca5d7af6c",
"versionType": "git"
},
{
"lessThan": "dce6d8f985fa1ef5c2af47f4f86ea65511b78656",
"status": "affected",
"version": "4e268fed8b1861616af28f9cfb4eed8ca5d7af6c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/sunplus-mmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: sunplus: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value,\n1. the memory allocated in mmc_alloc_host() will be leaked\n2. null-ptr-deref will happen when calling mmc_remove_host()\nin remove function spmmc_drv_remove() because deleting not\nadded device.\n\nFix this by checking the return value of mmc_add_host(). Moreover,\nI fixed the error handling path of spmmc_drv_probe() to clean up."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:04.622Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/741a951f41929f39cae70c66d86d0754d3129d0a"
},
{
"url": "https://git.kernel.org/stable/c/dce6d8f985fa1ef5c2af47f4f86ea65511b78656"
}
],
"title": "mmc: sunplus: fix return value check of mmc_add_host()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54204",
"datePublished": "2025-12-30T12:11:04.622Z",
"dateReserved": "2025-12-30T12:06:44.499Z",
"dateUpdated": "2025-12-30T12:11:04.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40310 (GCVE-0-2025-40310)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-26 16:17
VLAI?
EPSS
Title
amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw
Summary
In the Linux kernel, the following vulnerability has been resolved:
amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw
There is race in amdgpu_amdkfd_device_fini_sw and interrupt.
if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and
kfree(kfd), and KGD interrupt generated.
kernel panic log:
BUG: kernel NULL pointer dereference, address: 0000000000000098
amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP
PGD d78c68067 P4D d78c68067
kfd kfd: amdgpu: Allocated 3969056 bytes on gart
PUD 1465b8067 PMD @
Oops: @002 [#1] SMP NOPTI
kfd kfd: amdgpu: Total number of KFD nodes to be created: 4
CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K
RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40
Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc
89 c6 e8 07 38 5d
RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018
0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098
ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020
0000000000000000 R11: 0000000000000000 R12: 0900000000000002
ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00
CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033
CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0
0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<IRQ>
kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]
? amdgpu_fence_process+0xa4/0x150 [amdgpu]
kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace
amdgpu_irq_dispatch+0x165/0x210 [amdgpu]
amdgpu_ih_process+0x80/0x100 [amdgpu]
amdgpu: Virtual CRAT table created for GPU
amdgpu_irq_handler+0x1f/@x60 [amdgpu]
__handle_irq_event_percpu+0x3d/0x170
amdgpu: Topology: Add dGPU node [0x74a2:0x1002]
handle_irq_event+0x5a/@xcO
handle_edge_irq+0x93/0x240
kfd kfd: amdgpu: KFD node 1 partition @ size 49148M
asm_call_irq_on_stack+0xf/@x20
</IRQ>
common_interrupt+0xb3/0x130
asm_common_interrupt+0x1le/0x40
5.10.134-010.a1i5000.a18.x86_64 #1
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
74c5b85da75475c73a8f040397610fbfcc2c3e78 , < 93f8d67ef8b50334a26129df4da5a4cb60ad4090
(git)
Affected: 74c5b85da75475c73a8f040397610fbfcc2c3e78 , < bc9e789053abe463f8cf74eee5fc2f157c11a79f (git) Affected: 74c5b85da75475c73a8f040397610fbfcc2c3e78 , < 2f89a2d15550b653caaeeab7ab68c4d7583fd4fe (git) Affected: 74c5b85da75475c73a8f040397610fbfcc2c3e78 , < 99d7181bca34e96fbf61bdb6844918bdd4df2814 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "93f8d67ef8b50334a26129df4da5a4cb60ad4090",
"status": "affected",
"version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
"versionType": "git"
},
{
"lessThan": "bc9e789053abe463f8cf74eee5fc2f157c11a79f",
"status": "affected",
"version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
"versionType": "git"
},
{
"lessThan": "2f89a2d15550b653caaeeab7ab68c4d7583fd4fe",
"status": "affected",
"version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
"versionType": "git"
},
{
"lessThan": "99d7181bca34e96fbf61bdb6844918bdd4df2814",
"status": "affected",
"version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw\n\nThere is race in amdgpu_amdkfd_device_fini_sw and interrupt.\nif amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and\n kfree(kfd), and KGD interrupt generated.\n\nkernel panic log:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000098\namdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP\n\nPGD d78c68067 P4D d78c68067\n\nkfd kfd: amdgpu: Allocated 3969056 bytes on gart\n\nPUD 1465b8067 PMD @\n\nOops: @002 [#1] SMP NOPTI\n\nkfd kfd: amdgpu: Total number of KFD nodes to be created: 4\nCPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K\n\nRIP: 0010:_raw_spin_lock_irqsave+0x12/0x40\n\nCode: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 \u003cfO\u003e OF b1 17 75 Ba 4c 89 e@ 41 Sc\n\n89 c6 e8 07 38 5d\n\nRSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046\n\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018\n0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098\nffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020\n0000000000000000 R11: 0000000000000000 R12: 0900000000000002\nffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00\n\nCS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033\n\nCR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0\n0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400\n\nPKRU: 55555554\n\nCall Trace:\n\n\u003cIRQ\u003e\n\nkgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]\n\n? amdgpu_fence_process+0xa4/0x150 [amdgpu]\n\nkfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace\n\namdgpu_irq_dispatch+0x165/0x210 [amdgpu]\n\namdgpu_ih_process+0x80/0x100 [amdgpu]\n\namdgpu: Virtual CRAT table created for GPU\n\namdgpu_irq_handler+0x1f/@x60 [amdgpu]\n\n__handle_irq_event_percpu+0x3d/0x170\n\namdgpu: Topology: Add dGPU node [0x74a2:0x1002]\n\nhandle_irq_event+0x5a/@xcO\n\nhandle_edge_irq+0x93/0x240\n\nkfd kfd: amdgpu: KFD node 1 partition @ size 49148M\n\nasm_call_irq_on_stack+0xf/@x20\n\n\u003c/IRQ\u003e\n\ncommon_interrupt+0xb3/0x130\n\nasm_common_interrupt+0x1le/0x40\n\n5.10.134-010.a1i5000.a18.x86_64 #1"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:17:48.005Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/93f8d67ef8b50334a26129df4da5a4cb60ad4090"
},
{
"url": "https://git.kernel.org/stable/c/bc9e789053abe463f8cf74eee5fc2f157c11a79f"
},
{
"url": "https://git.kernel.org/stable/c/2f89a2d15550b653caaeeab7ab68c4d7583fd4fe"
},
{
"url": "https://git.kernel.org/stable/c/99d7181bca34e96fbf61bdb6844918bdd4df2814"
}
],
"title": "amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40310",
"datePublished": "2025-12-08T00:46:35.862Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-26T16:17:48.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40311 (GCVE-0-2025-40311)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
accel/habanalabs: support mapping cb with vmalloc-backed coherent memory
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/habanalabs: support mapping cb with vmalloc-backed coherent memory
When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return
addresses from the vmalloc range. If such an address is mapped without
VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the
VM_PFNMAP restriction.
Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP
in the VMA before mapping. This ensures safe mapping and avoids kernel
crashes. The memory is still driver-allocated and cannot be accessed
directly by userspace.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < 7ec8ac9f73d4a9438c2186768d6de27ace37531e
(git)
Affected: ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < d1dfe21a332d38a6a09658ec29a55940afb5fe36 (git) Affected: ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < 73c7c2cdb442fc4160d2a2a4bfffbd162af06cb9 (git) Affected: ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < 513024d5a0e34fd34247043f1876b6138ca52847 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/habanalabs/gaudi/gaudi.c",
"drivers/accel/habanalabs/gaudi2/gaudi2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ec8ac9f73d4a9438c2186768d6de27ace37531e",
"status": "affected",
"version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
"versionType": "git"
},
{
"lessThan": "d1dfe21a332d38a6a09658ec29a55940afb5fe36",
"status": "affected",
"version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
"versionType": "git"
},
{
"lessThan": "73c7c2cdb442fc4160d2a2a4bfffbd162af06cb9",
"status": "affected",
"version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
"versionType": "git"
},
{
"lessThan": "513024d5a0e34fd34247043f1876b6138ca52847",
"status": "affected",
"version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/habanalabs/gaudi/gaudi.c",
"drivers/accel/habanalabs/gaudi2/gaudi2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/habanalabs: support mapping cb with vmalloc-backed coherent memory\n\nWhen IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return\naddresses from the vmalloc range. If such an address is mapped without\nVM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the\nVM_PFNMAP restriction.\n\nFix this by checking for vmalloc addresses and setting VM_MIXEDMAP\nin the VMA before mapping. This ensures safe mapping and avoids kernel\ncrashes. The memory is still driver-allocated and cannot be accessed\ndirectly by userspace."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:00.934Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ec8ac9f73d4a9438c2186768d6de27ace37531e"
},
{
"url": "https://git.kernel.org/stable/c/d1dfe21a332d38a6a09658ec29a55940afb5fe36"
},
{
"url": "https://git.kernel.org/stable/c/73c7c2cdb442fc4160d2a2a4bfffbd162af06cb9"
},
{
"url": "https://git.kernel.org/stable/c/513024d5a0e34fd34247043f1876b6138ca52847"
}
],
"title": "accel/habanalabs: support mapping cb with vmalloc-backed coherent memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40311",
"datePublished": "2025-12-08T00:46:36.903Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:52:00.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50644 (GCVE-0-2022-50644)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
pm_runtime_get_sync() will increment pm usage counter.
Forgetting to putting operation will result in reference leak.
Add missing pm_runtime_put_sync in some error paths.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 27abe45df1dc394c184688d816cbbf2f194d4c6a
(git)
Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < d84f77ef7d57658d7346f8c4797a570aa5e35fa6 (git) Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 25fe7b0d596b343e7a5504ba11767115fff8494f (git) Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < fc39ebf85d0349366b807fe2be848041c8523f03 (git) Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 6d01017247eee3fba399f601b0bcb38e4fb88a72 (git) Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 3441076f83aace85f5d6ccd9ffb301ac6b874776 (git) Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < a9f69663ad571cbd7814dde38e3fcb4876341ed6 (git) Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < c01ae99a4e3a0cdf70f7cd758a60a2243eac562c (git) Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 9c59a01caba26ec06fefd6ca1f22d5fd1de57d63 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/ti/clk-dra7-atl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "27abe45df1dc394c184688d816cbbf2f194d4c6a",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "d84f77ef7d57658d7346f8c4797a570aa5e35fa6",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "25fe7b0d596b343e7a5504ba11767115fff8494f",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "fc39ebf85d0349366b807fe2be848041c8523f03",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "6d01017247eee3fba399f601b0bcb38e4fb88a72",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "3441076f83aace85f5d6ccd9ffb301ac6b874776",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "a9f69663ad571cbd7814dde38e3fcb4876341ed6",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "c01ae99a4e3a0cdf70f7cd758a60a2243eac562c",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
},
{
"lessThan": "9c59a01caba26ec06fefd6ca1f22d5fd1de57d63",
"status": "affected",
"version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/ti/clk-dra7-atl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe\n\npm_runtime_get_sync() will increment pm usage counter.\nForgetting to putting operation will result in reference leak.\nAdd missing pm_runtime_put_sync in some error paths."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:18.729Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/27abe45df1dc394c184688d816cbbf2f194d4c6a"
},
{
"url": "https://git.kernel.org/stable/c/d84f77ef7d57658d7346f8c4797a570aa5e35fa6"
},
{
"url": "https://git.kernel.org/stable/c/25fe7b0d596b343e7a5504ba11767115fff8494f"
},
{
"url": "https://git.kernel.org/stable/c/fc39ebf85d0349366b807fe2be848041c8523f03"
},
{
"url": "https://git.kernel.org/stable/c/6d01017247eee3fba399f601b0bcb38e4fb88a72"
},
{
"url": "https://git.kernel.org/stable/c/3441076f83aace85f5d6ccd9ffb301ac6b874776"
},
{
"url": "https://git.kernel.org/stable/c/a9f69663ad571cbd7814dde38e3fcb4876341ed6"
},
{
"url": "https://git.kernel.org/stable/c/c01ae99a4e3a0cdf70f7cd758a60a2243eac562c"
},
{
"url": "https://git.kernel.org/stable/c/9c59a01caba26ec06fefd6ca1f22d5fd1de57d63"
}
],
"title": "clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50644",
"datePublished": "2025-12-09T00:00:18.729Z",
"dateReserved": "2025-12-08T23:57:43.371Z",
"dateUpdated": "2025-12-09T00:00:18.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53849 (GCVE-0-2023-53849)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
drm/msm: fix workqueue leak on bind errors
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: fix workqueue leak on bind errors
Make sure to destroy the workqueue also in case of early errors during
bind (e.g. a subcomponent failing to bind).
Since commit c3b790ea07a1 ("drm: Manage drm_mode_config_init with
drmm_") the mode config will be freed when the drm device is released
also when using the legacy interface, but add an explicit cleanup for
consistency and to facilitate backporting.
Patchwork: https://patchwork.freedesktop.org/patch/525093/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
060530f1ea6740eb767085008d183f89ccdd289c , < 6e1476225ec02eeebc4b79f793506f80bc4bca8f
(git)
Affected: 060530f1ea6740eb767085008d183f89ccdd289c , < 28e34db2f3e0130872e2384dd9df9f82bd89e967 (git) Affected: 060530f1ea6740eb767085008d183f89ccdd289c , < 8551c4b7c8ffb42f759547e5c39da5980abf2432 (git) Affected: 060530f1ea6740eb767085008d183f89ccdd289c , < a75b49db6529b2af049eafd938fae888451c3685 (git) Affected: 3e796097404e325fa8d4f48a2af61f2e01e3ef02 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e1476225ec02eeebc4b79f793506f80bc4bca8f",
"status": "affected",
"version": "060530f1ea6740eb767085008d183f89ccdd289c",
"versionType": "git"
},
{
"lessThan": "28e34db2f3e0130872e2384dd9df9f82bd89e967",
"status": "affected",
"version": "060530f1ea6740eb767085008d183f89ccdd289c",
"versionType": "git"
},
{
"lessThan": "8551c4b7c8ffb42f759547e5c39da5980abf2432",
"status": "affected",
"version": "060530f1ea6740eb767085008d183f89ccdd289c",
"versionType": "git"
},
{
"lessThan": "a75b49db6529b2af049eafd938fae888451c3685",
"status": "affected",
"version": "060530f1ea6740eb767085008d183f89ccdd289c",
"versionType": "git"
},
{
"status": "affected",
"version": "3e796097404e325fa8d4f48a2af61f2e01e3ef02",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.29",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.16",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.3",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.41",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: fix workqueue leak on bind errors\n\nMake sure to destroy the workqueue also in case of early errors during\nbind (e.g. a subcomponent failing to bind).\n\nSince commit c3b790ea07a1 (\"drm: Manage drm_mode_config_init with\ndrmm_\") the mode config will be freed when the drm device is released\nalso when using the legacy interface, but add an explicit cleanup for\nconsistency and to facilitate backporting.\n\nPatchwork: https://patchwork.freedesktop.org/patch/525093/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:13.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e1476225ec02eeebc4b79f793506f80bc4bca8f"
},
{
"url": "https://git.kernel.org/stable/c/28e34db2f3e0130872e2384dd9df9f82bd89e967"
},
{
"url": "https://git.kernel.org/stable/c/8551c4b7c8ffb42f759547e5c39da5980abf2432"
},
{
"url": "https://git.kernel.org/stable/c/a75b49db6529b2af049eafd938fae888451c3685"
}
],
"title": "drm/msm: fix workqueue leak on bind errors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53849",
"datePublished": "2025-12-09T01:30:13.402Z",
"dateReserved": "2025-12-09T01:27:17.827Z",
"dateUpdated": "2025-12-09T01:30:13.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40351 (GCVE-0-2025-40351)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
The syzbot reported issue in hfsplus_delete_cat():
[ 70.682285][ T9333] =====================================================
[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0
[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310
[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810
[ 70.685447][ T9333] do_rmdir+0x964/0xea0
[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0
[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0
[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.687646][ T9333]
[ 70.687856][ T9333] Uninit was stored to memory at:
[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800
[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600
[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70
[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0
[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30
[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0
[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0
[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.692773][ T9333]
[ 70.692990][ T9333] Uninit was stored to memory at:
[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800
[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700
[ 70.694911][ T9333] mount_bdev+0x37b/0x530
[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60
[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0
[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0
[ 70.696588][ T9333] do_new_mount+0x73e/0x1630
[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0
[ 70.697425][ T9333] __se_sys_mount+0x733/0x830
[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150
[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0
[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.699730][ T9333]
[ 70.699946][ T9333] Uninit was created at:
[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60
[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0
[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0
[ 70.701774][ T9333] allocate_slab+0x30e/0x1390
[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0
[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20
[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0
[ 70.703598][ T9333] alloc_inode+0x82/0x490
[ 70.703984][ T9333] iget_locked+0x22e/0x1320
[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0
[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0
[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700
[ 70.705776][ T9333] mount_bdev+0x37b/0x530
[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60
[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0
[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0
[ 70.707444][ T9333] do_new_mount+0x73e/0x1630
[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0
[ 70.708270][ T9333] __se_sys_mount+0x733/0x830
[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150
[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0
[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0
[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.710611][ T9333]
[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.712490][ T9333] =====================================================
[ 70.713085][ T9333] Disabling lock debugging due to kernel taint
[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
[ 70.714159][ T9333]
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d7d673a591701f131e53d4fd4e2b9352f1316642 , < a2bee43b451615531ae6f3cf45054f02915ef885
(git)
Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < b07630afe1671096dc64064190cae3b6165cf6e4 (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 9df3c241fbf69edce968b20eeeeb3f6da34af041 (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 1b9e5ade272f8be6421c9eea4c4f6810180017f9 (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 2bb8bc99b1a7a46d83f95c46f530305f6df84eaf (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 295527bfdefd5bf31ec8218e2891a65777141d05 (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 4891bf2b09c313622a6e07d7f108aa5e123c768d (git) Affected: d7d673a591701f131e53d4fd4e2b9352f1316642 , < 9b3d15a758910bb98ba8feb4109d99cc67450ee4 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2bee43b451615531ae6f3cf45054f02915ef885",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "b07630afe1671096dc64064190cae3b6165cf6e4",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "9df3c241fbf69edce968b20eeeeb3f6da34af041",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "1b9e5ade272f8be6421c9eea4c4f6810180017f9",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "2bb8bc99b1a7a46d83f95c46f530305f6df84eaf",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "295527bfdefd5bf31ec8218e2891a65777141d05",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "4891bf2b09c313622a6e07d7f108aa5e123c768d",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
},
{
"lessThan": "9b3d15a758910bb98ba8feb4109d99cc67450ee4",
"status": "affected",
"version": "d7d673a591701f131e53d4fd4e2b9352f1316642",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()\n\nThe syzbot reported issue in hfsplus_delete_cat():\n\n[ 70.682285][ T9333] =====================================================\n[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220\n[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220\n[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0\n[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310\n[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810\n[ 70.685447][ T9333] do_rmdir+0x964/0xea0\n[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0\n[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0\n[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.687646][ T9333]\n[ 70.687856][ T9333] Uninit was stored to memory at:\n[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0\n[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800\n[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600\n[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70\n[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0\n[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30\n[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0\n[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0\n[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.692773][ T9333]\n[ 70.692990][ T9333] Uninit was stored to memory at:\n[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0\n[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800\n[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700\n[ 70.694911][ T9333] mount_bdev+0x37b/0x530\n[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60\n[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0\n[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0\n[ 70.696588][ T9333] do_new_mount+0x73e/0x1630\n[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0\n[ 70.697425][ T9333] __se_sys_mount+0x733/0x830\n[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150\n[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0\n[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.699730][ T9333]\n[ 70.699946][ T9333] Uninit was created at:\n[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60\n[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0\n[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0\n[ 70.701774][ T9333] allocate_slab+0x30e/0x1390\n[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0\n[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20\n[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0\n[ 70.703598][ T9333] alloc_inode+0x82/0x490\n[ 70.703984][ T9333] iget_locked+0x22e/0x1320\n[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0\n[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0\n[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700\n[ 70.705776][ T9333] mount_bdev+0x37b/0x530\n[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60\n[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0\n[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0\n[ 70.707444][ T9333] do_new_mount+0x73e/0x1630\n[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0\n[ 70.708270][ T9333] __se_sys_mount+0x733/0x830\n[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150\n[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0\n[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0\n[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 70.710611][ T9333]\n[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17\n[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 70.712490][ T9333] =====================================================\n[ 70.713085][ T9333] Disabling lock debugging due to kernel taint\n[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...\n[ 70.714159][ T9333] \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:46.209Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2bee43b451615531ae6f3cf45054f02915ef885"
},
{
"url": "https://git.kernel.org/stable/c/b07630afe1671096dc64064190cae3b6165cf6e4"
},
{
"url": "https://git.kernel.org/stable/c/9df3c241fbf69edce968b20eeeeb3f6da34af041"
},
{
"url": "https://git.kernel.org/stable/c/1b9e5ade272f8be6421c9eea4c4f6810180017f9"
},
{
"url": "https://git.kernel.org/stable/c/2bb8bc99b1a7a46d83f95c46f530305f6df84eaf"
},
{
"url": "https://git.kernel.org/stable/c/295527bfdefd5bf31ec8218e2891a65777141d05"
},
{
"url": "https://git.kernel.org/stable/c/4891bf2b09c313622a6e07d7f108aa5e123c768d"
},
{
"url": "https://git.kernel.org/stable/c/9b3d15a758910bb98ba8feb4109d99cc67450ee4"
}
],
"title": "hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40351",
"datePublished": "2025-12-16T13:30:24.764Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:46.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50779 (GCVE-0-2022-50779)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
Summary
In the Linux kernel, the following vulnerability has been resolved:
orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
When insert and remove the orangefs module, then debug_help_string will
be leaked:
unreferenced object 0xffff8881652ba000 (size 4096):
comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s)
hex dump (first 32 bytes):
43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key
77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow
backtrace:
[<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0
[<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs]
[<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t]
[<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0
[<000000001d0614ae>] do_init_module+0xdf/0x320
[<00000000efef068c>] load_module+0x2f98/0x3330
[<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0
[<00000000a0da6f99>] do_syscall_64+0x35/0x80
[<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
When remove the module, should always free debug_help_string. Should
always free the allocated buffer when change the free_debug_help_string.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dc0336214eb07ee9de2a41dd4c81c744ffa419ac , < 44d3eac26a5e5268d11cc342dc202b0d31505c0a
(git)
Affected: dc0336214eb07ee9de2a41dd4c81c744ffa419ac , < f2b8a6aac561a49fe02c99683c40a8b87a9f68fc (git) Affected: dc0336214eb07ee9de2a41dd4c81c744ffa419ac , < ba9d3b9cec20957fd86bb1bf525b4ea8b64b2dea (git) Affected: dc0336214eb07ee9de2a41dd4c81c744ffa419ac , < 2e7c09121064df93c58bbc49d3d0f608d3f584bd (git) Affected: dc0336214eb07ee9de2a41dd4c81c744ffa419ac , < b8affa0c6405ee968dcb6030bee2cf719a464752 (git) Affected: dc0336214eb07ee9de2a41dd4c81c744ffa419ac , < 39529b79b023713d4f2d3479dc0ca43ba99df726 (git) Affected: dc0336214eb07ee9de2a41dd4c81c744ffa419ac , < 3fc221d9a16339a913a0341d3efc7fef339073e1 (git) Affected: dc0336214eb07ee9de2a41dd4c81c744ffa419ac , < 19be31668552a198e887762e25bdcc560800ecb4 (git) Affected: dc0336214eb07ee9de2a41dd4c81c744ffa419ac , < d23417a5bf3a3afc55de5442eb46e1e60458b0a1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/orangefs/orangefs-debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "44d3eac26a5e5268d11cc342dc202b0d31505c0a",
"status": "affected",
"version": "dc0336214eb07ee9de2a41dd4c81c744ffa419ac",
"versionType": "git"
},
{
"lessThan": "f2b8a6aac561a49fe02c99683c40a8b87a9f68fc",
"status": "affected",
"version": "dc0336214eb07ee9de2a41dd4c81c744ffa419ac",
"versionType": "git"
},
{
"lessThan": "ba9d3b9cec20957fd86bb1bf525b4ea8b64b2dea",
"status": "affected",
"version": "dc0336214eb07ee9de2a41dd4c81c744ffa419ac",
"versionType": "git"
},
{
"lessThan": "2e7c09121064df93c58bbc49d3d0f608d3f584bd",
"status": "affected",
"version": "dc0336214eb07ee9de2a41dd4c81c744ffa419ac",
"versionType": "git"
},
{
"lessThan": "b8affa0c6405ee968dcb6030bee2cf719a464752",
"status": "affected",
"version": "dc0336214eb07ee9de2a41dd4c81c744ffa419ac",
"versionType": "git"
},
{
"lessThan": "39529b79b023713d4f2d3479dc0ca43ba99df726",
"status": "affected",
"version": "dc0336214eb07ee9de2a41dd4c81c744ffa419ac",
"versionType": "git"
},
{
"lessThan": "3fc221d9a16339a913a0341d3efc7fef339073e1",
"status": "affected",
"version": "dc0336214eb07ee9de2a41dd4c81c744ffa419ac",
"versionType": "git"
},
{
"lessThan": "19be31668552a198e887762e25bdcc560800ecb4",
"status": "affected",
"version": "dc0336214eb07ee9de2a41dd4c81c744ffa419ac",
"versionType": "git"
},
{
"lessThan": "d23417a5bf3a3afc55de5442eb46e1e60458b0a1",
"status": "affected",
"version": "dc0336214eb07ee9de2a41dd4c81c744ffa419ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/orangefs/orangefs-debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\norangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()\n\nWhen insert and remove the orangefs module, then debug_help_string will\nbe leaked:\n\n unreferenced object 0xffff8881652ba000 (size 4096):\n comm \"insmod\", pid 1701, jiffies 4294893639 (age 13218.530s)\n hex dump (first 32 bytes):\n 43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key\n 77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow\n backtrace:\n [\u003c0000000004e6f8e3\u003e] kmalloc_trace+0x27/0xa0\n [\u003c0000000006f75d85\u003e] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs]\n [\u003c0000000091270a2a\u003e] _sub_I_65535_1+0x57/0xf70 [crc_itu_t]\n [\u003c000000004b1ee1a3\u003e] do_one_initcall+0x87/0x2a0\n [\u003c000000001d0614ae\u003e] do_init_module+0xdf/0x320\n [\u003c00000000efef068c\u003e] load_module+0x2f98/0x3330\n [\u003c000000006533b44d\u003e] __do_sys_finit_module+0x113/0x1b0\n [\u003c00000000a0da6f99\u003e] do_syscall_64+0x35/0x80\n [\u003c000000007790b19b\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nWhen remove the module, should always free debug_help_string. Should\nalways free the allocated buffer when change the free_debug_help_string."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:42.632Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/44d3eac26a5e5268d11cc342dc202b0d31505c0a"
},
{
"url": "https://git.kernel.org/stable/c/f2b8a6aac561a49fe02c99683c40a8b87a9f68fc"
},
{
"url": "https://git.kernel.org/stable/c/ba9d3b9cec20957fd86bb1bf525b4ea8b64b2dea"
},
{
"url": "https://git.kernel.org/stable/c/2e7c09121064df93c58bbc49d3d0f608d3f584bd"
},
{
"url": "https://git.kernel.org/stable/c/b8affa0c6405ee968dcb6030bee2cf719a464752"
},
{
"url": "https://git.kernel.org/stable/c/39529b79b023713d4f2d3479dc0ca43ba99df726"
},
{
"url": "https://git.kernel.org/stable/c/3fc221d9a16339a913a0341d3efc7fef339073e1"
},
{
"url": "https://git.kernel.org/stable/c/19be31668552a198e887762e25bdcc560800ecb4"
},
{
"url": "https://git.kernel.org/stable/c/d23417a5bf3a3afc55de5442eb46e1e60458b0a1"
}
],
"title": "orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50779",
"datePublished": "2025-12-24T13:06:07.873Z",
"dateReserved": "2025-12-24T13:02:21.547Z",
"dateUpdated": "2026-01-02T15:04:42.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50761 (GCVE-0-2022-50761)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05
VLAI?
EPSS
Title
x86/xen: Fix memory leak in xen_init_lock_cpu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/xen: Fix memory leak in xen_init_lock_cpu()
In xen_init_lock_cpu(), the @name has allocated new string by kasprintf(),
if bind_ipi_to_irqhandler() fails, it should be freed, otherwise may lead
to a memory leak issue, fix it.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79 , < 9278bdbb566656b3704704f8dd6cbc24a6fcc569
(git)
Affected: 2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79 , < 07764d00c869a3390bd4f80412cc8b0e669e6c58 (git) Affected: 2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79 , < 53ff99c76be611acea37d33133c9136969914865 (git) Affected: 2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79 , < 29198f667f4486f9e227e11faf1411fcf4c82a66 (git) Affected: 2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79 , < 70e7f308d7a8e915c7fbc0f1d959968eab8000cd (git) Affected: 2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79 , < 70966d6b0f59f795b08a70adf5e4478348ecbfbb (git) Affected: 2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79 , < 798fc3cf98ca07e448956f39295c5d686ab4b054 (git) Affected: 2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79 , < b44457b83a034efef58ffa5f3131d4615f1a9837 (git) Affected: 2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79 , < ca84ce153d887b1dc8b118029976cc9faf2a9b40 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/xen/spinlock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9278bdbb566656b3704704f8dd6cbc24a6fcc569",
"status": "affected",
"version": "2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79",
"versionType": "git"
},
{
"lessThan": "07764d00c869a3390bd4f80412cc8b0e669e6c58",
"status": "affected",
"version": "2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79",
"versionType": "git"
},
{
"lessThan": "53ff99c76be611acea37d33133c9136969914865",
"status": "affected",
"version": "2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79",
"versionType": "git"
},
{
"lessThan": "29198f667f4486f9e227e11faf1411fcf4c82a66",
"status": "affected",
"version": "2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79",
"versionType": "git"
},
{
"lessThan": "70e7f308d7a8e915c7fbc0f1d959968eab8000cd",
"status": "affected",
"version": "2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79",
"versionType": "git"
},
{
"lessThan": "70966d6b0f59f795b08a70adf5e4478348ecbfbb",
"status": "affected",
"version": "2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79",
"versionType": "git"
},
{
"lessThan": "798fc3cf98ca07e448956f39295c5d686ab4b054",
"status": "affected",
"version": "2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79",
"versionType": "git"
},
{
"lessThan": "b44457b83a034efef58ffa5f3131d4615f1a9837",
"status": "affected",
"version": "2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79",
"versionType": "git"
},
{
"lessThan": "ca84ce153d887b1dc8b118029976cc9faf2a9b40",
"status": "affected",
"version": "2d9e1e2f58b5612aa4eab0ab54c84308a29dbd79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/xen/spinlock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.27"
},
{
"lessThan": "2.6.27",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/xen: Fix memory leak in xen_init_lock_cpu()\n\nIn xen_init_lock_cpu(), the @name has allocated new string by kasprintf(),\nif bind_ipi_to_irqhandler() fails, it should be freed, otherwise may lead\nto a memory leak issue, fix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:05:53.312Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9278bdbb566656b3704704f8dd6cbc24a6fcc569"
},
{
"url": "https://git.kernel.org/stable/c/07764d00c869a3390bd4f80412cc8b0e669e6c58"
},
{
"url": "https://git.kernel.org/stable/c/53ff99c76be611acea37d33133c9136969914865"
},
{
"url": "https://git.kernel.org/stable/c/29198f667f4486f9e227e11faf1411fcf4c82a66"
},
{
"url": "https://git.kernel.org/stable/c/70e7f308d7a8e915c7fbc0f1d959968eab8000cd"
},
{
"url": "https://git.kernel.org/stable/c/70966d6b0f59f795b08a70adf5e4478348ecbfbb"
},
{
"url": "https://git.kernel.org/stable/c/798fc3cf98ca07e448956f39295c5d686ab4b054"
},
{
"url": "https://git.kernel.org/stable/c/b44457b83a034efef58ffa5f3131d4615f1a9837"
},
{
"url": "https://git.kernel.org/stable/c/ca84ce153d887b1dc8b118029976cc9faf2a9b40"
}
],
"title": "x86/xen: Fix memory leak in xen_init_lock_cpu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50761",
"datePublished": "2025-12-24T13:05:53.312Z",
"dateReserved": "2025-12-24T13:02:21.545Z",
"dateUpdated": "2025-12-24T13:05:53.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54055 (GCVE-0-2023-54055)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
RDMA/irdma: Fix memory leak of PBLE objects
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/irdma: Fix memory leak of PBLE objects
On rmmod of irdma, the PBLE object memory is not being freed. PBLE object
memory are not statically pre-allocated at function initialization time
unlike other HMC objects. PBLEs objects and the Segment Descriptors (SD)
for it can be dynamically allocated during scale up and SD's remain
allocated till function deinitialization.
Fix this leak by adding IRDMA_HMC_IW_PBLE to the iw_hmc_obj_types[] table
and skip pbles in irdma_create_hmc_obj but not in irdma_del_hmc_objects().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
44d9e52977a1b90b0db1c7f8b197c218e9226520 , < 810250c9c6616fe131099c0e51c61f2110ed07bf
(git)
Affected: 44d9e52977a1b90b0db1c7f8b197c218e9226520 , < ee02fa4a71bdb95a444124e5c11eaa22f1f44738 (git) Affected: 44d9e52977a1b90b0db1c7f8b197c218e9226520 , < adf58bd4018fbcd990c62e840afd2f178eefad60 (git) Affected: 44d9e52977a1b90b0db1c7f8b197c218e9226520 , < b69a6979dbaa2453675fe9c71bdc2497fedb11f9 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "810250c9c6616fe131099c0e51c61f2110ed07bf",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
},
{
"lessThan": "ee02fa4a71bdb95a444124e5c11eaa22f1f44738",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
},
{
"lessThan": "adf58bd4018fbcd990c62e840afd2f178eefad60",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
},
{
"lessThan": "b69a6979dbaa2453675fe9c71bdc2497fedb11f9",
"status": "affected",
"version": "44d9e52977a1b90b0db1c7f8b197c218e9226520",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/irdma/hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix memory leak of PBLE objects\n\nOn rmmod of irdma, the PBLE object memory is not being freed. PBLE object\nmemory are not statically pre-allocated at function initialization time\nunlike other HMC objects. PBLEs objects and the Segment Descriptors (SD)\nfor it can be dynamically allocated during scale up and SD\u0027s remain\nallocated till function deinitialization.\n\nFix this leak by adding IRDMA_HMC_IW_PBLE to the iw_hmc_obj_types[] table\nand skip pbles in irdma_create_hmc_obj but not in irdma_del_hmc_objects()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:03.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/810250c9c6616fe131099c0e51c61f2110ed07bf"
},
{
"url": "https://git.kernel.org/stable/c/ee02fa4a71bdb95a444124e5c11eaa22f1f44738"
},
{
"url": "https://git.kernel.org/stable/c/adf58bd4018fbcd990c62e840afd2f178eefad60"
},
{
"url": "https://git.kernel.org/stable/c/b69a6979dbaa2453675fe9c71bdc2497fedb11f9"
}
],
"title": "RDMA/irdma: Fix memory leak of PBLE objects",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54055",
"datePublished": "2025-12-24T12:23:03.872Z",
"dateReserved": "2025-12-24T12:21:05.090Z",
"dateUpdated": "2025-12-24T12:23:03.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53797 (GCVE-0-2023-53797)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
HID: wacom: Use ktime_t rather than int when dealing with timestamps
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: wacom: Use ktime_t rather than int when dealing with timestamps
Code which interacts with timestamps needs to use the ktime_t type
returned by functions like ktime_get. The int type does not offer
enough space to store these values, and attempting to use it is a
recipe for problems. In this particular case, overflows would occur
when calculating/storing timestamps leading to incorrect values being
reported to userspace. In some cases these bad timestamps cause input
handling in userspace to appear hung.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f9e27d4bdb1fe257c1453d02560e3adc3e5b6023 , < 99036f1aed7e82773904f5d91a9897bb3e507fd9
(git)
Affected: 4502ebbdc0e21e44a8a706428e420ae9c1bb9bba , < 9598a647ecc8f300b0540abf9d3b3439859d163b (git) Affected: 5047a228d4c8e2b5d1b856f21a00ecf717945a9c , < 67ce7724637c6adb66f788677cb50b82615de0ac (git) Affected: fb98336e23c11e9c8c7dd5425ec71adbbef7f773 , < d89750b19681581796dfbe3689bbb5d439b99b24 (git) Affected: 694d3e4387bfa69925e075053894385351106e64 , < bdeaa883b765709f231f47f9d6cc76c837a15396 (git) Affected: 17d793f3ed53080dab6bbeabfc82de890c901001 , < d0198363f9108e4adb2511e607ba91e44779e8b1 (git) Affected: 17d793f3ed53080dab6bbeabfc82de890c901001 , < 9a6c0e28e215535b2938c61ded54603b4e5814c5 (git) Affected: 82a136c35506dc788a6c03ffeb11b10c907b0e26 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/wacom_wac.c",
"drivers/hid/wacom_wac.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99036f1aed7e82773904f5d91a9897bb3e507fd9",
"status": "affected",
"version": "f9e27d4bdb1fe257c1453d02560e3adc3e5b6023",
"versionType": "git"
},
{
"lessThan": "9598a647ecc8f300b0540abf9d3b3439859d163b",
"status": "affected",
"version": "4502ebbdc0e21e44a8a706428e420ae9c1bb9bba",
"versionType": "git"
},
{
"lessThan": "67ce7724637c6adb66f788677cb50b82615de0ac",
"status": "affected",
"version": "5047a228d4c8e2b5d1b856f21a00ecf717945a9c",
"versionType": "git"
},
{
"lessThan": "d89750b19681581796dfbe3689bbb5d439b99b24",
"status": "affected",
"version": "fb98336e23c11e9c8c7dd5425ec71adbbef7f773",
"versionType": "git"
},
{
"lessThan": "bdeaa883b765709f231f47f9d6cc76c837a15396",
"status": "affected",
"version": "694d3e4387bfa69925e075053894385351106e64",
"versionType": "git"
},
{
"lessThan": "d0198363f9108e4adb2511e607ba91e44779e8b1",
"status": "affected",
"version": "17d793f3ed53080dab6bbeabfc82de890c901001",
"versionType": "git"
},
{
"lessThan": "9a6c0e28e215535b2938c61ded54603b4e5814c5",
"status": "affected",
"version": "17d793f3ed53080dab6bbeabfc82de890c901001",
"versionType": "git"
},
{
"status": "affected",
"version": "82a136c35506dc788a6c03ffeb11b10c907b0e26",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/wacom_wac.c",
"drivers/hid/wacom_wac.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.4.243",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.10.180",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.120",
"versionStartIncluding": "5.15.112",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.37",
"versionStartIncluding": "6.1.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.11",
"versionStartIncluding": "6.3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.1",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: Use ktime_t rather than int when dealing with timestamps\n\nCode which interacts with timestamps needs to use the ktime_t type\nreturned by functions like ktime_get. The int type does not offer\nenough space to store these values, and attempting to use it is a\nrecipe for problems. In this particular case, overflows would occur\nwhen calculating/storing timestamps leading to incorrect values being\nreported to userspace. In some cases these bad timestamps cause input\nhandling in userspace to appear hung."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:53.868Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99036f1aed7e82773904f5d91a9897bb3e507fd9"
},
{
"url": "https://git.kernel.org/stable/c/9598a647ecc8f300b0540abf9d3b3439859d163b"
},
{
"url": "https://git.kernel.org/stable/c/67ce7724637c6adb66f788677cb50b82615de0ac"
},
{
"url": "https://git.kernel.org/stable/c/d89750b19681581796dfbe3689bbb5d439b99b24"
},
{
"url": "https://git.kernel.org/stable/c/bdeaa883b765709f231f47f9d6cc76c837a15396"
},
{
"url": "https://git.kernel.org/stable/c/d0198363f9108e4adb2511e607ba91e44779e8b1"
},
{
"url": "https://git.kernel.org/stable/c/9a6c0e28e215535b2938c61ded54603b4e5814c5"
}
],
"title": "HID: wacom: Use ktime_t rather than int when dealing with timestamps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53797",
"datePublished": "2025-12-09T00:00:53.868Z",
"dateReserved": "2025-12-08T23:58:35.275Z",
"dateUpdated": "2025-12-09T00:00:53.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50701 (GCVE-0-2022-50701)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host
SDIO may need addtional 511 bytes to align bus operation. If the tailroom
of this skb is not big enough, we would access invalid memory region.
For low level operation, increase skb size to keep valid memory access in
SDIO host.
Error message:
[69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0
[69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451
[69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W OE 6.1.0-rc5 #1
[69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300]
[69.951] Call Trace:
[69.951] <TASK>
[69.952] dump_stack_lvl+0x49/0x63
[69.952] print_report+0x171/0x4a8
[69.952] kasan_report+0xb4/0x130
[69.952] kasan_check_range+0x149/0x1e0
[69.952] memcpy+0x24/0x70
[69.952] sg_copy_buffer+0xe9/0x1a0
[69.952] sg_copy_to_buffer+0x12/0x20
[69.952] __command_write_data.isra.0+0x23c/0xbf0 [vub300]
[69.952] vub300_cmndwork_thread+0x17f3/0x58b0 [vub300]
[69.952] process_one_work+0x7ee/0x1320
[69.952] worker_thread+0x53c/0x1240
[69.952] kthread+0x2b8/0x370
[69.952] ret_from_fork+0x1f/0x30
[69.952] </TASK>
[69.952] Allocated by task 854:
[69.952] kasan_save_stack+0x26/0x50
[69.952] kasan_set_track+0x25/0x30
[69.952] kasan_save_alloc_info+0x1b/0x30
[69.952] __kasan_kmalloc+0x87/0xa0
[69.952] __kmalloc_node_track_caller+0x63/0x150
[69.952] kmalloc_reserve+0x31/0xd0
[69.952] __alloc_skb+0xfc/0x2b0
[69.952] __mt76_mcu_msg_alloc+0xbf/0x230 [mt76]
[69.952] mt76_mcu_send_and_get_msg+0xab/0x110 [mt76]
[69.952] __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76]
[69.952] mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib]
[69.952] mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib]
[69.952] mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common]
[69.952] mt7921s_mcu_init+0x45/0x80 [mt7921s]
[69.953] mt7921_init_work+0xe1/0x2a0 [mt7921_common]
[69.953] process_one_work+0x7ee/0x1320
[69.953] worker_thread+0x53c/0x1240
[69.953] kthread+0x2b8/0x370
[69.953] ret_from_fork+0x1f/0x30
[69.953] The buggy address belongs to the object at ffff88811c9ce800
which belongs to the cache kmalloc-2k of size 2048
[69.953] The buggy address is located 0 bytes to the right of
2048-byte region [ffff88811c9ce800, ffff88811c9cf000)
[69.953] Memory state around the buggy address:
[69.953] ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[69.953] ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[69.953] >ffff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[69.953] ^
[69.953] ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[69.953] ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
764dee47e2c1ed828c8a51cbf58f89b5e3ded11b , < 8b5174a7f25d03df0ffa171ff86de383a89e8e89
(git)
Affected: 764dee47e2c1ed828c8a51cbf58f89b5e3ded11b , < 0b358e36433d2c46a65488a146bf8b4623fc5bbb (git) Affected: 764dee47e2c1ed828c8a51cbf58f89b5e3ded11b , < aec4cf2ea0797e28f18f8dbe01943a56d987fe56 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/sdio_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8b5174a7f25d03df0ffa171ff86de383a89e8e89",
"status": "affected",
"version": "764dee47e2c1ed828c8a51cbf58f89b5e3ded11b",
"versionType": "git"
},
{
"lessThan": "0b358e36433d2c46a65488a146bf8b4623fc5bbb",
"status": "affected",
"version": "764dee47e2c1ed828c8a51cbf58f89b5e3ded11b",
"versionType": "git"
},
{
"lessThan": "aec4cf2ea0797e28f18f8dbe01943a56d987fe56",
"status": "affected",
"version": "764dee47e2c1ed828c8a51cbf58f89b5e3ded11b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/sdio_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host\n\nSDIO may need addtional 511 bytes to align bus operation. If the tailroom\nof this skb is not big enough, we would access invalid memory region.\nFor low level operation, increase skb size to keep valid memory access in\nSDIO host.\n\nError message:\n[69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0\n[69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451\n[69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W OE 6.1.0-rc5 #1\n[69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300]\n[69.951] Call Trace:\n[69.951] \u003cTASK\u003e\n[69.952] dump_stack_lvl+0x49/0x63\n[69.952] print_report+0x171/0x4a8\n[69.952] kasan_report+0xb4/0x130\n[69.952] kasan_check_range+0x149/0x1e0\n[69.952] memcpy+0x24/0x70\n[69.952] sg_copy_buffer+0xe9/0x1a0\n[69.952] sg_copy_to_buffer+0x12/0x20\n[69.952] __command_write_data.isra.0+0x23c/0xbf0 [vub300]\n[69.952] vub300_cmndwork_thread+0x17f3/0x58b0 [vub300]\n[69.952] process_one_work+0x7ee/0x1320\n[69.952] worker_thread+0x53c/0x1240\n[69.952] kthread+0x2b8/0x370\n[69.952] ret_from_fork+0x1f/0x30\n[69.952] \u003c/TASK\u003e\n\n[69.952] Allocated by task 854:\n[69.952] kasan_save_stack+0x26/0x50\n[69.952] kasan_set_track+0x25/0x30\n[69.952] kasan_save_alloc_info+0x1b/0x30\n[69.952] __kasan_kmalloc+0x87/0xa0\n[69.952] __kmalloc_node_track_caller+0x63/0x150\n[69.952] kmalloc_reserve+0x31/0xd0\n[69.952] __alloc_skb+0xfc/0x2b0\n[69.952] __mt76_mcu_msg_alloc+0xbf/0x230 [mt76]\n[69.952] mt76_mcu_send_and_get_msg+0xab/0x110 [mt76]\n[69.952] __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76]\n[69.952] mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib]\n[69.952] mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib]\n[69.952] mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common]\n[69.952] mt7921s_mcu_init+0x45/0x80 [mt7921s]\n[69.953] mt7921_init_work+0xe1/0x2a0 [mt7921_common]\n[69.953] process_one_work+0x7ee/0x1320\n[69.953] worker_thread+0x53c/0x1240\n[69.953] kthread+0x2b8/0x370\n[69.953] ret_from_fork+0x1f/0x30\n[69.953] The buggy address belongs to the object at ffff88811c9ce800\n which belongs to the cache kmalloc-2k of size 2048\n[69.953] The buggy address is located 0 bytes to the right of\n 2048-byte region [ffff88811c9ce800, ffff88811c9cf000)\n\n[69.953] Memory state around the buggy address:\n[69.953] ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[69.953] ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[69.953] \u003effff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[69.953] ^\n[69.953] ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[69.953] ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:17.090Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8b5174a7f25d03df0ffa171ff86de383a89e8e89"
},
{
"url": "https://git.kernel.org/stable/c/0b358e36433d2c46a65488a146bf8b4623fc5bbb"
},
{
"url": "https://git.kernel.org/stable/c/aec4cf2ea0797e28f18f8dbe01943a56d987fe56"
}
],
"title": "wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50701",
"datePublished": "2025-12-24T10:55:17.090Z",
"dateReserved": "2025-12-24T10:53:15.517Z",
"dateUpdated": "2025-12-24T10:55:17.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54267 (GCVE-0-2023-54267)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT
lppaca_shared_proc() takes a pointer to the lppaca which is typically
accessed through get_lppaca(). With DEBUG_PREEMPT enabled, this leads
to checking if preemption is enabled, for example:
BUG: using smp_processor_id() in preemptible [00000000] code: grep/10693
caller is lparcfg_data+0x408/0x19a0
CPU: 4 PID: 10693 Comm: grep Not tainted 6.5.0-rc3 #2
Call Trace:
dump_stack_lvl+0x154/0x200 (unreliable)
check_preemption_disabled+0x214/0x220
lparcfg_data+0x408/0x19a0
...
This isn't actually a problem however, as it does not matter which
lppaca is accessed, the shared proc state will be the same.
vcpudispatch_stats_procfs_init() already works around this by disabling
preemption, but the lparcfg code does not, erroring any time
/proc/powerpc/lparcfg is accessed with DEBUG_PREEMPT enabled.
Instead of disabling preemption on the caller side, rework
lppaca_shared_proc() to not take a pointer and instead directly access
the lppaca, bypassing any potential preemption checks.
[mpe: Rework to avoid needing a definition in paca.h and lppaca.h]
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f13c13a005127b5dc5daaca190277a062d946e63 , < 953c54dfdc5d3eb7243ed902b50acb5ea1db4355
(git)
Affected: f13c13a005127b5dc5daaca190277a062d946e63 , < 2935443dc9c28499223d8c881474259e4b998f2a (git) Affected: f13c13a005127b5dc5daaca190277a062d946e63 , < 4c8568cf4c45b415854195c8832b557cdefba57a (git) Affected: f13c13a005127b5dc5daaca190277a062d946e63 , < 3c5e8e666794d7dde6d14ea846c6c04f2bb34900 (git) Affected: f13c13a005127b5dc5daaca190277a062d946e63 , < f45ee5c074013a0fbfce77a5af5efddb01f5d4f4 (git) Affected: f13c13a005127b5dc5daaca190277a062d946e63 , < eac030b22ea12cdfcbb2e941c21c03964403c63f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/lppaca.h",
"arch/powerpc/platforms/pseries/lpar.c",
"arch/powerpc/platforms/pseries/lparcfg.c",
"arch/powerpc/platforms/pseries/setup.c",
"drivers/cpuidle/cpuidle-pseries.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "953c54dfdc5d3eb7243ed902b50acb5ea1db4355",
"status": "affected",
"version": "f13c13a005127b5dc5daaca190277a062d946e63",
"versionType": "git"
},
{
"lessThan": "2935443dc9c28499223d8c881474259e4b998f2a",
"status": "affected",
"version": "f13c13a005127b5dc5daaca190277a062d946e63",
"versionType": "git"
},
{
"lessThan": "4c8568cf4c45b415854195c8832b557cdefba57a",
"status": "affected",
"version": "f13c13a005127b5dc5daaca190277a062d946e63",
"versionType": "git"
},
{
"lessThan": "3c5e8e666794d7dde6d14ea846c6c04f2bb34900",
"status": "affected",
"version": "f13c13a005127b5dc5daaca190277a062d946e63",
"versionType": "git"
},
{
"lessThan": "f45ee5c074013a0fbfce77a5af5efddb01f5d4f4",
"status": "affected",
"version": "f13c13a005127b5dc5daaca190277a062d946e63",
"versionType": "git"
},
{
"lessThan": "eac030b22ea12cdfcbb2e941c21c03964403c63f",
"status": "affected",
"version": "f13c13a005127b5dc5daaca190277a062d946e63",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/lppaca.h",
"arch/powerpc/platforms/pseries/lpar.c",
"arch/powerpc/platforms/pseries/lparcfg.c",
"arch/powerpc/platforms/pseries/setup.c",
"drivers/cpuidle/cpuidle-pseries.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT\n\nlppaca_shared_proc() takes a pointer to the lppaca which is typically\naccessed through get_lppaca(). With DEBUG_PREEMPT enabled, this leads\nto checking if preemption is enabled, for example:\n\n BUG: using smp_processor_id() in preemptible [00000000] code: grep/10693\n caller is lparcfg_data+0x408/0x19a0\n CPU: 4 PID: 10693 Comm: grep Not tainted 6.5.0-rc3 #2\n Call Trace:\n dump_stack_lvl+0x154/0x200 (unreliable)\n check_preemption_disabled+0x214/0x220\n lparcfg_data+0x408/0x19a0\n ...\n\nThis isn\u0027t actually a problem however, as it does not matter which\nlppaca is accessed, the shared proc state will be the same.\nvcpudispatch_stats_procfs_init() already works around this by disabling\npreemption, but the lparcfg code does not, erroring any time\n/proc/powerpc/lparcfg is accessed with DEBUG_PREEMPT enabled.\n\nInstead of disabling preemption on the caller side, rework\nlppaca_shared_proc() to not take a pointer and instead directly access\nthe lppaca, bypassing any potential preemption checks.\n\n[mpe: Rework to avoid needing a definition in paca.h and lppaca.h]"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:58.914Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/953c54dfdc5d3eb7243ed902b50acb5ea1db4355"
},
{
"url": "https://git.kernel.org/stable/c/2935443dc9c28499223d8c881474259e4b998f2a"
},
{
"url": "https://git.kernel.org/stable/c/4c8568cf4c45b415854195c8832b557cdefba57a"
},
{
"url": "https://git.kernel.org/stable/c/3c5e8e666794d7dde6d14ea846c6c04f2bb34900"
},
{
"url": "https://git.kernel.org/stable/c/f45ee5c074013a0fbfce77a5af5efddb01f5d4f4"
},
{
"url": "https://git.kernel.org/stable/c/eac030b22ea12cdfcbb2e941c21c03964403c63f"
}
],
"title": "powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54267",
"datePublished": "2025-12-30T12:15:58.914Z",
"dateReserved": "2025-12-30T12:06:44.518Z",
"dateUpdated": "2025-12-30T12:15:58.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40280 (GCVE-0-2025-40280)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
tipc: Fix use-after-free in tipc_mon_reinit_self().
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: Fix use-after-free in tipc_mon_reinit_self().
syzbot reported use-after-free of tipc_net(net)->monitors[]
in tipc_mon_reinit_self(). [0]
The array is protected by RTNL, but tipc_mon_reinit_self()
iterates over it without RTNL.
tipc_mon_reinit_self() is called from tipc_net_finalize(),
which is always under RTNL except for tipc_net_finalize_work().
Let's hold RTNL in tipc_net_finalize_work().
[0]:
BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989
CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: events tipc_net_finalize_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568
kasan_check_byte include/linux/kasan.h:399 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162
rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]
rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]
rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244
rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243
write_lock_bh include/linux/rwlock_rt.h:99 [inline]
tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718
tipc_net_finalize+0x115/0x190 net/tipc/net.c:140
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 6089:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657
tipc_enable_bearer net/tipc/bearer.c:357 [inline]
__tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047
__tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]
tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393
tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]
tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321
genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x21c/0x270 net/socket.c:729
____sys_sendmsg+0x508/0x820 net/socket.c:2614
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
__sys_sendmsg net/socket.c:2700 [inline]
__do_sys_sendmsg net/socket.c:2705 [inline]
__se_sys_sendmsg net/socket.c:2703 [inline]
__x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
28845c28f842e9e55e75b2c116bff714bb039055 , < 5f541300b02ef8b2af34f6f7d41ce617f3571e88
(git)
Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < b2e77c789c234e7fe49057d2ced8f32e2d2c7901 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 51b8f0ab888f8aa5dfac954918864eeda8c12c19 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 499b5fa78d525c4450ebb76db83207db71efea77 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < c92dbf85627b5c29e52d9c120a24e785801716df (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < f0104977fed25ebe001fd63dab2b6b7fefad3373 (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < fdf7c4c9af4f246323ce854e84b6aec198d49f7e (git) Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 0725e6afb55128be21a2ca36e9674f573ccec173 (git) Affected: 295c9b554f6dfcd2d368fae6e6fa22ee5b79c123 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f541300b02ef8b2af34f6f7d41ce617f3571e88",
"status": "affected",
"version": "28845c28f842e9e55e75b2c116bff714bb039055",
"versionType": "git"
},
{
"lessThan": "b2e77c789c234e7fe49057d2ced8f32e2d2c7901",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "51b8f0ab888f8aa5dfac954918864eeda8c12c19",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "499b5fa78d525c4450ebb76db83207db71efea77",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "c92dbf85627b5c29e52d9c120a24e785801716df",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "f0104977fed25ebe001fd63dab2b6b7fefad3373",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "fdf7c4c9af4f246323ce854e84b6aec198d49f7e",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"lessThan": "0725e6afb55128be21a2ca36e9674f573ccec173",
"status": "affected",
"version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
"versionType": "git"
},
{
"status": "affected",
"version": "295c9b554f6dfcd2d368fae6e6fa22ee5b79c123",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/net.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "5.4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.99",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_mon_reinit_self().\n\nsyzbot reported use-after-free of tipc_net(net)-\u003emonitors[]\nin tipc_mon_reinit_self(). [0]\n\nThe array is protected by RTNL, but tipc_mon_reinit_self()\niterates over it without RTNL.\n\ntipc_mon_reinit_self() is called from tipc_net_finalize(),\nwhich is always under RTNL except for tipc_net_finalize_work().\n\nLet\u0027s hold RTNL in tipc_net_finalize_work().\n\n[0]:\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\nRead of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989\n\nCPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nWorkqueue: events tipc_net_finalize_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568\n kasan_check_byte include/linux/kasan.h:399 [inline]\n lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\n rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]\n rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]\n rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244\n rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243\n write_lock_bh include/linux/rwlock_rt.h:99 [inline]\n tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718\n tipc_net_finalize+0x115/0x190 net/tipc/net.c:140\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 6089:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657\n tipc_enable_bearer net/tipc/bearer.c:357 [inline]\n __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047\n __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]\n tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393\n tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]\n tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321\n genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:729\n ____sys_sendmsg+0x508/0x820 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:04.091Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f541300b02ef8b2af34f6f7d41ce617f3571e88"
},
{
"url": "https://git.kernel.org/stable/c/b2e77c789c234e7fe49057d2ced8f32e2d2c7901"
},
{
"url": "https://git.kernel.org/stable/c/51b8f0ab888f8aa5dfac954918864eeda8c12c19"
},
{
"url": "https://git.kernel.org/stable/c/499b5fa78d525c4450ebb76db83207db71efea77"
},
{
"url": "https://git.kernel.org/stable/c/c92dbf85627b5c29e52d9c120a24e785801716df"
},
{
"url": "https://git.kernel.org/stable/c/f0104977fed25ebe001fd63dab2b6b7fefad3373"
},
{
"url": "https://git.kernel.org/stable/c/fdf7c4c9af4f246323ce854e84b6aec198d49f7e"
},
{
"url": "https://git.kernel.org/stable/c/0725e6afb55128be21a2ca36e9674f573ccec173"
}
],
"title": "tipc: Fix use-after-free in tipc_mon_reinit_self().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40280",
"datePublished": "2025-12-06T21:51:04.091Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:04.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53863 (GCVE-0-2023-53863)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
netlink: do not hard code device address lenth in fdb dumps
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: do not hard code device address lenth in fdb dumps
syzbot reports that some netdev devices do not have a six bytes
address [1]
Replace ETH_ALEN by dev->addr_len.
[1] (Case of a device where dev->addr_len = 4)
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copyout+0xb8/0x100 lib/iov_iter.c:169
_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
copy_to_iter include/linux/uio.h:206 [inline]
simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
sock_recvmsg_nosec net/socket.c:1019 [inline]
sock_recvmsg net/socket.c:1040 [inline]
____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
___sys_recvmsg+0x223/0x840 net/socket.c:2764
do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
__sys_recvmmsg net/socket.c:2937 [inline]
__do_sys_recvmmsg net/socket.c:2960 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was stored to memory at:
__nla_put lib/nlattr.c:1009 [inline]
nla_put+0x1c6/0x230 lib/nlattr.c:1067
nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
___sys_recvmsg+0x223/0x840 net/socket.c:2764
do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
__sys_recvmmsg net/socket.c:2937 [inline]
__do_sys_recvmmsg net/socket.c:2960 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was created at:
slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
slab_alloc_node mm/slub.c:3451 [inline]
__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
kmalloc include/linux/slab.h:559 [inline]
__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
notifier_call_chain kernel/notifier.c:93 [inline]
raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
do_set_master net/core/rtnetlink.c:2626 [inline]
rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0xf28/0x1230 net/netlink/af_
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d83b060360485454fcd6870340ec01d6f96f2295 , < 61d1bf3c34bf5fe936c50d1a4bc460babcc85e88
(git)
Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3 (git) Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < bd1de6107f10e7d4c2aabe3397b58d63672fc511 (git) Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < 44db85c6e1a184b99a2cdf56b525ac63c4962c22 (git) Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < 619384319b137908d1008c92426c9daa95c06b90 (git) Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < e9331c8fa4c69f09d2c71682af75586f77266e81 (git) Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < b6f2d4618fc697886ad41e215ae20638153e42d0 (git) Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < 73862118bd9dec850aa8e775145647ddd23aedf8 (git) Affected: d83b060360485454fcd6870340ec01d6f96f2295 , < aa5406950726e336c5c9585b09799a734b6e77bf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/rtnetlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "61d1bf3c34bf5fe936c50d1a4bc460babcc85e88",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "bd1de6107f10e7d4c2aabe3397b58d63672fc511",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "44db85c6e1a184b99a2cdf56b525ac63c4962c22",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "619384319b137908d1008c92426c9daa95c06b90",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "e9331c8fa4c69f09d2c71682af75586f77266e81",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "b6f2d4618fc697886ad41e215ae20638153e42d0",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "73862118bd9dec850aa8e775145647ddd23aedf8",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
},
{
"lessThan": "aa5406950726e336c5c9585b09799a734b6e77bf",
"status": "affected",
"version": "d83b060360485454fcd6870340ec01d6f96f2295",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/rtnetlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: do not hard code device address lenth in fdb dumps\n\nsyzbot reports that some netdev devices do not have a six bytes\naddress [1]\n\nReplace ETH_ALEN by dev-\u003eaddr_len.\n\n[1] (Case of a device where dev-\u003eaddr_len = 4)\n\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169\ninstrument_copy_to_user include/linux/instrumented.h:114 [inline]\ncopyout+0xb8/0x100 lib/iov_iter.c:169\n_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536\ncopy_to_iter include/linux/uio.h:206 [inline]\nsimple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513\n__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419\nskb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527\nskb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\nnetlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970\nsock_recvmsg_nosec net/socket.c:1019 [inline]\nsock_recvmsg net/socket.c:1040 [inline]\n____sys_recvmsg+0x283/0x7f0 net/socket.c:2722\n___sys_recvmsg+0x223/0x840 net/socket.c:2764\ndo_recvmmsg+0x4f9/0xfd0 net/socket.c:2858\n__sys_recvmmsg net/socket.c:2937 [inline]\n__do_sys_recvmmsg net/socket.c:2960 [inline]\n__se_sys_recvmmsg net/socket.c:2953 [inline]\n__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was stored to memory at:\n__nla_put lib/nlattr.c:1009 [inline]\nnla_put+0x1c6/0x230 lib/nlattr.c:1067\nnlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071\nnlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]\nndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456\nrtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629\nnetlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268\nnetlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995\nsock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019\n____sys_recvmsg+0x664/0x7f0 net/socket.c:2720\n___sys_recvmsg+0x223/0x840 net/socket.c:2764\ndo_recvmmsg+0x4f9/0xfd0 net/socket.c:2858\n__sys_recvmmsg net/socket.c:2937 [inline]\n__do_sys_recvmmsg net/socket.c:2960 [inline]\n__se_sys_recvmmsg net/socket.c:2953 [inline]\n__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUninit was created at:\nslab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716\nslab_alloc_node mm/slub.c:3451 [inline]\n__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490\nkmalloc_trace+0x51/0x200 mm/slab_common.c:1057\nkmalloc include/linux/slab.h:559 [inline]\n__hw_addr_create net/core/dev_addr_lists.c:60 [inline]\n__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118\n__dev_mc_add net/core/dev_addr_lists.c:867 [inline]\ndev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885\nigmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680\nipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754\nipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708\naddrconf_type_change net/ipv6/addrconf.c:3731 [inline]\naddrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699\nnotifier_call_chain kernel/notifier.c:93 [inline]\nraw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461\ncall_netdevice_notifiers_info net/core/dev.c:1935 [inline]\ncall_netdevice_notifiers_extack net/core/dev.c:1973 [inline]\ncall_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987\nbond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906\ndo_set_master net/core/rtnetlink.c:2626 [inline]\nrtnl_newlink_create net/core/rtnetlink.c:3460 [inline]\n__rtnl_newlink net/core/rtnetlink.c:3660 [inline]\nrtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673\nrtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395\nnetlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546\nrtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413\nnetlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\nnetlink_unicast+0xf28/0x1230 net/netlink/af_\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:32.109Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/61d1bf3c34bf5fe936c50d1a4bc460babcc85e88"
},
{
"url": "https://git.kernel.org/stable/c/c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3"
},
{
"url": "https://git.kernel.org/stable/c/bd1de6107f10e7d4c2aabe3397b58d63672fc511"
},
{
"url": "https://git.kernel.org/stable/c/44db85c6e1a184b99a2cdf56b525ac63c4962c22"
},
{
"url": "https://git.kernel.org/stable/c/619384319b137908d1008c92426c9daa95c06b90"
},
{
"url": "https://git.kernel.org/stable/c/e9331c8fa4c69f09d2c71682af75586f77266e81"
},
{
"url": "https://git.kernel.org/stable/c/b6f2d4618fc697886ad41e215ae20638153e42d0"
},
{
"url": "https://git.kernel.org/stable/c/73862118bd9dec850aa8e775145647ddd23aedf8"
},
{
"url": "https://git.kernel.org/stable/c/aa5406950726e336c5c9585b09799a734b6e77bf"
}
],
"title": "netlink: do not hard code device address lenth in fdb dumps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53863",
"datePublished": "2025-12-09T01:30:32.109Z",
"dateReserved": "2025-12-09T01:27:17.829Z",
"dateUpdated": "2025-12-09T01:30:32.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68201 (GCVE-0-2025-68201)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
drm/amdgpu: remove two invalid BUG_ON()s
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: remove two invalid BUG_ON()s
Those can be triggered trivially by userspace.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3d879e81f0f9ed5d33b5eda0fe5226c884bb8073 , < eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd
(git)
Affected: 3d879e81f0f9ed5d33b5eda0fe5226c884bb8073 , < a41bdba05899c7f455cd960ef0713acc335370dc (git) Affected: 3d879e81f0f9ed5d33b5eda0fe5226c884bb8073 , < 5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c",
"drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd",
"status": "affected",
"version": "3d879e81f0f9ed5d33b5eda0fe5226c884bb8073",
"versionType": "git"
},
{
"lessThan": "a41bdba05899c7f455cd960ef0713acc335370dc",
"status": "affected",
"version": "3d879e81f0f9ed5d33b5eda0fe5226c884bb8073",
"versionType": "git"
},
{
"lessThan": "5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5",
"status": "affected",
"version": "3d879e81f0f9ed5d33b5eda0fe5226c884bb8073",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c",
"drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: remove two invalid BUG_ON()s\n\nThose can be triggered trivially by userspace."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:24.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd"
},
{
"url": "https://git.kernel.org/stable/c/a41bdba05899c7f455cd960ef0713acc335370dc"
},
{
"url": "https://git.kernel.org/stable/c/5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5"
}
],
"title": "drm/amdgpu: remove two invalid BUG_ON()s",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68201",
"datePublished": "2025-12-16T13:48:29.708Z",
"dateReserved": "2025-12-16T13:41:40.254Z",
"dateUpdated": "2026-01-02T15:34:24.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54266 (GCVE-0-2023-54266)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()
'read' is freed when it is known to be NULL, but not when a read error
occurs.
Revert the logic to avoid a small leak, should a m920x_read() call fail.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
82ce3084892c0c0e006ec61f6144f2cc4e5ece88 , < 809623fedc31f4e74039d93bb75a8993635d7534
(git)
Affected: 7dca4428d7eb33c89979e620228fe557593fde66 , < c0178e938f110cdf6937f26975c0c951dbb1d9db (git) Affected: fe791612afabaeee9b911bd7b955985bcf5ff314 , < 75d6ef197c488cd852493b4a419274e3489da79d (git) Affected: 830e5d1b4344c2575020ee4bdf63fb48e2b56ce3 , < d13a84874a2e0236c9325b3adc8e126d0888ad6b (git) Affected: 0c044e39d52abfbb4cb43dbc5a09c1dc1ed24648 , < 7ca7cd02114ac8caa6b0a64734b9af6be1559353 (git) Affected: a2ab06d7c4d6bfd0b545a768247a70463e977e27 , < 2b6e20ef0585a467c24c7e4fde28518e5b33225a (git) Affected: a2ab06d7c4d6bfd0b545a768247a70463e977e27 , < 4feed3dfca722c6d74865a37cab853c58e6aa190 (git) Affected: a2ab06d7c4d6bfd0b545a768247a70463e977e27 , < 2cc9f11aeae2887a4db25c27323fc445f4b49e86 (git) Affected: a2ab06d7c4d6bfd0b545a768247a70463e977e27 , < ea9ef6c2e001c5dc94bee35ebd1c8a98621cf7b8 (git) Affected: 08cb4f0da9926277101d18d817048e1328ac2563 (git) Affected: 273cac7a89712ba6b898214af150b71dc33abe0c (git) Affected: b7e221dc8f23727e00a7fb6709b3318547a7c4d8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/m920x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "809623fedc31f4e74039d93bb75a8993635d7534",
"status": "affected",
"version": "82ce3084892c0c0e006ec61f6144f2cc4e5ece88",
"versionType": "git"
},
{
"lessThan": "c0178e938f110cdf6937f26975c0c951dbb1d9db",
"status": "affected",
"version": "7dca4428d7eb33c89979e620228fe557593fde66",
"versionType": "git"
},
{
"lessThan": "75d6ef197c488cd852493b4a419274e3489da79d",
"status": "affected",
"version": "fe791612afabaeee9b911bd7b955985bcf5ff314",
"versionType": "git"
},
{
"lessThan": "d13a84874a2e0236c9325b3adc8e126d0888ad6b",
"status": "affected",
"version": "830e5d1b4344c2575020ee4bdf63fb48e2b56ce3",
"versionType": "git"
},
{
"lessThan": "7ca7cd02114ac8caa6b0a64734b9af6be1559353",
"status": "affected",
"version": "0c044e39d52abfbb4cb43dbc5a09c1dc1ed24648",
"versionType": "git"
},
{
"lessThan": "2b6e20ef0585a467c24c7e4fde28518e5b33225a",
"status": "affected",
"version": "a2ab06d7c4d6bfd0b545a768247a70463e977e27",
"versionType": "git"
},
{
"lessThan": "4feed3dfca722c6d74865a37cab853c58e6aa190",
"status": "affected",
"version": "a2ab06d7c4d6bfd0b545a768247a70463e977e27",
"versionType": "git"
},
{
"lessThan": "2cc9f11aeae2887a4db25c27323fc445f4b49e86",
"status": "affected",
"version": "a2ab06d7c4d6bfd0b545a768247a70463e977e27",
"versionType": "git"
},
{
"lessThan": "ea9ef6c2e001c5dc94bee35ebd1c8a98621cf7b8",
"status": "affected",
"version": "a2ab06d7c4d6bfd0b545a768247a70463e977e27",
"versionType": "git"
},
{
"status": "affected",
"version": "08cb4f0da9926277101d18d817048e1328ac2563",
"versionType": "git"
},
{
"status": "affected",
"version": "273cac7a89712ba6b898214af150b71dc33abe0c",
"versionType": "git"
},
{
"status": "affected",
"version": "b7e221dc8f23727e00a7fb6709b3318547a7c4d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/usb/dvb-usb/m920x.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.14.263",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.19.226",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "5.4.174",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.10.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.15.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.300",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.298",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()\n\n\u0027read\u0027 is freed when it is known to be NULL, but not when a read error\noccurs.\n\nRevert the logic to avoid a small leak, should a m920x_read() call fail."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:58.235Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/809623fedc31f4e74039d93bb75a8993635d7534"
},
{
"url": "https://git.kernel.org/stable/c/c0178e938f110cdf6937f26975c0c951dbb1d9db"
},
{
"url": "https://git.kernel.org/stable/c/75d6ef197c488cd852493b4a419274e3489da79d"
},
{
"url": "https://git.kernel.org/stable/c/d13a84874a2e0236c9325b3adc8e126d0888ad6b"
},
{
"url": "https://git.kernel.org/stable/c/7ca7cd02114ac8caa6b0a64734b9af6be1559353"
},
{
"url": "https://git.kernel.org/stable/c/2b6e20ef0585a467c24c7e4fde28518e5b33225a"
},
{
"url": "https://git.kernel.org/stable/c/4feed3dfca722c6d74865a37cab853c58e6aa190"
},
{
"url": "https://git.kernel.org/stable/c/2cc9f11aeae2887a4db25c27323fc445f4b49e86"
},
{
"url": "https://git.kernel.org/stable/c/ea9ef6c2e001c5dc94bee35ebd1c8a98621cf7b8"
}
],
"title": "media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54266",
"datePublished": "2025-12-30T12:15:58.235Z",
"dateReserved": "2025-12-30T12:06:44.518Z",
"dateUpdated": "2025-12-30T12:15:58.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68306 (GCVE-0-2025-68306)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface
When performing reset tests and encountering abnormal card drop issues
that lead to a kernel crash, it is necessary to perform a null check
before releasing resources to avoid attempting to release a null pointer.
<4>[ 29.158070] Hardware name: Google Quigon sku196612/196613 board (DT)
<4>[ 29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth]
<4>[ 29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
<4>[ 29.158162] pc : klist_remove+0x90/0x158
<4>[ 29.158174] lr : klist_remove+0x88/0x158
<4>[ 29.158180] sp : ffffffc0846b3c00
<4>[ 29.158185] pmr_save: 000000e0
<4>[ 29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058
<4>[ 29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0
<4>[ 29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290
<4>[ 29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781
<4>[ 29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428
<4>[ 29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018
<4>[ 29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000
<4>[ 29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d
<4>[ 29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e
<4>[ 29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c
<4>[ 29.158285] Call trace:
<4>[ 29.158290] klist_remove+0x90/0x158
<4>[ 29.158298] device_release_driver_internal+0x20c/0x268
<4>[ 29.158308] device_release_driver+0x1c/0x30
<4>[ 29.158316] usb_driver_release_interface+0x70/0x88
<4>[ 29.158325] btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)]
<4>[ 29.158347] btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)]
<4>[ 29.158361] hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)]
<4>[ 29.158430] process_scheduled_works+0x258/0x4e8
<4>[ 29.158441] worker_thread+0x300/0x428
<4>[ 29.158448] kthread+0x108/0x1d0
<4>[ 29.158455] ret_from_fork+0x10/0x20
<0>[ 29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297)
<4>[ 29.158474] ---[ end trace 0000000000000000 ]---
<0>[ 29.167129] Kernel panic - not syncing: Oops: Fatal exception
<2>[ 29.167144] SMP: stopping secondary CPUs
<4>[ 29.167158] ------------[ cut here ]------------
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ceac1cb0259de682d78f5c784ef8e0b13022e9d9 , < 421e88a0d85782786b7a1764c75518b4845e07b3
(git)
Affected: ceac1cb0259de682d78f5c784ef8e0b13022e9d9 , < faae9f2ea8806f2499186448adbf94689b47b82b (git) Affected: ceac1cb0259de682d78f5c784ef8e0b13022e9d9 , < 4015b979767125cf8a2233a145a3b3af78bfd8fb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c",
"include/net/bluetooth/hci_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "421e88a0d85782786b7a1764c75518b4845e07b3",
"status": "affected",
"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
"versionType": "git"
},
{
"lessThan": "faae9f2ea8806f2499186448adbf94689b47b82b",
"status": "affected",
"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
"versionType": "git"
},
{
"lessThan": "4015b979767125cf8a2233a145a3b3af78bfd8fb",
"status": "affected",
"version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c",
"include/net/bluetooth/hci_core.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface\n\nWhen performing reset tests and encountering abnormal card drop issues\nthat lead to a kernel crash, it is necessary to perform a null check\nbefore releasing resources to avoid attempting to release a null pointer.\n\n\u003c4\u003e[ 29.158070] Hardware name: Google Quigon sku196612/196613 board (DT)\n\u003c4\u003e[ 29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth]\n\u003c4\u003e[ 29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\u003c4\u003e[ 29.158162] pc : klist_remove+0x90/0x158\n\u003c4\u003e[ 29.158174] lr : klist_remove+0x88/0x158\n\u003c4\u003e[ 29.158180] sp : ffffffc0846b3c00\n\u003c4\u003e[ 29.158185] pmr_save: 000000e0\n\u003c4\u003e[ 29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058\n\u003c4\u003e[ 29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0\n\u003c4\u003e[ 29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290\n\u003c4\u003e[ 29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781\n\u003c4\u003e[ 29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428\n\u003c4\u003e[ 29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018\n\u003c4\u003e[ 29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000\n\u003c4\u003e[ 29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d\n\u003c4\u003e[ 29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e\n\u003c4\u003e[ 29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c\n\u003c4\u003e[ 29.158285] Call trace:\n\u003c4\u003e[ 29.158290] klist_remove+0x90/0x158\n\u003c4\u003e[ 29.158298] device_release_driver_internal+0x20c/0x268\n\u003c4\u003e[ 29.158308] device_release_driver+0x1c/0x30\n\u003c4\u003e[ 29.158316] usb_driver_release_interface+0x70/0x88\n\u003c4\u003e[ 29.158325] btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)]\n\u003c4\u003e[ 29.158347] btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)]\n\u003c4\u003e[ 29.158361] hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)]\n\u003c4\u003e[ 29.158430] process_scheduled_works+0x258/0x4e8\n\u003c4\u003e[ 29.158441] worker_thread+0x300/0x428\n\u003c4\u003e[ 29.158448] kthread+0x108/0x1d0\n\u003c4\u003e[ 29.158455] ret_from_fork+0x10/0x20\n\u003c0\u003e[ 29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297)\n\u003c4\u003e[ 29.158474] ---[ end trace 0000000000000000 ]---\n\u003c0\u003e[ 29.167129] Kernel panic - not syncing: Oops: Fatal exception\n\u003c2\u003e[ 29.167144] SMP: stopping secondary CPUs\n\u003c4\u003e[ 29.167158] ------------[ cut here ]------------"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:23.486Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/421e88a0d85782786b7a1764c75518b4845e07b3"
},
{
"url": "https://git.kernel.org/stable/c/faae9f2ea8806f2499186448adbf94689b47b82b"
},
{
"url": "https://git.kernel.org/stable/c/4015b979767125cf8a2233a145a3b3af78bfd8fb"
}
],
"title": "Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68306",
"datePublished": "2025-12-16T15:06:23.486Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:23.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53788 (GCVE-0-2023-53788)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
tuning_ctl_set() might have buffer overrun at (X) if it didn't break
from loop by matching (A).
static int tuning_ctl_set(...)
{
for (i = 0; i < TUNING_CTLS_COUNT; i++)
(A) if (nid == ca0132_tuning_ctls[i].nid)
break;
snd_hda_power_up(...);
(X) dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);
snd_hda_power_down(...); ^
return 1;
}
We will get below error by cppcheck
sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12
for (i = 0; i < TUNING_CTLS_COUNT; i++)
^
sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds
dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,
^
This patch cares non match case.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
44f0c9782cc6ab71ea947f8f710a46f2078a151c , < ff5e8b49348f6a550c136b74efaf8b3c1d3ceaea
(git)
Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < 3590498117a11aa1f92a97e8a04d95320e347ebd (git) Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < 7f12f99b8017ad5ed5aff4b0aefe3bb7bbdf8a99 (git) Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < baef27176ea5fdc7ad0947e2dc7733855e35db71 (git) Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < d23f65f08247068576a01e28b297e995b7dc3965 (git) Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < 32854bc91ae7debcdefdc7ae881ed83385a04792 (git) Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < 734a3deb6614e3597e7e9ef7fb6006c593c5ee18 (git) Affected: 44f0c9782cc6ab71ea947f8f710a46f2078a151c , < 98e5eb110095ec77cb6d775051d181edbf9cd3cf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/pci/hda/patch_ca0132.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ff5e8b49348f6a550c136b74efaf8b3c1d3ceaea",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "3590498117a11aa1f92a97e8a04d95320e347ebd",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "7f12f99b8017ad5ed5aff4b0aefe3bb7bbdf8a99",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "baef27176ea5fdc7ad0947e2dc7733855e35db71",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "d23f65f08247068576a01e28b297e995b7dc3965",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "32854bc91ae7debcdefdc7ae881ed83385a04792",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "734a3deb6614e3597e7e9ef7fb6006c593c5ee18",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
},
{
"lessThan": "98e5eb110095ec77cb6d775051d181edbf9cd3cf",
"status": "affected",
"version": "44f0c9782cc6ab71ea947f8f710a46f2078a151c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/pci/hda/patch_ca0132.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.312",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.280",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.106",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.312",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.280",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.240",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.177",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.106",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.23",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()\n\ntuning_ctl_set() might have buffer overrun at (X) if it didn\u0027t break\nfrom loop by matching (A).\n\n\tstatic int tuning_ctl_set(...)\n\t{\n\t\tfor (i = 0; i \u003c TUNING_CTLS_COUNT; i++)\n(A)\t\t\tif (nid == ca0132_tuning_ctls[i].nid)\n\t\t\t\tbreak;\n\n\t\tsnd_hda_power_up(...);\n(X)\t\tdspio_set_param(..., ca0132_tuning_ctls[i].mid, ...);\n\t\tsnd_hda_power_down(...); ^\n\n\t\treturn 1;\n\t}\n\nWe will get below error by cppcheck\n\n\tsound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12\n\t for (i = 0; i \u003c TUNING_CTLS_COUNT; i++)\n\t ^\n\tsound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds\n\t dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20,\n\t ^\nThis patch cares non match case."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:52.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ff5e8b49348f6a550c136b74efaf8b3c1d3ceaea"
},
{
"url": "https://git.kernel.org/stable/c/3590498117a11aa1f92a97e8a04d95320e347ebd"
},
{
"url": "https://git.kernel.org/stable/c/7f12f99b8017ad5ed5aff4b0aefe3bb7bbdf8a99"
},
{
"url": "https://git.kernel.org/stable/c/baef27176ea5fdc7ad0947e2dc7733855e35db71"
},
{
"url": "https://git.kernel.org/stable/c/d23f65f08247068576a01e28b297e995b7dc3965"
},
{
"url": "https://git.kernel.org/stable/c/32854bc91ae7debcdefdc7ae881ed83385a04792"
},
{
"url": "https://git.kernel.org/stable/c/734a3deb6614e3597e7e9ef7fb6006c593c5ee18"
},
{
"url": "https://git.kernel.org/stable/c/98e5eb110095ec77cb6d775051d181edbf9cd3cf"
}
],
"title": "ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53788",
"datePublished": "2025-12-09T00:00:43.777Z",
"dateReserved": "2025-12-08T23:58:35.273Z",
"dateUpdated": "2026-01-05T10:32:52.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54220 (GCVE-0-2023-54220)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
serial: 8250: Fix oops for port->pm on uart_change_pm()
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: 8250: Fix oops for port->pm on uart_change_pm()
Unloading a hardware specific 8250 driver can produce error "Unable to
handle kernel paging request at virtual address" about ten seconds after
unloading the driver. This happens on uart_hangup() calling
uart_change_pm().
Turns out commit 04e82793f068 ("serial: 8250: Reinit port->pm on port
specific driver unbind") was only a partial fix. If the hardware specific
driver has initialized port->pm function, we need to clear port->pm too.
Just reinitializing port->ops does not do this. Otherwise serial8250_pm()
will call port->pm() instead of serial8250_do_pm().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
490bf37eaabb0a857ed1ae8e75d8854e41662f1c , < 66f3e55960698c874b0598277913b478ecd29573
(git)
Affected: c9e080c3005fd183c56ff8f4d75edb5da0765d2c , < 720a297b334e85d34099e83d1f375b92c3efedd6 (git) Affected: d5cd2928d31042a7c0a01464f9a8d95be736421d , < b653289ca6460a6552c8590b75dfa84a0140a46b (git) Affected: 2c86a1305c1406f45ea780d06953c484ea1d9e6e , < bd70d0b28010d560a8be96b44fea86fe2ba016ae (git) Affected: 1ba5594739d858e524ff0f398ee1ebfe0a8b9d41 , < 18e27df4f2b4e257c317ba8076f31a888f6cc64b (git) Affected: af4d6dbb1a92ea424ad1ba1d0c88c7fa2345d872 , < 0c05493341d6f2097f75f0a5dbb7b53a9e8c5f6c (git) Affected: 04e82793f068d2f0ffe62fcea03d007a8cdc16a7 , < 375806616f8c772c33d40e112530887b37c1a816 (git) Affected: 04e82793f068d2f0ffe62fcea03d007a8cdc16a7 , < dfe2aeb226fd5e19b0ee795f4f6ed8bc494c1534 (git) Affected: 8e596aed5f2f98cf3e6e98d6fe1d689f4a319308 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_port.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66f3e55960698c874b0598277913b478ecd29573",
"status": "affected",
"version": "490bf37eaabb0a857ed1ae8e75d8854e41662f1c",
"versionType": "git"
},
{
"lessThan": "720a297b334e85d34099e83d1f375b92c3efedd6",
"status": "affected",
"version": "c9e080c3005fd183c56ff8f4d75edb5da0765d2c",
"versionType": "git"
},
{
"lessThan": "b653289ca6460a6552c8590b75dfa84a0140a46b",
"status": "affected",
"version": "d5cd2928d31042a7c0a01464f9a8d95be736421d",
"versionType": "git"
},
{
"lessThan": "bd70d0b28010d560a8be96b44fea86fe2ba016ae",
"status": "affected",
"version": "2c86a1305c1406f45ea780d06953c484ea1d9e6e",
"versionType": "git"
},
{
"lessThan": "18e27df4f2b4e257c317ba8076f31a888f6cc64b",
"status": "affected",
"version": "1ba5594739d858e524ff0f398ee1ebfe0a8b9d41",
"versionType": "git"
},
{
"lessThan": "0c05493341d6f2097f75f0a5dbb7b53a9e8c5f6c",
"status": "affected",
"version": "af4d6dbb1a92ea424ad1ba1d0c88c7fa2345d872",
"versionType": "git"
},
{
"lessThan": "375806616f8c772c33d40e112530887b37c1a816",
"status": "affected",
"version": "04e82793f068d2f0ffe62fcea03d007a8cdc16a7",
"versionType": "git"
},
{
"lessThan": "dfe2aeb226fd5e19b0ee795f4f6ed8bc494c1534",
"status": "affected",
"version": "04e82793f068d2f0ffe62fcea03d007a8cdc16a7",
"versionType": "git"
},
{
"status": "affected",
"version": "8e596aed5f2f98cf3e6e98d6fe1d689f4a319308",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/serial/8250/8250_port.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "4.14.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "4.19.284",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "5.4.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "5.10.181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "5.15.113",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "6.1.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: 8250: Fix oops for port-\u003epm on uart_change_pm()\n\nUnloading a hardware specific 8250 driver can produce error \"Unable to\nhandle kernel paging request at virtual address\" about ten seconds after\nunloading the driver. This happens on uart_hangup() calling\nuart_change_pm().\n\nTurns out commit 04e82793f068 (\"serial: 8250: Reinit port-\u003epm on port\nspecific driver unbind\") was only a partial fix. If the hardware specific\ndriver has initialized port-\u003epm function, we need to clear port-\u003epm too.\nJust reinitializing port-\u003eops does not do this. Otherwise serial8250_pm()\nwill call port-\u003epm() instead of serial8250_do_pm()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:15.385Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66f3e55960698c874b0598277913b478ecd29573"
},
{
"url": "https://git.kernel.org/stable/c/720a297b334e85d34099e83d1f375b92c3efedd6"
},
{
"url": "https://git.kernel.org/stable/c/b653289ca6460a6552c8590b75dfa84a0140a46b"
},
{
"url": "https://git.kernel.org/stable/c/bd70d0b28010d560a8be96b44fea86fe2ba016ae"
},
{
"url": "https://git.kernel.org/stable/c/18e27df4f2b4e257c317ba8076f31a888f6cc64b"
},
{
"url": "https://git.kernel.org/stable/c/0c05493341d6f2097f75f0a5dbb7b53a9e8c5f6c"
},
{
"url": "https://git.kernel.org/stable/c/375806616f8c772c33d40e112530887b37c1a816"
},
{
"url": "https://git.kernel.org/stable/c/dfe2aeb226fd5e19b0ee795f4f6ed8bc494c1534"
}
],
"title": "serial: 8250: Fix oops for port-\u003epm on uart_change_pm()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54220",
"datePublished": "2025-12-30T12:11:15.385Z",
"dateReserved": "2025-12-30T12:06:44.501Z",
"dateUpdated": "2025-12-30T12:11:15.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54091 (GCVE-0-2023-54091)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
drm/client: Fix memory leak in drm_client_target_cloned
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/client: Fix memory leak in drm_client_target_cloned
dmt_mode is allocated and never freed in this function.
It was found with the ast driver, but most drivers using generic fbdev
setup are probably affected.
This fixes the following kmemleak report:
backtrace:
[<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm]
[<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm]
[<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm]
[<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper]
[<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper]
[<00000000063a69aa>] drm_client_register+0x169/0x240 [drm]
[<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast]
[<00000000987f19bb>] local_pci_probe+0xdc/0x180
[<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0
[<0000000000b85301>] process_one_work+0x8b7/0x1540
[<000000003375b17c>] worker_thread+0x70a/0xed0
[<00000000b0d43cd9>] kthread+0x29f/0x340
[<000000008d770833>] ret_from_fork+0x1f/0x30
unreferenced object 0xff11000333089a00 (size 128):
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1d42bbc8f7f9ce4d852692ef7aa336b133b0830a , < d3009700f48602b557eade1f22c98b6bc20247e8
(git)
Affected: 1d42bbc8f7f9ce4d852692ef7aa336b133b0830a , < a4b978249e8fa94956fce8b70a709f7797716f62 (git) Affected: 1d42bbc8f7f9ce4d852692ef7aa336b133b0830a , < 52daf6ba2e0d201640cb1ce42049c5c4426b4d6e (git) Affected: 1d42bbc8f7f9ce4d852692ef7aa336b133b0830a , < 105275879a80503686a8108af2f5c579a1c5aef4 (git) Affected: 1d42bbc8f7f9ce4d852692ef7aa336b133b0830a , < a85e23a1ef63e45a18f0a30d7816fcb4a865ca95 (git) Affected: 1d42bbc8f7f9ce4d852692ef7aa336b133b0830a , < b5359d7a5087ac398fc429da6833133b4784c268 (git) Affected: 1d42bbc8f7f9ce4d852692ef7aa336b133b0830a , < 4b596a6e2d2e0f9c14e4122506dd715f43fcd727 (git) Affected: 1d42bbc8f7f9ce4d852692ef7aa336b133b0830a , < c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_client_modeset.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d3009700f48602b557eade1f22c98b6bc20247e8",
"status": "affected",
"version": "1d42bbc8f7f9ce4d852692ef7aa336b133b0830a",
"versionType": "git"
},
{
"lessThan": "a4b978249e8fa94956fce8b70a709f7797716f62",
"status": "affected",
"version": "1d42bbc8f7f9ce4d852692ef7aa336b133b0830a",
"versionType": "git"
},
{
"lessThan": "52daf6ba2e0d201640cb1ce42049c5c4426b4d6e",
"status": "affected",
"version": "1d42bbc8f7f9ce4d852692ef7aa336b133b0830a",
"versionType": "git"
},
{
"lessThan": "105275879a80503686a8108af2f5c579a1c5aef4",
"status": "affected",
"version": "1d42bbc8f7f9ce4d852692ef7aa336b133b0830a",
"versionType": "git"
},
{
"lessThan": "a85e23a1ef63e45a18f0a30d7816fcb4a865ca95",
"status": "affected",
"version": "1d42bbc8f7f9ce4d852692ef7aa336b133b0830a",
"versionType": "git"
},
{
"lessThan": "b5359d7a5087ac398fc429da6833133b4784c268",
"status": "affected",
"version": "1d42bbc8f7f9ce4d852692ef7aa336b133b0830a",
"versionType": "git"
},
{
"lessThan": "4b596a6e2d2e0f9c14e4122506dd715f43fcd727",
"status": "affected",
"version": "1d42bbc8f7f9ce4d852692ef7aa336b133b0830a",
"versionType": "git"
},
{
"lessThan": "c2a88e8bdf5f6239948d75283d0ae7e0c7945b03",
"status": "affected",
"version": "1d42bbc8f7f9ce4d852692ef7aa336b133b0830a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_client_modeset.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.123",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.123",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fix memory leak in drm_client_target_cloned\n\ndmt_mode is allocated and never freed in this function.\nIt was found with the ast driver, but most drivers using generic fbdev\nsetup are probably affected.\n\nThis fixes the following kmemleak report:\n backtrace:\n [\u003c00000000b391296d\u003e] drm_mode_duplicate+0x45/0x220 [drm]\n [\u003c00000000e45bb5b3\u003e] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm]\n [\u003c00000000ed2d3a37\u003e] drm_client_modeset_probe+0x6bd/0xf50 [drm]\n [\u003c0000000010e5cc9d\u003e] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper]\n [\u003c00000000909f82ca\u003e] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper]\n [\u003c00000000063a69aa\u003e] drm_client_register+0x169/0x240 [drm]\n [\u003c00000000a8c61525\u003e] ast_pci_probe+0x142/0x190 [ast]\n [\u003c00000000987f19bb\u003e] local_pci_probe+0xdc/0x180\n [\u003c000000004fca231b\u003e] work_for_cpu_fn+0x4e/0xa0\n [\u003c0000000000b85301\u003e] process_one_work+0x8b7/0x1540\n [\u003c000000003375b17c\u003e] worker_thread+0x70a/0xed0\n [\u003c00000000b0d43cd9\u003e] kthread+0x29f/0x340\n [\u003c000000008d770833\u003e] ret_from_fork+0x1f/0x30\nunreferenced object 0xff11000333089a00 (size 128):"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:20.376Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d3009700f48602b557eade1f22c98b6bc20247e8"
},
{
"url": "https://git.kernel.org/stable/c/a4b978249e8fa94956fce8b70a709f7797716f62"
},
{
"url": "https://git.kernel.org/stable/c/52daf6ba2e0d201640cb1ce42049c5c4426b4d6e"
},
{
"url": "https://git.kernel.org/stable/c/105275879a80503686a8108af2f5c579a1c5aef4"
},
{
"url": "https://git.kernel.org/stable/c/a85e23a1ef63e45a18f0a30d7816fcb4a865ca95"
},
{
"url": "https://git.kernel.org/stable/c/b5359d7a5087ac398fc429da6833133b4784c268"
},
{
"url": "https://git.kernel.org/stable/c/4b596a6e2d2e0f9c14e4122506dd715f43fcd727"
},
{
"url": "https://git.kernel.org/stable/c/c2a88e8bdf5f6239948d75283d0ae7e0c7945b03"
}
],
"title": "drm/client: Fix memory leak in drm_client_target_cloned",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54091",
"datePublished": "2025-12-24T13:06:20.376Z",
"dateReserved": "2025-12-24T13:02:52.516Z",
"dateUpdated": "2025-12-24T13:06:20.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54001 (GCVE-0-2023-54001)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
staging: r8712: Fix memory leak in _r8712_init_xmit_priv()
Summary
In the Linux kernel, the following vulnerability has been resolved:
staging: r8712: Fix memory leak in _r8712_init_xmit_priv()
In the above mentioned routine, memory is allocated in several places.
If the first succeeds and a later one fails, the routine will leak memory.
This patch fixes commit 2865d42c78a9 ("staging: r8712u: Add the new driver
to the mainline kernel"). A potential memory leak in
r8712_xmit_resource_alloc() is also addressed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef , < fc511ae405f7ba29fbcb0246061ec15c272386e1
(git)
Affected: 2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef , < acacdbe0f740ca8c5d5da73d50870903a3ded677 (git) Affected: 2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef , < 41e05572e871b10dbdc168c76175c97982daf4a4 (git) Affected: 2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef , < 874555472c736813ba1f4baf0b4c09c8e26d81ea (git) Affected: 2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef , < ac83631230f77dda94154ed0ebfd368fc81c70a3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8712/rtl871x_xmit.c",
"drivers/staging/rtl8712/xmit_linux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fc511ae405f7ba29fbcb0246061ec15c272386e1",
"status": "affected",
"version": "2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef",
"versionType": "git"
},
{
"lessThan": "acacdbe0f740ca8c5d5da73d50870903a3ded677",
"status": "affected",
"version": "2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef",
"versionType": "git"
},
{
"lessThan": "41e05572e871b10dbdc168c76175c97982daf4a4",
"status": "affected",
"version": "2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef",
"versionType": "git"
},
{
"lessThan": "874555472c736813ba1f4baf0b4c09c8e26d81ea",
"status": "affected",
"version": "2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef",
"versionType": "git"
},
{
"lessThan": "ac83631230f77dda94154ed0ebfd368fc81c70a3",
"status": "affected",
"version": "2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/staging/rtl8712/rtl871x_xmit.c",
"drivers/staging/rtl8712/xmit_linux.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: r8712: Fix memory leak in _r8712_init_xmit_priv()\n\nIn the above mentioned routine, memory is allocated in several places.\nIf the first succeeds and a later one fails, the routine will leak memory.\nThis patch fixes commit 2865d42c78a9 (\"staging: r8712u: Add the new driver\nto the mainline kernel\"). A potential memory leak in\nr8712_xmit_resource_alloc() is also addressed."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:36.991Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fc511ae405f7ba29fbcb0246061ec15c272386e1"
},
{
"url": "https://git.kernel.org/stable/c/acacdbe0f740ca8c5d5da73d50870903a3ded677"
},
{
"url": "https://git.kernel.org/stable/c/41e05572e871b10dbdc168c76175c97982daf4a4"
},
{
"url": "https://git.kernel.org/stable/c/874555472c736813ba1f4baf0b4c09c8e26d81ea"
},
{
"url": "https://git.kernel.org/stable/c/ac83631230f77dda94154ed0ebfd368fc81c70a3"
}
],
"title": "staging: r8712: Fix memory leak in _r8712_init_xmit_priv()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54001",
"datePublished": "2025-12-24T10:55:36.991Z",
"dateReserved": "2025-12-24T10:53:46.177Z",
"dateUpdated": "2025-12-24T10:55:36.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68217 (GCVE-0-2025-68217)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
Input: pegasus-notetaker - fix potential out-of-bounds access
Summary
In the Linux kernel, the following vulnerability has been resolved:
Input: pegasus-notetaker - fix potential out-of-bounds access
In the pegasus_notetaker driver, the pegasus_probe() function allocates
the URB transfer buffer using the wMaxPacketSize value from
the endpoint descriptor. An attacker can use a malicious USB descriptor
to force the allocation of a very small buffer.
Subsequently, if the device sends an interrupt packet with a specific
pattern (e.g., where the first byte is 0x80 or 0x42),
the pegasus_parse_packet() function parses the packet without checking
the allocated buffer size. This leads to an out-of-bounds memory access.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1afca2b66aac7ac262d3511c68725e9e7053b40f , < c4e746651bd74c38f581e1cf31651119a94de8cd
(git)
Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 36bc92b838ff72f62f2c17751a9013b29ead2513 (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 015b719962696b793997e8deefac019f816aca77 (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 084264e10e2ae8938a54355123ad977eb9df56d6 (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479 (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 9ab67eff6d654e34ba6da07c64761aa87c2a3c26 (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 763c3f4d2394a697d14af1335d3bb42f05c9409f (git) Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 69aeb507312306f73495598a055293fa749d454e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/input/tablet/pegasus_notetaker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4e746651bd74c38f581e1cf31651119a94de8cd",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "36bc92b838ff72f62f2c17751a9013b29ead2513",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "015b719962696b793997e8deefac019f816aca77",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "084264e10e2ae8938a54355123ad977eb9df56d6",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "9ab67eff6d654e34ba6da07c64761aa87c2a3c26",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "763c3f4d2394a697d14af1335d3bb42f05c9409f",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
},
{
"lessThan": "69aeb507312306f73495598a055293fa749d454e",
"status": "affected",
"version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/input/tablet/pegasus_notetaker.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: pegasus-notetaker - fix potential out-of-bounds access\n\nIn the pegasus_notetaker driver, the pegasus_probe() function allocates\nthe URB transfer buffer using the wMaxPacketSize value from\nthe endpoint descriptor. An attacker can use a malicious USB descriptor\nto force the allocation of a very small buffer.\n\nSubsequently, if the device sends an interrupt packet with a specific\npattern (e.g., where the first byte is 0x80 or 0x42),\nthe pegasus_parse_packet() function parses the packet without checking\nthe allocated buffer size. This leads to an out-of-bounds memory access."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:12.011Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4e746651bd74c38f581e1cf31651119a94de8cd"
},
{
"url": "https://git.kernel.org/stable/c/36bc92b838ff72f62f2c17751a9013b29ead2513"
},
{
"url": "https://git.kernel.org/stable/c/015b719962696b793997e8deefac019f816aca77"
},
{
"url": "https://git.kernel.org/stable/c/084264e10e2ae8938a54355123ad977eb9df56d6"
},
{
"url": "https://git.kernel.org/stable/c/d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479"
},
{
"url": "https://git.kernel.org/stable/c/9ab67eff6d654e34ba6da07c64761aa87c2a3c26"
},
{
"url": "https://git.kernel.org/stable/c/763c3f4d2394a697d14af1335d3bb42f05c9409f"
},
{
"url": "https://git.kernel.org/stable/c/69aeb507312306f73495598a055293fa749d454e"
}
],
"title": "Input: pegasus-notetaker - fix potential out-of-bounds access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68217",
"datePublished": "2025-12-16T13:57:12.011Z",
"dateReserved": "2025-12-16T13:41:40.256Z",
"dateUpdated": "2025-12-16T13:57:12.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68378 (GCVE-0-2025-68378)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33
VLAI?
EPSS
Title
bpf: Fix stackmap overflow check in __bpf_get_stackid()
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix stackmap overflow check in __bpf_get_stackid()
Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()
when copying stack trace data. The issue occurs when the perf trace
contains more stack entries than the stack map bucket can hold,
leading to an out-of-bounds write in the bucket's data array.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < d1f424a77b6bd27b361737ed73df49a0158f1590
(git)
Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 2a008f6de163279deffd488c1deab081bce5667c (git) Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 4669a8db976c8cbd5427fe9945f12c5fa5168ff3 (git) Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 23f852daa4bab4d579110e034e4d513f7d490846 (git) Affected: 90805175a206f784b6a77f16f07b07f6803e286b (git) Affected: 398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e (git) Affected: e750f78c4ed7cefbcefb9769b3b9e08033db39da (git) Affected: 6c4f243b58f5362e983386488b2d563764c567af (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/stackmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1f424a77b6bd27b361737ed73df49a0158f1590",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "2a008f6de163279deffd488c1deab081bce5667c",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "4669a8db976c8cbd5427fe9945f12c5fa5168ff3",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"lessThan": "23f852daa4bab4d579110e034e4d513f7d490846",
"status": "affected",
"version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
"versionType": "git"
},
{
"status": "affected",
"version": "90805175a206f784b6a77f16f07b07f6803e286b",
"versionType": "git"
},
{
"status": "affected",
"version": "398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e",
"versionType": "git"
},
{
"status": "affected",
"version": "e750f78c4ed7cefbcefb9769b3b9e08033db39da",
"versionType": "git"
},
{
"status": "affected",
"version": "6c4f243b58f5362e983386488b2d563764c567af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/stackmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.110",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check in __bpf_get_stackid()\n\nSyzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()\nwhen copying stack trace data. The issue occurs when the perf trace\n contains more stack entries than the stack map bucket can hold,\n leading to an out-of-bounds write in the bucket\u0027s data array."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:33:06.859Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1f424a77b6bd27b361737ed73df49a0158f1590"
},
{
"url": "https://git.kernel.org/stable/c/2a008f6de163279deffd488c1deab081bce5667c"
},
{
"url": "https://git.kernel.org/stable/c/4669a8db976c8cbd5427fe9945f12c5fa5168ff3"
},
{
"url": "https://git.kernel.org/stable/c/23f852daa4bab4d579110e034e4d513f7d490846"
}
],
"title": "bpf: Fix stackmap overflow check in __bpf_get_stackid()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68378",
"datePublished": "2025-12-24T10:33:06.859Z",
"dateReserved": "2025-12-16T14:48:05.311Z",
"dateUpdated": "2025-12-24T10:33:06.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40338 (GCVE-0-2025-40338)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
ASoC: Intel: avs: Do not share the name pointer between components
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: avs: Do not share the name pointer between components
By sharing 'name' directly, tearing down components may lead to
use-after-free errors. Duplicate the name to avoid that.
At the same time, update the order of operations - since commit
cee28113db17 ("ASoC: dmaengine_pcm: Allow passing component name via
config") the framework does not override component->name if set before
invoking the initializer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/avs/pcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "128bf29c992988f8b4f3829227339908fde5ec86",
"status": "affected",
"version": "f1b3b320bd6519b16e3480f74f2926d106e3bcba",
"versionType": "git"
},
{
"lessThan": "4dee5c1cc439b0d5ef87f741518268ad6a95b23d",
"status": "affected",
"version": "f1b3b320bd6519b16e3480f74f2926d106e3bcba",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/intel/avs/pcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Do not share the name pointer between components\n\nBy sharing \u0027name\u0027 directly, tearing down components may lead to\nuse-after-free errors. Duplicate the name to avoid that.\n\nAt the same time, update the order of operations - since commit\ncee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via\nconfig\") the framework does not override component-\u003ename if set before\ninvoking the initializer."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:40.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/128bf29c992988f8b4f3829227339908fde5ec86"
},
{
"url": "https://git.kernel.org/stable/c/4dee5c1cc439b0d5ef87f741518268ad6a95b23d"
}
],
"title": "ASoC: Intel: avs: Do not share the name pointer between components",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40338",
"datePublished": "2025-12-09T04:09:54.753Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:40.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49604 (GCVE-0-2022-49604)
Vulnerability from cvelistv5 – Published: 2025-02-26 02:23 – Updated: 2025-10-01 19:36
VLAI?
EPSS
Title
ip: Fix data-races around sysctl_ip_fwd_use_pmtu.
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip: Fix data-races around sysctl_ip_fwd_use_pmtu.
While reading sysctl_ip_fwd_use_pmtu, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its readers.
Severity ?
4.7 (Medium)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < eb15262128b793e4b1d1c4514d3e6d19c3959764
(git)
Affected: f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < 7828309df0f89419a9349761a37c7d1b0da45697 (git) Affected: f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < b96ed5ccb09ae71103023ed13acefb194f609794 (git) Affected: f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < 93fbc06da1d819f3981a7bd7928c3641ea67b364 (git) Affected: f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < e364b5f6ffbfc457a997ad09a7baa16c19581edc (git) Affected: f87c10a8aa1e82498c42d0335524d6ae7cf5a52b , < 60c158dc7b1f0558f6cadd5b50d0386da0000d50 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49604",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:35:08.137133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:36:51.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/ip.h",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb15262128b793e4b1d1c4514d3e6d19c3959764",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
},
{
"lessThan": "7828309df0f89419a9349761a37c7d1b0da45697",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
},
{
"lessThan": "b96ed5ccb09ae71103023ed13acefb194f609794",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
},
{
"lessThan": "93fbc06da1d819f3981a7bd7928c3641ea67b364",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
},
{
"lessThan": "e364b5f6ffbfc457a997ad09a7baa16c19581edc",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
},
{
"lessThan": "60c158dc7b1f0558f6cadd5b50d0386da0000d50",
"status": "affected",
"version": "f87c10a8aa1e82498c42d0335524d6ae7cf5a52b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/ip.h",
"net/ipv4/route.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.208",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "5.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.254",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.208",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.134",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.58",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.15",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip: Fix data-races around sysctl_ip_fwd_use_pmtu.\n\nWhile reading sysctl_ip_fwd_use_pmtu, it can be changed concurrently.\nThus, we need to add READ_ONCE() to its readers."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:41:36.879Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb15262128b793e4b1d1c4514d3e6d19c3959764"
},
{
"url": "https://git.kernel.org/stable/c/7828309df0f89419a9349761a37c7d1b0da45697"
},
{
"url": "https://git.kernel.org/stable/c/b96ed5ccb09ae71103023ed13acefb194f609794"
},
{
"url": "https://git.kernel.org/stable/c/93fbc06da1d819f3981a7bd7928c3641ea67b364"
},
{
"url": "https://git.kernel.org/stable/c/e364b5f6ffbfc457a997ad09a7baa16c19581edc"
},
{
"url": "https://git.kernel.org/stable/c/60c158dc7b1f0558f6cadd5b50d0386da0000d50"
}
],
"title": "ip: Fix data-races around sysctl_ip_fwd_use_pmtu.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49604",
"datePublished": "2025-02-26T02:23:30.387Z",
"dateReserved": "2025-02-26T02:21:30.416Z",
"dateUpdated": "2025-10-01T19:36:51.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-54140 (GCVE-0-2023-54140)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
A syzbot stress test using a corrupted disk image reported that
mark_buffer_dirty() called from __nilfs_mark_inode_dirty() or
nilfs_palloc_commit_alloc_entry() may output a kernel warning, and can
panic if the kernel is booted with panic_on_warn.
This is because nilfs2 keeps buffer pointers in local structures for some
metadata and reuses them, but such buffers may be forcibly discarded by
nilfs_clear_dirty_page() in some critical situations.
This issue is reported to appear after commit 28a65b49eb53 ("nilfs2: do
not write dirty data after degenerating to read-only"), but the issue has
potentially existed before.
Fix this issue by checking the uptodate flag when attempting to reuse an
internally held buffer, and reloading the metadata instead of reusing the
buffer if the flag was lost.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8c26c4e2694a163d525976e804d81cd955bbb40c , < 473795610594f261e98920f0945550314df36f07
(git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < d95e403588738c7ec38f52b9f490b15e7745d393 (git) Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 99a73016a5e12a09586a96f998e91f9ea145cd00 (git) Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < f1d637b63d8a27ac3386f186a694907f2717fc13 (git) Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < b911bef132a06de01a745c6a24172d6db7216333 (git) Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 4da07e958bfda2d69d83db105780e8916e3ac02e (git) Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 46c11be2dca295742a5508ea910a77f7733fb7f4 (git) Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < b308b3eabc429649b5501d36290cea403fbd746c (git) Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < cdaac8e7e5a059f9b5e816cda257f08d0abffacd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/alloc.c",
"fs/nilfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "473795610594f261e98920f0945550314df36f07",
"status": "affected",
"version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
"versionType": "git"
},
{
"lessThan": "d95e403588738c7ec38f52b9f490b15e7745d393",
"status": "affected",
"version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
"versionType": "git"
},
{
"lessThan": "99a73016a5e12a09586a96f998e91f9ea145cd00",
"status": "affected",
"version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
"versionType": "git"
},
{
"lessThan": "f1d637b63d8a27ac3386f186a694907f2717fc13",
"status": "affected",
"version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
"versionType": "git"
},
{
"lessThan": "b911bef132a06de01a745c6a24172d6db7216333",
"status": "affected",
"version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
"versionType": "git"
},
{
"lessThan": "4da07e958bfda2d69d83db105780e8916e3ac02e",
"status": "affected",
"version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
"versionType": "git"
},
{
"lessThan": "46c11be2dca295742a5508ea910a77f7733fb7f4",
"status": "affected",
"version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
"versionType": "git"
},
{
"lessThan": "b308b3eabc429649b5501d36290cea403fbd746c",
"status": "affected",
"version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
"versionType": "git"
},
{
"lessThan": "cdaac8e7e5a059f9b5e816cda257f08d0abffacd",
"status": "affected",
"version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/alloc.c",
"fs/nilfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.52",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.131",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.52",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.15",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.2",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse\n\nA syzbot stress test using a corrupted disk image reported that\nmark_buffer_dirty() called from __nilfs_mark_inode_dirty() or\nnilfs_palloc_commit_alloc_entry() may output a kernel warning, and can\npanic if the kernel is booted with panic_on_warn.\n\nThis is because nilfs2 keeps buffer pointers in local structures for some\nmetadata and reuses them, but such buffers may be forcibly discarded by\nnilfs_clear_dirty_page() in some critical situations.\n\nThis issue is reported to appear after commit 28a65b49eb53 (\"nilfs2: do\nnot write dirty data after degenerating to read-only\"), but the issue has\npotentially existed before.\n\nFix this issue by checking the uptodate flag when attempting to reuse an\ninternally held buffer, and reloading the metadata instead of reusing the\nbuffer if the flag was lost."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:54.784Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/473795610594f261e98920f0945550314df36f07"
},
{
"url": "https://git.kernel.org/stable/c/d95e403588738c7ec38f52b9f490b15e7745d393"
},
{
"url": "https://git.kernel.org/stable/c/99a73016a5e12a09586a96f998e91f9ea145cd00"
},
{
"url": "https://git.kernel.org/stable/c/f1d637b63d8a27ac3386f186a694907f2717fc13"
},
{
"url": "https://git.kernel.org/stable/c/b911bef132a06de01a745c6a24172d6db7216333"
},
{
"url": "https://git.kernel.org/stable/c/4da07e958bfda2d69d83db105780e8916e3ac02e"
},
{
"url": "https://git.kernel.org/stable/c/46c11be2dca295742a5508ea910a77f7733fb7f4"
},
{
"url": "https://git.kernel.org/stable/c/b308b3eabc429649b5501d36290cea403fbd746c"
},
{
"url": "https://git.kernel.org/stable/c/cdaac8e7e5a059f9b5e816cda257f08d0abffacd"
}
],
"title": "nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54140",
"datePublished": "2025-12-24T13:06:54.784Z",
"dateReserved": "2025-12-24T13:02:52.522Z",
"dateUpdated": "2025-12-24T13:06:54.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54048 (GCVE-0-2023-54048)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
RDMA/bnxt_re: Prevent handling any completions after qp destroy
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/bnxt_re: Prevent handling any completions after qp destroy
HW may generate completions that indicates QP is destroyed.
Driver should not be scheduling any more completion handlers
for this QP, after the QP is destroyed. Since CQs are active
during the QP destroy, driver may still schedule completion
handlers. This can cause a race where the destroy_cq and poll_cq
running simultaneously.
Snippet of kernel panic while doing bnxt_re driver load unload in loop.
This indicates a poll after the CQ is freed.
[77786.481636] Call Trace:
[77786.481640] <TASK>
[77786.481644] bnxt_re_poll_cq+0x14a/0x620 [bnxt_re]
[77786.481658] ? kvm_clock_read+0x14/0x30
[77786.481693] __ib_process_cq+0x57/0x190 [ib_core]
[77786.481728] ib_cq_poll_work+0x26/0x80 [ib_core]
[77786.481761] process_one_work+0x1e5/0x3f0
[77786.481768] worker_thread+0x50/0x3a0
[77786.481785] ? __pfx_worker_thread+0x10/0x10
[77786.481790] kthread+0xe2/0x110
[77786.481794] ? __pfx_kthread+0x10/0x10
[77786.481797] ret_from_fork+0x2c/0x50
To avoid this, complete all completion handlers before returning the
destroy QP. If free_cq is called soon after destroy_qp, IB stack
will cancel the CQ work before invoking the destroy_cq verb and
this will prevent any race mentioned.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1ac5a404797523cedaf424a3aaa3cf8f9548dff8 , < b79a0e71d6e8692e0b6da05f8aaa7d69191cf7e7
(git)
Affected: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8 , < b8500538b8f5b2cd86b02754c8de83eaa7a2d6ba (git) Affected: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8 , < 7faa6097694164380ed19600c7a7993d071270b9 (git) Affected: 1ac5a404797523cedaf424a3aaa3cf8f9548dff8 , < b5bbc6551297447d3cca55cf907079e206e9cd82 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/ib_verbs.c",
"drivers/infiniband/hw/bnxt_re/qplib_fp.c",
"drivers/infiniband/hw/bnxt_re/qplib_fp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b79a0e71d6e8692e0b6da05f8aaa7d69191cf7e7",
"status": "affected",
"version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
"versionType": "git"
},
{
"lessThan": "b8500538b8f5b2cd86b02754c8de83eaa7a2d6ba",
"status": "affected",
"version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
"versionType": "git"
},
{
"lessThan": "7faa6097694164380ed19600c7a7993d071270b9",
"status": "affected",
"version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
"versionType": "git"
},
{
"lessThan": "b5bbc6551297447d3cca55cf907079e206e9cd82",
"status": "affected",
"version": "1ac5a404797523cedaf424a3aaa3cf8f9548dff8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/ib_verbs.c",
"drivers/infiniband/hw/bnxt_re/qplib_fp.c",
"drivers/infiniband/hw/bnxt_re/qplib_fp.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Prevent handling any completions after qp destroy\n\nHW may generate completions that indicates QP is destroyed.\nDriver should not be scheduling any more completion handlers\nfor this QP, after the QP is destroyed. Since CQs are active\nduring the QP destroy, driver may still schedule completion\nhandlers. This can cause a race where the destroy_cq and poll_cq\nrunning simultaneously.\n\nSnippet of kernel panic while doing bnxt_re driver load unload in loop.\nThis indicates a poll after the CQ is freed.\u00a0\n\n[77786.481636] Call Trace:\n[77786.481640] \u00a0\u003cTASK\u003e\n[77786.481644] \u00a0bnxt_re_poll_cq+0x14a/0x620 [bnxt_re]\n[77786.481658] \u00a0? kvm_clock_read+0x14/0x30\n[77786.481693] \u00a0__ib_process_cq+0x57/0x190 [ib_core]\n[77786.481728] \u00a0ib_cq_poll_work+0x26/0x80 [ib_core]\n[77786.481761] \u00a0process_one_work+0x1e5/0x3f0\n[77786.481768] \u00a0worker_thread+0x50/0x3a0\n[77786.481785] \u00a0? __pfx_worker_thread+0x10/0x10\n[77786.481790] \u00a0kthread+0xe2/0x110\n[77786.481794] \u00a0? __pfx_kthread+0x10/0x10\n[77786.481797] \u00a0ret_from_fork+0x2c/0x50\n\nTo avoid this, complete all completion handlers before returning the\ndestroy QP. If free_cq is called soon after destroy_qp, IB stack\nwill cancel the CQ work before invoking the destroy_cq verb and\nthis will prevent any race mentioned."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:58.910Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b79a0e71d6e8692e0b6da05f8aaa7d69191cf7e7"
},
{
"url": "https://git.kernel.org/stable/c/b8500538b8f5b2cd86b02754c8de83eaa7a2d6ba"
},
{
"url": "https://git.kernel.org/stable/c/7faa6097694164380ed19600c7a7993d071270b9"
},
{
"url": "https://git.kernel.org/stable/c/b5bbc6551297447d3cca55cf907079e206e9cd82"
}
],
"title": "RDMA/bnxt_re: Prevent handling any completions after qp destroy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54048",
"datePublished": "2025-12-24T12:22:58.910Z",
"dateReserved": "2025-12-24T12:21:05.089Z",
"dateUpdated": "2025-12-24T12:22:58.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50823 (GCVE-0-2022-50823)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
clk: tegra: Fix refcount leak in tegra114_clock_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: tegra: Fix refcount leak in tegra114_clock_init
of_find_matching_node() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2cb5efefd6f7d3e7df9a7430b910a80515821256 , < 1f0e1cbbaffd729560716e9592aa5e609ea93bb6
(git)
Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < ce699dcdac2bfdb6b238f2517ba41d9623b15f46 (git) Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < 8cc87a9c142ae0e276a3ff9ce50f78a1668da36f (git) Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < 5984b1d66126b024ee77482602ac6e51b53f4116 (git) Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < c01bfd23cc13a420b3f6a36bcab98410f49d480d (git) Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < e7a57fb92af52c4da69cd947752e8946e5ada50a (git) Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < 8e1fe30253930c6a67385c19802c5ab8706a76d9 (git) Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < a7d3fb5814c73d7d49913e4294f8f508a3038bb4 (git) Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < db16a80c76ea395766913082b1e3f939dde29b2c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/tegra/clk-tegra114.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f0e1cbbaffd729560716e9592aa5e609ea93bb6",
"status": "affected",
"version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
"versionType": "git"
},
{
"lessThan": "ce699dcdac2bfdb6b238f2517ba41d9623b15f46",
"status": "affected",
"version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
"versionType": "git"
},
{
"lessThan": "8cc87a9c142ae0e276a3ff9ce50f78a1668da36f",
"status": "affected",
"version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
"versionType": "git"
},
{
"lessThan": "5984b1d66126b024ee77482602ac6e51b53f4116",
"status": "affected",
"version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
"versionType": "git"
},
{
"lessThan": "c01bfd23cc13a420b3f6a36bcab98410f49d480d",
"status": "affected",
"version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
"versionType": "git"
},
{
"lessThan": "e7a57fb92af52c4da69cd947752e8946e5ada50a",
"status": "affected",
"version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
"versionType": "git"
},
{
"lessThan": "8e1fe30253930c6a67385c19802c5ab8706a76d9",
"status": "affected",
"version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
"versionType": "git"
},
{
"lessThan": "a7d3fb5814c73d7d49913e4294f8f508a3038bb4",
"status": "affected",
"version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
"versionType": "git"
},
{
"lessThan": "db16a80c76ea395766913082b1e3f939dde29b2c",
"status": "affected",
"version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/tegra/clk-tegra114.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.331",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.262",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.331",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.296",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.262",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: tegra: Fix refcount leak in tegra114_clock_init\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:36.911Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f0e1cbbaffd729560716e9592aa5e609ea93bb6"
},
{
"url": "https://git.kernel.org/stable/c/ce699dcdac2bfdb6b238f2517ba41d9623b15f46"
},
{
"url": "https://git.kernel.org/stable/c/8cc87a9c142ae0e276a3ff9ce50f78a1668da36f"
},
{
"url": "https://git.kernel.org/stable/c/5984b1d66126b024ee77482602ac6e51b53f4116"
},
{
"url": "https://git.kernel.org/stable/c/c01bfd23cc13a420b3f6a36bcab98410f49d480d"
},
{
"url": "https://git.kernel.org/stable/c/e7a57fb92af52c4da69cd947752e8946e5ada50a"
},
{
"url": "https://git.kernel.org/stable/c/8e1fe30253930c6a67385c19802c5ab8706a76d9"
},
{
"url": "https://git.kernel.org/stable/c/a7d3fb5814c73d7d49913e4294f8f508a3038bb4"
},
{
"url": "https://git.kernel.org/stable/c/db16a80c76ea395766913082b1e3f939dde29b2c"
}
],
"title": "clk: tegra: Fix refcount leak in tegra114_clock_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50823",
"datePublished": "2025-12-30T12:08:36.911Z",
"dateReserved": "2025-12-30T12:06:07.131Z",
"dateUpdated": "2025-12-30T12:08:36.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50677 (GCVE-0-2022-50677)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
ipmi: fix use after free in _ipmi_destroy_user()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipmi: fix use after free in _ipmi_destroy_user()
The intf_free() function frees the "intf" pointer so we cannot
dereference it again on the next line.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f9d405a4bd6090ffbf3bba5e2da6b44c0e013cb3 , < 35ad87bfe330f7ef6a19f772223c63296d643172
(git)
Affected: b642ced2cad496c32ae1f62b85fc395391190820 , < d23006f2a56e11a3103de0ca8b843bf7fd7d76fc (git) Affected: cbb79863fc3175ed5ac506465948b02a893a8235 , < f29d127b372e1b7662397d92341d9f7de198ff99 (git) Affected: cbb79863fc3175ed5ac506465948b02a893a8235 , < bfce073089cb81482521c65061835aaa6d1a6cc0 (git) Affected: cbb79863fc3175ed5ac506465948b02a893a8235 , < f7fde441198a9ecb130c3ccec91ee2131d6998ee (git) Affected: cbb79863fc3175ed5ac506465948b02a893a8235 , < 1fc9b20a7688000fcf4d7fbaa58e415a3cdda961 (git) Affected: cbb79863fc3175ed5ac506465948b02a893a8235 , < a92ce570c81dc0feaeb12a429b4bc65686d17967 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_msghandler.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "35ad87bfe330f7ef6a19f772223c63296d643172",
"status": "affected",
"version": "f9d405a4bd6090ffbf3bba5e2da6b44c0e013cb3",
"versionType": "git"
},
{
"lessThan": "d23006f2a56e11a3103de0ca8b843bf7fd7d76fc",
"status": "affected",
"version": "b642ced2cad496c32ae1f62b85fc395391190820",
"versionType": "git"
},
{
"lessThan": "f29d127b372e1b7662397d92341d9f7de198ff99",
"status": "affected",
"version": "cbb79863fc3175ed5ac506465948b02a893a8235",
"versionType": "git"
},
{
"lessThan": "bfce073089cb81482521c65061835aaa6d1a6cc0",
"status": "affected",
"version": "cbb79863fc3175ed5ac506465948b02a893a8235",
"versionType": "git"
},
{
"lessThan": "f7fde441198a9ecb130c3ccec91ee2131d6998ee",
"status": "affected",
"version": "cbb79863fc3175ed5ac506465948b02a893a8235",
"versionType": "git"
},
{
"lessThan": "1fc9b20a7688000fcf4d7fbaa58e415a3cdda961",
"status": "affected",
"version": "cbb79863fc3175ed5ac506465948b02a893a8235",
"versionType": "git"
},
{
"lessThan": "a92ce570c81dc0feaeb12a429b4bc65686d17967",
"status": "affected",
"version": "cbb79863fc3175ed5ac506465948b02a893a8235",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/ipmi/ipmi_msghandler.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmi: fix use after free in _ipmi_destroy_user()\n\nThe intf_free() function frees the \"intf\" pointer so we cannot\ndereference it again on the next line."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:30.418Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/35ad87bfe330f7ef6a19f772223c63296d643172"
},
{
"url": "https://git.kernel.org/stable/c/d23006f2a56e11a3103de0ca8b843bf7fd7d76fc"
},
{
"url": "https://git.kernel.org/stable/c/f29d127b372e1b7662397d92341d9f7de198ff99"
},
{
"url": "https://git.kernel.org/stable/c/bfce073089cb81482521c65061835aaa6d1a6cc0"
},
{
"url": "https://git.kernel.org/stable/c/f7fde441198a9ecb130c3ccec91ee2131d6998ee"
},
{
"url": "https://git.kernel.org/stable/c/1fc9b20a7688000fcf4d7fbaa58e415a3cdda961"
},
{
"url": "https://git.kernel.org/stable/c/a92ce570c81dc0feaeb12a429b4bc65686d17967"
}
],
"title": "ipmi: fix use after free in _ipmi_destroy_user()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50677",
"datePublished": "2025-12-09T01:29:30.418Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:30.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54313 (GCVE-0-2023-54313)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
ovl: fix null pointer dereference in ovl_get_acl_rcu()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ovl: fix null pointer dereference in ovl_get_acl_rcu()
Following process:
P1 P2
path_openat
link_path_walk
may_lookup
inode_permission(rcu)
ovl_permission
acl_permission_check
check_acl
get_cached_acl_rcu
ovl_get_inode_acl
realinode = ovl_inode_real(ovl_inode)
drop_cache
__dentry_kill(ovl_dentry)
iput(ovl_inode)
ovl_destroy_inode(ovl_inode)
dput(oi->__upperdentry)
dentry_kill(upperdentry)
dentry_unlink_inode
upperdentry->d_inode = NULL
ovl_inode_upper
upperdentry = ovl_i_dentry_upper(ovl_inode)
d_inode(upperdentry) // returns NULL
IS_POSIXACL(realinode) // NULL pointer dereference
, will trigger an null pointer dereference at realinode:
[ 205.472797] BUG: kernel NULL pointer dereference, address:
0000000000000028
[ 205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted
6.3.0-12064-g2edfa098e750-dirty #1216
[ 205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300
[ 205.489584] Call Trace:
[ 205.489812] <TASK>
[ 205.490014] ovl_get_inode_acl+0x26/0x30
[ 205.490466] get_cached_acl_rcu+0x61/0xa0
[ 205.490908] generic_permission+0x1bf/0x4e0
[ 205.491447] ovl_permission+0x79/0x1b0
[ 205.491917] inode_permission+0x15e/0x2c0
[ 205.492425] link_path_walk+0x115/0x550
[ 205.493311] path_lookupat.isra.0+0xb2/0x200
[ 205.493803] filename_lookup+0xda/0x240
[ 205.495747] vfs_fstatat+0x7b/0xb0
Fetch a reproducer in [Link].
Use the helper ovl_i_path_realinode() to get realinode and then do
non-nullptr checking.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
332f606b32b6291a944c8cf23b91f53a6e676525 , < d97481c7b2739a704848bb3c01f224dc71bdf78e
(git)
Affected: 332f606b32b6291a944c8cf23b91f53a6e676525 , < c4a5fb1ae5d3f02d3227afde2b9339994389463d (git) Affected: 332f606b32b6291a944c8cf23b91f53a6e676525 , < d536af163c53ce9f9bcfe87d2e9946f06f1a7ea4 (git) Affected: 332f606b32b6291a944c8cf23b91f53a6e676525 , < f4e19e595cc2e76a8a58413eb19d3d9c51328b53 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d97481c7b2739a704848bb3c01f224dc71bdf78e",
"status": "affected",
"version": "332f606b32b6291a944c8cf23b91f53a6e676525",
"versionType": "git"
},
{
"lessThan": "c4a5fb1ae5d3f02d3227afde2b9339994389463d",
"status": "affected",
"version": "332f606b32b6291a944c8cf23b91f53a6e676525",
"versionType": "git"
},
{
"lessThan": "d536af163c53ce9f9bcfe87d2e9946f06f1a7ea4",
"status": "affected",
"version": "332f606b32b6291a944c8cf23b91f53a6e676525",
"versionType": "git"
},
{
"lessThan": "f4e19e595cc2e76a8a58413eb19d3d9c51328b53",
"status": "affected",
"version": "332f606b32b6291a944c8cf23b91f53a6e676525",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.40",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix null pointer dereference in ovl_get_acl_rcu()\n\nFollowing process:\n P1 P2\n path_openat\n link_path_walk\n may_lookup\n inode_permission(rcu)\n ovl_permission\n acl_permission_check\n check_acl\n get_cached_acl_rcu\n\t ovl_get_inode_acl\n\t realinode = ovl_inode_real(ovl_inode)\n\t drop_cache\n\t\t __dentry_kill(ovl_dentry)\n\t\t\t\tiput(ovl_inode)\n\t\t ovl_destroy_inode(ovl_inode)\n\t\t dput(oi-\u003e__upperdentry)\n\t\t dentry_kill(upperdentry)\n\t\t dentry_unlink_inode\n\t\t\t\t upperdentry-\u003ed_inode = NULL\n\t ovl_inode_upper\n\t upperdentry = ovl_i_dentry_upper(ovl_inode)\n\t d_inode(upperdentry) // returns NULL\n\t IS_POSIXACL(realinode) // NULL pointer dereference\n, will trigger an null pointer dereference at realinode:\n [ 205.472797] BUG: kernel NULL pointer dereference, address:\n 0000000000000028\n [ 205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted\n 6.3.0-12064-g2edfa098e750-dirty #1216\n [ 205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300\n [ 205.489584] Call Trace:\n [ 205.489812] \u003cTASK\u003e\n [ 205.490014] ovl_get_inode_acl+0x26/0x30\n [ 205.490466] get_cached_acl_rcu+0x61/0xa0\n [ 205.490908] generic_permission+0x1bf/0x4e0\n [ 205.491447] ovl_permission+0x79/0x1b0\n [ 205.491917] inode_permission+0x15e/0x2c0\n [ 205.492425] link_path_walk+0x115/0x550\n [ 205.493311] path_lookupat.isra.0+0xb2/0x200\n [ 205.493803] filename_lookup+0xda/0x240\n [ 205.495747] vfs_fstatat+0x7b/0xb0\n\nFetch a reproducer in [Link].\n\nUse the helper ovl_i_path_realinode() to get realinode and then do\nnon-nullptr checking."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:44.484Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d97481c7b2739a704848bb3c01f224dc71bdf78e"
},
{
"url": "https://git.kernel.org/stable/c/c4a5fb1ae5d3f02d3227afde2b9339994389463d"
},
{
"url": "https://git.kernel.org/stable/c/d536af163c53ce9f9bcfe87d2e9946f06f1a7ea4"
},
{
"url": "https://git.kernel.org/stable/c/f4e19e595cc2e76a8a58413eb19d3d9c51328b53"
}
],
"title": "ovl: fix null pointer dereference in ovl_get_acl_rcu()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54313",
"datePublished": "2025-12-30T12:23:44.484Z",
"dateReserved": "2025-12-30T12:06:44.531Z",
"dateUpdated": "2025-12-30T12:23:44.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68184 (GCVE-0-2025-68184)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2025-12-16 13:43
VLAI?
EPSS
Title
drm/mediatek: Disable AFBC support on Mediatek DRM driver
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: Disable AFBC support on Mediatek DRM driver
Commit c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRM
driver") added AFBC support to Mediatek DRM and enabled the
32x8/split/sparse modifier.
However, this is currently broken on Mediatek MT8188 (Genio 700 EVK
platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by
default since Mesa v25.0.
Kernel trace reports vblank timeouts constantly, and the render is garbled:
```
[CRTC:62:crtc-0] vblank wait timed out
WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c
[...]
Hardware name: MediaTek Genio-700 EVK (DT)
Workqueue: events_unbound commit_work
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c
lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c
sp : ffff80008337bca0
x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000
x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000
x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80
x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a
x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000
x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b
x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70
x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70
x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480
Call trace:
drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)
drm_atomic_helper_commit_tail_rpm+0x64/0x80
commit_tail+0xa4/0x1a4
commit_work+0x14/0x20
process_one_work+0x150/0x290
worker_thread+0x2d0/0x3ec
kthread+0x12c/0x210
ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
```
Until this gets fixed upstream, disable AFBC support on this platform, as
it's currently broken with upstream Mesa.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c410fa9b07c32cc69968ec83a148366d16c76dc4 , < df1ad5de2197ea1b527d13ae7b699e9ee7d724d4
(git)
Affected: c410fa9b07c32cc69968ec83a148366d16c76dc4 , < 0eaa0a3dfe218c4cf1a0782ccbbc9e3931718f17 (git) Affected: c410fa9b07c32cc69968ec83a148366d16c76dc4 , < 72223700b620885d556a4c52a63f5294316176c6 (git) Affected: c410fa9b07c32cc69968ec83a148366d16c76dc4 , < 9882a40640036d5bbc590426a78981526d4f2345 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "df1ad5de2197ea1b527d13ae7b699e9ee7d724d4",
"status": "affected",
"version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
"versionType": "git"
},
{
"lessThan": "0eaa0a3dfe218c4cf1a0782ccbbc9e3931718f17",
"status": "affected",
"version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
"versionType": "git"
},
{
"lessThan": "72223700b620885d556a4c52a63f5294316176c6",
"status": "affected",
"version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
"versionType": "git"
},
{
"lessThan": "9882a40640036d5bbc590426a78981526d4f2345",
"status": "affected",
"version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/mediatek/mtk_plane.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Disable AFBC support on Mediatek DRM driver\n\nCommit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM\ndriver\") added AFBC support to Mediatek DRM and enabled the\n32x8/split/sparse modifier.\n\nHowever, this is currently broken on Mediatek MT8188 (Genio 700 EVK\nplatform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by\ndefault since Mesa v25.0.\n\nKernel trace reports vblank timeouts constantly, and the render is garbled:\n\n```\n[CRTC:62:crtc-0] vblank wait timed out\nWARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\n[...]\nHardware name: MediaTek Genio-700 EVK (DT)\nWorkqueue: events_unbound commit_work\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\nlr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\nsp : ffff80008337bca0\nx29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000\nx26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000\nx23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80\nx20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a\nx17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000\nx14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b\nx11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70\nx8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70\nx5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480\nCall trace:\n drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)\n drm_atomic_helper_commit_tail_rpm+0x64/0x80\n commit_tail+0xa4/0x1a4\n commit_work+0x14/0x20\n process_one_work+0x150/0x290\n worker_thread+0x2d0/0x3ec\n kthread+0x12c/0x210\n ret_from_fork+0x10/0x20\n---[ end trace 0000000000000000 ]---\n```\n\nUntil this gets fixed upstream, disable AFBC support on this platform, as\nit\u0027s currently broken with upstream Mesa."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:43:02.010Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/df1ad5de2197ea1b527d13ae7b699e9ee7d724d4"
},
{
"url": "https://git.kernel.org/stable/c/0eaa0a3dfe218c4cf1a0782ccbbc9e3931718f17"
},
{
"url": "https://git.kernel.org/stable/c/72223700b620885d556a4c52a63f5294316176c6"
},
{
"url": "https://git.kernel.org/stable/c/9882a40640036d5bbc590426a78981526d4f2345"
}
],
"title": "drm/mediatek: Disable AFBC support on Mediatek DRM driver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68184",
"datePublished": "2025-12-16T13:43:02.010Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2025-12-16T13:43:02.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50859 (GCVE-0-2022-50859)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message
Commit d5c7076b772a ("smb3: add smb3.1.1 to default dialect list")
extend the dialects from 3 to 4, but forget to decrease the extended
length when specific the dialect, then the message length is larger
than expected.
This maybe leak some info through network because not initialize the
message body.
After apply this patch, the VALIDATE_NEGOTIATE_INFO message length is
reduced from 28 bytes to 26 bytes.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d5c7076b772ad7dcdb92303397b36aee8fa0d25d , < d0050ec3ebbcb3451df9a65b8460be9b9e02e80c
(git)
Affected: d5c7076b772ad7dcdb92303397b36aee8fa0d25d , < 9312e04b6c6bc46354ecd0cc82052a2b3df0b529 (git) Affected: d5c7076b772ad7dcdb92303397b36aee8fa0d25d , < 60480291c1fcafad8425d93f771b5bcc2bd398b4 (git) Affected: d5c7076b772ad7dcdb92303397b36aee8fa0d25d , < 943eb0ede74ecd609fdfd3f0b83e0d237613e526 (git) Affected: d5c7076b772ad7dcdb92303397b36aee8fa0d25d , < fada9b8c95c77bb46b89e18117405bc90fce9f74 (git) Affected: d5c7076b772ad7dcdb92303397b36aee8fa0d25d , < e98ecc6e94f4e6d21c06660b0f336df02836694f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0050ec3ebbcb3451df9a65b8460be9b9e02e80c",
"status": "affected",
"version": "d5c7076b772ad7dcdb92303397b36aee8fa0d25d",
"versionType": "git"
},
{
"lessThan": "9312e04b6c6bc46354ecd0cc82052a2b3df0b529",
"status": "affected",
"version": "d5c7076b772ad7dcdb92303397b36aee8fa0d25d",
"versionType": "git"
},
{
"lessThan": "60480291c1fcafad8425d93f771b5bcc2bd398b4",
"status": "affected",
"version": "d5c7076b772ad7dcdb92303397b36aee8fa0d25d",
"versionType": "git"
},
{
"lessThan": "943eb0ede74ecd609fdfd3f0b83e0d237613e526",
"status": "affected",
"version": "d5c7076b772ad7dcdb92303397b36aee8fa0d25d",
"versionType": "git"
},
{
"lessThan": "fada9b8c95c77bb46b89e18117405bc90fce9f74",
"status": "affected",
"version": "d5c7076b772ad7dcdb92303397b36aee8fa0d25d",
"versionType": "git"
},
{
"lessThan": "e98ecc6e94f4e6d21c06660b0f336df02836694f",
"status": "affected",
"version": "d5c7076b772ad7dcdb92303397b36aee8fa0d25d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message\n\nCommit d5c7076b772a (\"smb3: add smb3.1.1 to default dialect list\")\nextend the dialects from 3 to 4, but forget to decrease the extended\nlength when specific the dialect, then the message length is larger\nthan expected.\n\nThis maybe leak some info through network because not initialize the\nmessage body.\n\nAfter apply this patch, the VALIDATE_NEGOTIATE_INFO message length is\nreduced from 28 bytes to 26 bytes."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:33.198Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0050ec3ebbcb3451df9a65b8460be9b9e02e80c"
},
{
"url": "https://git.kernel.org/stable/c/9312e04b6c6bc46354ecd0cc82052a2b3df0b529"
},
{
"url": "https://git.kernel.org/stable/c/60480291c1fcafad8425d93f771b5bcc2bd398b4"
},
{
"url": "https://git.kernel.org/stable/c/943eb0ede74ecd609fdfd3f0b83e0d237613e526"
},
{
"url": "https://git.kernel.org/stable/c/fada9b8c95c77bb46b89e18117405bc90fce9f74"
},
{
"url": "https://git.kernel.org/stable/c/e98ecc6e94f4e6d21c06660b0f336df02836694f"
}
],
"title": "cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50859",
"datePublished": "2025-12-30T12:15:33.198Z",
"dateReserved": "2025-12-30T12:06:07.135Z",
"dateUpdated": "2025-12-30T12:15:33.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53997 (GCVE-0-2023-53997)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
thermal: of: fix double-free on unregistration
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal: of: fix double-free on unregistration
Since commit 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal
zone parameters structure"), thermal_zone_device_register() allocates
a copy of the tzp argument and frees it when unregistering, so
thermal_of_zone_register() now ends up leaking its original tzp and
double-freeing the tzp copy. Fix this by locating tzp on stack instead.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_of.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "adce49089412a9ae28f5c666e0bb12fbcd86b3f7",
"status": "affected",
"version": "3d439b1a2ad36c8b4ea151c8de25309d60d17407",
"versionType": "git"
},
{
"lessThan": "ac4436a5b20e0ef1f608a9ef46c08d5d142f8da6",
"status": "affected",
"version": "3d439b1a2ad36c8b4ea151c8de25309d60d17407",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_of.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: of: fix double-free on unregistration\n\nSince commit 3d439b1a2ad3 (\"thermal/core: Alloc-copy-free the thermal\nzone parameters structure\"), thermal_zone_device_register() allocates\na copy of the tzp argument and frees it when unregistering, so\nthermal_of_zone_register() now ends up leaking its original tzp and\ndouble-freeing the tzp copy. Fix this by locating tzp on stack instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:34.077Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/adce49089412a9ae28f5c666e0bb12fbcd86b3f7"
},
{
"url": "https://git.kernel.org/stable/c/ac4436a5b20e0ef1f608a9ef46c08d5d142f8da6"
}
],
"title": "thermal: of: fix double-free on unregistration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53997",
"datePublished": "2025-12-24T10:55:34.077Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:34.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53799 (GCVE-0-2023-53799)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
crypto: api - Use work queue in crypto_destroy_instance
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: api - Use work queue in crypto_destroy_instance
The function crypto_drop_spawn expects to be called in process
context. However, when an instance is unregistered while it still
has active users, the last user may cause the instance to be freed
in atomic context.
Fix this by delaying the freeing to a work queue.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < 625bf86bf53eb7a8ee60fb9dc45b272b77e5ce1c
(git)
Affected: 6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < 048545d9fc6424b0a11e7e8771225bb9afe09422 (git) Affected: 6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < c4cb61c5f976183c07d16b0071f0c60bc212ef1f (git) Affected: 6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < 867a146690960ac7b89ce40f4ee60dd32eeb1682 (git) Affected: 6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < c0dbcebc7f390ec7dbe010dcc22c60f0c6bfc26d (git) Affected: 6bfd48096ff8ecabf955958b51ddfa7988eb0a14 , < 9ae4577bc077a7e32c3c7d442c95bc76865c0f17 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/algapi.c",
"include/crypto/algapi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "625bf86bf53eb7a8ee60fb9dc45b272b77e5ce1c",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
},
{
"lessThan": "048545d9fc6424b0a11e7e8771225bb9afe09422",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
},
{
"lessThan": "c4cb61c5f976183c07d16b0071f0c60bc212ef1f",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
},
{
"lessThan": "867a146690960ac7b89ce40f4ee60dd32eeb1682",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
},
{
"lessThan": "c0dbcebc7f390ec7dbe010dcc22c60f0c6bfc26d",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
},
{
"lessThan": "9ae4577bc077a7e32c3c7d442c95bc76865c0f17",
"status": "affected",
"version": "6bfd48096ff8ecabf955958b51ddfa7988eb0a14",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/algapi.c",
"include/crypto/algapi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.19"
},
{
"lessThan": "2.6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "2.6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: api - Use work queue in crypto_destroy_instance\n\nThe function crypto_drop_spawn expects to be called in process\ncontext. However, when an instance is unregistered while it still\nhas active users, the last user may cause the instance to be freed\nin atomic context.\n\nFix this by delaying the freeing to a work queue."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:55.629Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/625bf86bf53eb7a8ee60fb9dc45b272b77e5ce1c"
},
{
"url": "https://git.kernel.org/stable/c/048545d9fc6424b0a11e7e8771225bb9afe09422"
},
{
"url": "https://git.kernel.org/stable/c/c4cb61c5f976183c07d16b0071f0c60bc212ef1f"
},
{
"url": "https://git.kernel.org/stable/c/867a146690960ac7b89ce40f4ee60dd32eeb1682"
},
{
"url": "https://git.kernel.org/stable/c/c0dbcebc7f390ec7dbe010dcc22c60f0c6bfc26d"
},
{
"url": "https://git.kernel.org/stable/c/9ae4577bc077a7e32c3c7d442c95bc76865c0f17"
}
],
"title": "crypto: api - Use work queue in crypto_destroy_instance",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53799",
"datePublished": "2025-12-09T00:00:55.629Z",
"dateReserved": "2025-12-08T23:58:35.275Z",
"dateUpdated": "2025-12-09T00:00:55.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50706 (GCVE-0-2022-50706)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net/ieee802154: don't warn zero-sized raw_sendmsg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/ieee802154: don't warn zero-sized raw_sendmsg()
syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1],
for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting
__dev_queue_xmit() with skb->len == 0.
Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was
able to return 0, don't call __dev_queue_xmit() if packet length is 0.
----------
#include <sys/socket.h>
#include <netinet/in.h>
int main(int argc, char *argv[])
{
struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
struct iovec iov = { };
struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 };
sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0);
return 0;
}
----------
Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't
redirect packets with invalid pkt_len") should be reverted, for
skb->len == 0 was acceptable for at least PF_IEEE802154 socket.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8b68e53d56697a59b5c53893b53f508bbdf272a0 , < 4a36de8947794fa21435d1e916e089095f3246a8
(git)
Affected: 6204bf78b2a903b96ba43afff6abc0b04d6e0462 , < 791489a5c56396ddfed75fc525066d4738dace46 (git) Affected: a75987714bd2d8e59840667a28e15c1fa5c47554 , < 34f31a2b667914ab701ca725554a0b447809d7ef (git) Affected: 72f2dc8993f10262092745a88cb2dd0fef094f23 , < df0da3fc131132b6c32a15c4da4ffa3a5aea1af2 (git) Affected: fd1894224407c484f652ad456e1ce423e89bb3eb , < 9974d220c5073d035b5469d1d8ecd71da86c7afd (git) Affected: fd1894224407c484f652ad456e1ce423e89bb3eb , < b12e924a2f5b960373459c8f8a514f887adf5cac (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ieee802154/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a36de8947794fa21435d1e916e089095f3246a8",
"status": "affected",
"version": "8b68e53d56697a59b5c53893b53f508bbdf272a0",
"versionType": "git"
},
{
"lessThan": "791489a5c56396ddfed75fc525066d4738dace46",
"status": "affected",
"version": "6204bf78b2a903b96ba43afff6abc0b04d6e0462",
"versionType": "git"
},
{
"lessThan": "34f31a2b667914ab701ca725554a0b447809d7ef",
"status": "affected",
"version": "a75987714bd2d8e59840667a28e15c1fa5c47554",
"versionType": "git"
},
{
"lessThan": "df0da3fc131132b6c32a15c4da4ffa3a5aea1af2",
"status": "affected",
"version": "72f2dc8993f10262092745a88cb2dd0fef094f23",
"versionType": "git"
},
{
"lessThan": "9974d220c5073d035b5469d1d8ecd71da86c7afd",
"status": "affected",
"version": "fd1894224407c484f652ad456e1ce423e89bb3eb",
"versionType": "git"
},
{
"lessThan": "b12e924a2f5b960373459c8f8a514f887adf5cac",
"status": "affected",
"version": "fd1894224407c484f652ad456e1ce423e89bb3eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ieee802154/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.220",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.220",
"versionStartIncluding": "5.4.212",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "5.10.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "5.15.65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "5.19.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ieee802154: don\u0027t warn zero-sized raw_sendmsg()\n\nsyzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1],\nfor PF_IEEE802154 socket\u0027s zero-sized raw_sendmsg() request is hitting\n__dev_queue_xmit() with skb-\u003elen == 0.\n\nSince PF_IEEE802154 socket\u0027s zero-sized raw_sendmsg() request was\nable to return 0, don\u0027t call __dev_queue_xmit() if packet length is 0.\n\n ----------\n #include \u003csys/socket.h\u003e\n #include \u003cnetinet/in.h\u003e\n\n int main(int argc, char *argv[])\n {\n struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };\n struct iovec iov = { };\n struct msghdr hdr = { .msg_name = \u0026addr, .msg_namelen = sizeof(addr), .msg_iov = \u0026iov, .msg_iovlen = 1 };\n sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), \u0026hdr, 0);\n return 0;\n }\n ----------\n\nNote that this might be a sign that commit fd1894224407c484 (\"bpf: Don\u0027t\nredirect packets with invalid pkt_len\") should be reverted, for\nskb-\u003elen == 0 was acceptable for at least PF_IEEE802154 socket."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:20.835Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a36de8947794fa21435d1e916e089095f3246a8"
},
{
"url": "https://git.kernel.org/stable/c/791489a5c56396ddfed75fc525066d4738dace46"
},
{
"url": "https://git.kernel.org/stable/c/34f31a2b667914ab701ca725554a0b447809d7ef"
},
{
"url": "https://git.kernel.org/stable/c/df0da3fc131132b6c32a15c4da4ffa3a5aea1af2"
},
{
"url": "https://git.kernel.org/stable/c/9974d220c5073d035b5469d1d8ecd71da86c7afd"
},
{
"url": "https://git.kernel.org/stable/c/b12e924a2f5b960373459c8f8a514f887adf5cac"
}
],
"title": "net/ieee802154: don\u0027t warn zero-sized raw_sendmsg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50706",
"datePublished": "2025-12-24T10:55:20.835Z",
"dateReserved": "2025-12-24T10:53:15.518Z",
"dateUpdated": "2025-12-24T10:55:20.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53791 (GCVE-0-2023-53791)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
md: fix warning for holder mismatch from export_rdev()
Summary
In the Linux kernel, the following vulnerability has been resolved:
md: fix warning for holder mismatch from export_rdev()
Commit a1d767191096 ("md: use mddev->external to select holder in
export_rdev()") fix the problem that 'claim_rdev' is used for
blkdev_get_by_dev() while 'rdev' is used for blkdev_put().
However, if mddev->external is changed from 0 to 1, then 'rdev' is used
for blkdev_get_by_dev() while 'claim_rdev' is used for blkdev_put(). And
this problem can be reporduced reliably by following:
New file: mdadm/tests/23rdev-lifetime
devname=${dev0##*/}
devt=`cat /sys/block/$devname/dev`
pid=""
runtime=2
clean_up_test() {
pill -9 $pid
echo clear > /sys/block/md0/md/array_state
}
trap 'clean_up_test' EXIT
add_by_sysfs() {
while true; do
echo $devt > /sys/block/md0/md/new_dev
done
}
remove_by_sysfs(){
while true; do
echo remove > /sys/block/md0/md/dev-${devname}/state
done
}
echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed"
add_by_sysfs &
pid="$pid $!"
remove_by_sysfs &
pid="$pid $!"
sleep $runtime
exit 0
Test cmd:
./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime
Test result:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 960 at block/bdev.c:618 blkdev_put+0x27c/0x330
Modules linked in: multipath md_mod loop
CPU: 0 PID: 960 Comm: test Not tainted 6.5.0-rc2-00121-g01e55c376936-dirty #50
RIP: 0010:blkdev_put+0x27c/0x330
Call Trace:
<TASK>
export_rdev.isra.23+0x50/0xa0 [md_mod]
mddev_unlock+0x19d/0x300 [md_mod]
rdev_attr_store+0xec/0x190 [md_mod]
sysfs_kf_write+0x52/0x70
kernfs_fop_write_iter+0x19a/0x2a0
vfs_write+0x3b5/0x770
ksys_write+0x74/0x150
__x64_sys_write+0x22/0x30
do_syscall_64+0x40/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fix the problem by recording if 'rdev' is used as holder.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "99fcd427178d0f58f5520f8f01df727f8eaeb2c7",
"status": "affected",
"version": "a1d7671910965ca9f8f0377e7e3bfd1179fba4d8",
"versionType": "git"
},
{
"lessThan": "99892147f028d711f9d40fefad4f33632593864c",
"status": "affected",
"version": "a1d7671910965ca9f8f0377e7e3bfd1179fba4d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/md.c",
"drivers/md/md.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix warning for holder mismatch from export_rdev()\n\nCommit a1d767191096 (\"md: use mddev-\u003eexternal to select holder in\nexport_rdev()\") fix the problem that \u0027claim_rdev\u0027 is used for\nblkdev_get_by_dev() while \u0027rdev\u0027 is used for blkdev_put().\n\nHowever, if mddev-\u003eexternal is changed from 0 to 1, then \u0027rdev\u0027 is used\nfor blkdev_get_by_dev() while \u0027claim_rdev\u0027 is used for blkdev_put(). And\nthis problem can be reporduced reliably by following:\n\nNew file: mdadm/tests/23rdev-lifetime\n\ndevname=${dev0##*/}\ndevt=`cat /sys/block/$devname/dev`\npid=\"\"\nruntime=2\n\nclean_up_test() {\n pill -9 $pid\n echo clear \u003e /sys/block/md0/md/array_state\n}\n\ntrap \u0027clean_up_test\u0027 EXIT\n\nadd_by_sysfs() {\n while true; do\n echo $devt \u003e /sys/block/md0/md/new_dev\n done\n}\n\nremove_by_sysfs(){\n while true; do\n echo remove \u003e /sys/block/md0/md/dev-${devname}/state\n done\n}\n\necho md0 \u003e /sys/module/md_mod/parameters/new_array || die \"create md0 failed\"\n\nadd_by_sysfs \u0026\npid=\"$pid $!\"\n\nremove_by_sysfs \u0026\npid=\"$pid $!\"\n\nsleep $runtime\nexit 0\n\nTest cmd:\n\n./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime\n\nTest result:\n\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 960 at block/bdev.c:618 blkdev_put+0x27c/0x330\nModules linked in: multipath md_mod loop\nCPU: 0 PID: 960 Comm: test Not tainted 6.5.0-rc2-00121-g01e55c376936-dirty #50\nRIP: 0010:blkdev_put+0x27c/0x330\nCall Trace:\n \u003cTASK\u003e\n export_rdev.isra.23+0x50/0xa0 [md_mod]\n mddev_unlock+0x19d/0x300 [md_mod]\n rdev_attr_store+0xec/0x190 [md_mod]\n sysfs_kf_write+0x52/0x70\n kernfs_fop_write_iter+0x19a/0x2a0\n vfs_write+0x3b5/0x770\n ksys_write+0x74/0x150\n __x64_sys_write+0x22/0x30\n do_syscall_64+0x40/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFix the problem by recording if \u0027rdev\u0027 is used as holder."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:48.301Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/99fcd427178d0f58f5520f8f01df727f8eaeb2c7"
},
{
"url": "https://git.kernel.org/stable/c/99892147f028d711f9d40fefad4f33632593864c"
}
],
"title": "md: fix warning for holder mismatch from export_rdev()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53791",
"datePublished": "2025-12-09T00:00:48.301Z",
"dateReserved": "2025-12-08T23:58:35.274Z",
"dateUpdated": "2025-12-09T00:00:48.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54017 (GCVE-0-2023-54017)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
If device_register() returns error in ibmebus_bus_init(), name of kobject
which is allocated in dev_set_name() called in device_add() is leaked.
As comment of device_add() says, it should call put_device() to drop
the reference count that was set in device_initialize() when it fails,
so the name can be freed in kobject_cleanup().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < e4ff88548defafb1ef84facd9856ec252da7b008
(git)
Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < 3cc4c2f6c266fe5b33a7fa797f31e8b3f06ce58c (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < 7ffe14fce7425c32e735bdc44bce425f18976a49 (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < 9f3b2b666833ebef6d0ce5a40e189f38e70342a1 (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < d35e7ae10eb8917883da2a0b1823c620a1be42d6 (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < 96f27ff732208dce6468016e7a7d5032bd1bfc23 (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < ebd8dc974fcc59e2851a0d89ee7935b55142dc8e (git) Affected: d7a301033f1990188f65abf4fe8e5b90ef0e3888 , < afda85b963c12947e298ad85d757e333aa40fd74 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/pseries/ibmebus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e4ff88548defafb1ef84facd9856ec252da7b008",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "3cc4c2f6c266fe5b33a7fa797f31e8b3f06ce58c",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "7ffe14fce7425c32e735bdc44bce425f18976a49",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "9f3b2b666833ebef6d0ce5a40e189f38e70342a1",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "d35e7ae10eb8917883da2a0b1823c620a1be42d6",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "96f27ff732208dce6468016e7a7d5032bd1bfc23",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "ebd8dc974fcc59e2851a0d89ee7935b55142dc8e",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
},
{
"lessThan": "afda85b963c12947e298ad85d757e333aa40fd74",
"status": "affected",
"version": "d7a301033f1990188f65abf4fe8e5b90ef0e3888",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/platforms/pseries/ibmebus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.133",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.55",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.197",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.133",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.55",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.5",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: fix possible memory leak in ibmebus_bus_init()\n\nIf device_register() returns error in ibmebus_bus_init(), name of kobject\nwhich is allocated in dev_set_name() called in device_add() is leaked.\n\nAs comment of device_add() says, it should call put_device() to drop\nthe reference count that was set in device_initialize() when it fails,\nso the name can be freed in kobject_cleanup()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:29.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e4ff88548defafb1ef84facd9856ec252da7b008"
},
{
"url": "https://git.kernel.org/stable/c/3cc4c2f6c266fe5b33a7fa797f31e8b3f06ce58c"
},
{
"url": "https://git.kernel.org/stable/c/7ffe14fce7425c32e735bdc44bce425f18976a49"
},
{
"url": "https://git.kernel.org/stable/c/9f3b2b666833ebef6d0ce5a40e189f38e70342a1"
},
{
"url": "https://git.kernel.org/stable/c/d35e7ae10eb8917883da2a0b1823c620a1be42d6"
},
{
"url": "https://git.kernel.org/stable/c/96f27ff732208dce6468016e7a7d5032bd1bfc23"
},
{
"url": "https://git.kernel.org/stable/c/ebd8dc974fcc59e2851a0d89ee7935b55142dc8e"
},
{
"url": "https://git.kernel.org/stable/c/afda85b963c12947e298ad85d757e333aa40fd74"
}
],
"title": "powerpc/pseries: fix possible memory leak in ibmebus_bus_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54017",
"datePublished": "2025-12-24T10:55:48.364Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2026-01-05T10:33:29.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50888 (GCVE-0-2022-50888)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37
VLAI?
EPSS
Title
remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()
Summary
In the Linux kernel, the following vulnerability has been resolved:
remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()
q6v5_wcss_init_mmio() will call platform_get_resource_byname() that may
fail and return NULL. devm_ioremap() will use res->start as input, which
may causes null-ptr-deref. Check the ret value of
platform_get_resource_byname() to avoid the null-ptr-deref.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
0af65b9b915e52019aee91db3e1f8b39a7ec8d08 , < 098ebb9089c4eedea09333f912d105fa63377496
(git)
Affected: 0af65b9b915e52019aee91db3e1f8b39a7ec8d08 , < 3afa88ae9911b65702a3aca9d92ea23fe496e56f (git) Affected: 0af65b9b915e52019aee91db3e1f8b39a7ec8d08 , < 0903a87490a9ed456ac765a84dcc484c1ee42c32 (git) Affected: 0af65b9b915e52019aee91db3e1f8b39a7ec8d08 , < f360e2b275efbb745ba0af8b47d9ef44221be586 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/qcom_q6v5_wcss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "098ebb9089c4eedea09333f912d105fa63377496",
"status": "affected",
"version": "0af65b9b915e52019aee91db3e1f8b39a7ec8d08",
"versionType": "git"
},
{
"lessThan": "3afa88ae9911b65702a3aca9d92ea23fe496e56f",
"status": "affected",
"version": "0af65b9b915e52019aee91db3e1f8b39a7ec8d08",
"versionType": "git"
},
{
"lessThan": "0903a87490a9ed456ac765a84dcc484c1ee42c32",
"status": "affected",
"version": "0af65b9b915e52019aee91db3e1f8b39a7ec8d08",
"versionType": "git"
},
{
"lessThan": "f360e2b275efbb745ba0af8b47d9ef44221be586",
"status": "affected",
"version": "0af65b9b915e52019aee91db3e1f8b39a7ec8d08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/remoteproc/qcom_q6v5_wcss.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()\n\nq6v5_wcss_init_mmio() will call platform_get_resource_byname() that may\nfail and return NULL. devm_ioremap() will use res-\u003estart as input, which\nmay causes null-ptr-deref. Check the ret value of\nplatform_get_resource_byname() to avoid the null-ptr-deref."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:37:06.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/098ebb9089c4eedea09333f912d105fa63377496"
},
{
"url": "https://git.kernel.org/stable/c/3afa88ae9911b65702a3aca9d92ea23fe496e56f"
},
{
"url": "https://git.kernel.org/stable/c/0903a87490a9ed456ac765a84dcc484c1ee42c32"
},
{
"url": "https://git.kernel.org/stable/c/f360e2b275efbb745ba0af8b47d9ef44221be586"
}
],
"title": "remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50888",
"datePublished": "2025-12-30T12:37:06.269Z",
"dateReserved": "2025-12-30T12:35:41.595Z",
"dateUpdated": "2025-12-30T12:37:06.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68308 (GCVE-0-2025-68308)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`
functions contain logic to zero-length commands. These commands are used
to align data to the USB endpoint's wMaxPacketSize boundary.
The driver attempts to skip these placeholders by aligning the buffer
position `pos` to the next packet boundary using `round_up()` function.
However, if zero-length command is found exactly on a packet boundary
(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`
function will return the unchanged value of `pos`. This prevents `pos`
to be increased, causing an infinite loop in the parsing logic.
This patch fixes this in the function by using `pos + 1` instead.
This ensures that even if `pos` is on a boundary, the calculation is
based on `pos + 1`, forcing `round_up()` to always return the next
aligned boundary.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7259124eac7d1b76b41c7a9cb2511a30556deebe , < 58343e0a4d43699f0e2f5b169384bbe4c0217add
(git)
Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 69c7825df64e24dc15d31631a1fc9145324b1345 (git) Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 028e89c7e8b4346302e88df01cc50e0a1f05791a (git) Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < e9dd83a75a7274edef21682c823bf0b66d7b6b7f (git) Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 0897cea266e39166a36111059ba147192b36592f (git) Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < bd8135a560cf6e64f0b98ed4daadf126a38f7f48 (git) Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 0c73772cd2b8cc108d5f5334de89ad648d89b9ec (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58343e0a4d43699f0e2f5b169384bbe4c0217add",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "69c7825df64e24dc15d31631a1fc9145324b1345",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "028e89c7e8b4346302e88df01cc50e0a1f05791a",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "e9dd83a75a7274edef21682c823bf0b66d7b6b7f",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "0897cea266e39166a36111059ba147192b36592f",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "bd8135a560cf6e64f0b98ed4daadf126a38f7f48",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
},
{
"lessThan": "0c73772cd2b8cc108d5f5334de89ad648d89b9ec",
"status": "affected",
"version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: leaf: Fix potential infinite loop in command parsers\n\nThe `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`\nfunctions contain logic to zero-length commands. These commands are used\nto align data to the USB endpoint\u0027s wMaxPacketSize boundary.\n\nThe driver attempts to skip these placeholders by aligning the buffer\nposition `pos` to the next packet boundary using `round_up()` function.\n\nHowever, if zero-length command is found exactly on a packet boundary\n(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`\nfunction will return the unchanged value of `pos`. This prevents `pos`\nto be increased, causing an infinite loop in the parsing logic.\n\nThis patch fixes this in the function by using `pos + 1` instead.\nThis ensures that even if `pos` is on a boundary, the calculation is\nbased on `pos + 1`, forcing `round_up()` to always return the next\naligned boundary."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:25.081Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58343e0a4d43699f0e2f5b169384bbe4c0217add"
},
{
"url": "https://git.kernel.org/stable/c/69c7825df64e24dc15d31631a1fc9145324b1345"
},
{
"url": "https://git.kernel.org/stable/c/028e89c7e8b4346302e88df01cc50e0a1f05791a"
},
{
"url": "https://git.kernel.org/stable/c/e9dd83a75a7274edef21682c823bf0b66d7b6b7f"
},
{
"url": "https://git.kernel.org/stable/c/0897cea266e39166a36111059ba147192b36592f"
},
{
"url": "https://git.kernel.org/stable/c/bd8135a560cf6e64f0b98ed4daadf126a38f7f48"
},
{
"url": "https://git.kernel.org/stable/c/0c73772cd2b8cc108d5f5334de89ad648d89b9ec"
}
],
"title": "can: kvaser_usb: leaf: Fix potential infinite loop in command parsers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68308",
"datePublished": "2025-12-16T15:06:25.081Z",
"dateReserved": "2025-12-16T14:48:05.294Z",
"dateUpdated": "2025-12-16T15:06:25.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54209 (GCVE-0-2023-54209)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
block: fix blktrace debugfs entries leakage
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: fix blktrace debugfs entries leakage
Commit 99d055b4fd4b ("block: remove per-disk debugfs files in
blk_unregister_queue") moves blk_trace_shutdown() from
blk_release_queue() to blk_unregister_queue(), this is safe if blktrace
is created through sysfs, however, there is a regression in corner
case.
blktrace can still be enabled after del_gendisk() through ioctl if
the disk is opened before del_gendisk(), and if blktrace is not shutdown
through ioctl before closing the disk, debugfs entries will be leaked.
Fix this problem by shutdown blktrace in disk_release(), this is safe
because blk_trace_remove() is reentrant.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
99d055b4fd4bbb309c6cdb51a0d420669f777944 , < aa07e56c6a9c7558165690d14eed4fe8babf34fb
(git)
Affected: 99d055b4fd4bbb309c6cdb51a0d420669f777944 , < 7149e57cf01184fba175589f8fbe9fbf33be02e1 (git) Affected: 99d055b4fd4bbb309c6cdb51a0d420669f777944 , < 942e81650b81b4ca62f1d8c61de455c9e7c7e6ca (git) Affected: 99d055b4fd4bbb309c6cdb51a0d420669f777944 , < dd7de3704af9989b780693d51eaea49a665bd9c2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/genhd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa07e56c6a9c7558165690d14eed4fe8babf34fb",
"status": "affected",
"version": "99d055b4fd4bbb309c6cdb51a0d420669f777944",
"versionType": "git"
},
{
"lessThan": "7149e57cf01184fba175589f8fbe9fbf33be02e1",
"status": "affected",
"version": "99d055b4fd4bbb309c6cdb51a0d420669f777944",
"versionType": "git"
},
{
"lessThan": "942e81650b81b4ca62f1d8c61de455c9e7c7e6ca",
"status": "affected",
"version": "99d055b4fd4bbb309c6cdb51a0d420669f777944",
"versionType": "git"
},
{
"lessThan": "dd7de3704af9989b780693d51eaea49a665bd9c2",
"status": "affected",
"version": "99d055b4fd4bbb309c6cdb51a0d420669f777944",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"block/genhd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix blktrace debugfs entries leakage\n\nCommit 99d055b4fd4b (\"block: remove per-disk debugfs files in\nblk_unregister_queue\") moves blk_trace_shutdown() from\nblk_release_queue() to blk_unregister_queue(), this is safe if blktrace\nis created through sysfs, however, there is a regression in corner\ncase.\n\nblktrace can still be enabled after del_gendisk() through ioctl if\nthe disk is opened before del_gendisk(), and if blktrace is not shutdown\nthrough ioctl before closing the disk, debugfs entries will be leaked.\n\nFix this problem by shutdown blktrace in disk_release(), this is safe\nbecause blk_trace_remove() is reentrant."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:08.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa07e56c6a9c7558165690d14eed4fe8babf34fb"
},
{
"url": "https://git.kernel.org/stable/c/7149e57cf01184fba175589f8fbe9fbf33be02e1"
},
{
"url": "https://git.kernel.org/stable/c/942e81650b81b4ca62f1d8c61de455c9e7c7e6ca"
},
{
"url": "https://git.kernel.org/stable/c/dd7de3704af9989b780693d51eaea49a665bd9c2"
}
],
"title": "block: fix blktrace debugfs entries leakage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54209",
"datePublished": "2025-12-30T12:11:08.027Z",
"dateReserved": "2025-12-30T12:06:44.500Z",
"dateUpdated": "2025-12-30T12:11:08.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50844 (GCVE-0-2022-50844)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/gpu/drm/amd/amdgpu/../pm/swsmu/amdgpu_smu.c:3008:29: error: incompatible function pointer types initializing 'int (*)(void *, uint32_t, long *, uint32_t)' (aka 'int (*)(void *, unsigned int, long *, unsigned int)') with an expression of type 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, uint32_t)' (aka 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict]
.odn_edit_dpm_table = smu_od_edit_dpm_table,
^~~~~~~~~~~~~~~~~~~~~
1 error generated.
There are only two implementations of ->odn_edit_dpm_table() in 'struct
amd_pm_funcs': smu_od_edit_dpm_table() and pp_odn_edit_dpm_table(). One
has a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND' and the
other uses 'u32'. Ultimately, smu_od_edit_dpm_table() calls
->od_edit_dpm_table() from 'struct pptable_funcs' and
pp_odn_edit_dpm_table() calls ->odn_edit_dpm_table() from 'struct
pp_hwmgr_func', which both have a second parameter type of 'enum
PP_OD_DPM_TABLE_COMMAND'.
Update the type parameter in both the prototype in 'struct amd_pm_funcs'
and pp_odn_edit_dpm_table() to 'enum PP_OD_DPM_TABLE_COMMAND', which
cleans up the warning.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8f4828d0a104d961d5eb850d0aef1530fc24e370 , < f9084e9930db562bdcd47fa199a66fb45e16dab5
(git)
Affected: 8f4828d0a104d961d5eb850d0aef1530fc24e370 , < 24cba9d865157c9e23128fbcf8b86f5da9570edd (git) Affected: 8f4828d0a104d961d5eb850d0aef1530fc24e370 , < 36217f676b55932a12d6732c95388150015fdee6 (git) Affected: 8f4828d0a104d961d5eb850d0aef1530fc24e370 , < e4d0ef752081e7aa6ffb7ccac11c499c732a2e05 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/include/kgd_pp_interface.h",
"drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9084e9930db562bdcd47fa199a66fb45e16dab5",
"status": "affected",
"version": "8f4828d0a104d961d5eb850d0aef1530fc24e370",
"versionType": "git"
},
{
"lessThan": "24cba9d865157c9e23128fbcf8b86f5da9570edd",
"status": "affected",
"version": "8f4828d0a104d961d5eb850d0aef1530fc24e370",
"versionType": "git"
},
{
"lessThan": "36217f676b55932a12d6732c95388150015fdee6",
"status": "affected",
"version": "8f4828d0a104d961d5eb850d0aef1530fc24e370",
"versionType": "git"
},
{
"lessThan": "e4d0ef752081e7aa6ffb7ccac11c499c732a2e05",
"status": "affected",
"version": "8f4828d0a104d961d5eb850d0aef1530fc24e370",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/include/kgd_pp_interface.h",
"drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback\n\nWith clang\u0027s kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed. A\nproposed warning in clang aims to catch these at compile time, which\nreveals:\n\n drivers/gpu/drm/amd/amdgpu/../pm/swsmu/amdgpu_smu.c:3008:29: error: incompatible function pointer types initializing \u0027int (*)(void *, uint32_t, long *, uint32_t)\u0027 (aka \u0027int (*)(void *, unsigned int, long *, unsigned int)\u0027) with an expression of type \u0027int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, uint32_t)\u0027 (aka \u0027int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, unsigned int)\u0027) [-Werror,-Wincompatible-function-pointer-types-strict]\n .odn_edit_dpm_table = smu_od_edit_dpm_table,\n ^~~~~~~~~~~~~~~~~~~~~\n 1 error generated.\n\nThere are only two implementations of -\u003eodn_edit_dpm_table() in \u0027struct\namd_pm_funcs\u0027: smu_od_edit_dpm_table() and pp_odn_edit_dpm_table(). One\nhas a second parameter type of \u0027enum PP_OD_DPM_TABLE_COMMAND\u0027 and the\nother uses \u0027u32\u0027. Ultimately, smu_od_edit_dpm_table() calls\n-\u003eod_edit_dpm_table() from \u0027struct pptable_funcs\u0027 and\npp_odn_edit_dpm_table() calls -\u003eodn_edit_dpm_table() from \u0027struct\npp_hwmgr_func\u0027, which both have a second parameter type of \u0027enum\nPP_OD_DPM_TABLE_COMMAND\u0027.\n\nUpdate the type parameter in both the prototype in \u0027struct amd_pm_funcs\u0027\nand pp_odn_edit_dpm_table() to \u0027enum PP_OD_DPM_TABLE_COMMAND\u0027, which\ncleans up the warning."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:59.121Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9084e9930db562bdcd47fa199a66fb45e16dab5"
},
{
"url": "https://git.kernel.org/stable/c/24cba9d865157c9e23128fbcf8b86f5da9570edd"
},
{
"url": "https://git.kernel.org/stable/c/36217f676b55932a12d6732c95388150015fdee6"
},
{
"url": "https://git.kernel.org/stable/c/e4d0ef752081e7aa6ffb7ccac11c499c732a2e05"
}
],
"title": "drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50844",
"datePublished": "2025-12-30T12:11:01.928Z",
"dateReserved": "2025-12-30T12:06:07.133Z",
"dateUpdated": "2026-01-02T15:04:59.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53840 (GCVE-0-2023-53840)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
usb: early: xhci-dbc: Fix a potential out-of-bound memory access
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: early: xhci-dbc: Fix a potential out-of-bound memory access
If xdbc_bulk_write() fails, the values in 'buf' can be anything. So the
string is not guaranteed to be NULL terminated when xdbc_trace() is called.
Reserve an extra byte, which will be zeroed automatically because 'buf' is
a static variable, in order to avoid troubles, should it happen.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 , < e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0
(git)
Affected: aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 , < 351c8d8650d1ccc006255fa01f98b6c6496a02e5 (git) Affected: aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 , < df7c8aba7309f4dc55df94e06b67f576c0f52406 (git) Affected: aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 , < a4a97ab3db5c081eb6e7dba91306adefb461e0bd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/early/xhci-dbc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0",
"status": "affected",
"version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
"versionType": "git"
},
{
"lessThan": "351c8d8650d1ccc006255fa01f98b6c6496a02e5",
"status": "affected",
"version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
"versionType": "git"
},
{
"lessThan": "df7c8aba7309f4dc55df94e06b67f576c0f52406",
"status": "affected",
"version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
"versionType": "git"
},
{
"lessThan": "a4a97ab3db5c081eb6e7dba91306adefb461e0bd",
"status": "affected",
"version": "aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/early/xhci-dbc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: early: xhci-dbc: Fix a potential out-of-bound memory access\n\nIf xdbc_bulk_write() fails, the values in \u0027buf\u0027 can be anything. So the\nstring is not guaranteed to be NULL terminated when xdbc_trace() is called.\n\nReserve an extra byte, which will be zeroed automatically because \u0027buf\u0027 is\na static variable, in order to avoid troubles, should it happen."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:56.848Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0"
},
{
"url": "https://git.kernel.org/stable/c/351c8d8650d1ccc006255fa01f98b6c6496a02e5"
},
{
"url": "https://git.kernel.org/stable/c/df7c8aba7309f4dc55df94e06b67f576c0f52406"
},
{
"url": "https://git.kernel.org/stable/c/a4a97ab3db5c081eb6e7dba91306adefb461e0bd"
}
],
"title": "usb: early: xhci-dbc: Fix a potential out-of-bound memory access",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53840",
"datePublished": "2025-12-09T01:29:56.848Z",
"dateReserved": "2025-12-09T01:27:17.826Z",
"dateUpdated": "2025-12-09T01:29:56.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40256 (GCVE-0-2025-40256)
Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added
In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I
missed the case where state creation fails between full
initialization (->init_state has been called) and being inserted on
the lists.
In this situation, ->init_state has been called, so for IPcomp
tunnels, the fallback tunnel has been created and added onto the
lists, but the user state never gets added, because we fail before
that. The user state doesn't go through __xfrm_state_delete, so we
don't call xfrm_state_delete_tunnel for those states, and we end up
leaking the FB tunnel.
There are several codepaths affected by this: the add/update paths, in
both net/key and xfrm, and the migrate code (xfrm_migrate,
xfrm_state_migrate). A "proper" rollback of the init_state work would
probably be doable in the add/update code, but for migrate it gets
more complicated as multiple states may be involved.
At some point, the new (not-inserted) state will be destroyed, so call
xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states
will have their fallback tunnel cleaned up during __xfrm_state_delete,
which solves the issue that b441cf3f8c4b (and other patches before it)
aimed at. All states (including FB tunnels) will be removed from the
lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1b28a7fae0128fa140a7dccd995182ff6cd1c67b , < 57b72d74d4651dc19d046308a8304eb9abfe66ac
(git)
Affected: 4b2c17d0f9be8b58bb30468bc81a4b61c985b04e , < 1dad653643f28ccc89be93f9440b8804cded85b2 (git) Affected: 0da961fa46da1b37ef868d9b603bd202136f8f8e , < 64441724387b4ac92f67ef51caaaeffe99c950d1 (git) Affected: d0e0d1097118461463b76562c7ebaabaa5b90b13 , < 763e5c351206c1e4d910db4a1159053f6263689c (git) Affected: dc3636912d41770466543623cb76e7b88fdb42c7 , < f7d879c19d306512c2e260f37e8a3e5c85e37c50 (git) Affected: b441cf3f8c4b8576639d20c8eb4aa32917602ecd , < d6fe5c740c573af10943b8353992e1325cdb2715 (git) Affected: b441cf3f8c4b8576639d20c8eb4aa32917602ecd , < 10deb69864840ccf96b00ac2ab3a2055c0c04721 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "57b72d74d4651dc19d046308a8304eb9abfe66ac",
"status": "affected",
"version": "1b28a7fae0128fa140a7dccd995182ff6cd1c67b",
"versionType": "git"
},
{
"lessThan": "1dad653643f28ccc89be93f9440b8804cded85b2",
"status": "affected",
"version": "4b2c17d0f9be8b58bb30468bc81a4b61c985b04e",
"versionType": "git"
},
{
"lessThan": "64441724387b4ac92f67ef51caaaeffe99c950d1",
"status": "affected",
"version": "0da961fa46da1b37ef868d9b603bd202136f8f8e",
"versionType": "git"
},
{
"lessThan": "763e5c351206c1e4d910db4a1159053f6263689c",
"status": "affected",
"version": "d0e0d1097118461463b76562c7ebaabaa5b90b13",
"versionType": "git"
},
{
"lessThan": "f7d879c19d306512c2e260f37e8a3e5c85e37c50",
"status": "affected",
"version": "dc3636912d41770466543623cb76e7b88fdb42c7",
"versionType": "git"
},
{
"lessThan": "d6fe5c740c573af10943b8353992e1325cdb2715",
"status": "affected",
"version": "b441cf3f8c4b8576639d20c8eb4aa32917602ecd",
"versionType": "git"
},
{
"lessThan": "10deb69864840ccf96b00ac2ab3a2055c0c04721",
"status": "affected",
"version": "b441cf3f8c4b8576639d20c8eb4aa32917602ecd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/xfrm/xfrm_state.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added\n\nIn commit b441cf3f8c4b (\"xfrm: delete x-\u003etunnel as we delete x\"), I\nmissed the case where state creation fails between full\ninitialization (-\u003einit_state has been called) and being inserted on\nthe lists.\n\nIn this situation, -\u003einit_state has been called, so for IPcomp\ntunnels, the fallback tunnel has been created and added onto the\nlists, but the user state never gets added, because we fail before\nthat. The user state doesn\u0027t go through __xfrm_state_delete, so we\ndon\u0027t call xfrm_state_delete_tunnel for those states, and we end up\nleaking the FB tunnel.\n\nThere are several codepaths affected by this: the add/update paths, in\nboth net/key and xfrm, and the migrate code (xfrm_migrate,\nxfrm_state_migrate). A \"proper\" rollback of the init_state work would\nprobably be doable in the add/update code, but for migrate it gets\nmore complicated as multiple states may be involved.\n\nAt some point, the new (not-inserted) state will be destroyed, so call\nxfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states\nwill have their fallback tunnel cleaned up during __xfrm_state_delete,\nwhich solves the issue that b441cf3f8c4b (and other patches before it)\naimed at. All states (including FB tunnels) will be removed from the\nlists once xfrm_state_fini has called flush_work(\u0026xfrm_state_gc_work)."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:06.846Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/57b72d74d4651dc19d046308a8304eb9abfe66ac"
},
{
"url": "https://git.kernel.org/stable/c/1dad653643f28ccc89be93f9440b8804cded85b2"
},
{
"url": "https://git.kernel.org/stable/c/64441724387b4ac92f67ef51caaaeffe99c950d1"
},
{
"url": "https://git.kernel.org/stable/c/763e5c351206c1e4d910db4a1159053f6263689c"
},
{
"url": "https://git.kernel.org/stable/c/f7d879c19d306512c2e260f37e8a3e5c85e37c50"
},
{
"url": "https://git.kernel.org/stable/c/d6fe5c740c573af10943b8353992e1325cdb2715"
},
{
"url": "https://git.kernel.org/stable/c/10deb69864840ccf96b00ac2ab3a2055c0c04721"
}
],
"title": "xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40256",
"datePublished": "2025-12-04T16:08:17.756Z",
"dateReserved": "2025-04-16T07:20:57.181Z",
"dateUpdated": "2026-01-19T12:18:06.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68332 (GCVE-0-2025-68332)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
comedi: c6xdigio: Fix invalid PNP driver unregistration
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: c6xdigio: Fix invalid PNP driver unregistration
The Comedi low-level driver "c6xdigio" seems to be for a parallel port
connected device. When the Comedi core calls the driver's Comedi
"attach" handler `c6xdigio_attach()` to configure a Comedi to use this
driver, it tries to enable the parallel port PNP resources by
registering a PNP driver with `pnp_register_driver()`, but ignores the
return value. (The `struct pnp_driver` it uses has only the `name` and
`id_table` members filled in.) The driver's Comedi "detach" handler
`c6xdigio_detach()` unconditionally unregisters the PNP driver with
`pnp_unregister_driver()`.
It is possible for `c6xdigio_attach()` to return an error before it
calls `pnp_register_driver()` and it is possible for the call to
`pnp_register_driver()` to return an error (that is ignored). In both
cases, the driver should not be calling `pnp_unregister_driver()` as it
does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be
called by the Comedi core if `c6xdigio_attach()` returns an error, or if
the Comedi core decides to detach the Comedi device from the driver for
some other reason.)
The unconditional call to `pnp_unregister_driver()` without a previous
successful call to `pnp_register_driver()` will cause
`driver_unregister()` to issue a warning "Unexpected driver
unregister!". This was detected by Syzbot [1].
Also, the PNP driver registration and unregistration should be done at
module init and exit time, respectively, not when attaching or detaching
Comedi devices to the driver. (There might be more than one Comedi
device being attached to the driver, although that is unlikely.)
Change the driver to do the PNP driver registration at module init time,
and the unregistration at module exit time. Since `c6xdigio_detach()`
now only calls `comedi_legacy_detach()`, remove the function and change
the Comedi driver "detach" handler to `comedi_legacy_detach`.
-------------------------------------------
[1] Syzbot sample crash report:
Unexpected driver unregister!
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Modules linked in:
CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]
RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41
RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8
RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000
FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0
Call Trace:
<TASK>
comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215
comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011
do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872
comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_sys
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2c89e159cd2f386285e9522d6476dd7e801bee22 , < 407b25bb9284d69c27309e691ab1e02f9e1c46ac
(git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < f7fa1f4670c3c358a451546f0b80b9231952912d (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < e8110402b0c24d822b0b933d87d50870d59667ef (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 72b3627b0d3b819de49b29c2c8cb1c64d54536b9 (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072 (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 698149d797d0178162f394c55d4ed52aa0e0b7f6 (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 888f7e2847bcb9df8257e656e1e837828942c53b (git) Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 72262330f7b3ad2130e800cecf02adcce3c32c77 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/c6xdigio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "407b25bb9284d69c27309e691ab1e02f9e1c46ac",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "f7fa1f4670c3c358a451546f0b80b9231952912d",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "e8110402b0c24d822b0b933d87d50870d59667ef",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "72b3627b0d3b819de49b29c2c8cb1c64d54536b9",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "698149d797d0178162f394c55d4ed52aa0e0b7f6",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "888f7e2847bcb9df8257e656e1e837828942c53b",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
},
{
"lessThan": "72262330f7b3ad2130e800cecf02adcce3c32c77",
"status": "affected",
"version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/c6xdigio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.30"
},
{
"lessThan": "2.6.30",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "2.6.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: c6xdigio: Fix invalid PNP driver unregistration\n\nThe Comedi low-level driver \"c6xdigio\" seems to be for a parallel port\nconnected device. When the Comedi core calls the driver\u0027s Comedi\n\"attach\" handler `c6xdigio_attach()` to configure a Comedi to use this\ndriver, it tries to enable the parallel port PNP resources by\nregistering a PNP driver with `pnp_register_driver()`, but ignores the\nreturn value. (The `struct pnp_driver` it uses has only the `name` and\n`id_table` members filled in.) The driver\u0027s Comedi \"detach\" handler\n`c6xdigio_detach()` unconditionally unregisters the PNP driver with\n`pnp_unregister_driver()`.\n\nIt is possible for `c6xdigio_attach()` to return an error before it\ncalls `pnp_register_driver()` and it is possible for the call to\n`pnp_register_driver()` to return an error (that is ignored). In both\ncases, the driver should not be calling `pnp_unregister_driver()` as it\ndoes in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be\ncalled by the Comedi core if `c6xdigio_attach()` returns an error, or if\nthe Comedi core decides to detach the Comedi device from the driver for\nsome other reason.)\n\nThe unconditional call to `pnp_unregister_driver()` without a previous\nsuccessful call to `pnp_register_driver()` will cause\n`driver_unregister()` to issue a warning \"Unexpected driver\nunregister!\". This was detected by Syzbot [1].\n\nAlso, the PNP driver registration and unregistration should be done at\nmodule init and exit time, respectively, not when attaching or detaching\nComedi devices to the driver. (There might be more than one Comedi\ndevice being attached to the driver, although that is unlikely.)\n\nChange the driver to do the PNP driver registration at module init time,\nand the unregistration at module exit time. Since `c6xdigio_detach()`\nnow only calls `comedi_legacy_detach()`, remove the function and change\nthe Comedi driver \"detach\" handler to `comedi_legacy_detach`.\n\n-------------------------------------------\n[1] Syzbot sample crash report:\nUnexpected driver unregister!\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nModules linked in:\nCPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nRIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]\nRIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nCode: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 \u003c0f\u003e 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41\nRSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8\nRDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660\nR13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000\nFS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207\n comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215\n comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011\n do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872\n comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_sys\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:18.877Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/407b25bb9284d69c27309e691ab1e02f9e1c46ac"
},
{
"url": "https://git.kernel.org/stable/c/f7fa1f4670c3c358a451546f0b80b9231952912d"
},
{
"url": "https://git.kernel.org/stable/c/e8110402b0c24d822b0b933d87d50870d59667ef"
},
{
"url": "https://git.kernel.org/stable/c/72b3627b0d3b819de49b29c2c8cb1c64d54536b9"
},
{
"url": "https://git.kernel.org/stable/c/9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072"
},
{
"url": "https://git.kernel.org/stable/c/698149d797d0178162f394c55d4ed52aa0e0b7f6"
},
{
"url": "https://git.kernel.org/stable/c/888f7e2847bcb9df8257e656e1e837828942c53b"
},
{
"url": "https://git.kernel.org/stable/c/72262330f7b3ad2130e800cecf02adcce3c32c77"
}
],
"title": "comedi: c6xdigio: Fix invalid PNP driver unregistration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68332",
"datePublished": "2025-12-22T16:14:10.146Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-01-19T12:18:18.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50767 (GCVE-0-2022-50767)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2026-01-02 15:04
VLAI?
EPSS
Title
fbdev: smscufx: Fix several use-after-free bugs
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: smscufx: Fix several use-after-free bugs
Several types of UAFs can occur when physically removing a USB device.
Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and
in this function, there is kref_put() that finally calls ufx_free().
This fix prevents multiple UAFs.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 6f2075ea883e5d7730d0c9ebb1bb8e7a1a7e953f
(git)
Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 3f40852d671072836fb7ae331a1f28a24223c4e8 (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 70faf9d9b6cc74418716bbf76fe75bd2da10ad4a (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 5385af2f89bc352fb70753ab41b2bb036190141f (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < d9ddfeb01fb95ffbbc7031d46a5ee2a5e45cbb86 (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < cc6a7249842fceda7574ceb63275a2d5e99d2862 (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 8d924b262f3178a9b17c17d4306a9f426c508bd9 (git) Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < cc67482c9e5f2c80d62f623bcc347c29f9f648e1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/smscufx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6f2075ea883e5d7730d0c9ebb1bb8e7a1a7e953f",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "3f40852d671072836fb7ae331a1f28a24223c4e8",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "70faf9d9b6cc74418716bbf76fe75bd2da10ad4a",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "5385af2f89bc352fb70753ab41b2bb036190141f",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "d9ddfeb01fb95ffbbc7031d46a5ee2a5e45cbb86",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "cc6a7249842fceda7574ceb63275a2d5e99d2862",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "8d924b262f3178a9b17c17d4306a9f426c508bd9",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
},
{
"lessThan": "cc67482c9e5f2c80d62f623bcc347c29f9f648e1",
"status": "affected",
"version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/smscufx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.332",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.298",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.223",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.332",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.298",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.223",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.153",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.77",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.7",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: Fix several use-after-free bugs\n\nSeveral types of UAFs can occur when physically removing a USB device.\n\nAdds ufx_ops_destroy() function to .fb_destroy of fb_ops, and\nin this function, there is kref_put() that finally calls ufx_free().\n\nThis fix prevents multiple UAFs."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:04:30.518Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6f2075ea883e5d7730d0c9ebb1bb8e7a1a7e953f"
},
{
"url": "https://git.kernel.org/stable/c/3f40852d671072836fb7ae331a1f28a24223c4e8"
},
{
"url": "https://git.kernel.org/stable/c/70faf9d9b6cc74418716bbf76fe75bd2da10ad4a"
},
{
"url": "https://git.kernel.org/stable/c/5385af2f89bc352fb70753ab41b2bb036190141f"
},
{
"url": "https://git.kernel.org/stable/c/d9ddfeb01fb95ffbbc7031d46a5ee2a5e45cbb86"
},
{
"url": "https://git.kernel.org/stable/c/cc6a7249842fceda7574ceb63275a2d5e99d2862"
},
{
"url": "https://git.kernel.org/stable/c/8d924b262f3178a9b17c17d4306a9f426c508bd9"
},
{
"url": "https://git.kernel.org/stable/c/cc67482c9e5f2c80d62f623bcc347c29f9f648e1"
}
],
"title": "fbdev: smscufx: Fix several use-after-free bugs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50767",
"datePublished": "2025-12-24T13:05:57.569Z",
"dateReserved": "2025-12-24T13:02:21.546Z",
"dateUpdated": "2026-01-02T15:04:30.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54130 (GCVE-0-2023-54130)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
Commit 55d1cbbbb29e ("hfs/hfsplus: use WARN_ON for sanity check") fixed
a build warning by turning a comment into a WARN_ON(), but it turns out
that syzbot then complains because it can trigger said warning with a
corrupted hfs image.
The warning actually does warn about a bad situation, but we are much
better off just handling it as the error it is. So rather than warn
about us doing bad things, stop doing the bad things and return -EIO.
While at it, also fix a memory leak that was introduced by an earlier
fix for a similar syzbot warning situation, and add a check for one case
that historically wasn't handled at all (ie neither comment nor
subsequent WARN_ON).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c886c10a6eddb99923b315f42bf63f448883ef9a , < cc2164ada548addfa8ee215196661c3afe0c5154
(git)
Affected: 2344f17c0a89c181ab1a9fef57fd8c3bddfd6e30 , < 82725be426bce0a425cc5e26fbad61ffd29cff03 (git) Affected: 90103ccb6e60aa4efe48993d23d6a528472f2233 , < da23752d9660ba7a8ca6c5768fd8776f67f59ee7 (git) Affected: 4fd3a11804c8877ff11fec59c5c53f1635331e3e , < be01f35efa876eb81cebab2cb0add068b7280ef4 (git) Affected: 48d9e2e6de01ed35e965eb549758a837c07b601d , < f10defb0be6ac42fb6a97b45920d32da6bd6fde8 (git) Affected: 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb , < 90e019006644dad35862cb4aa270f561b0732066 (git) Affected: 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb , < 45917be9f0af339a45b4619f31c902d37b8aed59 (git) Affected: 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb , < cb7a95af78d29442b8294683eca4897544b8ef46 (git) Affected: 8c40f2dbae603ef0bd21e87c63f54ec59fd88256 (git) Affected: 367296925c7625c3969d2a78d7a3e1dee161beb5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc2164ada548addfa8ee215196661c3afe0c5154",
"status": "affected",
"version": "c886c10a6eddb99923b315f42bf63f448883ef9a",
"versionType": "git"
},
{
"lessThan": "82725be426bce0a425cc5e26fbad61ffd29cff03",
"status": "affected",
"version": "2344f17c0a89c181ab1a9fef57fd8c3bddfd6e30",
"versionType": "git"
},
{
"lessThan": "da23752d9660ba7a8ca6c5768fd8776f67f59ee7",
"status": "affected",
"version": "90103ccb6e60aa4efe48993d23d6a528472f2233",
"versionType": "git"
},
{
"lessThan": "be01f35efa876eb81cebab2cb0add068b7280ef4",
"status": "affected",
"version": "4fd3a11804c8877ff11fec59c5c53f1635331e3e",
"versionType": "git"
},
{
"lessThan": "f10defb0be6ac42fb6a97b45920d32da6bd6fde8",
"status": "affected",
"version": "48d9e2e6de01ed35e965eb549758a837c07b601d",
"versionType": "git"
},
{
"lessThan": "90e019006644dad35862cb4aa270f561b0732066",
"status": "affected",
"version": "55d1cbbbb29e6656c662ee8f73ba1fc4777532eb",
"versionType": "git"
},
{
"lessThan": "45917be9f0af339a45b4619f31c902d37b8aed59",
"status": "affected",
"version": "55d1cbbbb29e6656c662ee8f73ba1fc4777532eb",
"versionType": "git"
},
{
"lessThan": "cb7a95af78d29442b8294683eca4897544b8ef46",
"status": "affected",
"version": "55d1cbbbb29e6656c662ee8f73ba1fc4777532eb",
"versionType": "git"
},
{
"status": "affected",
"version": "8c40f2dbae603ef0bd21e87c63f54ec59fd88256",
"versionType": "git"
},
{
"status": "affected",
"version": "367296925c7625c3969d2a78d7a3e1dee161beb5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.86",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling\n\nCommit 55d1cbbbb29e (\"hfs/hfsplus: use WARN_ON for sanity check\") fixed\na build warning by turning a comment into a WARN_ON(), but it turns out\nthat syzbot then complains because it can trigger said warning with a\ncorrupted hfs image.\n\nThe warning actually does warn about a bad situation, but we are much\nbetter off just handling it as the error it is. So rather than warn\nabout us doing bad things, stop doing the bad things and return -EIO.\n\nWhile at it, also fix a memory leak that was introduced by an earlier\nfix for a similar syzbot warning situation, and add a check for one case\nthat historically wasn\u0027t handled at all (ie neither comment nor\nsubsequent WARN_ON)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:47.502Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc2164ada548addfa8ee215196661c3afe0c5154"
},
{
"url": "https://git.kernel.org/stable/c/82725be426bce0a425cc5e26fbad61ffd29cff03"
},
{
"url": "https://git.kernel.org/stable/c/da23752d9660ba7a8ca6c5768fd8776f67f59ee7"
},
{
"url": "https://git.kernel.org/stable/c/be01f35efa876eb81cebab2cb0add068b7280ef4"
},
{
"url": "https://git.kernel.org/stable/c/f10defb0be6ac42fb6a97b45920d32da6bd6fde8"
},
{
"url": "https://git.kernel.org/stable/c/90e019006644dad35862cb4aa270f561b0732066"
},
{
"url": "https://git.kernel.org/stable/c/45917be9f0af339a45b4619f31c902d37b8aed59"
},
{
"url": "https://git.kernel.org/stable/c/cb7a95af78d29442b8294683eca4897544b8ef46"
}
],
"title": "hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54130",
"datePublished": "2025-12-24T13:06:47.502Z",
"dateReserved": "2025-12-24T13:02:52.521Z",
"dateUpdated": "2025-12-24T13:06:47.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50672 (GCVE-0-2022-50672)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
mailbox: zynq-ipi: fix error handling while device_register() fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
mailbox: zynq-ipi: fix error handling while device_register() fails
If device_register() fails, it has two issues:
1. The name allocated by dev_set_name() is leaked.
2. The parent of device is not NULL, device_unregister() is called
in zynqmp_ipi_free_mboxes(), it will lead a kernel crash because
of removing not added device.
Call put_device() to give up the reference, so the name is freed in
kobject_cleanup(). Add device registered check in zynqmp_ipi_free_mboxes()
to avoid null-ptr-deref.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < b3a5c76f61e2b380e29dfc6705854ca1ee85501d
(git)
Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < a39b4de0804f9fe0ae911b359ffd4afe7d9d933b (git) Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < 4f05d8e2fb3ab702c2633a74571e1b31cb579985 (git) Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < f2d63cefc012cafe1b7651bbf3302f8bcd8bea4a (git) Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < 3fcf079958c00d83c51e4f250abf2c77fe9cc1b9 (git) Affected: 4981b82ba2ff87df6a711fcd7a233c615df5fc79 , < a6792a0cdef0b1c2d77920246283a72537e60e94 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/zynqmp-ipi-mailbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b3a5c76f61e2b380e29dfc6705854ca1ee85501d",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "a39b4de0804f9fe0ae911b359ffd4afe7d9d933b",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "4f05d8e2fb3ab702c2633a74571e1b31cb579985",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "f2d63cefc012cafe1b7651bbf3302f8bcd8bea4a",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "3fcf079958c00d83c51e4f250abf2c77fe9cc1b9",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
},
{
"lessThan": "a6792a0cdef0b1c2d77920246283a72537e60e94",
"status": "affected",
"version": "4981b82ba2ff87df6a711fcd7a233c615df5fc79",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/zynqmp-ipi-mailbox.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: zynq-ipi: fix error handling while device_register() fails\n\nIf device_register() fails, it has two issues:\n1. The name allocated by dev_set_name() is leaked.\n2. The parent of device is not NULL, device_unregister() is called\n in zynqmp_ipi_free_mboxes(), it will lead a kernel crash because\n of removing not added device.\n\nCall put_device() to give up the reference, so the name is freed in\nkobject_cleanup(). Add device registered check in zynqmp_ipi_free_mboxes()\nto avoid null-ptr-deref."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:24.072Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b3a5c76f61e2b380e29dfc6705854ca1ee85501d"
},
{
"url": "https://git.kernel.org/stable/c/a39b4de0804f9fe0ae911b359ffd4afe7d9d933b"
},
{
"url": "https://git.kernel.org/stable/c/4f05d8e2fb3ab702c2633a74571e1b31cb579985"
},
{
"url": "https://git.kernel.org/stable/c/f2d63cefc012cafe1b7651bbf3302f8bcd8bea4a"
},
{
"url": "https://git.kernel.org/stable/c/3fcf079958c00d83c51e4f250abf2c77fe9cc1b9"
},
{
"url": "https://git.kernel.org/stable/c/a6792a0cdef0b1c2d77920246283a72537e60e94"
}
],
"title": "mailbox: zynq-ipi: fix error handling while device_register() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50672",
"datePublished": "2025-12-09T01:29:24.072Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-09T01:29:24.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-0854 (GCVE-0-2022-0854)
Vulnerability from cvelistv5 – Published: 2022-03-23 19:46 – Updated: 2024-08-02 23:40
VLAI?
EPSS
Summary
A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:04.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8\u0026id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13"
},
{
"name": "DSA-5161",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5161"
},
{
"name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html"
},
{
"name": "DSA-5173",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5173"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Linux kernel 5.17-rc8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A memory leak flaw was found in the Linux kernel\u2019s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-04T10:11:26",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8\u0026id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13"
},
{
"name": "DSA-5161",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5161"
},
{
"name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html"
},
{
"name": "DSA-5173",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5173"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2022-0854",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kernel",
"version": {
"version_data": [
{
"version_value": "Linux kernel 5.17-rc8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A memory leak flaw was found in the Linux kernel\u2019s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8\u0026id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13",
"refsource": "MISC",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8\u0026id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13"
},
{
"name": "DSA-5161",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5161"
},
{
"name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html"
},
{
"name": "DSA-5173",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5173"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-0854",
"datePublished": "2022-03-23T19:46:15",
"dateReserved": "2022-03-04T00:00:00",
"dateUpdated": "2024-08-02T23:40:04.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53998 (GCVE-0-2023-53998)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
hwrng: virtio - Fix race on data_avail and actual data
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwrng: virtio - Fix race on data_avail and actual data
The virtio rng device kicks off a new entropy request whenever the
data available reaches zero. When a new request occurs at the end
of a read operation, that is, when the result of that request is
only needed by the next reader, then there is a race between the
writing of the new data and the next reader.
This is because there is no synchronisation whatsoever between the
writer and the reader.
Fix this by writing data_avail with smp_store_release and reading
it with smp_load_acquire when we first enter read. The subsequent
reads are safe because they're either protected by the first load
acquire, or by the completion mechanism.
Also remove the redundant zeroing of data_idx in random_recv_done
(data_idx must already be zero at this point) and data_avail in
request_entropy (ditto).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f7f510ec195781c857ab76366a3e1c59e1caae42 , < 241ef15776a7c8505008db689175b320d345ecd3
(git)
Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < a43bcb0b661cbbf3ad797d2aee6b6fd06b8fc69d (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < 77471e4912d3960dafe141e268c44be8024fe4dc (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < c76d991b6f01a5d931e7053a73bc9524975a5215 (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < 22c30022cde6e2c88612b3a499223cfa912f1bc7 (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < 318657b4c2077289659f1cd9e2a34f6a3b208e3e (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < 2fc91f156b3f3446a1bce80cf4adedcbf41271c2 (git) Affected: f7f510ec195781c857ab76366a3e1c59e1caae42 , < ac52578d6e8d300dd50f790f29a24169b1edd26c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/virtio-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "241ef15776a7c8505008db689175b320d345ecd3",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "a43bcb0b661cbbf3ad797d2aee6b6fd06b8fc69d",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "77471e4912d3960dafe141e268c44be8024fe4dc",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "c76d991b6f01a5d931e7053a73bc9524975a5215",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "22c30022cde6e2c88612b3a499223cfa912f1bc7",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "318657b4c2077289659f1cd9e2a34f6a3b208e3e",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "2fc91f156b3f3446a1bce80cf4adedcbf41271c2",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
},
{
"lessThan": "ac52578d6e8d300dd50f790f29a24169b1edd26c",
"status": "affected",
"version": "f7f510ec195781c857ab76366a3e1c59e1caae42",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/char/hw_random/virtio-rng.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwrng: virtio - Fix race on data_avail and actual data\n\nThe virtio rng device kicks off a new entropy request whenever the\ndata available reaches zero. When a new request occurs at the end\nof a read operation, that is, when the result of that request is\nonly needed by the next reader, then there is a race between the\nwriting of the new data and the next reader.\n\nThis is because there is no synchronisation whatsoever between the\nwriter and the reader.\n\nFix this by writing data_avail with smp_store_release and reading\nit with smp_load_acquire when we first enter read. The subsequent\nreads are safe because they\u0027re either protected by the first load\nacquire, or by the completion mechanism.\n\nAlso remove the redundant zeroing of data_idx in random_recv_done\n(data_idx must already be zero at this point) and data_avail in\nrequest_entropy (ditto)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:34.856Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/241ef15776a7c8505008db689175b320d345ecd3"
},
{
"url": "https://git.kernel.org/stable/c/a43bcb0b661cbbf3ad797d2aee6b6fd06b8fc69d"
},
{
"url": "https://git.kernel.org/stable/c/77471e4912d3960dafe141e268c44be8024fe4dc"
},
{
"url": "https://git.kernel.org/stable/c/c76d991b6f01a5d931e7053a73bc9524975a5215"
},
{
"url": "https://git.kernel.org/stable/c/22c30022cde6e2c88612b3a499223cfa912f1bc7"
},
{
"url": "https://git.kernel.org/stable/c/318657b4c2077289659f1cd9e2a34f6a3b208e3e"
},
{
"url": "https://git.kernel.org/stable/c/2fc91f156b3f3446a1bce80cf4adedcbf41271c2"
},
{
"url": "https://git.kernel.org/stable/c/ac52578d6e8d300dd50f790f29a24169b1edd26c"
}
],
"title": "hwrng: virtio - Fix race on data_avail and actual data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53998",
"datePublished": "2025-12-24T10:55:34.856Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:34.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39977 (GCVE-0-2025-39977)
Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55
VLAI?
EPSS
Title
futex: Prevent use-after-free during requeue-PI
Summary
In the Linux kernel, the following vulnerability has been resolved:
futex: Prevent use-after-free during requeue-PI
syzbot managed to trigger the following race:
T1 T2
futex_wait_requeue_pi()
futex_do_wait()
schedule()
futex_requeue()
futex_proxy_trylock_atomic()
futex_requeue_pi_prepare()
requeue_pi_wake_futex()
futex_requeue_pi_complete()
/* preempt */
* timeout/ signal wakes T1 *
futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED
futex_hash_put()
// back to userland, on stack futex_q is garbage
/* back */
wake_up_state(q->task, TASK_NORMAL);
In this scenario futex_wait_requeue_pi() is able to leave without using
futex_q::lock_ptr for synchronization.
This can be prevented by reading futex_q::task before updating the
futex_q::requeue_state. A reference on the task_struct is not needed
because requeue_pi_wake_futex() is invoked with a spinlock_t held which
implies a RCU read section.
Even if T1 terminates immediately after, the task_struct will remain valid
during T2's wake_up_state(). A READ_ONCE on futex_q::task before
futex_requeue_pi_complete() is enough because it ensures that the variable
is read before the state is updated.
Read futex_q::task before updating the requeue state, use it for the
following wakeup.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < cb5d19a61274b51b49601214a87af573b43d60fa
(git)
Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < 348736955ed6ca6e99ca24b93b1d3fbfe352c181 (git) Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < a170b9c0dde83312b8b58ccc91509c7c15711641 (git) Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < d824b2dbdcfe3c390278dd9652ea526168ef6850 (git) Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < b549113738e8c751b613118032a724b772aa83f2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/futex/requeue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb5d19a61274b51b49601214a87af573b43d60fa",
"status": "affected",
"version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
"versionType": "git"
},
{
"lessThan": "348736955ed6ca6e99ca24b93b1d3fbfe352c181",
"status": "affected",
"version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
"versionType": "git"
},
{
"lessThan": "a170b9c0dde83312b8b58ccc91509c7c15711641",
"status": "affected",
"version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
"versionType": "git"
},
{
"lessThan": "d824b2dbdcfe3c390278dd9652ea526168ef6850",
"status": "affected",
"version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
"versionType": "git"
},
{
"lessThan": "b549113738e8c751b613118032a724b772aa83f2",
"status": "affected",
"version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/futex/requeue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.109",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.50",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.155",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.109",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.50",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.10",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Prevent use-after-free during requeue-PI\n\nsyzbot managed to trigger the following race:\n\n T1 T2\n\n futex_wait_requeue_pi()\n futex_do_wait()\n schedule()\n futex_requeue()\n futex_proxy_trylock_atomic()\n futex_requeue_pi_prepare()\n requeue_pi_wake_futex()\n futex_requeue_pi_complete()\n /* preempt */\n\n * timeout/ signal wakes T1 *\n\n futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED\n futex_hash_put()\n // back to userland, on stack futex_q is garbage\n\n /* back */\n wake_up_state(q-\u003etask, TASK_NORMAL);\n\nIn this scenario futex_wait_requeue_pi() is able to leave without using\nfutex_q::lock_ptr for synchronization.\n\nThis can be prevented by reading futex_q::task before updating the\nfutex_q::requeue_state. A reference on the task_struct is not needed\nbecause requeue_pi_wake_futex() is invoked with a spinlock_t held which\nimplies a RCU read section.\n\nEven if T1 terminates immediately after, the task_struct will remain valid\nduring T2\u0027s wake_up_state(). A READ_ONCE on futex_q::task before\nfutex_requeue_pi_complete() is enough because it ensures that the variable\nis read before the state is updated.\n\nRead futex_q::task before updating the requeue state, use it for the\nfollowing wakeup."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T07:55:58.283Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb5d19a61274b51b49601214a87af573b43d60fa"
},
{
"url": "https://git.kernel.org/stable/c/348736955ed6ca6e99ca24b93b1d3fbfe352c181"
},
{
"url": "https://git.kernel.org/stable/c/a170b9c0dde83312b8b58ccc91509c7c15711641"
},
{
"url": "https://git.kernel.org/stable/c/d824b2dbdcfe3c390278dd9652ea526168ef6850"
},
{
"url": "https://git.kernel.org/stable/c/b549113738e8c751b613118032a724b772aa83f2"
}
],
"title": "futex: Prevent use-after-free during requeue-PI",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39977",
"datePublished": "2025-10-15T07:55:58.283Z",
"dateReserved": "2025-04-16T07:20:57.150Z",
"dateUpdated": "2025-10-15T07:55:58.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-54172 (GCVE-0-2023-54172)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2026-01-05 10:51
VLAI?
EPSS
Title
x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction
On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs
with ConfigVersion 9.3 or later support IBT in the guest. However,
current versions of Hyper-V have a bug in that there's not an ENDBR64
instruction at the beginning of the hypercall page. Since hypercalls are
made with an indirect call to the hypercall page, all hypercall attempts
fail with an exception and Linux panics.
A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux
panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start
with ENDBR. The VM will boot and run without IBT.
If future Linux 32-bit kernels were to support IBT, additional hypercall
page hackery would be needed to make IBT work for such kernels in a
Hyper-V VM.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
991625f3dd2cbc4b787deb0213e2bcf8fa264b21 , < 98cccbd0a19a161971bc7f7feb10577adc62c400
(git)
Affected: 991625f3dd2cbc4b787deb0213e2bcf8fa264b21 , < 73626b70b361ddda7c380e52c236aa4f2487c402 (git) Affected: 991625f3dd2cbc4b787deb0213e2bcf8fa264b21 , < d5ace2a776442d80674eff9ed42e737f7dd95056 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/hyperv/hv_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98cccbd0a19a161971bc7f7feb10577adc62c400",
"status": "affected",
"version": "991625f3dd2cbc4b787deb0213e2bcf8fa264b21",
"versionType": "git"
},
{
"lessThan": "73626b70b361ddda7c380e52c236aa4f2487c402",
"status": "affected",
"version": "991625f3dd2cbc4b787deb0213e2bcf8fa264b21",
"versionType": "git"
},
{
"lessThan": "d5ace2a776442d80674eff9ed42e737f7dd95056",
"status": "affected",
"version": "991625f3dd2cbc4b787deb0213e2bcf8fa264b21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/hyperv/hv_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction\n\nOn hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs\nwith ConfigVersion 9.3 or later support IBT in the guest. However,\ncurrent versions of Hyper-V have a bug in that there\u0027s not an ENDBR64\ninstruction at the beginning of the hypercall page. Since hypercalls are\nmade with an indirect call to the hypercall page, all hypercall attempts\nfail with an exception and Linux panics.\n\nA Hyper-V fix is in progress to add ENDBR64. But guard against the Linux\npanic by clearing X86_FEATURE_IBT if the hypercall page doesn\u0027t start\nwith ENDBR. The VM will boot and run without IBT.\n\nIf future Linux 32-bit kernels were to support IBT, additional hypercall\npage hackery would be needed to make IBT work for such kernels in a\nHyper-V VM."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:51:14.484Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98cccbd0a19a161971bc7f7feb10577adc62c400"
},
{
"url": "https://git.kernel.org/stable/c/73626b70b361ddda7c380e52c236aa4f2487c402"
},
{
"url": "https://git.kernel.org/stable/c/d5ace2a776442d80674eff9ed42e737f7dd95056"
}
],
"title": "x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54172",
"datePublished": "2025-12-30T12:08:46.146Z",
"dateReserved": "2025-12-30T12:06:44.496Z",
"dateUpdated": "2026-01-05T10:51:14.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50630 (GCVE-0-2022-50630)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16
VLAI?
EPSS
Title
mm: hugetlb: fix UAF in hugetlb_handle_userfault
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: hugetlb: fix UAF in hugetlb_handle_userfault
The vma_lock and hugetlb_fault_mutex are dropped before handling userfault
and reacquire them again after handle_userfault(), but reacquire the
vma_lock could lead to UAF[1,2] due to the following race,
hugetlb_fault
hugetlb_no_page
/*unlock vma_lock */
hugetlb_handle_userfault
handle_userfault
/* unlock mm->mmap_lock*/
vm_mmap_pgoff
do_mmap
mmap_region
munmap_vma_range
/* clean old vma */
/* lock vma_lock again <--- UAF */
/* unlock vma_lock */
Since the vma_lock will unlock immediately after
hugetlb_handle_userfault(), let's drop the unneeded lock and unlock in
hugetlb_handle_userfault() to fix the issue.
[1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/
[2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45 , < 45c33966759ea1b4040c08dacda99ef623c0ca29
(git)
Affected: 1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45 , < 0db2efb3bff879566f05341d94c3de00ac95c4cc (git) Affected: 1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45 , < dd691973f67b2800a97db723b1ff6f07fdcf7f5a (git) Affected: 1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45 , < 78504bcedb2f1bbfb353b4d233c24d641c4dda33 (git) Affected: 1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45 , < 958f32ce832ba781ac20e11bb2d12a9352ea28fc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "45c33966759ea1b4040c08dacda99ef623c0ca29",
"status": "affected",
"version": "1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45",
"versionType": "git"
},
{
"lessThan": "0db2efb3bff879566f05341d94c3de00ac95c4cc",
"status": "affected",
"version": "1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45",
"versionType": "git"
},
{
"lessThan": "dd691973f67b2800a97db723b1ff6f07fdcf7f5a",
"status": "affected",
"version": "1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45",
"versionType": "git"
},
{
"lessThan": "78504bcedb2f1bbfb353b4d233c24d641c4dda33",
"status": "affected",
"version": "1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45",
"versionType": "git"
},
{
"lessThan": "958f32ce832ba781ac20e11bb2d12a9352ea28fc",
"status": "affected",
"version": "1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: fix UAF in hugetlb_handle_userfault\n\nThe vma_lock and hugetlb_fault_mutex are dropped before handling userfault\nand reacquire them again after handle_userfault(), but reacquire the\nvma_lock could lead to UAF[1,2] due to the following race,\n\nhugetlb_fault\n hugetlb_no_page\n /*unlock vma_lock */\n hugetlb_handle_userfault\n handle_userfault\n /* unlock mm-\u003emmap_lock*/\n vm_mmap_pgoff\n do_mmap\n mmap_region\n munmap_vma_range\n /* clean old vma */\n /* lock vma_lock again \u003c--- UAF */\n /* unlock vma_lock */\n\nSince the vma_lock will unlock immediately after\nhugetlb_handle_userfault(), let\u0027s drop the unneeded lock and unlock in\nhugetlb_handle_userfault() to fix the issue.\n\n[1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/\n[2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T01:16:45.555Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/45c33966759ea1b4040c08dacda99ef623c0ca29"
},
{
"url": "https://git.kernel.org/stable/c/0db2efb3bff879566f05341d94c3de00ac95c4cc"
},
{
"url": "https://git.kernel.org/stable/c/dd691973f67b2800a97db723b1ff6f07fdcf7f5a"
},
{
"url": "https://git.kernel.org/stable/c/78504bcedb2f1bbfb353b4d233c24d641c4dda33"
},
{
"url": "https://git.kernel.org/stable/c/958f32ce832ba781ac20e11bb2d12a9352ea28fc"
}
],
"title": "mm: hugetlb: fix UAF in hugetlb_handle_userfault",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50630",
"datePublished": "2025-12-08T01:16:45.555Z",
"dateReserved": "2025-12-08T01:14:55.192Z",
"dateUpdated": "2025-12-08T01:16:45.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54097 (GCVE-0-2023-54097)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
regulator: stm32-pwr: fix of_iomap leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: stm32-pwr: fix of_iomap leak
Smatch reports:
drivers/regulator/stm32-pwr.c:166 stm32_pwr_regulator_probe() warn:
'base' from of_iomap() not released on lines: 151,166.
In stm32_pwr_regulator_probe(), base is not released
when devm_kzalloc() fails to allocate memory or
devm_regulator_register() fails to register a new regulator device,
which may cause a leak.
To fix this issue, replace of_iomap() with
devm_platform_ioremap_resource(). devm_platform_ioremap_resource()
is a specialized function for platform devices.
It allows 'base' to be automatically released whether the probe
function succeeds or fails.
Besides, use IS_ERR(base) instead of !base
as the return value of devm_platform_ioremap_resource()
can either be a pointer to the remapped memory or
an ERR_PTR() encoded error code if the operation fails.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dc62f951a6a8490bcccc7b6de36cd85bd57be740 , < 824683dbec234a01bd49a0589ee3323594a6f4cf
(git)
Affected: dc62f951a6a8490bcccc7b6de36cd85bd57be740 , < dfce9bb3517a78507cf96f9b83948d0b81338afa (git) Affected: dc62f951a6a8490bcccc7b6de36cd85bd57be740 , < ad6481f49fb2c703efa3a929643934f24b666d6a (git) Affected: dc62f951a6a8490bcccc7b6de36cd85bd57be740 , < f25994f7a9ad53eb756bc4869497c3ebe281ad5e (git) Affected: dc62f951a6a8490bcccc7b6de36cd85bd57be740 , < c091bb49b3233307c7af73dae888f0799752af3d (git) Affected: dc62f951a6a8490bcccc7b6de36cd85bd57be740 , < 0ad07e02be0d3f0d554653382ffe53ae4879378d (git) Affected: dc62f951a6a8490bcccc7b6de36cd85bd57be740 , < c4a413e56d16a2ae84e6d8992f215c4dcc7fac20 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/stm32-pwr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "824683dbec234a01bd49a0589ee3323594a6f4cf",
"status": "affected",
"version": "dc62f951a6a8490bcccc7b6de36cd85bd57be740",
"versionType": "git"
},
{
"lessThan": "dfce9bb3517a78507cf96f9b83948d0b81338afa",
"status": "affected",
"version": "dc62f951a6a8490bcccc7b6de36cd85bd57be740",
"versionType": "git"
},
{
"lessThan": "ad6481f49fb2c703efa3a929643934f24b666d6a",
"status": "affected",
"version": "dc62f951a6a8490bcccc7b6de36cd85bd57be740",
"versionType": "git"
},
{
"lessThan": "f25994f7a9ad53eb756bc4869497c3ebe281ad5e",
"status": "affected",
"version": "dc62f951a6a8490bcccc7b6de36cd85bd57be740",
"versionType": "git"
},
{
"lessThan": "c091bb49b3233307c7af73dae888f0799752af3d",
"status": "affected",
"version": "dc62f951a6a8490bcccc7b6de36cd85bd57be740",
"versionType": "git"
},
{
"lessThan": "0ad07e02be0d3f0d554653382ffe53ae4879378d",
"status": "affected",
"version": "dc62f951a6a8490bcccc7b6de36cd85bd57be740",
"versionType": "git"
},
{
"lessThan": "c4a413e56d16a2ae84e6d8992f215c4dcc7fac20",
"status": "affected",
"version": "dc62f951a6a8490bcccc7b6de36cd85bd57be740",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/stm32-pwr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: stm32-pwr: fix of_iomap leak\n\nSmatch reports:\ndrivers/regulator/stm32-pwr.c:166 stm32_pwr_regulator_probe() warn:\n\u0027base\u0027 from of_iomap() not released on lines: 151,166.\n\nIn stm32_pwr_regulator_probe(), base is not released\nwhen devm_kzalloc() fails to allocate memory or\ndevm_regulator_register() fails to register a new regulator device,\nwhich may cause a leak.\n\nTo fix this issue, replace of_iomap() with\ndevm_platform_ioremap_resource(). devm_platform_ioremap_resource()\nis a specialized function for platform devices.\nIt allows \u0027base\u0027 to be automatically released whether the probe\nfunction succeeds or fails.\n\nBesides, use IS_ERR(base) instead of !base\nas the return value of devm_platform_ioremap_resource()\ncan either be a pointer to the remapped memory or\nan ERR_PTR() encoded error code if the operation fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:24.519Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/824683dbec234a01bd49a0589ee3323594a6f4cf"
},
{
"url": "https://git.kernel.org/stable/c/dfce9bb3517a78507cf96f9b83948d0b81338afa"
},
{
"url": "https://git.kernel.org/stable/c/ad6481f49fb2c703efa3a929643934f24b666d6a"
},
{
"url": "https://git.kernel.org/stable/c/f25994f7a9ad53eb756bc4869497c3ebe281ad5e"
},
{
"url": "https://git.kernel.org/stable/c/c091bb49b3233307c7af73dae888f0799752af3d"
},
{
"url": "https://git.kernel.org/stable/c/0ad07e02be0d3f0d554653382ffe53ae4879378d"
},
{
"url": "https://git.kernel.org/stable/c/c4a413e56d16a2ae84e6d8992f215c4dcc7fac20"
}
],
"title": "regulator: stm32-pwr: fix of_iomap leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54097",
"datePublished": "2025-12-24T13:06:24.519Z",
"dateReserved": "2025-12-24T13:02:52.516Z",
"dateUpdated": "2025-12-24T13:06:24.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54025 (GCVE-0-2023-54025)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled
In case WoWlan was never configured during the operation of the system,
the hw->wiphy->wowlan_config will be NULL. rsi_config_wowlan() checks
whether wowlan_config is non-NULL and if it is not, then WARNs about it.
The warning is valid, as during normal operation the rsi_config_wowlan()
should only ever be called with non-NULL wowlan_config. In shutdown this
rsi_config_wowlan() should only ever be called if WoWlan was configured
before by the user.
Add checks for non-NULL wowlan_config into the shutdown hook. While at it,
check whether the wiphy is also non-NULL before accessing wowlan_config .
Drop the single-use wowlan_config variable, just inline it into function
call.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
16bbc3eb83728c03138191a5d23d84d38175fa26 , < b2aeb97fd470206e67f7b3b4a3e68212a13f747b
(git)
Affected: 16bbc3eb83728c03138191a5d23d84d38175fa26 , < 4391fa180856ff84a2cef4a92694a689eebb855e (git) Affected: 16bbc3eb83728c03138191a5d23d84d38175fa26 , < eb205a06908122f50b1dd1baa43f7c8036bfc7dc (git) Affected: 16bbc3eb83728c03138191a5d23d84d38175fa26 , < 1b51236aa49a0564280bd45c94118cab6d9b0fbd (git) Affected: 16bbc3eb83728c03138191a5d23d84d38175fa26 , < b601468539c1d97539097bfc87ad11f1704b7eb7 (git) Affected: 16bbc3eb83728c03138191a5d23d84d38175fa26 , < b241e260820b68c09586e8a0ae0fc23c0e3215bd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/rsi/rsi_91x_sdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2aeb97fd470206e67f7b3b4a3e68212a13f747b",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
},
{
"lessThan": "4391fa180856ff84a2cef4a92694a689eebb855e",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
},
{
"lessThan": "eb205a06908122f50b1dd1baa43f7c8036bfc7dc",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
},
{
"lessThan": "1b51236aa49a0564280bd45c94118cab6d9b0fbd",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
},
{
"lessThan": "b601468539c1d97539097bfc87ad11f1704b7eb7",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
},
{
"lessThan": "b241e260820b68c09586e8a0ae0fc23c0e3215bd",
"status": "affected",
"version": "16bbc3eb83728c03138191a5d23d84d38175fa26",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/rsi/rsi_91x_sdio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rsi: Do not configure WoWlan in shutdown hook if not enabled\n\nIn case WoWlan was never configured during the operation of the system,\nthe hw-\u003ewiphy-\u003ewowlan_config will be NULL. rsi_config_wowlan() checks\nwhether wowlan_config is non-NULL and if it is not, then WARNs about it.\nThe warning is valid, as during normal operation the rsi_config_wowlan()\nshould only ever be called with non-NULL wowlan_config. In shutdown this\nrsi_config_wowlan() should only ever be called if WoWlan was configured\nbefore by the user.\n\nAdd checks for non-NULL wowlan_config into the shutdown hook. While at it,\ncheck whether the wiphy is also non-NULL before accessing wowlan_config .\nDrop the single-use wowlan_config variable, just inline it into function\ncall."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:54.440Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2aeb97fd470206e67f7b3b4a3e68212a13f747b"
},
{
"url": "https://git.kernel.org/stable/c/4391fa180856ff84a2cef4a92694a689eebb855e"
},
{
"url": "https://git.kernel.org/stable/c/eb205a06908122f50b1dd1baa43f7c8036bfc7dc"
},
{
"url": "https://git.kernel.org/stable/c/1b51236aa49a0564280bd45c94118cab6d9b0fbd"
},
{
"url": "https://git.kernel.org/stable/c/b601468539c1d97539097bfc87ad11f1704b7eb7"
},
{
"url": "https://git.kernel.org/stable/c/b241e260820b68c09586e8a0ae0fc23c0e3215bd"
}
],
"title": "wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54025",
"datePublished": "2025-12-24T10:55:54.440Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2025-12-24T10:55:54.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40164 (GCVE-0-2025-40164)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:26 – Updated: 2026-01-30 09:48
VLAI?
EPSS
Title
usbnet: Fix using smp_processor_id() in preemptible code warnings
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: Fix using smp_processor_id() in preemptible code warnings
Syzbot reported the following warning:
BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879
caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49
usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708
usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417
__dev_set_mtu net/core/dev.c:9443 [inline]
netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496
netif_set_mtu+0xb0/0x160 net/core/dev.c:9520
dev_set_mtu+0xae/0x170 net/core/dev_api.c:247
dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572
dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821
sock_do_ioctl+0x19d/0x280 net/socket.c:1204
sock_ioctl+0x42f/0x6a0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
For historical and portability reasons, the netif_rx() is usually
run in the softirq or interrupt context, this commit therefore add
local_bh_disable/enable() protection in the usbnet_resume_rx().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 17fbad93879e87a334062882b45fa727ba1b3dd7
(git)
Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < d1944bab8e0c1511f0cbf364aa06547735bb0ddb (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 0134c7bff14bd50314a4f92b182850ddfc38e255 (git) Affected: 43daa96b166c3cf5ff30dfac0c5efa2620e4beab , < 327cd4b68b4398b6c24f10eb2b2533ffbfc10185 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17fbad93879e87a334062882b45fa727ba1b3dd7",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "d1944bab8e0c1511f0cbf364aa06547735bb0ddb",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "0134c7bff14bd50314a4f92b182850ddfc38e255",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
},
{
"lessThan": "327cd4b68b4398b6c24f10eb2b2533ffbfc10185",
"status": "affected",
"version": "43daa96b166c3cf5ff30dfac0c5efa2620e4beab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/usbnet.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.5",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Fix using smp_processor_id() in preemptible code warnings\n\nSyzbot reported the following warning:\n\nBUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879\ncaller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\nCPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120\n check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49\n usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331\n usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708\n usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417\n __dev_set_mtu net/core/dev.c:9443 [inline]\n netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496\n netif_set_mtu+0xb0/0x160 net/core/dev.c:9520\n dev_set_mtu+0xae/0x170 net/core/dev_api.c:247\n dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572\n dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821\n sock_do_ioctl+0x19d/0x280 net/socket.c:1204\n sock_ioctl+0x42f/0x6a0 net/socket.c:1311\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFor historical and portability reasons, the netif_rx() is usually\nrun in the softirq or interrupt context, this commit therefore add\nlocal_bh_disable/enable() protection in the usbnet_resume_rx()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-30T09:48:39.458Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17fbad93879e87a334062882b45fa727ba1b3dd7"
},
{
"url": "https://git.kernel.org/stable/c/d1944bab8e0c1511f0cbf364aa06547735bb0ddb"
},
{
"url": "https://git.kernel.org/stable/c/0134c7bff14bd50314a4f92b182850ddfc38e255"
},
{
"url": "https://git.kernel.org/stable/c/327cd4b68b4398b6c24f10eb2b2533ffbfc10185"
}
],
"title": "usbnet: Fix using smp_processor_id() in preemptible code warnings",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40164",
"datePublished": "2025-11-12T10:26:23.482Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-01-30T09:48:39.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68298 (GCVE-0-2025-68298)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06
VLAI?
EPSS
Title
Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:
usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)
That function can return NULL in some cases. Even when it returns
NULL, though, we still go on to call btusb_mtk_claim_iso_intf().
As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for
usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf()
when `btmtk_data->isopkt_intf` is NULL will cause a crash because
we'll end up passing a bad pointer to device_lock(). Prior to that
commit we'd pass the NULL pointer directly to
usb_driver_claim_interface() which would detect it and return an
error, which was handled.
Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check
at the start of the function. This makes the code handle a NULL
`btmtk_data->isopkt_intf` the same way it did before the problematic
commit (just with a slight change to the error message printed).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
930e1790b99e5839e1af69d2f7fd808f1fba2df9 , < 2fa09fe98ca3b114d66285f65f7e108fea131815
(git)
Affected: e9087e828827e5a5c85e124ce77503f2b81c3491 , < c3b990e0b23068da65f0004cd38ee31f43f36460 (git) Affected: e9087e828827e5a5c85e124ce77503f2b81c3491 , < c884a0b27b4586e607431d86a1aa0bb4fb39169c (git) Affected: 4194766ec8756f4f654d595ae49962acbac49490 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2fa09fe98ca3b114d66285f65f7e108fea131815",
"status": "affected",
"version": "930e1790b99e5839e1af69d2f7fd808f1fba2df9",
"versionType": "git"
},
{
"lessThan": "c3b990e0b23068da65f0004cd38ee31f43f36460",
"status": "affected",
"version": "e9087e828827e5a5c85e124ce77503f2b81c3491",
"versionType": "git"
},
{
"lessThan": "c884a0b27b4586e607431d86a1aa0bb4fb39169c",
"status": "affected",
"version": "e9087e828827e5a5c85e124ce77503f2b81c3491",
"versionType": "git"
},
{
"status": "affected",
"version": "4194766ec8756f4f654d595ae49962acbac49490",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref\n\nIn btusb_mtk_setup(), we set `btmtk_data-\u003eisopkt_intf` to:\n usb_ifnum_to_if(data-\u003eudev, MTK_ISO_IFNUM)\n\nThat function can return NULL in some cases. Even when it returns\nNULL, though, we still go on to call btusb_mtk_claim_iso_intf().\n\nAs of commit e9087e828827 (\"Bluetooth: btusb: mediatek: Add locks for\nusb_driver_claim_interface()\"), calling btusb_mtk_claim_iso_intf()\nwhen `btmtk_data-\u003eisopkt_intf` is NULL will cause a crash because\nwe\u0027ll end up passing a bad pointer to device_lock(). Prior to that\ncommit we\u0027d pass the NULL pointer directly to\nusb_driver_claim_interface() which would detect it and return an\nerror, which was handled.\n\nResolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check\nat the start of the function. This makes the code handle a NULL\n`btmtk_data-\u003eisopkt_intf` the same way it did before the problematic\ncommit (just with a slight change to the error message printed)."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:06:17.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2fa09fe98ca3b114d66285f65f7e108fea131815"
},
{
"url": "https://git.kernel.org/stable/c/c3b990e0b23068da65f0004cd38ee31f43f36460"
},
{
"url": "https://git.kernel.org/stable/c/c884a0b27b4586e607431d86a1aa0bb4fb39169c"
}
],
"title": "Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68298",
"datePublished": "2025-12-16T15:06:17.526Z",
"dateReserved": "2025-12-16T14:48:05.293Z",
"dateUpdated": "2025-12-16T15:06:17.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54112 (GCVE-0-2023-54112)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
kcm: Fix memory leak in error path of kcm_sendmsg()
Summary
In the Linux kernel, the following vulnerability has been resolved:
kcm: Fix memory leak in error path of kcm_sendmsg()
syzbot reported a memory leak like below:
BUG: memory leak
unreferenced object 0xffff88810b088c00 (size 240):
comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s)
hex dump (first 32 bytes):
00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff83e5d5ff>] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634
[<ffffffff84606e59>] alloc_skb include/linux/skbuff.h:1289 [inline]
[<ffffffff84606e59>] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815
[<ffffffff83e479c6>] sock_sendmsg_nosec net/socket.c:725 [inline]
[<ffffffff83e479c6>] sock_sendmsg+0x56/0xb0 net/socket.c:748
[<ffffffff83e47f55>] ____sys_sendmsg+0x365/0x470 net/socket.c:2494
[<ffffffff83e4c389>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548
[<ffffffff83e4c536>] __sys_sendmsg+0xa6/0x120 net/socket.c:2577
[<ffffffff84ad7bb8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84ad7bb8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append
newly allocated skbs to 'head'. If some bytes are copied, an error occurred,
and jumped to out_error label, 'last_skb' is left unmodified. A later
kcm_sendmsg() will use an obsoleted 'last_skb' reference, corrupting the
'head' frag_list and causing the leak.
This patch fixes this issue by properly updating the last allocated skb in
'last_skb'.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 8dc7eb757b1652b82725f32e0c89a1e9f6c0e13b
(git)
Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 5e5554389397e98fafb9efe395d8b4830dd5f042 (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 479c71cda14b3c3a6515773faa39055333eaa2b7 (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 33db24ad811b3576a0c2f8862506763f2be925b0 (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 97275339c34cfbccd65e87bc38fd910ae66c48ba (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < 16989de75497574b5fafd174c0c233d5a86858b7 (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < af8085e0fc3207ecbf8b9e7a635c790e36d058c6 (git) Affected: ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 , < c821a88bd720b0046433173185fd841a100d44ad (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/kcm/kcmsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8dc7eb757b1652b82725f32e0c89a1e9f6c0e13b",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "5e5554389397e98fafb9efe395d8b4830dd5f042",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "479c71cda14b3c3a6515773faa39055333eaa2b7",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "33db24ad811b3576a0c2f8862506763f2be925b0",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "97275339c34cfbccd65e87bc38fd910ae66c48ba",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "16989de75497574b5fafd174c0c233d5a86858b7",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "af8085e0fc3207ecbf8b9e7a635c790e36d058c6",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
},
{
"lessThan": "c821a88bd720b0046433173185fd841a100d44ad",
"status": "affected",
"version": "ab7ac4eb9832e32a09f4e8042705484d2fb0aad3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/kcm/kcmsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.6"
},
{
"lessThan": "4.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.326",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.295",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.257",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "4.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkcm: Fix memory leak in error path of kcm_sendmsg()\n\nsyzbot reported a memory leak like below:\n\nBUG: memory leak\nunreferenced object 0xffff88810b088c00 (size 240):\n comm \"syz-executor186\", pid 5012, jiffies 4294943306 (age 13.680s)\n hex dump (first 32 bytes):\n 00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff83e5d5ff\u003e] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634\n [\u003cffffffff84606e59\u003e] alloc_skb include/linux/skbuff.h:1289 [inline]\n [\u003cffffffff84606e59\u003e] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815\n [\u003cffffffff83e479c6\u003e] sock_sendmsg_nosec net/socket.c:725 [inline]\n [\u003cffffffff83e479c6\u003e] sock_sendmsg+0x56/0xb0 net/socket.c:748\n [\u003cffffffff83e47f55\u003e] ____sys_sendmsg+0x365/0x470 net/socket.c:2494\n [\u003cffffffff83e4c389\u003e] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548\n [\u003cffffffff83e4c536\u003e] __sys_sendmsg+0xa6/0x120 net/socket.c:2577\n [\u003cffffffff84ad7bb8\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n [\u003cffffffff84ad7bb8\u003e] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80\n [\u003cffffffff84c0008b\u003e] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nIn kcm_sendmsg(), kcm_tx_msg(head)-\u003elast_skb is used as a cursor to append\nnewly allocated skbs to \u0027head\u0027. If some bytes are copied, an error occurred,\nand jumped to out_error label, \u0027last_skb\u0027 is left unmodified. A later\nkcm_sendmsg() will use an obsoleted \u0027last_skb\u0027 reference, corrupting the\n\u0027head\u0027 frag_list and causing the leak.\n\nThis patch fixes this issue by properly updating the last allocated skb in\n\u0027last_skb\u0027."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:34.854Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8dc7eb757b1652b82725f32e0c89a1e9f6c0e13b"
},
{
"url": "https://git.kernel.org/stable/c/5e5554389397e98fafb9efe395d8b4830dd5f042"
},
{
"url": "https://git.kernel.org/stable/c/479c71cda14b3c3a6515773faa39055333eaa2b7"
},
{
"url": "https://git.kernel.org/stable/c/33db24ad811b3576a0c2f8862506763f2be925b0"
},
{
"url": "https://git.kernel.org/stable/c/97275339c34cfbccd65e87bc38fd910ae66c48ba"
},
{
"url": "https://git.kernel.org/stable/c/16989de75497574b5fafd174c0c233d5a86858b7"
},
{
"url": "https://git.kernel.org/stable/c/af8085e0fc3207ecbf8b9e7a635c790e36d058c6"
},
{
"url": "https://git.kernel.org/stable/c/c821a88bd720b0046433173185fd841a100d44ad"
}
],
"title": "kcm: Fix memory leak in error path of kcm_sendmsg()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54112",
"datePublished": "2025-12-24T13:06:34.854Z",
"dateReserved": "2025-12-24T13:02:52.518Z",
"dateUpdated": "2025-12-24T13:06:34.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40134 (GCVE-0-2025-40134)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18
VLAI?
EPSS
Title
dm: fix NULL pointer dereference in __dm_suspend()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix NULL pointer dereference in __dm_suspend()
There is a race condition between dm device suspend and table load that
can lead to null pointer dereference. The issue occurs when suspend is
invoked before table load completes:
BUG: kernel NULL pointer dereference, address: 0000000000000054
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50
Call Trace:
<TASK>
blk_mq_quiesce_queue+0x2c/0x50
dm_stop_queue+0xd/0x20
__dm_suspend+0x130/0x330
dm_suspend+0x11a/0x180
dev_suspend+0x27e/0x560
ctl_ioctl+0x4cf/0x850
dm_ctl_ioctl+0xd/0x20
vfs_ioctl+0x1d/0x50
__se_sys_ioctl+0x9b/0xc0
__x64_sys_ioctl+0x19/0x30
x64_sys_call+0x2c4a/0x4620
do_syscall_64+0x9e/0x1b0
The issue can be triggered as below:
T1 T2
dm_suspend table_load
__dm_suspend dm_setup_md_queue
dm_mq_init_request_queue
blk_mq_init_allocated_queue
=> q->mq_ops = set->ops; (1)
dm_stop_queue / dm_wait_for_completion
=> q->tag_set NULL pointer! (2)
=> q->tag_set = set; (3)
Fix this by checking if a valid table (map) exists before performing
request-based suspend and waiting for target I/O. When map is NULL,
skip these table-dependent suspend steps.
Even when map is NULL, no I/O can reach any target because there is
no table loaded; I/O submitted in this state will fail early in the
DM layer. Skipping the table-dependent suspend logic in this case
is safe and avoids NULL pointer dereferences.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c4576aed8d85d808cd6443bda58393d525207d01 , < 9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98
(git)
Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < 30f95b7eda5966b81cb221bd569c0f095a068cf6 (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < a802901b75e13cc306f1b7ab0f062135c8034e9e (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < 846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < 19ca4528666990be376ac3eb6fe667b03db5324d (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < 331c2dd8ca8bad1a3ac10cce847ffb76158eece4 (git) Affected: c4576aed8d85d808cd6443bda58393d525207d01 , < 8d33a030c566e1f105cd5bf27f37940b6367f3be (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "30f95b7eda5966b81cb221bd569c0f095a068cf6",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "a802901b75e13cc306f1b7ab0f062135c8034e9e",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "19ca4528666990be376ac3eb6fe667b03db5324d",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "331c2dd8ca8bad1a3ac10cce847ffb76158eece4",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
},
{
"lessThan": "8d33a030c566e1f105cd5bf27f37940b6367f3be",
"status": "affected",
"version": "c4576aed8d85d808cd6443bda58393d525207d01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.156",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.112",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.156",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.112",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.53",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix NULL pointer dereference in __dm_suspend()\n\nThere is a race condition between dm device suspend and table load that\ncan lead to null pointer dereference. The issue occurs when suspend is\ninvoked before table load completes:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000054\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\nRIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50\nCall Trace:\n \u003cTASK\u003e\n blk_mq_quiesce_queue+0x2c/0x50\n dm_stop_queue+0xd/0x20\n __dm_suspend+0x130/0x330\n dm_suspend+0x11a/0x180\n dev_suspend+0x27e/0x560\n ctl_ioctl+0x4cf/0x850\n dm_ctl_ioctl+0xd/0x20\n vfs_ioctl+0x1d/0x50\n __se_sys_ioctl+0x9b/0xc0\n __x64_sys_ioctl+0x19/0x30\n x64_sys_call+0x2c4a/0x4620\n do_syscall_64+0x9e/0x1b0\n\nThe issue can be triggered as below:\n\nT1 \t\t\t\t\t\tT2\ndm_suspend\t\t\t\t\ttable_load\n__dm_suspend\t\t\t\t\tdm_setup_md_queue\n\t\t\t\t\t\tdm_mq_init_request_queue\n\t\t\t\t\t\tblk_mq_init_allocated_queue\n\t\t\t\t\t\t=\u003e q-\u003emq_ops = set-\u003eops; (1)\ndm_stop_queue / dm_wait_for_completion\n=\u003e q-\u003etag_set NULL pointer!\t(2)\n\t\t\t\t\t\t=\u003e q-\u003etag_set = set; (3)\n\nFix this by checking if a valid table (map) exists before performing\nrequest-based suspend and waiting for target I/O. When map is NULL,\nskip these table-dependent suspend steps.\n\nEven when map is NULL, no I/O can reach any target because there is\nno table loaded; I/O submitted in this state will fail early in the\nDM layer. Skipping the table-dependent suspend logic in this case\nis safe and avoids NULL pointer dereferences."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:18:40.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98"
},
{
"url": "https://git.kernel.org/stable/c/30f95b7eda5966b81cb221bd569c0f095a068cf6"
},
{
"url": "https://git.kernel.org/stable/c/a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c"
},
{
"url": "https://git.kernel.org/stable/c/a802901b75e13cc306f1b7ab0f062135c8034e9e"
},
{
"url": "https://git.kernel.org/stable/c/846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe"
},
{
"url": "https://git.kernel.org/stable/c/19ca4528666990be376ac3eb6fe667b03db5324d"
},
{
"url": "https://git.kernel.org/stable/c/331c2dd8ca8bad1a3ac10cce847ffb76158eece4"
},
{
"url": "https://git.kernel.org/stable/c/8d33a030c566e1f105cd5bf27f37940b6367f3be"
}
],
"title": "dm: fix NULL pointer dereference in __dm_suspend()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40134",
"datePublished": "2025-11-12T10:23:22.771Z",
"dateReserved": "2025-04-16T07:20:57.170Z",
"dateUpdated": "2025-12-01T06:18:40.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53991 (GCVE-0-2023-53991)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
drm/msm/dpu: Disallow unallocated resources to be returned
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dpu: Disallow unallocated resources to be returned
In the event that the topology requests resources that have not been
created by the system (because they are typically not represented in
dpu_mdss_cfg ^1), the resource(s) in global_state (in this case DSC
blocks, until their allocation/assignment is being sanity-checked in
"drm/msm/dpu: Reject topologies for which no DSC blocks are available")
remain NULL but will still be returned out of
dpu_rm_get_assigned_resources, where the caller expects to get an array
containing num_blks valid pointers (but instead gets these NULLs).
To prevent this from happening, where null-pointer dereferences
typically result in a hard-to-debug platform lockup, num_blks shouldn't
increase past NULL blocks and will print an error and break instead.
After all, max_blks represents the static size of the maximum number of
blocks whereas the actual amount varies per platform.
^1: which can happen after a git rebase ended up moving additions to
_dpu_cfg to a different struct which has the same patch context.
Patchwork: https://patchwork.freedesktop.org/patch/517636/
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
bb00a452d6f77391441ef7df48f7115dd459cd2f , < 8dbd54d679e3ab37be43bc1ed9f463dbf83a2259
(git)
Affected: bb00a452d6f77391441ef7df48f7115dd459cd2f , < bf661c5e3bc48973acb363c76e3db965d9ed26d0 (git) Affected: bb00a452d6f77391441ef7df48f7115dd459cd2f , < 9e1e236acdc42b5c43ec8d7f03a39537e70cc309 (git) Affected: bb00a452d6f77391441ef7df48f7115dd459cd2f , < 9fe3644c720ac87d150f0bba5a4ae86cae55afaf (git) Affected: bb00a452d6f77391441ef7df48f7115dd459cd2f , < abc40122d9a69f56c04efb5a7485795f5ac799d1 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8dbd54d679e3ab37be43bc1ed9f463dbf83a2259",
"status": "affected",
"version": "bb00a452d6f77391441ef7df48f7115dd459cd2f",
"versionType": "git"
},
{
"lessThan": "bf661c5e3bc48973acb363c76e3db965d9ed26d0",
"status": "affected",
"version": "bb00a452d6f77391441ef7df48f7115dd459cd2f",
"versionType": "git"
},
{
"lessThan": "9e1e236acdc42b5c43ec8d7f03a39537e70cc309",
"status": "affected",
"version": "bb00a452d6f77391441ef7df48f7115dd459cd2f",
"versionType": "git"
},
{
"lessThan": "9fe3644c720ac87d150f0bba5a4ae86cae55afaf",
"status": "affected",
"version": "bb00a452d6f77391441ef7df48f7115dd459cd2f",
"versionType": "git"
},
{
"lessThan": "abc40122d9a69f56c04efb5a7485795f5ac799d1",
"status": "affected",
"version": "bb00a452d6f77391441ef7df48f7115dd459cd2f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Disallow unallocated resources to be returned\n\nIn the event that the topology requests resources that have not been\ncreated by the system (because they are typically not represented in\ndpu_mdss_cfg ^1), the resource(s) in global_state (in this case DSC\nblocks, until their allocation/assignment is being sanity-checked in\n\"drm/msm/dpu: Reject topologies for which no DSC blocks are available\")\nremain NULL but will still be returned out of\ndpu_rm_get_assigned_resources, where the caller expects to get an array\ncontaining num_blks valid pointers (but instead gets these NULLs).\n\nTo prevent this from happening, where null-pointer dereferences\ntypically result in a hard-to-debug platform lockup, num_blks shouldn\u0027t\nincrease past NULL blocks and will print an error and break instead.\nAfter all, max_blks represents the static size of the maximum number of\nblocks whereas the actual amount varies per platform.\n\n^1: which can happen after a git rebase ended up moving additions to\n_dpu_cfg to a different struct which has the same patch context.\n\nPatchwork: https://patchwork.freedesktop.org/patch/517636/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:29.833Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8dbd54d679e3ab37be43bc1ed9f463dbf83a2259"
},
{
"url": "https://git.kernel.org/stable/c/bf661c5e3bc48973acb363c76e3db965d9ed26d0"
},
{
"url": "https://git.kernel.org/stable/c/9e1e236acdc42b5c43ec8d7f03a39537e70cc309"
},
{
"url": "https://git.kernel.org/stable/c/9fe3644c720ac87d150f0bba5a4ae86cae55afaf"
},
{
"url": "https://git.kernel.org/stable/c/abc40122d9a69f56c04efb5a7485795f5ac799d1"
}
],
"title": "drm/msm/dpu: Disallow unallocated resources to be returned",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53991",
"datePublished": "2025-12-24T10:55:29.833Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:29.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50670 (GCVE-0-2022-50670)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
mmc: omap_hsmmc: fix return value check of mmc_add_host()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: omap_hsmmc: fix return value check of mmc_add_host()
mmc_add_host() may return error, if we ignore its return value,
it will lead two issues:
1. The memory that allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete device, but it's not added yet, it will lead a kernel
crash because of null-ptr-deref in device_del().
Fix this by checking the return value and goto error path wihch
will call mmc_free_host().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a45c6cb816474cefe56059fce422a9bdcd77e0dc , < f153c9e15f8961bdf38707853e15b42ea7c691d9
(git)
Affected: a45c6cb816474cefe56059fce422a9bdcd77e0dc , < fb3d596267a98813a7a8206097d8d46c98505a0d (git) Affected: a45c6cb816474cefe56059fce422a9bdcd77e0dc , < 62005dfcc396424db3337a1dc3ab49623537f5e5 (git) Affected: a45c6cb816474cefe56059fce422a9bdcd77e0dc , < a5f8a4583280a76e50329b910e91ef1dea1e6c79 (git) Affected: a45c6cb816474cefe56059fce422a9bdcd77e0dc , < 4e1dc24bcfc8257f24c0663badec7e4f3ae80558 (git) Affected: a45c6cb816474cefe56059fce422a9bdcd77e0dc , < a525cad241c339ca00bf7ebf03c5180f2a9b767c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/omap_hsmmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f153c9e15f8961bdf38707853e15b42ea7c691d9",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
},
{
"lessThan": "fb3d596267a98813a7a8206097d8d46c98505a0d",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
},
{
"lessThan": "62005dfcc396424db3337a1dc3ab49623537f5e5",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
},
{
"lessThan": "a5f8a4583280a76e50329b910e91ef1dea1e6c79",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
},
{
"lessThan": "4e1dc24bcfc8257f24c0663badec7e4f3ae80558",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
},
{
"lessThan": "a525cad241c339ca00bf7ebf03c5180f2a9b767c",
"status": "affected",
"version": "a45c6cb816474cefe56059fce422a9bdcd77e0dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mmc/host/omap_hsmmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: omap_hsmmc: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value,\nit will lead two issues:\n1. The memory that allocated in mmc_alloc_host() is leaked.\n2. In the remove() path, mmc_remove_host() will be called to\n delete device, but it\u0027s not added yet, it will lead a kernel\n crash because of null-ptr-deref in device_del().\n\nFix this by checking the return value and goto error path wihch\nwill call mmc_free_host()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:21.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f153c9e15f8961bdf38707853e15b42ea7c691d9"
},
{
"url": "https://git.kernel.org/stable/c/fb3d596267a98813a7a8206097d8d46c98505a0d"
},
{
"url": "https://git.kernel.org/stable/c/62005dfcc396424db3337a1dc3ab49623537f5e5"
},
{
"url": "https://git.kernel.org/stable/c/a5f8a4583280a76e50329b910e91ef1dea1e6c79"
},
{
"url": "https://git.kernel.org/stable/c/4e1dc24bcfc8257f24c0663badec7e4f3ae80558"
},
{
"url": "https://git.kernel.org/stable/c/a525cad241c339ca00bf7ebf03c5180f2a9b767c"
}
],
"title": "mmc: omap_hsmmc: fix return value check of mmc_add_host()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50670",
"datePublished": "2025-12-09T01:29:21.864Z",
"dateReserved": "2025-12-09T01:26:45.990Z",
"dateUpdated": "2025-12-09T01:29:21.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53751 (GCVE-0-2023-53751)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname
TCP_Server_Info::hostname may be updated once or many times during
reconnect, so protect its access outside reconnect path as well and
then prevent any potential use-after-free bugs.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
93d5cb517db39e8af8d1292f9e785e4983b7f708 , < 64d62ac6d6514cba1305bd08e271ec1843bdd612
(git)
Affected: 93d5cb517db39e8af8d1292f9e785e4983b7f708 , < c511954bf142fe1995aec3c739a9f1a76990283a (git) Affected: 93d5cb517db39e8af8d1292f9e785e4983b7f708 , < 0b08c4c499200be67d54c439d56e5ea866869945 (git) Affected: 93d5cb517db39e8af8d1292f9e785e4983b7f708 , < 90c49fce1c43e1cc152695e20363ff5087897c09 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifs_debug.c",
"fs/cifs/cifs_debug.h",
"fs/cifs/connect.c",
"fs/cifs/sess.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64d62ac6d6514cba1305bd08e271ec1843bdd612",
"status": "affected",
"version": "93d5cb517db39e8af8d1292f9e785e4983b7f708",
"versionType": "git"
},
{
"lessThan": "c511954bf142fe1995aec3c739a9f1a76990283a",
"status": "affected",
"version": "93d5cb517db39e8af8d1292f9e785e4983b7f708",
"versionType": "git"
},
{
"lessThan": "0b08c4c499200be67d54c439d56e5ea866869945",
"status": "affected",
"version": "93d5cb517db39e8af8d1292f9e785e4983b7f708",
"versionType": "git"
},
{
"lessThan": "90c49fce1c43e1cc152695e20363ff5087897c09",
"status": "affected",
"version": "93d5cb517db39e8af8d1292f9e785e4983b7f708",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifs_debug.c",
"fs/cifs/cifs_debug.h",
"fs/cifs/connect.c",
"fs/cifs/sess.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential use-after-free bugs in TCP_Server_Info::hostname\n\nTCP_Server_Info::hostname may be updated once or many times during\nreconnect, so protect its access outside reconnect path as well and\nthen prevent any potential use-after-free bugs."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:40.396Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64d62ac6d6514cba1305bd08e271ec1843bdd612"
},
{
"url": "https://git.kernel.org/stable/c/c511954bf142fe1995aec3c739a9f1a76990283a"
},
{
"url": "https://git.kernel.org/stable/c/0b08c4c499200be67d54c439d56e5ea866869945"
},
{
"url": "https://git.kernel.org/stable/c/90c49fce1c43e1cc152695e20363ff5087897c09"
}
],
"title": "cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53751",
"datePublished": "2025-12-08T01:19:11.160Z",
"dateReserved": "2025-12-08T01:18:04.279Z",
"dateUpdated": "2026-01-05T10:32:40.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40170 (GCVE-0-2025-40170)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:46 – Updated: 2026-01-08 09:50
VLAI?
EPSS
Title
net: use dst_dev_rcu() in sk_setup_caps()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: use dst_dev_rcu() in sk_setup_caps()
Use RCU to protect accesses to dst->dev from sk_setup_caps()
and sk_dst_gso_max_size().
Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),
and ip_dst_mtu_maybe_forward().
ip4_dst_hoplimit() can use dst_dev_net_rcu().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 5d1be493d1110c9e720b4c51a6e587bb2fb4ac12
(git)
Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < a805729c0091073d8f0415cfa96c7acd1bc17a48 (git) Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 99a2ace61b211b0be861b07fbaa062fca4b58879 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/ip.h",
"include/net/ip6_route.h",
"include/net/route.h",
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5d1be493d1110c9e720b4c51a6e587bb2fb4ac12",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "a805729c0091073d8f0415cfa96c7acd1bc17a48",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
},
{
"lessThan": "99a2ace61b211b0be861b07fbaa062fca4b58879",
"status": "affected",
"version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/ip.h",
"include/net/ip6_route.h",
"include/net/route.h",
"net/core/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.64",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use dst_dev_rcu() in sk_setup_caps()\n\nUse RCU to protect accesses to dst-\u003edev from sk_setup_caps()\nand sk_dst_gso_max_size().\n\nAlso use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),\nand ip_dst_mtu_maybe_forward().\n\nip4_dst_hoplimit() can use dst_dev_net_rcu()."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T09:50:18.753Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5d1be493d1110c9e720b4c51a6e587bb2fb4ac12"
},
{
"url": "https://git.kernel.org/stable/c/a805729c0091073d8f0415cfa96c7acd1bc17a48"
},
{
"url": "https://git.kernel.org/stable/c/99a2ace61b211b0be861b07fbaa062fca4b58879"
}
],
"title": "net: use dst_dev_rcu() in sk_setup_caps()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40170",
"datePublished": "2025-11-12T10:46:52.014Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2026-01-08T09:50:18.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53804 (GCVE-0-2023-53804)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:01 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
During unmount process of nilfs2, nothing holds nilfs_root structure after
nilfs2 detaches its writer in nilfs_detach_log_writer(). However, since
nilfs_evict_inode() uses nilfs_root for some cleanup operations, it may
cause use-after-free read if inodes are left in "garbage_list" and
released by nilfs_dispose_list() at the end of nilfs_detach_log_writer().
Fix this issue by modifying nilfs_evict_inode() to only clear inode
without additional metadata changes that use nilfs_root if the file system
is degraded to read-only or the writer is detached.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
e912a5b66837ee89fb025e67b5efeaa11930c2ce , < f31e18131ee2ce80a4da5c808221d25b1ae9ad6d
(git)
Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < 2a782ea8ebd712a458466e3103e2881b4f886cb5 (git) Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < 116d53f09ff52e6f98e3fe1f85d8898d6ba26c68 (git) Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < 6b4205ea97901f822004e6c8d59484ccfda03faa (git) Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < b8427b8522d9ede53015ba45a9978ba68d1162f5 (git) Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < acc2a40e428f12780004e1e9fce4722d88f909fd (git) Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < fb8e8d58f116d069e5939e1f786ac84e7fa4533e (git) Affected: e912a5b66837ee89fb025e67b5efeaa11930c2ce , < 9b5a04ac3ad9898c4745cba46ea26de74ba56a8e (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f31e18131ee2ce80a4da5c808221d25b1ae9ad6d",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "2a782ea8ebd712a458466e3103e2881b4f886cb5",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "116d53f09ff52e6f98e3fe1f85d8898d6ba26c68",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "6b4205ea97901f822004e6c8d59484ccfda03faa",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "b8427b8522d9ede53015ba45a9978ba68d1162f5",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "acc2a40e428f12780004e1e9fce4722d88f909fd",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "fb8e8d58f116d069e5939e1f786ac84e7fa4533e",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
},
{
"lessThan": "9b5a04ac3ad9898c4745cba46ea26de74ba56a8e",
"status": "affected",
"version": "e912a5b66837ee89fb025e67b5efeaa11930c2ce",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.316",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.316",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()\n\nDuring unmount process of nilfs2, nothing holds nilfs_root structure after\nnilfs2 detaches its writer in nilfs_detach_log_writer(). However, since\nnilfs_evict_inode() uses nilfs_root for some cleanup operations, it may\ncause use-after-free read if inodes are left in \"garbage_list\" and\nreleased by nilfs_dispose_list() at the end of nilfs_detach_log_writer().\n\nFix this issue by modifying nilfs_evict_inode() to only clear inode\nwithout additional metadata changes that use nilfs_root if the file system\nis degraded to read-only or the writer is detached."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:57.431Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f31e18131ee2ce80a4da5c808221d25b1ae9ad6d"
},
{
"url": "https://git.kernel.org/stable/c/2a782ea8ebd712a458466e3103e2881b4f886cb5"
},
{
"url": "https://git.kernel.org/stable/c/116d53f09ff52e6f98e3fe1f85d8898d6ba26c68"
},
{
"url": "https://git.kernel.org/stable/c/6b4205ea97901f822004e6c8d59484ccfda03faa"
},
{
"url": "https://git.kernel.org/stable/c/b8427b8522d9ede53015ba45a9978ba68d1162f5"
},
{
"url": "https://git.kernel.org/stable/c/acc2a40e428f12780004e1e9fce4722d88f909fd"
},
{
"url": "https://git.kernel.org/stable/c/fb8e8d58f116d069e5939e1f786ac84e7fa4533e"
},
{
"url": "https://git.kernel.org/stable/c/9b5a04ac3ad9898c4745cba46ea26de74ba56a8e"
}
],
"title": "nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53804",
"datePublished": "2025-12-09T00:01:01.787Z",
"dateReserved": "2025-12-08T23:58:35.276Z",
"dateUpdated": "2026-01-05T10:32:57.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53820 (GCVE-0-2023-53820)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:24 – Updated: 2025-12-23 16:39
VLAI?
EPSS
Title
loop: loop_set_status_from_info() check before assignment
Summary
In the Linux kernel, the following vulnerability has been resolved:
loop: loop_set_status_from_info() check before assignment
In loop_set_status_from_info(), lo->lo_offset and lo->lo_sizelimit should
be checked before reassignment, because if an overflow error occurs, the
original correct value will be changed to the wrong value, and it will not
be changed back.
More, the original patch did not solve the problem, the value was set and
ioctl returned an error, but the subsequent io used the value in the loop
driver, which still caused an alarm:
loop_handle_cmd
do_req_filebacked
loff_t pos = ((loff_t) blk_rq_pos(rq) << 9) + lo->lo_offset;
lo_rw_aio
cmd->iocb.ki_pos = pos
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2035c770bfdbcc82bd52e05871a7c82db9529e0f , < 6bdf4e6dfb60cbb6121ccf027d97ed2ec97c0bcb
(git)
Affected: a217715338fd48f72114725aa7a40e484a781ca7 , < 832580af82ace363205039a8e7c4ef04552ccc1a (git) Affected: 13b2856037a651ba3ab4a8b25ecab3e791926da3 , < 2ea7077748e5d7cc64f1c31342c802fe66ea7426 (git) Affected: b40877b8562c5720d0a7fce20729f56b75a3dede , < 861021710bba9dfa0749a3c209a6c1773208b1f1 (git) Affected: 6858933131d0dadac071c4d33335a9ea4b8e76cf , < c79a924ed6afac1708dfd370ba66bcf6a852ced6 (git) Affected: 0455bef69028c65065f16bb04635591b2374249b , < 3e7d0968203d668af6036b9f9199c7b62c8a3581 (git) Affected: c490a0b5a4f36da3918181a8acdc6991d967c5f3 , < 4be26d553a3f1d4f54f25353d1496c562002126d (git) Affected: c490a0b5a4f36da3918181a8acdc6991d967c5f3 , < 258809bf22bf71d53247856f374f2b1d055f2fd4 (git) Affected: c490a0b5a4f36da3918181a8acdc6991d967c5f3 , < 9f6ad5d533d1c71e51bdd06a5712c4fbc8768dfa (git) Affected: 18e28817cb516b39de6281f6db9b0618b2cc7b42 (git) Affected: adf0112d9b8acb03485624220b4934f69bf13369 (git) Affected: 9be7fa7ead18a48940df7b59d993bbc8b9055c15 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6bdf4e6dfb60cbb6121ccf027d97ed2ec97c0bcb",
"status": "affected",
"version": "2035c770bfdbcc82bd52e05871a7c82db9529e0f",
"versionType": "git"
},
{
"lessThan": "832580af82ace363205039a8e7c4ef04552ccc1a",
"status": "affected",
"version": "a217715338fd48f72114725aa7a40e484a781ca7",
"versionType": "git"
},
{
"lessThan": "2ea7077748e5d7cc64f1c31342c802fe66ea7426",
"status": "affected",
"version": "13b2856037a651ba3ab4a8b25ecab3e791926da3",
"versionType": "git"
},
{
"lessThan": "861021710bba9dfa0749a3c209a6c1773208b1f1",
"status": "affected",
"version": "b40877b8562c5720d0a7fce20729f56b75a3dede",
"versionType": "git"
},
{
"lessThan": "c79a924ed6afac1708dfd370ba66bcf6a852ced6",
"status": "affected",
"version": "6858933131d0dadac071c4d33335a9ea4b8e76cf",
"versionType": "git"
},
{
"lessThan": "3e7d0968203d668af6036b9f9199c7b62c8a3581",
"status": "affected",
"version": "0455bef69028c65065f16bb04635591b2374249b",
"versionType": "git"
},
{
"lessThan": "4be26d553a3f1d4f54f25353d1496c562002126d",
"status": "affected",
"version": "c490a0b5a4f36da3918181a8acdc6991d967c5f3",
"versionType": "git"
},
{
"lessThan": "258809bf22bf71d53247856f374f2b1d055f2fd4",
"status": "affected",
"version": "c490a0b5a4f36da3918181a8acdc6991d967c5f3",
"versionType": "git"
},
{
"lessThan": "9f6ad5d533d1c71e51bdd06a5712c4fbc8768dfa",
"status": "affected",
"version": "c490a0b5a4f36da3918181a8acdc6991d967c5f3",
"versionType": "git"
},
{
"status": "affected",
"version": "18e28817cb516b39de6281f6db9b0618b2cc7b42",
"versionType": "git"
},
{
"status": "affected",
"version": "adf0112d9b8acb03485624220b4934f69bf13369",
"versionType": "git"
},
{
"status": "affected",
"version": "9be7fa7ead18a48940df7b59d993bbc8b9055c15",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/loop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.312",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.274",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.312",
"versionStartIncluding": "4.19.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.274",
"versionStartIncluding": "5.4.212",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.10.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.100",
"versionStartIncluding": "5.15.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.327",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.292",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nloop: loop_set_status_from_info() check before assignment\n\nIn loop_set_status_from_info(), lo-\u003elo_offset and lo-\u003elo_sizelimit should\nbe checked before reassignment, because if an overflow error occurs, the\noriginal correct value will be changed to the wrong value, and it will not\nbe changed back.\n\nMore, the original patch did not solve the problem, the value was set and\nioctl returned an error, but the subsequent io used the value in the loop\ndriver, which still caused an alarm:\n\nloop_handle_cmd\n do_req_filebacked\n loff_t pos = ((loff_t) blk_rq_pos(rq) \u003c\u003c 9) + lo-\u003elo_offset;\n lo_rw_aio\n cmd-\u003eiocb.ki_pos = pos"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T16:39:55.361Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6bdf4e6dfb60cbb6121ccf027d97ed2ec97c0bcb"
},
{
"url": "https://git.kernel.org/stable/c/832580af82ace363205039a8e7c4ef04552ccc1a"
},
{
"url": "https://git.kernel.org/stable/c/2ea7077748e5d7cc64f1c31342c802fe66ea7426"
},
{
"url": "https://git.kernel.org/stable/c/861021710bba9dfa0749a3c209a6c1773208b1f1"
},
{
"url": "https://git.kernel.org/stable/c/c79a924ed6afac1708dfd370ba66bcf6a852ced6"
},
{
"url": "https://git.kernel.org/stable/c/3e7d0968203d668af6036b9f9199c7b62c8a3581"
},
{
"url": "https://git.kernel.org/stable/c/4be26d553a3f1d4f54f25353d1496c562002126d"
},
{
"url": "https://git.kernel.org/stable/c/258809bf22bf71d53247856f374f2b1d055f2fd4"
},
{
"url": "https://git.kernel.org/stable/c/9f6ad5d533d1c71e51bdd06a5712c4fbc8768dfa"
}
],
"title": "loop: loop_set_status_from_info() check before assignment",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53820",
"datePublished": "2025-12-09T01:24:29.417Z",
"dateReserved": "2025-12-08T23:58:35.278Z",
"dateUpdated": "2025-12-23T16:39:55.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54278 (GCVE-0-2023-54278)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:16 – Updated: 2025-12-30 12:16
VLAI?
EPSS
Title
s390/vmem: split pages when debug pagealloc is enabled
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/vmem: split pages when debug pagealloc is enabled
Since commit bb1520d581a3 ("s390/mm: start kernel with DAT enabled")
the kernel crashes early during boot when debug pagealloc is enabled:
mem auto-init: stack:off, heap alloc:off, heap free:off
addressing exception: 0005 ilc:2 [#1] SMP DEBUG_PAGEALLOC
Modules linked in:
CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0-rc3-09759-gc5666c912155 #630
[..]
Krnl Code: 00000000001325f6: ec5600248064 cgrj %r5,%r6,8,000000000013263e
00000000001325fc: eb880002000c srlg %r8,%r8,2
#0000000000132602: b2210051 ipte %r5,%r1,%r0,0
>0000000000132606: b90400d1 lgr %r13,%r1
000000000013260a: 41605008 la %r6,8(%r5)
000000000013260e: a7db1000 aghi %r13,4096
0000000000132612: b221006d ipte %r6,%r13,%r0,0
0000000000132616: e3d0d0000171 lay %r13,4096(%r13)
Call Trace:
__kernel_map_pages+0x14e/0x320
__free_pages_ok+0x23a/0x5a8)
free_low_memory_core_early+0x214/0x2c8
memblock_free_all+0x28/0x58
mem_init+0xb6/0x228
mm_core_init+0xb6/0x3b0
start_kernel+0x1d2/0x5a8
startup_continue+0x36/0x40
Kernel panic - not syncing: Fatal exception: panic_on_oops
This is caused by using large mappings on machines with EDAT1/EDAT2. Add
the code to split the mappings into 4k pages if debug pagealloc is enabled
by CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT or the debug_pagealloc kernel
command line option.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/mm/vmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "601e467e29a960f7ab7ec4075afc6a68c3532a65",
"status": "affected",
"version": "bb1520d581a3a46e2d6e12bb74604ace33404de5",
"versionType": "git"
},
{
"lessThan": "edc1e4b6e26536868ef819a735e04a5b32c10589",
"status": "affected",
"version": "bb1520d581a3a46e2d6e12bb74604ace33404de5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/mm/vmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/vmem: split pages when debug pagealloc is enabled\n\nSince commit bb1520d581a3 (\"s390/mm: start kernel with DAT enabled\")\nthe kernel crashes early during boot when debug pagealloc is enabled:\n\nmem auto-init: stack:off, heap alloc:off, heap free:off\naddressing exception: 0005 ilc:2 [#1] SMP DEBUG_PAGEALLOC\nModules linked in:\nCPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0-rc3-09759-gc5666c912155 #630\n[..]\nKrnl Code: 00000000001325f6: ec5600248064 cgrj %r5,%r6,8,000000000013263e\n 00000000001325fc: eb880002000c srlg %r8,%r8,2\n #0000000000132602: b2210051 ipte %r5,%r1,%r0,0\n \u003e0000000000132606: b90400d1 lgr %r13,%r1\n 000000000013260a: 41605008 la %r6,8(%r5)\n 000000000013260e: a7db1000 aghi %r13,4096\n 0000000000132612: b221006d ipte %r6,%r13,%r0,0\n 0000000000132616: e3d0d0000171 lay %r13,4096(%r13)\n\nCall Trace:\n __kernel_map_pages+0x14e/0x320\n __free_pages_ok+0x23a/0x5a8)\n free_low_memory_core_early+0x214/0x2c8\n memblock_free_all+0x28/0x58\n mem_init+0xb6/0x228\n mm_core_init+0xb6/0x3b0\n start_kernel+0x1d2/0x5a8\n startup_continue+0x36/0x40\nKernel panic - not syncing: Fatal exception: panic_on_oops\n\nThis is caused by using large mappings on machines with EDAT1/EDAT2. Add\nthe code to split the mappings into 4k pages if debug pagealloc is enabled\nby CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT or the debug_pagealloc kernel\ncommand line option."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:16:06.350Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/601e467e29a960f7ab7ec4075afc6a68c3532a65"
},
{
"url": "https://git.kernel.org/stable/c/edc1e4b6e26536868ef819a735e04a5b32c10589"
}
],
"title": "s390/vmem: split pages when debug pagealloc is enabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54278",
"datePublished": "2025-12-30T12:16:06.350Z",
"dateReserved": "2025-12-30T12:06:44.524Z",
"dateUpdated": "2025-12-30T12:16:06.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54041 (GCVE-0-2023-54041)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
io_uring: fix memory leak when removing provided buffers
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix memory leak when removing provided buffers
When removing provided buffers, io_buffer structs are not being disposed
of, leading to a memory leak. They can't be freed individually, because
they are allocated in page-sized groups. They need to be added to some
free list instead, such as io_buffers_cache. All callers already hold
the lock protecting it, apart from when destroying buffers, so had to
extend the lock there.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
cc3cec8367cba76a8ae4c271eba8450f3efc1ba3 , < ac48787f58d1068f4e06d627c1135784d64b4c72
(git)
Affected: cc3cec8367cba76a8ae4c271eba8450f3efc1ba3 , < c117c15927772d1624c29c092b6bd3f47c7faa48 (git) Affected: cc3cec8367cba76a8ae4c271eba8450f3efc1ba3 , < b4a72c0589fdea6259720375426179888969d6a2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/io_uring.c",
"io_uring/kbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac48787f58d1068f4e06d627c1135784d64b4c72",
"status": "affected",
"version": "cc3cec8367cba76a8ae4c271eba8450f3efc1ba3",
"versionType": "git"
},
{
"lessThan": "c117c15927772d1624c29c092b6bd3f47c7faa48",
"status": "affected",
"version": "cc3cec8367cba76a8ae4c271eba8450f3efc1ba3",
"versionType": "git"
},
{
"lessThan": "b4a72c0589fdea6259720375426179888969d6a2",
"status": "affected",
"version": "cc3cec8367cba76a8ae4c271eba8450f3efc1ba3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/io_uring.c",
"io_uring/kbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.24",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix memory leak when removing provided buffers\n\nWhen removing provided buffers, io_buffer structs are not being disposed\nof, leading to a memory leak. They can\u0027t be freed individually, because\nthey are allocated in page-sized groups. They need to be added to some\nfree list instead, such as io_buffers_cache. All callers already hold\nthe lock protecting it, apart from when destroying buffers, so had to\nextend the lock there."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:06.858Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac48787f58d1068f4e06d627c1135784d64b4c72"
},
{
"url": "https://git.kernel.org/stable/c/c117c15927772d1624c29c092b6bd3f47c7faa48"
},
{
"url": "https://git.kernel.org/stable/c/b4a72c0589fdea6259720375426179888969d6a2"
}
],
"title": "io_uring: fix memory leak when removing provided buffers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54041",
"datePublished": "2025-12-24T10:56:06.858Z",
"dateReserved": "2025-12-24T10:53:46.181Z",
"dateUpdated": "2025-12-24T10:56:06.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40322 (GCVE-0-2025-40322)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
fbdev: bitblit: bound-check glyph index in bit_putcs*
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: bitblit: bound-check glyph index in bit_putcs*
bit_putcs_aligned()/unaligned() derived the glyph pointer from the
character value masked by 0xff/0x1ff, which may exceed the actual font's
glyph count and read past the end of the built-in font array.
Clamp the index to the actual glyph count before computing the address.
This fixes a global out-of-bounds read reported by syzbot.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a10cede006f9614b465cf25609a8753efbfd45cc
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0998a6cb232674408a03e8561dc15aa266b2f53b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < db5c9a162d2f42bcc842b76b3d935dcc050a0eec (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c12003bf91fdff381c55ef54fef3e961a5af2545 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9ba1a7802ca9a2590cef95b253e6526f4364477f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 901f44227072be60812fe8083e83e1533c04eed1 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < efaf89a75a29b2d179bf4fe63ca62852e93ad620 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18c4ef4e765a798b47980555ed665d78b71aeadf (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a10cede006f9614b465cf25609a8753efbfd45cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0998a6cb232674408a03e8561dc15aa266b2f53b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "db5c9a162d2f42bcc842b76b3d935dcc050a0eec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c12003bf91fdff381c55ef54fef3e961a5af2545",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9ba1a7802ca9a2590cef95b253e6526f4364477f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "901f44227072be60812fe8083e83e1533c04eed1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "efaf89a75a29b2d179bf4fe63ca62852e93ad620",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "18c4ef4e765a798b47980555ed665d78b71aeadf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/core/bitblit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: bitblit: bound-check glyph index in bit_putcs*\n\nbit_putcs_aligned()/unaligned() derived the glyph pointer from the\ncharacter value masked by 0xff/0x1ff, which may exceed the actual font\u0027s\nglyph count and read past the end of the built-in font array.\nClamp the index to the actual glyph count before computing the address.\n\nThis fixes a global out-of-bounds read reported by syzbot."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:34.750Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a10cede006f9614b465cf25609a8753efbfd45cc"
},
{
"url": "https://git.kernel.org/stable/c/0998a6cb232674408a03e8561dc15aa266b2f53b"
},
{
"url": "https://git.kernel.org/stable/c/db5c9a162d2f42bcc842b76b3d935dcc050a0eec"
},
{
"url": "https://git.kernel.org/stable/c/c12003bf91fdff381c55ef54fef3e961a5af2545"
},
{
"url": "https://git.kernel.org/stable/c/9ba1a7802ca9a2590cef95b253e6526f4364477f"
},
{
"url": "https://git.kernel.org/stable/c/901f44227072be60812fe8083e83e1533c04eed1"
},
{
"url": "https://git.kernel.org/stable/c/efaf89a75a29b2d179bf4fe63ca62852e93ad620"
},
{
"url": "https://git.kernel.org/stable/c/18c4ef4e765a798b47980555ed665d78b71aeadf"
}
],
"title": "fbdev: bitblit: bound-check glyph index in bit_putcs*",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40322",
"datePublished": "2025-12-08T00:46:49.773Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2026-01-02T15:33:34.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68732 (GCVE-0-2025-68732)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
gpu: host1x: Fix race in syncpt alloc/free
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpu: host1x: Fix race in syncpt alloc/free
Fix race condition between host1x_syncpt_alloc()
and host1x_syncpt_put() by using kref_put_mutex()
instead of kref_put() + manual mutex locking.
This ensures no thread can acquire the
syncpt_mutex after the refcount drops to zero
but before syncpt_release acquires it.
This prevents races where syncpoints could
be allocated while still being cleaned up
from a previous release.
Remove explicit mutex locking in syncpt_release
as kref_put_mutex() handles this atomically.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f5ba33fb9690566c382624637125827b5512e766 , < ca9388fba50dac2eb71c13702b7022a801bef90e
(git)
Affected: f5ba33fb9690566c382624637125827b5512e766 , < 4aeaece518fa4436af93d1d8b786200d9656ff4b (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < 6245cce711e2cdb2cc75c0bb8632952e36f8c972 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < 4e6e07ce0197aecfb6c4a62862acc93b3efedeb7 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < d138f73ffb0c57ded473c577719e6e551b7b1f27 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < 79197c6007f2afbfd7bcf5b9b80ccabf8483d774 (git) Affected: f5ba33fb9690566c382624637125827b5512e766 , < c7d393267c497502fa737607f435f05dfe6e3d9b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/syncpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ca9388fba50dac2eb71c13702b7022a801bef90e",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "4aeaece518fa4436af93d1d8b786200d9656ff4b",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "6245cce711e2cdb2cc75c0bb8632952e36f8c972",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "4e6e07ce0197aecfb6c4a62862acc93b3efedeb7",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "d138f73ffb0c57ded473c577719e6e551b7b1f27",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "79197c6007f2afbfd7bcf5b9b80ccabf8483d774",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
},
{
"lessThan": "c7d393267c497502fa737607f435f05dfe6e3d9b",
"status": "affected",
"version": "f5ba33fb9690566c382624637125827b5512e766",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/host1x/syncpt.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.63",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.63",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.13",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.2",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix race in syncpt alloc/free\n\nFix race condition between host1x_syncpt_alloc()\nand host1x_syncpt_put() by using kref_put_mutex()\ninstead of kref_put() + manual mutex locking.\n\nThis ensures no thread can acquire the\nsyncpt_mutex after the refcount drops to zero\nbut before syncpt_release acquires it.\nThis prevents races where syncpoints could\nbe allocated while still being cleaned up\nfrom a previous release.\n\nRemove explicit mutex locking in syncpt_release\nas kref_put_mutex() handles this atomically."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:39.034Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ca9388fba50dac2eb71c13702b7022a801bef90e"
},
{
"url": "https://git.kernel.org/stable/c/4aeaece518fa4436af93d1d8b786200d9656ff4b"
},
{
"url": "https://git.kernel.org/stable/c/6245cce711e2cdb2cc75c0bb8632952e36f8c972"
},
{
"url": "https://git.kernel.org/stable/c/4e6e07ce0197aecfb6c4a62862acc93b3efedeb7"
},
{
"url": "https://git.kernel.org/stable/c/d138f73ffb0c57ded473c577719e6e551b7b1f27"
},
{
"url": "https://git.kernel.org/stable/c/79197c6007f2afbfd7bcf5b9b80ccabf8483d774"
},
{
"url": "https://git.kernel.org/stable/c/c7d393267c497502fa737607f435f05dfe6e3d9b"
}
],
"title": "gpu: host1x: Fix race in syncpt alloc/free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68732",
"datePublished": "2025-12-24T10:33:14.664Z",
"dateReserved": "2025-12-24T10:30:51.028Z",
"dateUpdated": "2026-01-19T12:18:39.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54235 (GCVE-0-2023-54235)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
PCI/DOE: Fix destroy_work_on_stack() race
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI/DOE: Fix destroy_work_on_stack() race
The following debug object splat was observed in testing:
ODEBUG: free active (active state 0) object: 0000000097d23782 object type: work_struct hint: doe_statemachine_work+0x0/0x510
WARNING: CPU: 1 PID: 71 at lib/debugobjects.c:514 debug_print_object+0x7d/0xb0
...
Workqueue: pci 0000:36:00.0 DOE [1 doe_statemachine_work
RIP: 0010:debug_print_object+0x7d/0xb0
...
Call Trace:
? debug_print_object+0x7d/0xb0
? __pfx_doe_statemachine_work+0x10/0x10
debug_object_free.part.0+0x11b/0x150
doe_statemachine_work+0x45e/0x510
process_one_work+0x1d4/0x3c0
This occurs because destroy_work_on_stack() was called after signaling
the completion in the calling thread. This creates a race between
destroy_work_on_stack() and the task->work struct going out of scope in
pci_doe().
Signal the work complete after destroying the work struct. This is safe
because signal_task_complete() is the final thing the work item does and
the workqueue code is careful not to access the work struct after.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
2a0e0f4773fe8032fb17e56f897bee32ce3cdc2b , < d96799ee3b78962c80e4b6653734f488f999ca09
(git)
Affected: abf04be0e7071f2bcd39bf97ba407e7d4439785e , < c4f9c0a3a6df143f2e1092823b7fa9e07d6ab57f (git) Affected: abf04be0e7071f2bcd39bf97ba407e7d4439785e , < 19cf3ba16dcc2ef059dcf010072d4f96d76486e0 (git) Affected: abf04be0e7071f2bcd39bf97ba407e7d4439785e , < e3a3a097eaebaf234a482b4d2f9f18fe989208c1 (git) Affected: 95628b830952943631d3d74f73f431f501c5d6f5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/doe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d96799ee3b78962c80e4b6653734f488f999ca09",
"status": "affected",
"version": "2a0e0f4773fe8032fb17e56f897bee32ce3cdc2b",
"versionType": "git"
},
{
"lessThan": "c4f9c0a3a6df143f2e1092823b7fa9e07d6ab57f",
"status": "affected",
"version": "abf04be0e7071f2bcd39bf97ba407e7d4439785e",
"versionType": "git"
},
{
"lessThan": "19cf3ba16dcc2ef059dcf010072d4f96d76486e0",
"status": "affected",
"version": "abf04be0e7071f2bcd39bf97ba407e7d4439785e",
"versionType": "git"
},
{
"lessThan": "e3a3a097eaebaf234a482b4d2f9f18fe989208c1",
"status": "affected",
"version": "abf04be0e7071f2bcd39bf97ba407e7d4439785e",
"versionType": "git"
},
{
"status": "affected",
"version": "95628b830952943631d3d74f73f431f501c5d6f5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/doe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "6.1.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/DOE: Fix destroy_work_on_stack() race\n\nThe following debug object splat was observed in testing:\n\n ODEBUG: free active (active state 0) object: 0000000097d23782 object type: work_struct hint: doe_statemachine_work+0x0/0x510\n WARNING: CPU: 1 PID: 71 at lib/debugobjects.c:514 debug_print_object+0x7d/0xb0\n ...\n Workqueue: pci 0000:36:00.0 DOE [1 doe_statemachine_work\n RIP: 0010:debug_print_object+0x7d/0xb0\n ...\n Call Trace:\n ? debug_print_object+0x7d/0xb0\n ? __pfx_doe_statemachine_work+0x10/0x10\n debug_object_free.part.0+0x11b/0x150\n doe_statemachine_work+0x45e/0x510\n process_one_work+0x1d4/0x3c0\n\nThis occurs because destroy_work_on_stack() was called after signaling\nthe completion in the calling thread. This creates a race between\ndestroy_work_on_stack() and the task-\u003ework struct going out of scope in\npci_doe().\n\nSignal the work complete after destroying the work struct. This is safe\nbecause signal_task_complete() is the final thing the work item does and\nthe workqueue code is careful not to access the work struct after."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:25.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d96799ee3b78962c80e4b6653734f488f999ca09"
},
{
"url": "https://git.kernel.org/stable/c/c4f9c0a3a6df143f2e1092823b7fa9e07d6ab57f"
},
{
"url": "https://git.kernel.org/stable/c/19cf3ba16dcc2ef059dcf010072d4f96d76486e0"
},
{
"url": "https://git.kernel.org/stable/c/e3a3a097eaebaf234a482b4d2f9f18fe989208c1"
}
],
"title": "PCI/DOE: Fix destroy_work_on_stack() race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54235",
"datePublished": "2025-12-30T12:11:25.688Z",
"dateReserved": "2025-12-30T12:06:44.508Z",
"dateUpdated": "2025-12-30T12:11:25.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54318 (GCVE-0-2023-54318)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add
While doing smcr_port_add, there maybe linkgroup add into or delete
from smc_lgr_list.list at the same time, which may result kernel crash.
So, use smc_lgr_list.lock to protect smc_lgr_list.list iterate in
smcr_port_add.
The crash calltrace show below:
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 0 PID: 559726 Comm: kworker/0:92 Kdump: loaded Tainted: G
Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 449e491 04/01/2014
Workqueue: events smc_ib_port_event_work [smc]
RIP: 0010:smcr_port_add+0xa6/0xf0 [smc]
RSP: 0000:ffffa5a2c8f67de0 EFLAGS: 00010297
RAX: 0000000000000001 RBX: ffff9935e0650000 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffff9935e0654290 RDI: ffff9935c8560000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9934c0401918
R10: 0000000000000000 R11: ffffffffb4a5c278 R12: ffff99364029aae4
R13: ffff99364029aa00 R14: 00000000ffffffed R15: ffff99364029ab08
FS: 0000000000000000(0000) GS:ffff994380600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000f06a10003 CR4: 0000000002770ef0
PKRU: 55555554
Call Trace:
smc_ib_port_event_work+0x18f/0x380 [smc]
process_one_work+0x19b/0x340
worker_thread+0x30/0x370
? process_one_work+0x340/0x340
kthread+0x114/0x130
? __kthread_cancel_work+0x50/0x50
ret_from_fork+0x1f/0x30
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1f90a05d9ff907c70456e7c9d7058372679a88c6 , < d1c6c93c27a4bf48006ab16cd9b38d85559d7645
(git)
Affected: 1f90a05d9ff907c70456e7c9d7058372679a88c6 , < 06b4934ab2b534bb92935c7601852066ebb9eab8 (git) Affected: 1f90a05d9ff907c70456e7c9d7058372679a88c6 , < 70c8d17007dc4a07156b7da44509527990e569b3 (git) Affected: 1f90a05d9ff907c70456e7c9d7058372679a88c6 , < b717463610a27fc0b58484cfead7a623d5913e61 (git) Affected: 1f90a05d9ff907c70456e7c9d7058372679a88c6 , < f5146e3ef0a9eea405874b36178c19a4863b8989 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/smc_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1c6c93c27a4bf48006ab16cd9b38d85559d7645",
"status": "affected",
"version": "1f90a05d9ff907c70456e7c9d7058372679a88c6",
"versionType": "git"
},
{
"lessThan": "06b4934ab2b534bb92935c7601852066ebb9eab8",
"status": "affected",
"version": "1f90a05d9ff907c70456e7c9d7058372679a88c6",
"versionType": "git"
},
{
"lessThan": "70c8d17007dc4a07156b7da44509527990e569b3",
"status": "affected",
"version": "1f90a05d9ff907c70456e7c9d7058372679a88c6",
"versionType": "git"
},
{
"lessThan": "b717463610a27fc0b58484cfead7a623d5913e61",
"status": "affected",
"version": "1f90a05d9ff907c70456e7c9d7058372679a88c6",
"versionType": "git"
},
{
"lessThan": "f5146e3ef0a9eea405874b36178c19a4863b8989",
"status": "affected",
"version": "1f90a05d9ff907c70456e7c9d7058372679a88c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/smc_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.132",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.195",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.132",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.54",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add\n\nWhile doing smcr_port_add, there maybe linkgroup add into or delete\nfrom smc_lgr_list.list at the same time, which may result kernel crash.\nSo, use smc_lgr_list.lock to protect smc_lgr_list.list iterate in\nsmcr_port_add.\n\nThe crash calltrace show below:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nPGD 0 P4D 0\nOops: 0000 [#1] SMP NOPTI\nCPU: 0 PID: 559726 Comm: kworker/0:92 Kdump: loaded Tainted: G\nHardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 449e491 04/01/2014\nWorkqueue: events smc_ib_port_event_work [smc]\nRIP: 0010:smcr_port_add+0xa6/0xf0 [smc]\nRSP: 0000:ffffa5a2c8f67de0 EFLAGS: 00010297\nRAX: 0000000000000001 RBX: ffff9935e0650000 RCX: 0000000000000000\nRDX: 0000000000000010 RSI: ffff9935e0654290 RDI: ffff9935c8560000\nRBP: 0000000000000000 R08: 0000000000000000 R09: ffff9934c0401918\nR10: 0000000000000000 R11: ffffffffb4a5c278 R12: ffff99364029aae4\nR13: ffff99364029aa00 R14: 00000000ffffffed R15: ffff99364029ab08\nFS: 0000000000000000(0000) GS:ffff994380600000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 0000000f06a10003 CR4: 0000000002770ef0\nPKRU: 55555554\nCall Trace:\n smc_ib_port_event_work+0x18f/0x380 [smc]\n process_one_work+0x19b/0x340\n worker_thread+0x30/0x370\n ? process_one_work+0x340/0x340\n kthread+0x114/0x130\n ? __kthread_cancel_work+0x50/0x50\n ret_from_fork+0x1f/0x30"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:48.134Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1c6c93c27a4bf48006ab16cd9b38d85559d7645"
},
{
"url": "https://git.kernel.org/stable/c/06b4934ab2b534bb92935c7601852066ebb9eab8"
},
{
"url": "https://git.kernel.org/stable/c/70c8d17007dc4a07156b7da44509527990e569b3"
},
{
"url": "https://git.kernel.org/stable/c/b717463610a27fc0b58484cfead7a623d5913e61"
},
{
"url": "https://git.kernel.org/stable/c/f5146e3ef0a9eea405874b36178c19a4863b8989"
}
],
"title": "net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54318",
"datePublished": "2025-12-30T12:23:48.134Z",
"dateReserved": "2025-12-30T12:06:44.531Z",
"dateUpdated": "2025-12-30T12:23:48.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68313 (GCVE-0-2025-68313)
Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
x86/CPU/AMD: Add RDSEED fix for Zen5
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/CPU/AMD: Add RDSEED fix for Zen5
There's an issue with RDSEED's 16-bit and 32-bit register output
variants on Zen5 which return a random value of 0 "at a rate inconsistent
with randomness while incorrectly signaling success (CF=1)". Search the
web for AMD-SB-7055 for more detail.
Add a fix glue which checks microcode revisions.
[ bp: Add microcode revisions checking, rewrite. ]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
3e4147f33f8b647775357bae0248b9a2aeebfcd2 , < e980de2ff109dacb6d9d3a77f01b27c467115ecb
(git)
Affected: 3e4147f33f8b647775357bae0248b9a2aeebfcd2 , < 36ff93e66d0efc46e39fab536a9feec968daa766 (git) Affected: 3e4147f33f8b647775357bae0248b9a2aeebfcd2 , < 607b9fb2ce248cc5b633c5949e0153838992c152 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e980de2ff109dacb6d9d3a77f01b27c467115ecb",
"status": "affected",
"version": "3e4147f33f8b647775357bae0248b9a2aeebfcd2",
"versionType": "git"
},
{
"lessThan": "36ff93e66d0efc46e39fab536a9feec968daa766",
"status": "affected",
"version": "3e4147f33f8b647775357bae0248b9a2aeebfcd2",
"versionType": "git"
},
{
"lessThan": "607b9fb2ce248cc5b633c5949e0153838992c152",
"status": "affected",
"version": "3e4147f33f8b647775357bae0248b9a2aeebfcd2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/cpu/amd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Add RDSEED fix for Zen5\n\nThere\u0027s an issue with RDSEED\u0027s 16-bit and 32-bit register output\nvariants on Zen5 which return a random value of 0 \"at a rate inconsistent\nwith randomness while incorrectly signaling success (CF=1)\". Search the\nweb for AMD-SB-7055 for more detail.\n\nAdd a fix glue which checks microcode revisions.\n\n [ bp: Add microcode revisions checking, rewrite. ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:56.955Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e980de2ff109dacb6d9d3a77f01b27c467115ecb"
},
{
"url": "https://git.kernel.org/stable/c/36ff93e66d0efc46e39fab536a9feec968daa766"
},
{
"url": "https://git.kernel.org/stable/c/607b9fb2ce248cc5b633c5949e0153838992c152"
}
],
"title": "x86/CPU/AMD: Add RDSEED fix for Zen5",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68313",
"datePublished": "2025-12-16T15:39:43.972Z",
"dateReserved": "2025-12-16T14:48:05.295Z",
"dateUpdated": "2026-01-02T15:34:56.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50727 (GCVE-0-2022-50727)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
scsi: efct: Fix possible memleak in efct_device_init()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: efct: Fix possible memleak in efct_device_init()
In efct_device_init(), when efct_scsi_reg_fc_transport() fails,
efct_scsi_tgt_driver_exit() is not called to release memory for
efct_scsi_tgt_driver_init() and causes memleak:
unreferenced object 0xffff8881020ce000 (size 2048):
comm "modprobe", pid 465, jiffies 4294928222 (age 55.872s)
backtrace:
[<0000000021a1ef1b>] kmalloc_trace+0x27/0x110
[<000000004c3ed51c>] target_register_template+0x4fd/0x7b0 [target_core_mod]
[<00000000f3393296>] efct_scsi_tgt_driver_init+0x18/0x50 [efct]
[<00000000115de533>] 0xffffffffc0d90011
[<00000000d608f646>] do_one_initcall+0xd0/0x4e0
[<0000000067828cf1>] do_init_module+0x1cc/0x6a0
...
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4df84e8466242de835416a4ec0c856c0e2ed26eb , < 038359eeccffaf0de4c1c9c51ee19cc5649619a1
(git)
Affected: 4df84e8466242de835416a4ec0c856c0e2ed26eb , < 0c6e6bb30229b1297ac0fd7ede2941d2322fc736 (git) Affected: 4df84e8466242de835416a4ec0c856c0e2ed26eb , < c7e96168a8ca3be96c4959475164bef31115f07e (git) Affected: 4df84e8466242de835416a4ec0c856c0e2ed26eb , < bb0cd225dd37df1f4a22e36dad59ff33178ecdfc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/elx/efct/efct_driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "038359eeccffaf0de4c1c9c51ee19cc5649619a1",
"status": "affected",
"version": "4df84e8466242de835416a4ec0c856c0e2ed26eb",
"versionType": "git"
},
{
"lessThan": "0c6e6bb30229b1297ac0fd7ede2941d2322fc736",
"status": "affected",
"version": "4df84e8466242de835416a4ec0c856c0e2ed26eb",
"versionType": "git"
},
{
"lessThan": "c7e96168a8ca3be96c4959475164bef31115f07e",
"status": "affected",
"version": "4df84e8466242de835416a4ec0c856c0e2ed26eb",
"versionType": "git"
},
{
"lessThan": "bb0cd225dd37df1f4a22e36dad59ff33178ecdfc",
"status": "affected",
"version": "4df84e8466242de835416a4ec0c856c0e2ed26eb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/elx/efct/efct_driver.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: efct: Fix possible memleak in efct_device_init()\n\nIn efct_device_init(), when efct_scsi_reg_fc_transport() fails,\nefct_scsi_tgt_driver_exit() is not called to release memory for\nefct_scsi_tgt_driver_init() and causes memleak:\n\nunreferenced object 0xffff8881020ce000 (size 2048):\n comm \"modprobe\", pid 465, jiffies 4294928222 (age 55.872s)\n backtrace:\n [\u003c0000000021a1ef1b\u003e] kmalloc_trace+0x27/0x110\n [\u003c000000004c3ed51c\u003e] target_register_template+0x4fd/0x7b0 [target_core_mod]\n [\u003c00000000f3393296\u003e] efct_scsi_tgt_driver_init+0x18/0x50 [efct]\n [\u003c00000000115de533\u003e] 0xffffffffc0d90011\n [\u003c00000000d608f646\u003e] do_one_initcall+0xd0/0x4e0\n [\u003c0000000067828cf1\u003e] do_init_module+0x1cc/0x6a0\n ..."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:48.315Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/038359eeccffaf0de4c1c9c51ee19cc5649619a1"
},
{
"url": "https://git.kernel.org/stable/c/0c6e6bb30229b1297ac0fd7ede2941d2322fc736"
},
{
"url": "https://git.kernel.org/stable/c/c7e96168a8ca3be96c4959475164bef31115f07e"
},
{
"url": "https://git.kernel.org/stable/c/bb0cd225dd37df1f4a22e36dad59ff33178ecdfc"
}
],
"title": "scsi: efct: Fix possible memleak in efct_device_init()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50727",
"datePublished": "2025-12-24T12:22:48.315Z",
"dateReserved": "2025-12-24T12:20:40.330Z",
"dateUpdated": "2025-12-24T12:22:48.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54189 (GCVE-0-2023-54189)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
pstore/ram: Add check for kstrdup
Summary
In the Linux kernel, the following vulnerability has been resolved:
pstore/ram: Add check for kstrdup
Add check for the return value of kstrdup() and return the error
if it fails in order to avoid NULL pointer dereference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c617a3b777b92a0e80ceff2dffaae9350d4c3850 , < 8430a8e8e85420d4cb51dcb08b0278ab194ea82f
(git)
Affected: e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8 , < a14cb307267ba7a1715403e071bdc4deda77eef5 (git) Affected: e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8 , < 38a9d7dac3ad25323145b4aaea3b5f434f50011d (git) Affected: e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8 , < f57ba91a46d3fc52bfdac9cca5cf5572ec7afd6d (git) Affected: e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8 , < 2a764a2facd9dd88a69777200f65dfd0182765dc (git) Affected: e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8 , < 065c81ae5817b245bb9feb6d54e027702740b49a (git) Affected: e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8 , < d97038d5ec2062733c1e016caf9baaf68cf64ea1 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8430a8e8e85420d4cb51dcb08b0278ab194ea82f",
"status": "affected",
"version": "c617a3b777b92a0e80ceff2dffaae9350d4c3850",
"versionType": "git"
},
{
"lessThan": "a14cb307267ba7a1715403e071bdc4deda77eef5",
"status": "affected",
"version": "e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8",
"versionType": "git"
},
{
"lessThan": "38a9d7dac3ad25323145b4aaea3b5f434f50011d",
"status": "affected",
"version": "e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8",
"versionType": "git"
},
{
"lessThan": "f57ba91a46d3fc52bfdac9cca5cf5572ec7afd6d",
"status": "affected",
"version": "e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8",
"versionType": "git"
},
{
"lessThan": "2a764a2facd9dd88a69777200f65dfd0182765dc",
"status": "affected",
"version": "e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8",
"versionType": "git"
},
{
"lessThan": "065c81ae5817b245bb9feb6d54e027702740b49a",
"status": "affected",
"version": "e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8",
"versionType": "git"
},
{
"lessThan": "d97038d5ec2062733c1e016caf9baaf68cf64ea1",
"status": "affected",
"version": "e163fdb3f7f8c62dccf194f3f37a7bcb3c333aa8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "5.4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: Add check for kstrdup\n\nAdd check for the return value of kstrdup() and return the error\nif it fails in order to avoid NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:57.915Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8430a8e8e85420d4cb51dcb08b0278ab194ea82f"
},
{
"url": "https://git.kernel.org/stable/c/a14cb307267ba7a1715403e071bdc4deda77eef5"
},
{
"url": "https://git.kernel.org/stable/c/38a9d7dac3ad25323145b4aaea3b5f434f50011d"
},
{
"url": "https://git.kernel.org/stable/c/f57ba91a46d3fc52bfdac9cca5cf5572ec7afd6d"
},
{
"url": "https://git.kernel.org/stable/c/2a764a2facd9dd88a69777200f65dfd0182765dc"
},
{
"url": "https://git.kernel.org/stable/c/065c81ae5817b245bb9feb6d54e027702740b49a"
},
{
"url": "https://git.kernel.org/stable/c/d97038d5ec2062733c1e016caf9baaf68cf64ea1"
}
],
"title": "pstore/ram: Add check for kstrdup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54189",
"datePublished": "2025-12-30T12:08:57.915Z",
"dateReserved": "2025-12-30T12:06:44.498Z",
"dateUpdated": "2025-12-30T12:08:57.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54194 (GCVE-0-2023-54194)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:09 – Updated: 2026-01-05 10:51
VLAI?
EPSS
Title
exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree
Summary
In the Linux kernel, the following vulnerability has been resolved:
exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree
The call stack shown below is a scenario in the Linux 4.19 kernel.
Allocating memory failed where exfat fs use kmalloc_array due to
system memory fragmentation, while the u-disk was inserted without
recognition.
Devices such as u-disk using the exfat file system are pluggable and
may be insert into the system at any time.
However, long-term running systems cannot guarantee the continuity of
physical memory. Therefore, it's necessary to address this issue.
Binder:2632_6: page allocation failure: order:4,
mode:0x6040c0(GFP_KERNEL|__GFP_COMP), nodemask=(null)
Call trace:
[242178.097582] dump_backtrace+0x0/0x4
[242178.097589] dump_stack+0xf4/0x134
[242178.097598] warn_alloc+0xd8/0x144
[242178.097603] __alloc_pages_nodemask+0x1364/0x1384
[242178.097608] kmalloc_order+0x2c/0x510
[242178.097612] kmalloc_order_trace+0x40/0x16c
[242178.097618] __kmalloc+0x360/0x408
[242178.097624] load_alloc_bitmap+0x160/0x284
[242178.097628] exfat_fill_super+0xa3c/0xe7c
[242178.097635] mount_bdev+0x2e8/0x3a0
[242178.097638] exfat_fs_mount+0x40/0x50
[242178.097643] mount_fs+0x138/0x2e8
[242178.097649] vfs_kern_mount+0x90/0x270
[242178.097655] do_mount+0x798/0x173c
[242178.097659] ksys_mount+0x114/0x1ac
[242178.097665] __arm64_sys_mount+0x24/0x34
[242178.097671] el0_svc_common+0xb8/0x1b8
[242178.097676] el0_svc_handler+0x74/0x90
[242178.097681] el0_svc+0x8/0x340
By analyzing the exfat code,we found that continuous physical memory
is not required here,so kvmalloc_array is used can solve this problem.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1e49a94cf707204b66a3fb242f2814712c941f52 , < 79d16a84ea41272dfcb0c00f9798ddd0edd8098d
(git)
Affected: 1e49a94cf707204b66a3fb242f2814712c941f52 , < 8a34a242cf03211cc89f68308d149b793f63c479 (git) Affected: 1e49a94cf707204b66a3fb242f2814712c941f52 , < 1427a7e96fb90d0896f74f5bcd21feb03cc7c3d0 (git) Affected: 1e49a94cf707204b66a3fb242f2814712c941f52 , < 0c5c3e8a2550b6b2a304b45f260296db9c09df96 (git) Affected: 1e49a94cf707204b66a3fb242f2814712c941f52 , < daf60d6cca26e50d65dac374db92e58de745ad26 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/exfat/balloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "79d16a84ea41272dfcb0c00f9798ddd0edd8098d",
"status": "affected",
"version": "1e49a94cf707204b66a3fb242f2814712c941f52",
"versionType": "git"
},
{
"lessThan": "8a34a242cf03211cc89f68308d149b793f63c479",
"status": "affected",
"version": "1e49a94cf707204b66a3fb242f2814712c941f52",
"versionType": "git"
},
{
"lessThan": "1427a7e96fb90d0896f74f5bcd21feb03cc7c3d0",
"status": "affected",
"version": "1e49a94cf707204b66a3fb242f2814712c941f52",
"versionType": "git"
},
{
"lessThan": "0c5c3e8a2550b6b2a304b45f260296db9c09df96",
"status": "affected",
"version": "1e49a94cf707204b66a3fb242f2814712c941f52",
"versionType": "git"
},
{
"lessThan": "daf60d6cca26e50d65dac374db92e58de745ad26",
"status": "affected",
"version": "1e49a94cf707204b66a3fb242f2814712c941f52",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/exfat/balloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree\n\nThe call stack shown below is a scenario in the Linux 4.19 kernel.\nAllocating memory failed where exfat fs use kmalloc_array due to\nsystem memory fragmentation, while the u-disk was inserted without\nrecognition.\nDevices such as u-disk using the exfat file system are pluggable and\nmay be insert into the system at any time.\nHowever, long-term running systems cannot guarantee the continuity of\nphysical memory. Therefore, it\u0027s necessary to address this issue.\n\nBinder:2632_6: page allocation failure: order:4,\n mode:0x6040c0(GFP_KERNEL|__GFP_COMP), nodemask=(null)\nCall trace:\n[242178.097582] dump_backtrace+0x0/0x4\n[242178.097589] dump_stack+0xf4/0x134\n[242178.097598] warn_alloc+0xd8/0x144\n[242178.097603] __alloc_pages_nodemask+0x1364/0x1384\n[242178.097608] kmalloc_order+0x2c/0x510\n[242178.097612] kmalloc_order_trace+0x40/0x16c\n[242178.097618] __kmalloc+0x360/0x408\n[242178.097624] load_alloc_bitmap+0x160/0x284\n[242178.097628] exfat_fill_super+0xa3c/0xe7c\n[242178.097635] mount_bdev+0x2e8/0x3a0\n[242178.097638] exfat_fs_mount+0x40/0x50\n[242178.097643] mount_fs+0x138/0x2e8\n[242178.097649] vfs_kern_mount+0x90/0x270\n[242178.097655] do_mount+0x798/0x173c\n[242178.097659] ksys_mount+0x114/0x1ac\n[242178.097665] __arm64_sys_mount+0x24/0x34\n[242178.097671] el0_svc_common+0xb8/0x1b8\n[242178.097676] el0_svc_handler+0x74/0x90\n[242178.097681] el0_svc+0x8/0x340\n\nBy analyzing the exfat code,we found that continuous physical memory\nis not required here,so kvmalloc_array is used can solve this problem."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:51:25.173Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/79d16a84ea41272dfcb0c00f9798ddd0edd8098d"
},
{
"url": "https://git.kernel.org/stable/c/8a34a242cf03211cc89f68308d149b793f63c479"
},
{
"url": "https://git.kernel.org/stable/c/1427a7e96fb90d0896f74f5bcd21feb03cc7c3d0"
},
{
"url": "https://git.kernel.org/stable/c/0c5c3e8a2550b6b2a304b45f260296db9c09df96"
},
{
"url": "https://git.kernel.org/stable/c/daf60d6cca26e50d65dac374db92e58de745ad26"
}
],
"title": "exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54194",
"datePublished": "2025-12-30T12:09:01.436Z",
"dateReserved": "2025-12-30T12:06:44.498Z",
"dateUpdated": "2026-01-05T10:51:25.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53855 (GCVE-0-2023-53855)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:30 – Updated: 2025-12-09 01:30
VLAI?
EPSS
Title
net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove
When the tagging protocol in current use is "ocelot-8021q" and we unbind
the driver, we see this splat:
$ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind
mscc_felix 0000:00:00.5 swp0: left promiscuous mode
sja1105 spi2.0: Link is Down
DSA: tree 1 torn down
mscc_felix 0000:00:00.5 swp2: left promiscuous mode
sja1105 spi2.2: Link is Down
DSA: tree 3 torn down
fsl_enetc 0000:00:00.2 eno2: left promiscuous mode
mscc_felix 0000:00:00.5: Link is Down
------------[ cut here ]------------
RTNL: assertion failed at net/dsa/tag_8021q.c (409)
WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0
Modules linked in:
CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771
pc : dsa_tag_8021q_unregister+0x12c/0x1a0
lr : dsa_tag_8021q_unregister+0x12c/0x1a0
Call trace:
dsa_tag_8021q_unregister+0x12c/0x1a0
felix_tag_8021q_teardown+0x130/0x150
felix_teardown+0x3c/0xd8
dsa_tree_teardown_switches+0xbc/0xe0
dsa_unregister_switch+0x168/0x260
felix_pci_remove+0x30/0x60
pci_device_remove+0x4c/0x100
device_release_driver_internal+0x188/0x288
device_links_unbind_consumers+0xfc/0x138
device_release_driver_internal+0xe0/0x288
device_driver_detach+0x24/0x38
unbind_store+0xd8/0x108
drv_attr_store+0x30/0x50
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
RTNL: assertion failed at net/8021q/vlan_core.c (376)
WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0
CPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771
pc : vlan_vid_del+0x1b8/0x1f0
lr : vlan_vid_del+0x1b8/0x1f0
dsa_tag_8021q_unregister+0x8c/0x1a0
felix_tag_8021q_teardown+0x130/0x150
felix_teardown+0x3c/0xd8
dsa_tree_teardown_switches+0xbc/0xe0
dsa_unregister_switch+0x168/0x260
felix_pci_remove+0x30/0x60
pci_device_remove+0x4c/0x100
device_release_driver_internal+0x188/0x288
device_links_unbind_consumers+0xfc/0x138
device_release_driver_internal+0xe0/0x288
device_driver_detach+0x24/0x38
unbind_store+0xd8/0x108
drv_attr_store+0x30/0x50
DSA: tree 0 torn down
This was somewhat not so easy to spot, because "ocelot-8021q" is not the
default tagging protocol, and thus, not everyone who tests the unbinding
path may have switched to it beforehand. The default
felix_tag_npi_teardown() does not require rtnl_lock() to be held.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
7c83a7c539abe9f980996063ac20532a7a7f6eb1 , < 758dbcfb257e1aee0a310bae789c2af6ffe35d0f
(git)
Affected: 7c83a7c539abe9f980996063ac20532a7a7f6eb1 , < 7ae8fa6b70975b6efbbef7912d09bff5a0bff491 (git) Affected: 7c83a7c539abe9f980996063ac20532a7a7f6eb1 , < a94c16a2fda010866b8858a386a8bfbeba4f72c5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/ocelot/felix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "758dbcfb257e1aee0a310bae789c2af6ffe35d0f",
"status": "affected",
"version": "7c83a7c539abe9f980996063ac20532a7a7f6eb1",
"versionType": "git"
},
{
"lessThan": "7ae8fa6b70975b6efbbef7912d09bff5a0bff491",
"status": "affected",
"version": "7c83a7c539abe9f980996063ac20532a7a7f6eb1",
"versionType": "git"
},
{
"lessThan": "a94c16a2fda010866b8858a386a8bfbeba4f72c5",
"status": "affected",
"version": "7c83a7c539abe9f980996063ac20532a7a7f6eb1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/ocelot/felix.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.46",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove\n\nWhen the tagging protocol in current use is \"ocelot-8021q\" and we unbind\nthe driver, we see this splat:\n\n$ echo \u00270000:00:00.2\u0027 \u003e /sys/bus/pci/drivers/fsl_enetc/unbind\nmscc_felix 0000:00:00.5 swp0: left promiscuous mode\nsja1105 spi2.0: Link is Down\nDSA: tree 1 torn down\nmscc_felix 0000:00:00.5 swp2: left promiscuous mode\nsja1105 spi2.2: Link is Down\nDSA: tree 3 torn down\nfsl_enetc 0000:00:00.2 eno2: left promiscuous mode\nmscc_felix 0000:00:00.5: Link is Down\n------------[ cut here ]------------\nRTNL: assertion failed at net/dsa/tag_8021q.c (409)\nWARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0\nModules linked in:\nCPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771\npc : dsa_tag_8021q_unregister+0x12c/0x1a0\nlr : dsa_tag_8021q_unregister+0x12c/0x1a0\nCall trace:\n dsa_tag_8021q_unregister+0x12c/0x1a0\n felix_tag_8021q_teardown+0x130/0x150\n felix_teardown+0x3c/0xd8\n dsa_tree_teardown_switches+0xbc/0xe0\n dsa_unregister_switch+0x168/0x260\n felix_pci_remove+0x30/0x60\n pci_device_remove+0x4c/0x100\n device_release_driver_internal+0x188/0x288\n device_links_unbind_consumers+0xfc/0x138\n device_release_driver_internal+0xe0/0x288\n device_driver_detach+0x24/0x38\n unbind_store+0xd8/0x108\n drv_attr_store+0x30/0x50\n---[ end trace 0000000000000000 ]---\n------------[ cut here ]------------\nRTNL: assertion failed at net/8021q/vlan_core.c (376)\nWARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0\nCPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771\npc : vlan_vid_del+0x1b8/0x1f0\nlr : vlan_vid_del+0x1b8/0x1f0\n dsa_tag_8021q_unregister+0x8c/0x1a0\n felix_tag_8021q_teardown+0x130/0x150\n felix_teardown+0x3c/0xd8\n dsa_tree_teardown_switches+0xbc/0xe0\n dsa_unregister_switch+0x168/0x260\n felix_pci_remove+0x30/0x60\n pci_device_remove+0x4c/0x100\n device_release_driver_internal+0x188/0x288\n device_links_unbind_consumers+0xfc/0x138\n device_release_driver_internal+0xe0/0x288\n device_driver_detach+0x24/0x38\n unbind_store+0xd8/0x108\n drv_attr_store+0x30/0x50\nDSA: tree 0 torn down\n\nThis was somewhat not so easy to spot, because \"ocelot-8021q\" is not the\ndefault tagging protocol, and thus, not everyone who tests the unbinding\npath may have switched to it beforehand. The default\nfelix_tag_npi_teardown() does not require rtnl_lock() to be held."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:30:20.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/758dbcfb257e1aee0a310bae789c2af6ffe35d0f"
},
{
"url": "https://git.kernel.org/stable/c/7ae8fa6b70975b6efbbef7912d09bff5a0bff491"
},
{
"url": "https://git.kernel.org/stable/c/a94c16a2fda010866b8858a386a8bfbeba4f72c5"
}
],
"title": "net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53855",
"datePublished": "2025-12-09T01:30:20.864Z",
"dateReserved": "2025-12-09T01:27:17.828Z",
"dateUpdated": "2025-12-09T01:30:20.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54009 (GCVE-0-2023-54009)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path
The cdns_i2c_master_xfer() function gets a runtime PM reference when the
function is entered. This reference is released when the function is
exited. There is currently one error path where the function exits
directly, which leads to a leak of the runtime PM reference.
Make sure that this error path also releases the runtime PM reference.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < fd7bf900c3215c77f6d779d1532faa22b79f2430
(git)
Affected: 1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < 2d65599ad1e4f195bbb80752cd5cbc2f1a018dba (git) Affected: 1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < a712b5a95270e62209f5c2201c774f708f75234e (git) Affected: 1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < d0dc6553b5f2b1272c01b0eba5fe2fd89cc59f44 (git) Affected: 1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < 5b14d7c6ba0ba5d167f5ef588ca6dfe1af6dd0aa (git) Affected: 1a351b10b9671fc2fac767c40a1c4373b9bf5092 , < ae1664f04f504a998737f5bb563f16b44357bcca (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-cadence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd7bf900c3215c77f6d779d1532faa22b79f2430",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
},
{
"lessThan": "2d65599ad1e4f195bbb80752cd5cbc2f1a018dba",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
},
{
"lessThan": "a712b5a95270e62209f5c2201c774f708f75234e",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
},
{
"lessThan": "d0dc6553b5f2b1272c01b0eba5fe2fd89cc59f44",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
},
{
"lessThan": "5b14d7c6ba0ba5d167f5ef588ca6dfe1af6dd0aa",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
},
{
"lessThan": "ae1664f04f504a998737f5bb563f16b44357bcca",
"status": "affected",
"version": "1a351b10b9671fc2fac767c40a1c4373b9bf5092",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-cadence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path\n\nThe cdns_i2c_master_xfer() function gets a runtime PM reference when the\nfunction is entered. This reference is released when the function is\nexited. There is currently one error path where the function exits\ndirectly, which leads to a leak of the runtime PM reference.\n\nMake sure that this error path also releases the runtime PM reference."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:42.679Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd7bf900c3215c77f6d779d1532faa22b79f2430"
},
{
"url": "https://git.kernel.org/stable/c/2d65599ad1e4f195bbb80752cd5cbc2f1a018dba"
},
{
"url": "https://git.kernel.org/stable/c/a712b5a95270e62209f5c2201c774f708f75234e"
},
{
"url": "https://git.kernel.org/stable/c/d0dc6553b5f2b1272c01b0eba5fe2fd89cc59f44"
},
{
"url": "https://git.kernel.org/stable/c/5b14d7c6ba0ba5d167f5ef588ca6dfe1af6dd0aa"
},
{
"url": "https://git.kernel.org/stable/c/ae1664f04f504a998737f5bb563f16b44357bcca"
}
],
"title": "i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54009",
"datePublished": "2025-12-24T10:55:42.679Z",
"dateReserved": "2025-12-24T10:53:46.178Z",
"dateUpdated": "2025-12-24T10:55:42.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54123 (GCVE-0-2023-54123)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
md/raid10: fix memleak for 'conf->bio_split'
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: fix memleak for 'conf->bio_split'
In the error path of raid10_run(), 'conf' need be freed, however,
'conf->bio_split' is missed and memory will be leaked.
Since there are 3 places to free 'conf', factor out a helper to fix the
problem.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fc9977dd069e4f82fcacb262652117c488647319 , < 133008af833b4f2e021d2c294c29c70364a3f0ba
(git)
Affected: fc9977dd069e4f82fcacb262652117c488647319 , < b6460f68c1cc95a80d089af402be501619f228e4 (git) Affected: fc9977dd069e4f82fcacb262652117c488647319 , < 6361b0592b46c465ac926c1f3105d66c30d9658b (git) Affected: fc9977dd069e4f82fcacb262652117c488647319 , < 7f673fa34c0e3f95ee951a1bbf61791164871d2e (git) Affected: fc9977dd069e4f82fcacb262652117c488647319 , < b21019a220d9cac08819bb6c63000de9ee61eb9e (git) Affected: fc9977dd069e4f82fcacb262652117c488647319 , < 5cba3e26c073b535e4e3b825ea481fb29c53943b (git) Affected: fc9977dd069e4f82fcacb262652117c488647319 , < e2fec8d95353a48634b085011626ba3ec8ab8b1c (git) Affected: fc9977dd069e4f82fcacb262652117c488647319 , < c9ac2acde53f5385de185bccf6aaa91cf9ac1541 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "133008af833b4f2e021d2c294c29c70364a3f0ba",
"status": "affected",
"version": "fc9977dd069e4f82fcacb262652117c488647319",
"versionType": "git"
},
{
"lessThan": "b6460f68c1cc95a80d089af402be501619f228e4",
"status": "affected",
"version": "fc9977dd069e4f82fcacb262652117c488647319",
"versionType": "git"
},
{
"lessThan": "6361b0592b46c465ac926c1f3105d66c30d9658b",
"status": "affected",
"version": "fc9977dd069e4f82fcacb262652117c488647319",
"versionType": "git"
},
{
"lessThan": "7f673fa34c0e3f95ee951a1bbf61791164871d2e",
"status": "affected",
"version": "fc9977dd069e4f82fcacb262652117c488647319",
"versionType": "git"
},
{
"lessThan": "b21019a220d9cac08819bb6c63000de9ee61eb9e",
"status": "affected",
"version": "fc9977dd069e4f82fcacb262652117c488647319",
"versionType": "git"
},
{
"lessThan": "5cba3e26c073b535e4e3b825ea481fb29c53943b",
"status": "affected",
"version": "fc9977dd069e4f82fcacb262652117c488647319",
"versionType": "git"
},
{
"lessThan": "e2fec8d95353a48634b085011626ba3ec8ab8b1c",
"status": "affected",
"version": "fc9977dd069e4f82fcacb262652117c488647319",
"versionType": "git"
},
{
"lessThan": "c9ac2acde53f5385de185bccf6aaa91cf9ac1541",
"status": "affected",
"version": "fc9977dd069e4f82fcacb262652117c488647319",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix memleak for \u0027conf-\u003ebio_split\u0027\n\nIn the error path of raid10_run(), \u0027conf\u0027 need be freed, however,\n\u0027conf-\u003ebio_split\u0027 is missed and memory will be leaked.\n\nSince there are 3 places to free \u0027conf\u0027, factor out a helper to fix the\nproblem."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:42.588Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/133008af833b4f2e021d2c294c29c70364a3f0ba"
},
{
"url": "https://git.kernel.org/stable/c/b6460f68c1cc95a80d089af402be501619f228e4"
},
{
"url": "https://git.kernel.org/stable/c/6361b0592b46c465ac926c1f3105d66c30d9658b"
},
{
"url": "https://git.kernel.org/stable/c/7f673fa34c0e3f95ee951a1bbf61791164871d2e"
},
{
"url": "https://git.kernel.org/stable/c/b21019a220d9cac08819bb6c63000de9ee61eb9e"
},
{
"url": "https://git.kernel.org/stable/c/5cba3e26c073b535e4e3b825ea481fb29c53943b"
},
{
"url": "https://git.kernel.org/stable/c/e2fec8d95353a48634b085011626ba3ec8ab8b1c"
},
{
"url": "https://git.kernel.org/stable/c/c9ac2acde53f5385de185bccf6aaa91cf9ac1541"
}
],
"title": "md/raid10: fix memleak for \u0027conf-\u003ebio_split\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54123",
"datePublished": "2025-12-24T13:06:42.588Z",
"dateReserved": "2025-12-24T13:02:52.521Z",
"dateUpdated": "2025-12-24T13:06:42.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40309 (GCVE-0-2025-40309)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
Bluetooth: SCO: Fix UAF on sco_conn_free
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SCO: Fix UAF on sco_conn_free
BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]
BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]
BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410
net/bluetooth/sco.c:107
Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352
CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted
6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci13 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x191/0x550 mm/kasan/report.c:482
kasan_report+0xc4/0x100 mm/kasan/report.c:595
sco_conn_free net/bluetooth/sco.c:87 [inline]
kref_put include/linux/kref.h:65 [inline]
sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107
sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441
hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]
hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313
hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121
hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147
hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689
hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319
worker_thread+0xbee/0x1200 kernel/workqueue.c:3400
kthread+0x3c7/0x870 kernel/kthread.c:463
ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 31370:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x70 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4382 [inline]
__kmalloc_noprof+0x22f/0x390 mm/slub.c:4394
kmalloc_noprof include/linux/slab.h:909 [inline]
sk_prot_alloc+0xae/0x220 net/core/sock.c:2239
sk_alloc+0x34/0x5a0 net/core/sock.c:2295
bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151
sco_sock_alloc net/bluetooth/sco.c:562 [inline]
sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593
bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135
__sock_create+0x3ad/0x780 net/socket.c:1589
sock_create net/socket.c:1647 [inline]
__sys_socket_create net/socket.c:1684 [inline]
__sys_socket+0xd5/0x330 net/socket.c:1731
__do_sys_socket net/socket.c:1745 [inline]
__se_sys_socket net/socket.c:1743 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1743
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 31374:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x70 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2428 [inline]
slab_free mm/slub.c:4701 [inline]
kfree+0x199/0x3b0 mm/slub.c:4900
sk_prot_free net/core/sock.c:2278 [inline]
__sk_destruct+0x4aa/0x630 net/core/sock.c:2373
sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333
__sock_release net/socket.c:649 [inline]
sock_close+0xb8/0x230 net/socket.c:1439
__fput+0x3d1/0x9e0 fs/file_table.c:468
task_work_run+0x206/0x2a0 kernel/task_work.c:227
get_signal+0x1201/0x1410 kernel/signal.c:2807
arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
s
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "391f83547b7b2c63e4b572ab838e10a06cfa4425",
"status": "affected",
"version": "e6720779ae612a14ac4ba7fe4fd5b27d900d932c",
"versionType": "git"
},
{
"lessThan": "ecb9a843be4d6fd710d7026e359f21015a062572",
"status": "affected",
"version": "e6720779ae612a14ac4ba7fe4fd5b27d900d932c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/sco.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_conn_free\n\nBUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]\nBUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]\nBUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410\nnet/bluetooth/sco.c:107\nWrite of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352\n\nCPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted\n6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci13 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x191/0x550 mm/kasan/report.c:482\n kasan_report+0xc4/0x100 mm/kasan/report.c:595\n sco_conn_free net/bluetooth/sco.c:87 [inline]\n kref_put include/linux/kref.h:65 [inline]\n sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107\n sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441\n hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]\n hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313\n hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121\n hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147\n hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689\n hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319\n worker_thread+0xbee/0x1200 kernel/workqueue.c:3400\n kthread+0x3c7/0x870 kernel/kthread.c:463\n ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 31370:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4382 [inline]\n __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xae/0x220 net/core/sock.c:2239\n sk_alloc+0x34/0x5a0 net/core/sock.c:2295\n bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151\n sco_sock_alloc net/bluetooth/sco.c:562 [inline]\n sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593\n bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135\n __sock_create+0x3ad/0x780 net/socket.c:1589\n sock_create net/socket.c:1647 [inline]\n __sys_socket_create net/socket.c:1684 [inline]\n __sys_socket+0xd5/0x330 net/socket.c:1731\n __do_sys_socket net/socket.c:1745 [inline]\n __se_sys_socket net/socket.c:1743 [inline]\n __x64_sys_socket+0x7a/0x90 net/socket.c:1743\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 31374:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:243 [inline]\n __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2428 [inline]\n slab_free mm/slub.c:4701 [inline]\n kfree+0x199/0x3b0 mm/slub.c:4900\n sk_prot_free net/core/sock.c:2278 [inline]\n __sk_destruct+0x4aa/0x630 net/core/sock.c:2373\n sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333\n __sock_release net/socket.c:649 [inline]\n sock_close+0xb8/0x230 net/socket.c:1439\n __fput+0x3d1/0x9e0 fs/file_table.c:468\n task_work_run+0x206/0x2a0 kernel/task_work.c:227\n get_signal+0x1201/0x1410 kernel/signal.c:2807\n arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n s\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:30.865Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/391f83547b7b2c63e4b572ab838e10a06cfa4425"
},
{
"url": "https://git.kernel.org/stable/c/ecb9a843be4d6fd710d7026e359f21015a062572"
}
],
"title": "Bluetooth: SCO: Fix UAF on sco_conn_free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40309",
"datePublished": "2025-12-08T00:46:34.785Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2026-01-02T15:33:30.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54300 (GCVE-0-2023-54300)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23
VLAI?
EPSS
Title
wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid
uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should
validate pkt_len before accessing the SKB.
For example, the obtained SKB may have been badly constructed with
pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr
but after being processed in ath9k_htc_rx_msg() and passed to
ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI
command header which should be located inside its data payload.
Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit
memory can be referenced.
Tested on Qualcomm Atheros Communications AR9271 802.11n .
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fb9987d0f748c983bb795a86f47522313f701a08 , < 0bc12e41af4e3ae1f0efecc377f0514459df0707
(git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 28259ce4f1f1f9ab37fa817756c89098213d2fc0 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 90e3c10177573b8662ac9858abd9bf731d5d98e0 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 250efb4d3f5b32a115ea6bf25437ba44a1b3c04f (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < ad5425e70789c29b93acafb5bb4629e4eb908296 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < d1c2ff2bd84c3692c9df267a2b991ce92bfca8ef (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 8ed572e52714593b209e3aa352406aff84481179 (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 75acec91aeaa07375cd5f418069e61b16d39bbad (git) Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < f24292e827088bba8de7158501ac25a59b064953 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bc12e41af4e3ae1f0efecc377f0514459df0707",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "28259ce4f1f1f9ab37fa817756c89098213d2fc0",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "90e3c10177573b8662ac9858abd9bf731d5d98e0",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "250efb4d3f5b32a115ea6bf25437ba44a1b3c04f",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "ad5425e70789c29b93acafb5bb4629e4eb908296",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "d1c2ff2bd84c3692c9df267a2b991ce92bfca8ef",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "8ed572e52714593b209e3aa352406aff84481179",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "75acec91aeaa07375cd5f418069e61b16d39bbad",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
},
{
"lessThan": "f24292e827088bba8de7158501ac25a59b064953",
"status": "affected",
"version": "fb9987d0f748c983bb795a86f47522313f701a08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath9k/wmi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx\n\nFor the reasons also described in commit b383e8abed41 (\"wifi: ath9k: avoid\nuninit memory read in ath9k_htc_rx_msg()\"), ath9k_htc_rx_msg() should\nvalidate pkt_len before accessing the SKB.\n\nFor example, the obtained SKB may have been badly constructed with\npkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr\nbut after being processed in ath9k_htc_rx_msg() and passed to\nath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI\ncommand header which should be located inside its data payload.\n\nImplement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit\nmemory can be referenced.\n\nTested on Qualcomm Atheros Communications AR9271 802.11n .\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:23:35.819Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bc12e41af4e3ae1f0efecc377f0514459df0707"
},
{
"url": "https://git.kernel.org/stable/c/28259ce4f1f1f9ab37fa817756c89098213d2fc0"
},
{
"url": "https://git.kernel.org/stable/c/90e3c10177573b8662ac9858abd9bf731d5d98e0"
},
{
"url": "https://git.kernel.org/stable/c/250efb4d3f5b32a115ea6bf25437ba44a1b3c04f"
},
{
"url": "https://git.kernel.org/stable/c/ad5425e70789c29b93acafb5bb4629e4eb908296"
},
{
"url": "https://git.kernel.org/stable/c/d1c2ff2bd84c3692c9df267a2b991ce92bfca8ef"
},
{
"url": "https://git.kernel.org/stable/c/8ed572e52714593b209e3aa352406aff84481179"
},
{
"url": "https://git.kernel.org/stable/c/75acec91aeaa07375cd5f418069e61b16d39bbad"
},
{
"url": "https://git.kernel.org/stable/c/f24292e827088bba8de7158501ac25a59b064953"
}
],
"title": "wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54300",
"datePublished": "2025-12-30T12:23:35.819Z",
"dateReserved": "2025-12-30T12:06:44.528Z",
"dateUpdated": "2025-12-30T12:23:35.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53828 (GCVE-0-2023-53828)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()
KSAN reports use-after-free in hci_add_adv_monitor().
While adding an adv monitor,
hci_add_adv_monitor() calls ->
msft_add_monitor_pattern() calls ->
msft_add_monitor_sync() calls ->
msft_le_monitor_advertisement_cb() calls in an error case ->
hci_free_adv_monitor() which frees the *moniter.
This is referenced by bt_dev_dbg() in hci_add_adv_monitor().
Fix the bt_dev_dbg() by using handle instead of monitor->handle.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
b747a83690c8f53bc7a3f75899415c699b2c51aa , < 81d8e9f59df63b8358751c1ffed9f1cf5c796909
(git)
Affected: b747a83690c8f53bc7a3f75899415c699b2c51aa , < aafda69d4807f5edf3558c9534be9b911774e63a (git) Affected: b747a83690c8f53bc7a3f75899415c699b2c51aa , < 8d66f7ced51cb924bc90278d6a0a26a52877271a (git) Affected: b747a83690c8f53bc7a3f75899415c699b2c51aa , < a2bcd2b63271a93a695fabbfbf459c603d956d48 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "81d8e9f59df63b8358751c1ffed9f1cf5c796909",
"status": "affected",
"version": "b747a83690c8f53bc7a3f75899415c699b2c51aa",
"versionType": "git"
},
{
"lessThan": "aafda69d4807f5edf3558c9534be9b911774e63a",
"status": "affected",
"version": "b747a83690c8f53bc7a3f75899415c699b2c51aa",
"versionType": "git"
},
{
"lessThan": "8d66f7ced51cb924bc90278d6a0a26a52877271a",
"status": "affected",
"version": "b747a83690c8f53bc7a3f75899415c699b2c51aa",
"versionType": "git"
},
{
"lessThan": "a2bcd2b63271a93a695fabbfbf459c603d956d48",
"status": "affected",
"version": "b747a83690c8f53bc7a3f75899415c699b2c51aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.53",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.53",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()\n\nKSAN reports use-after-free in hci_add_adv_monitor().\n\nWhile adding an adv monitor,\n hci_add_adv_monitor() calls -\u003e\n msft_add_monitor_pattern() calls -\u003e\n msft_add_monitor_sync() calls -\u003e\n msft_le_monitor_advertisement_cb() calls in an error case -\u003e\n hci_free_adv_monitor() which frees the *moniter.\n\nThis is referenced by bt_dev_dbg() in hci_add_adv_monitor().\n\nFix the bt_dev_dbg() by using handle instead of monitor-\u003ehandle."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:42.166Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/81d8e9f59df63b8358751c1ffed9f1cf5c796909"
},
{
"url": "https://git.kernel.org/stable/c/aafda69d4807f5edf3558c9534be9b911774e63a"
},
{
"url": "https://git.kernel.org/stable/c/8d66f7ced51cb924bc90278d6a0a26a52877271a"
},
{
"url": "https://git.kernel.org/stable/c/a2bcd2b63271a93a695fabbfbf459c603d956d48"
}
],
"title": "Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53828",
"datePublished": "2025-12-09T01:29:42.166Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:42.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54186 (GCVE-0-2023-54186)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
usb: typec: altmodes/displayport: fix pin_assignment_show
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: altmodes/displayport: fix pin_assignment_show
This patch fixes negative indexing of buf array in pin_assignment_show
when get_current_pin_assignments returns 0 i.e. no compatible pin
assignments are found.
BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c
...
Call trace:
dump_backtrace+0x110/0x204
dump_stack_lvl+0x84/0xbc
print_report+0x358/0x974
kasan_report+0x9c/0xfc
__do_kernel_fault+0xd4/0x2d4
do_bad_area+0x48/0x168
do_tag_check_fault+0x24/0x38
do_mem_abort+0x6c/0x14c
el1_abort+0x44/0x68
el1h_64_sync_handler+0x64/0xa4
el1h_64_sync+0x78/0x7c
pin_assignment_show+0x26c/0x33c
dev_attr_show+0x50/0xc0
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0e3bb7d6894d9b6e67d6382bb03a46a1dc989588 , < 0e61a7432fcd4bca06f05b7f1c7d7cb461880fe2
(git)
Affected: 0e3bb7d6894d9b6e67d6382bb03a46a1dc989588 , < 4f9c0a7c272626cb6716ffc7800e8c73260cdce6 (git) Affected: 0e3bb7d6894d9b6e67d6382bb03a46a1dc989588 , < ff466f77d0a56719979c4234abd412abd98eae8f (git) Affected: 0e3bb7d6894d9b6e67d6382bb03a46a1dc989588 , < fc0e18f95c88435bd8a1ceb540243cd7fbcd9781 (git) Affected: 0e3bb7d6894d9b6e67d6382bb03a46a1dc989588 , < 08bd1be1c716fd50a7df48f82dcbc59a103082b5 (git) Affected: 0e3bb7d6894d9b6e67d6382bb03a46a1dc989588 , < 54ee23e4ab263a495ace1eed43d3883212ece17f (git) Affected: 0e3bb7d6894d9b6e67d6382bb03a46a1dc989588 , < d8f28269dd4bf9b55c3fb376ae31512730a96fce (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/altmodes/displayport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e61a7432fcd4bca06f05b7f1c7d7cb461880fe2",
"status": "affected",
"version": "0e3bb7d6894d9b6e67d6382bb03a46a1dc989588",
"versionType": "git"
},
{
"lessThan": "4f9c0a7c272626cb6716ffc7800e8c73260cdce6",
"status": "affected",
"version": "0e3bb7d6894d9b6e67d6382bb03a46a1dc989588",
"versionType": "git"
},
{
"lessThan": "ff466f77d0a56719979c4234abd412abd98eae8f",
"status": "affected",
"version": "0e3bb7d6894d9b6e67d6382bb03a46a1dc989588",
"versionType": "git"
},
{
"lessThan": "fc0e18f95c88435bd8a1ceb540243cd7fbcd9781",
"status": "affected",
"version": "0e3bb7d6894d9b6e67d6382bb03a46a1dc989588",
"versionType": "git"
},
{
"lessThan": "08bd1be1c716fd50a7df48f82dcbc59a103082b5",
"status": "affected",
"version": "0e3bb7d6894d9b6e67d6382bb03a46a1dc989588",
"versionType": "git"
},
{
"lessThan": "54ee23e4ab263a495ace1eed43d3883212ece17f",
"status": "affected",
"version": "0e3bb7d6894d9b6e67d6382bb03a46a1dc989588",
"versionType": "git"
},
{
"lessThan": "d8f28269dd4bf9b55c3fb376ae31512730a96fce",
"status": "affected",
"version": "0e3bb7d6894d9b6e67d6382bb03a46a1dc989588",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/altmodes/displayport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.284",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.284",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmodes/displayport: fix pin_assignment_show\n\nThis patch fixes negative indexing of buf array in pin_assignment_show\nwhen get_current_pin_assignments returns 0 i.e. no compatible pin\nassignments are found.\n\nBUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c\n...\nCall trace:\ndump_backtrace+0x110/0x204\ndump_stack_lvl+0x84/0xbc\nprint_report+0x358/0x974\nkasan_report+0x9c/0xfc\n__do_kernel_fault+0xd4/0x2d4\ndo_bad_area+0x48/0x168\ndo_tag_check_fault+0x24/0x38\ndo_mem_abort+0x6c/0x14c\nel1_abort+0x44/0x68\nel1h_64_sync_handler+0x64/0xa4\nel1h_64_sync+0x78/0x7c\npin_assignment_show+0x26c/0x33c\ndev_attr_show+0x50/0xc0"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:55.882Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e61a7432fcd4bca06f05b7f1c7d7cb461880fe2"
},
{
"url": "https://git.kernel.org/stable/c/4f9c0a7c272626cb6716ffc7800e8c73260cdce6"
},
{
"url": "https://git.kernel.org/stable/c/ff466f77d0a56719979c4234abd412abd98eae8f"
},
{
"url": "https://git.kernel.org/stable/c/fc0e18f95c88435bd8a1ceb540243cd7fbcd9781"
},
{
"url": "https://git.kernel.org/stable/c/08bd1be1c716fd50a7df48f82dcbc59a103082b5"
},
{
"url": "https://git.kernel.org/stable/c/54ee23e4ab263a495ace1eed43d3883212ece17f"
},
{
"url": "https://git.kernel.org/stable/c/d8f28269dd4bf9b55c3fb376ae31512730a96fce"
}
],
"title": "usb: typec: altmodes/displayport: fix pin_assignment_show",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54186",
"datePublished": "2025-12-30T12:08:55.882Z",
"dateReserved": "2025-12-30T12:06:44.497Z",
"dateUpdated": "2025-12-30T12:08:55.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40198 (GCVE-0-2025-40198)
Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19
VLAI?
EPSS
Title
ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
Unlike other strings in the ext4 superblock, we rely on tune2fs to
make sure s_mount_opts is NUL terminated. Harden
parse_apply_sb_mount_options() by treating s_mount_opts as a potential
__nonstring.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 7bf46ff83a0ef11836e38ebd72cdc5107209342d
(git)
Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < b2bac84fde28fb6a88817b8b761abda17a1d300b (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < e651294218d2684302ee5ed95ccf381646f3e5b4 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 01829af7656b56d83682b3491265d583d502e502 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 2a0cf438320cdb783e0378570744c0ef0d83e934 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < a6e94557cd05adc82fae0400f6e17745563e5412 (git) Affected: 8b67f04ab9de5d8f3a71aef72bf02c995a506db5 , < 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7bf46ff83a0ef11836e38ebd72cdc5107209342d",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "b2bac84fde28fb6a88817b8b761abda17a1d300b",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "e651294218d2684302ee5ed95ccf381646f3e5b4",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "01829af7656b56d83682b3491265d583d502e502",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "2a0cf438320cdb783e0378570744c0ef0d83e934",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "a6e94557cd05adc82fae0400f6e17745563e5412",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
},
{
"lessThan": "8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8",
"status": "affected",
"version": "8b67f04ab9de5d8f3a71aef72bf02c995a506db5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.114",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.114",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.4",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid potential buffer over-read in parse_apply_sb_mount_options()\n\nUnlike other strings in the ext4 superblock, we rely on tune2fs to\nmake sure s_mount_opts is NUL terminated. Harden\nparse_apply_sb_mount_options() by treating s_mount_opts as a potential\n__nonstring."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:19:59.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7bf46ff83a0ef11836e38ebd72cdc5107209342d"
},
{
"url": "https://git.kernel.org/stable/c/b2bac84fde28fb6a88817b8b761abda17a1d300b"
},
{
"url": "https://git.kernel.org/stable/c/e651294218d2684302ee5ed95ccf381646f3e5b4"
},
{
"url": "https://git.kernel.org/stable/c/01829af7656b56d83682b3491265d583d502e502"
},
{
"url": "https://git.kernel.org/stable/c/2a0cf438320cdb783e0378570744c0ef0d83e934"
},
{
"url": "https://git.kernel.org/stable/c/a6e94557cd05adc82fae0400f6e17745563e5412"
},
{
"url": "https://git.kernel.org/stable/c/8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8"
}
],
"title": "ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40198",
"datePublished": "2025-11-12T21:56:33.220Z",
"dateReserved": "2025-04-16T07:20:57.178Z",
"dateUpdated": "2025-12-01T06:19:59.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68335 (GCVE-0-2025-68335)
Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
the fact that in case of early device detach via pcl818_detach(),
subdevice dev->read_subdev may not have initialized its pointer to
&struct comedi_async as intended. Thus, any such dereferencing of
&s->async->cmd will lead to general protection fault and kernel crash.
Mitigate this problem by removing a call to pcl818_ai_cancel() from
pcl818_detach() altogether. This way, if the subdevice setups its
support for async commands, everything async-related will be
handled via subdevice's own ->cancel() function in
comedi_device_detach_locked() even before pcl818_detach(). If no
support for asynchronous commands is provided, there is no need
to cancel anything either.
[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
<TASK>
pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
...
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
00aba6e7b5653a6607238ecdab7172318059d984 , < b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16
(git)
Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 935ad4b3c325c24fff2c702da403283025ffc722 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 88d99ca5adbd01ff088f5fb2ddeba5755e085e52 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 5caa40e7c6a43e08e3574f990865127705c22861 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < d948c53dec36dafe182631457597c49c1f1df5ea (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 877adccfacb32687b90714a27cfb09f444fdfa16 (git) Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < a51f025b5038abd3d22eed2ede4cd46793d89565 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl818.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "935ad4b3c325c24fff2c702da403283025ffc722",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "88d99ca5adbd01ff088f5fb2ddeba5755e085e52",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "5caa40e7c6a43e08e3574f990865127705c22861",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "d948c53dec36dafe182631457597c49c1f1df5ea",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "877adccfacb32687b90714a27cfb09f444fdfa16",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
},
{
"lessThan": "a51f025b5038abd3d22eed2ede4cd46793d89565",
"status": "affected",
"version": "00aba6e7b5653a6607238ecdab7172318059d984",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/drivers/pcl818.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()\n\nSyzbot identified an issue [1] in pcl818_ai_cancel(), which stems from\nthe fact that in case of early device detach via pcl818_detach(),\nsubdevice dev-\u003eread_subdev may not have initialized its pointer to\n\u0026struct comedi_async as intended. Thus, any such dereferencing of\n\u0026s-\u003easync-\u003ecmd will lead to general protection fault and kernel crash.\n\nMitigate this problem by removing a call to pcl818_ai_cancel() from\npcl818_detach() altogether. This way, if the subdevice setups its\nsupport for async commands, everything async-related will be\nhandled via subdevice\u0027s own -\u003ecancel() function in\ncomedi_device_detach_locked() even before pcl818_detach(). If no\nsupport for asynchronous commands is provided, there is no need\nto cancel anything either.\n\n[1] Syzbot crash:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\nCPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nRIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762\n...\nCall Trace:\n \u003cTASK\u003e\n pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115\n comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207\n do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]\n comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:20.046Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16"
},
{
"url": "https://git.kernel.org/stable/c/935ad4b3c325c24fff2c702da403283025ffc722"
},
{
"url": "https://git.kernel.org/stable/c/88d99ca5adbd01ff088f5fb2ddeba5755e085e52"
},
{
"url": "https://git.kernel.org/stable/c/5caa40e7c6a43e08e3574f990865127705c22861"
},
{
"url": "https://git.kernel.org/stable/c/d948c53dec36dafe182631457597c49c1f1df5ea"
},
{
"url": "https://git.kernel.org/stable/c/877adccfacb32687b90714a27cfb09f444fdfa16"
},
{
"url": "https://git.kernel.org/stable/c/a51f025b5038abd3d22eed2ede4cd46793d89565"
}
],
"title": "comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68335",
"datePublished": "2025-12-22T16:14:12.614Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2026-01-19T12:18:20.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38085 (GCVE-0-2025-38085)
Vulnerability from cvelistv5 – Published: 2025-06-28 07:44 – Updated: 2025-11-03 17:33
VLAI?
EPSS
Title
mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
huge_pmd_unshare() drops a reference on a page table that may have
previously been shared across processes, potentially turning it into a
normal page table used in another process in which unrelated VMAs can
afterwards be installed.
If this happens in the middle of a concurrent gup_fast(), gup_fast() could
end up walking the page tables of another process. While I don't see any
way in which that immediately leads to kernel memory corruption, it is
really weird and unexpected.
Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),
just like we do in khugepaged when removing page tables for a THP
collapse.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 952596b08c74e8fe9e2883d1dc8a8f54a37384ec
(git)
Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < a3d864c901a300c295692d129159fc3001a56185 (git) Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < b7754d3aa7bf9f62218d096c0c8f6c13698fac8b (git) Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < fe684290418ef9ef76630072086ee530b92f02b8 (git) Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 034a52b5ef57c9c8225d94e9067f3390bb33922f (git) Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < a6bfeb97941a9187833b526bc6cc4ff5706d0ce9 (git) Affected: 39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa , < 1013af4f585fccc4d3e5c5824d174de2257f7d6d (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:33:54.315Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "952596b08c74e8fe9e2883d1dc8a8f54a37384ec",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "a3d864c901a300c295692d129159fc3001a56185",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "b7754d3aa7bf9f62218d096c0c8f6c13698fac8b",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "fe684290418ef9ef76630072086ee530b92f02b8",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "034a52b5ef57c9c8225d94e9067f3390bb33922f",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "a6bfeb97941a9187833b526bc6cc4ff5706d0ce9",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
},
{
"lessThan": "1013af4f585fccc4d3e5c5824d174de2257f7d6d",
"status": "affected",
"version": "39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race\n\nhuge_pmd_unshare() drops a reference on a page table that may have\npreviously been shared across processes, potentially turning it into a\nnormal page table used in another process in which unrelated VMAs can\nafterwards be installed.\n\nIf this happens in the middle of a concurrent gup_fast(), gup_fast() could\nend up walking the page tables of another process. While I don\u0027t see any\nway in which that immediately leads to kernel memory corruption, it is\nreally weird and unexpected.\n\nFix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),\njust like we do in khugepaged when removing page tables for a THP\ncollapse."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T05:58:57.434Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec"
},
{
"url": "https://git.kernel.org/stable/c/a3d864c901a300c295692d129159fc3001a56185"
},
{
"url": "https://git.kernel.org/stable/c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b"
},
{
"url": "https://git.kernel.org/stable/c/fe684290418ef9ef76630072086ee530b92f02b8"
},
{
"url": "https://git.kernel.org/stable/c/034a52b5ef57c9c8225d94e9067f3390bb33922f"
},
{
"url": "https://git.kernel.org/stable/c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9"
},
{
"url": "https://git.kernel.org/stable/c/1013af4f585fccc4d3e5c5824d174de2257f7d6d"
},
{
"url": "https://project-zero.issues.chromium.org/issues/420715744"
}
],
"title": "mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38085",
"datePublished": "2025-06-28T07:44:26.178Z",
"dateReserved": "2025-04-16T04:51:23.981Z",
"dateUpdated": "2025-11-03T17:33:54.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54320 (GCVE-0-2023-54320)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
platform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2()
Summary
In the Linux kernel, the following vulnerability has been resolved:
platform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2()
Function amd_pmc_stb_debugfs_open_v2() may be called when the STB
debug mechanism enabled.
When amd_pmc_send_cmd() fails, the 'buf' needs to be released.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/pmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d804adef7b23b22bb82e1b3dd113e9073cea9bc1",
"status": "affected",
"version": "1ecfd30960d4377c2d85181608936dedd35bb171",
"versionType": "git"
},
{
"lessThan": "f6e7ac4c35a28aef0be93b32c533ae678ad0b9e7",
"status": "affected",
"version": "1ecfd30960d4377c2d85181608936dedd35bb171",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/platform/x86/amd/pmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2()\n\nFunction amd_pmc_stb_debugfs_open_v2() may be called when the STB\ndebug mechanism enabled.\n\nWhen amd_pmc_send_cmd() fails, the \u0027buf\u0027 needs to be released."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:24.885Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d804adef7b23b22bb82e1b3dd113e9073cea9bc1"
},
{
"url": "https://git.kernel.org/stable/c/f6e7ac4c35a28aef0be93b32c533ae678ad0b9e7"
}
],
"title": "platform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54320",
"datePublished": "2025-12-30T12:34:14.133Z",
"dateReserved": "2025-12-30T12:28:53.860Z",
"dateUpdated": "2026-01-05T11:37:24.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54166 (GCVE-0-2023-54166)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08
VLAI?
EPSS
Title
igc: Fix Kernel Panic during ndo_tx_timeout callback
Summary
In the Linux kernel, the following vulnerability has been resolved:
igc: Fix Kernel Panic during ndo_tx_timeout callback
The Xeon validation group has been carrying out some loaded tests
with various HW configurations, and they have seen some transmit
queue time out happening during the test. This will cause the
reset adapter function to be called by igc_tx_timeout().
Similar race conditions may arise when the interface is being brought
down and up in igc_reinit_locked(), an interrupt being generated, and
igc_clean_tx_irq() being called to complete the TX.
When the igc_tx_timeout() function is invoked, this patch will turn
off all TX ring HW queues during igc_down() process. TX ring HW queues
will be activated again during the igc_configure_tx_ring() process
when performing the igc_up() procedure later.
This patch also moved existing igc_disable_tx_ring_hw() to avoid using
forward declaration.
Kernel trace:
[ 7678.747813] ------------[ cut here ]------------
[ 7678.757914] NETDEV WATCHDOG: enp1s0 (igc): transmit queue 2 timed out
[ 7678.770117] WARNING: CPU: 0 PID: 13 at net/sched/sch_generic.c:525 dev_watchdog+0x1ae/0x1f0
[ 7678.784459] Modules linked in: xt_conntrack nft_chain_nat xt_MASQUERADE xt_addrtype nft_compat
nf_tables nfnetlink br_netfilter bridge stp llc overlay dm_mod emrcha(PO) emriio(PO) rktpm(PO)
cegbuf_mod(PO) patch_update(PO) se(PO) sgx_tgts(PO) mktme(PO) keylocker(PO) svtdx(PO) svfs_pci_hotplug(PO)
vtd_mod(PO) davemem(PO) svmabort(PO) svindexio(PO) usbx2(PO) ehci_sched(PO) svheartbeat(PO) ioapic(PO)
sv8259(PO) svintr(PO) lt(PO) pcierootport(PO) enginefw_mod(PO) ata(PO) smbus(PO) spiflash_cdf(PO) arden(PO)
dsa_iax(PO) oobmsm_punit(PO) cpm(PO) svkdb(PO) ebg_pch(PO) pch(PO) sviotargets(PO) svbdf(PO) svmem(PO)
svbios(PO) dram(PO) svtsc(PO) targets(PO) superio(PO) svkernel(PO) cswitch(PO) mcf(PO) pentiumIII_mod(PO)
fs_svfs(PO) mdevdefdb(PO) svfs_os_services(O) ixgbe mdio mdio_devres libphy emeraldrapids_svdefs(PO)
regsupport(O) libnvdimm nls_cp437 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel
snd_intel_dspcfg snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core snd_pcm snd_timer isst_if_mbox_pci
[ 7678.784496] input_leds isst_if_mmio sg snd isst_if_common soundcore wmi button sad9(O) drm fuse backlight
configfs efivarfs ip_tables x_tables vmd sdhci led_class rtl8150 r8152 hid_generic pegasus mmc_block usbhid
mmc_core hid megaraid_sas ixgb igb i2c_algo_bit ice i40e hpsa scsi_transport_sas e1000e e1000 e100 ax88179_178a
usbnet xhci_pci sd_mod xhci_hcd t10_pi crc32c_intel crc64_rocksoft igc crc64 crc_t10dif usbcore
crct10dif_generic ptp crct10dif_common usb_common pps_core
[ 7679.200403] RIP: 0010:dev_watchdog+0x1ae/0x1f0
[ 7679.210201] Code: 28 e9 53 ff ff ff 4c 89 e7 c6 05 06 42 b9 00 01 e8 17 d1 fb ff 44 89 e9 4c
89 e6 48 c7 c7 40 ad fb 81 48 89 c2 e8 52 62 82 ff <0f> 0b e9 72 ff ff ff 65 8b 05 80 7d 7c 7e
89 c0 48 0f a3 05 0a c1
[ 7679.245438] RSP: 0018:ffa00000001f7d90 EFLAGS: 00010282
[ 7679.256021] RAX: 0000000000000000 RBX: ff11000109938440 RCX: 0000000000000000
[ 7679.268710] RDX: ff11000361e26cd8 RSI: ff11000361e1b880 RDI: ff11000361e1b880
[ 7679.281314] RBP: ffa00000001f7da8 R08: ff1100035f8fffe8 R09: 0000000000027ffb
[ 7679.293840] R10: 0000000000001f0a R11: ff1100035f840000 R12: ff11000109938000
[ 7679.306276] R13: 0000000000000002 R14: dead000000000122 R15: ffa00000001f7e18
[ 7679.318648] FS: 0000000000000000(0000) GS:ff11000361e00000(0000) knlGS:0000000000000000
[ 7679.332064] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7679.342757] CR2: 00007ffff7fca168 CR3: 000000013b08a006 CR4: 0000000000471ef8
[ 7679.354984] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 7679.367207] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[ 7679.379370] PKRU: 55555554
[ 7679.386446] Call Trace:
[ 7679.393152] <TASK>
[ 7679.399363] ? __pfx_dev_watchdog+0x10/0x10
[ 7679.407870] call_timer_fn+0x31/0x110
[ 7679.415698] e
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
48d6d8f2f6096ef51bd193e2a2fb59cbbc350599 , < feba294c454a51bb1e80dd2ff038e335f07ae481
(git)
Affected: 5f9c656ab2c4c36f3b85819c7a9a8bec5711cfb5 , < c09df09241fdd6aa5b94a5243369662a13ec608a (git) Affected: 9b275176270efd18f2f4e328b32be1bad34c4c0d , < c12554d97fcd954d5c66bcd016586732cf240d0b (git) Affected: 9b275176270efd18f2f4e328b32be1bad34c4c0d , < d4a7ce642100765119a872d4aba1bf63e3a22c8a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igc/igc_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "feba294c454a51bb1e80dd2ff038e335f07ae481",
"status": "affected",
"version": "48d6d8f2f6096ef51bd193e2a2fb59cbbc350599",
"versionType": "git"
},
{
"lessThan": "c09df09241fdd6aa5b94a5243369662a13ec608a",
"status": "affected",
"version": "5f9c656ab2c4c36f3b85819c7a9a8bec5711cfb5",
"versionType": "git"
},
{
"lessThan": "c12554d97fcd954d5c66bcd016586732cf240d0b",
"status": "affected",
"version": "9b275176270efd18f2f4e328b32be1bad34c4c0d",
"versionType": "git"
},
{
"lessThan": "d4a7ce642100765119a872d4aba1bf63e3a22c8a",
"status": "affected",
"version": "9b275176270efd18f2f4e328b32be1bad34c4c0d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igc/igc_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "5.15.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "6.1.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Fix Kernel Panic during ndo_tx_timeout callback\n\nThe Xeon validation group has been carrying out some loaded tests\nwith various HW configurations, and they have seen some transmit\nqueue time out happening during the test. This will cause the\nreset adapter function to be called by igc_tx_timeout().\nSimilar race conditions may arise when the interface is being brought\ndown and up in igc_reinit_locked(), an interrupt being generated, and\nigc_clean_tx_irq() being called to complete the TX.\n\nWhen the igc_tx_timeout() function is invoked, this patch will turn\noff all TX ring HW queues during igc_down() process. TX ring HW queues\nwill be activated again during the igc_configure_tx_ring() process\nwhen performing the igc_up() procedure later.\n\nThis patch also moved existing igc_disable_tx_ring_hw() to avoid using\nforward declaration.\n\nKernel trace:\n[ 7678.747813] ------------[ cut here ]------------\n[ 7678.757914] NETDEV WATCHDOG: enp1s0 (igc): transmit queue 2 timed out\n[ 7678.770117] WARNING: CPU: 0 PID: 13 at net/sched/sch_generic.c:525 dev_watchdog+0x1ae/0x1f0\n[ 7678.784459] Modules linked in: xt_conntrack nft_chain_nat xt_MASQUERADE xt_addrtype nft_compat\nnf_tables nfnetlink br_netfilter bridge stp llc overlay dm_mod emrcha(PO) emriio(PO) rktpm(PO)\ncegbuf_mod(PO) patch_update(PO) se(PO) sgx_tgts(PO) mktme(PO) keylocker(PO) svtdx(PO) svfs_pci_hotplug(PO)\nvtd_mod(PO) davemem(PO) svmabort(PO) svindexio(PO) usbx2(PO) ehci_sched(PO) svheartbeat(PO) ioapic(PO)\nsv8259(PO) svintr(PO) lt(PO) pcierootport(PO) enginefw_mod(PO) ata(PO) smbus(PO) spiflash_cdf(PO) arden(PO)\ndsa_iax(PO) oobmsm_punit(PO) cpm(PO) svkdb(PO) ebg_pch(PO) pch(PO) sviotargets(PO) svbdf(PO) svmem(PO)\nsvbios(PO) dram(PO) svtsc(PO) targets(PO) superio(PO) svkernel(PO) cswitch(PO) mcf(PO) pentiumIII_mod(PO)\nfs_svfs(PO) mdevdefdb(PO) svfs_os_services(O) ixgbe mdio mdio_devres libphy emeraldrapids_svdefs(PO)\nregsupport(O) libnvdimm nls_cp437 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel\nsnd_intel_dspcfg snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core snd_pcm snd_timer isst_if_mbox_pci\n[ 7678.784496] input_leds isst_if_mmio sg snd isst_if_common soundcore wmi button sad9(O) drm fuse backlight\nconfigfs efivarfs ip_tables x_tables vmd sdhci led_class rtl8150 r8152 hid_generic pegasus mmc_block usbhid\nmmc_core hid megaraid_sas ixgb igb i2c_algo_bit ice i40e hpsa scsi_transport_sas e1000e e1000 e100 ax88179_178a\nusbnet xhci_pci sd_mod xhci_hcd t10_pi crc32c_intel crc64_rocksoft igc crc64 crc_t10dif usbcore\ncrct10dif_generic ptp crct10dif_common usb_common pps_core\n[ 7679.200403] RIP: 0010:dev_watchdog+0x1ae/0x1f0\n[ 7679.210201] Code: 28 e9 53 ff ff ff 4c 89 e7 c6 05 06 42 b9 00 01 e8 17 d1 fb ff 44 89 e9 4c\n89 e6 48 c7 c7 40 ad fb 81 48 89 c2 e8 52 62 82 ff \u003c0f\u003e 0b e9 72 ff ff ff 65 8b 05 80 7d 7c 7e\n89 c0 48 0f a3 05 0a c1\n[ 7679.245438] RSP: 0018:ffa00000001f7d90 EFLAGS: 00010282\n[ 7679.256021] RAX: 0000000000000000 RBX: ff11000109938440 RCX: 0000000000000000\n[ 7679.268710] RDX: ff11000361e26cd8 RSI: ff11000361e1b880 RDI: ff11000361e1b880\n[ 7679.281314] RBP: ffa00000001f7da8 R08: ff1100035f8fffe8 R09: 0000000000027ffb\n[ 7679.293840] R10: 0000000000001f0a R11: ff1100035f840000 R12: ff11000109938000\n[ 7679.306276] R13: 0000000000000002 R14: dead000000000122 R15: ffa00000001f7e18\n[ 7679.318648] FS: 0000000000000000(0000) GS:ff11000361e00000(0000) knlGS:0000000000000000\n[ 7679.332064] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 7679.342757] CR2: 00007ffff7fca168 CR3: 000000013b08a006 CR4: 0000000000471ef8\n[ 7679.354984] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 7679.367207] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 7679.379370] PKRU: 55555554\n[ 7679.386446] Call Trace:\n[ 7679.393152] \u003cTASK\u003e\n[ 7679.399363] ? __pfx_dev_watchdog+0x10/0x10\n[ 7679.407870] call_timer_fn+0x31/0x110\n[ 7679.415698] e\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:41.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/feba294c454a51bb1e80dd2ff038e335f07ae481"
},
{
"url": "https://git.kernel.org/stable/c/c09df09241fdd6aa5b94a5243369662a13ec608a"
},
{
"url": "https://git.kernel.org/stable/c/c12554d97fcd954d5c66bcd016586732cf240d0b"
},
{
"url": "https://git.kernel.org/stable/c/d4a7ce642100765119a872d4aba1bf63e3a22c8a"
}
],
"title": "igc: Fix Kernel Panic during ndo_tx_timeout callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54166",
"datePublished": "2025-12-30T12:08:41.832Z",
"dateReserved": "2025-12-30T12:06:44.495Z",
"dateUpdated": "2025-12-30T12:08:41.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68218 (GCVE-0-2025-68218)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57
VLAI?
EPSS
Title
nvme-multipath: fix lockdep WARN due to partition scan work
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvme-multipath: fix lockdep WARN due to partition scan work
Blktests test cases nvme/014, 057 and 058 fail occasionally due to a
lockdep WARN. As reported in the Closes tag URL, the WARN indicates that
a deadlock can happen due to the dependency among disk->open_mutex,
kblockd workqueue completion and partition_scan_work completion.
To avoid the lockdep WARN and the potential deadlock, cut the dependency
by running the partition_scan_work not by kblockd workqueue but by
nvme_wq.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
60de2e03f984cfbcdc12fa552f95087c35a05a98 , < 89456dab7ba5ab63d60945440926673a3205e829
(git)
Affected: 4a57f42e5ed42cb8f1beb262c4f6d3e698939e4e , < e2a897ad5f538d314955c747a0a2edb184fcdecd (git) Affected: 1f021341eef41e77a633186e9be5223de2ce5d48 , < ef4ab2a8abe554379e10303ae86f7c501336ba0d (git) Affected: 1f021341eef41e77a633186e9be5223de2ce5d48 , < b03eb63288a8ffe3adfb34e68309c8e2edb06d0b (git) Affected: 1f021341eef41e77a633186e9be5223de2ce5d48 , < 6d87cd5335784351280f82c47cc8a657271929c3 (git) Affected: a91b7eddf45afeeb9c5ece11dddff5de0921b00f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/multipath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "89456dab7ba5ab63d60945440926673a3205e829",
"status": "affected",
"version": "60de2e03f984cfbcdc12fa552f95087c35a05a98",
"versionType": "git"
},
{
"lessThan": "e2a897ad5f538d314955c747a0a2edb184fcdecd",
"status": "affected",
"version": "4a57f42e5ed42cb8f1beb262c4f6d3e698939e4e",
"versionType": "git"
},
{
"lessThan": "ef4ab2a8abe554379e10303ae86f7c501336ba0d",
"status": "affected",
"version": "1f021341eef41e77a633186e9be5223de2ce5d48",
"versionType": "git"
},
{
"lessThan": "b03eb63288a8ffe3adfb34e68309c8e2edb06d0b",
"status": "affected",
"version": "1f021341eef41e77a633186e9be5223de2ce5d48",
"versionType": "git"
},
{
"lessThan": "6d87cd5335784351280f82c47cc8a657271929c3",
"status": "affected",
"version": "1f021341eef41e77a633186e9be5223de2ce5d48",
"versionType": "git"
},
{
"status": "affected",
"version": "a91b7eddf45afeeb9c5ece11dddff5de0921b00f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/host/multipath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.118",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.60",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.118",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.118",
"versionStartIncluding": "6.6.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.60",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.10",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-multipath: fix lockdep WARN due to partition scan work\n\nBlktests test cases nvme/014, 057 and 058 fail occasionally due to a\nlockdep WARN. As reported in the Closes tag URL, the WARN indicates that\na deadlock can happen due to the dependency among disk-\u003eopen_mutex,\nkblockd workqueue completion and partition_scan_work completion.\n\nTo avoid the lockdep WARN and the potential deadlock, cut the dependency\nby running the partition_scan_work not by kblockd workqueue but by\nnvme_wq."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T13:57:12.733Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/89456dab7ba5ab63d60945440926673a3205e829"
},
{
"url": "https://git.kernel.org/stable/c/e2a897ad5f538d314955c747a0a2edb184fcdecd"
},
{
"url": "https://git.kernel.org/stable/c/ef4ab2a8abe554379e10303ae86f7c501336ba0d"
},
{
"url": "https://git.kernel.org/stable/c/b03eb63288a8ffe3adfb34e68309c8e2edb06d0b"
},
{
"url": "https://git.kernel.org/stable/c/6d87cd5335784351280f82c47cc8a657271929c3"
}
],
"title": "nvme-multipath: fix lockdep WARN due to partition scan work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68218",
"datePublished": "2025-12-16T13:57:12.733Z",
"dateReserved": "2025-12-16T13:41:40.256Z",
"dateUpdated": "2025-12-16T13:57:12.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53832 (GCVE-0-2023-53832)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29
VLAI?
EPSS
Title
md/raid10: fix null-ptr-deref in raid10_sync_request
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: fix null-ptr-deref in raid10_sync_request
init_resync() inits mempool and sets conf->have_replacemnt at the beginning
of sync, close_sync() frees the mempool when sync is completed.
After [1] recovery might be skipped and init_resync() is called but
close_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio.
The following is one way to reproduce the issue.
1) create a array, wait for resync to complete, mddev->recovery_cp is set
to MaxSector.
2) recovery is woken and it is skipped. conf->have_replacement is set to
0 in init_resync(). close_sync() not called.
3) some io errors and rdev A is set to WantReplacement.
4) a new device is added and set to A's replacement.
5) recovery is woken, A have replacement, but conf->have_replacemnt is
0. r10bio->dev[i].repl_bio will not be alloced and null-ptr-deref
occurs.
Fix it by not calling init_resync() if recovery skipped.
[1] commit 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled")
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7e83ccbecd608b971f340e951c9e84cd0343002f , < 38d33593260536840b49fd1dcac9aedfd14a9d42
(git)
Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < 14964127be77884003976a392c9faa9ebaabbbe1 (git) Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < bdbf104b1c91fbf38f82c522ebf75429f094292a (git) Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < 68695084077e3de9d3e94e09238ace2b6f246446 (git) Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < b50fd1c3d9d0175aa29ff2706ef36cc178bc356a (git) Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < 99b503e4edc5938885d839cf0e7571963f75d800 (git) Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < 9e9efc77efd1956cc244af975240f2513d78a371 (git) Affected: 7e83ccbecd608b971f340e951c9e84cd0343002f , < a405c6f0229526160aa3f177f65e20c86fce84c5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38d33593260536840b49fd1dcac9aedfd14a9d42",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "14964127be77884003976a392c9faa9ebaabbbe1",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "bdbf104b1c91fbf38f82c522ebf75429f094292a",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "68695084077e3de9d3e94e09238ace2b6f246446",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "b50fd1c3d9d0175aa29ff2706ef36cc178bc356a",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "99b503e4edc5938885d839cf0e7571963f75d800",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "9e9efc77efd1956cc244af975240f2513d78a371",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
},
{
"lessThan": "a405c6f0229526160aa3f177f65e20c86fce84c5",
"status": "affected",
"version": "7e83ccbecd608b971f340e951c9e84cd0343002f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/raid10.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.10"
},
{
"lessThan": "3.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.283",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.111",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.283",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.243",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.180",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.111",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "3.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/raid10: fix null-ptr-deref in raid10_sync_request\n\ninit_resync() inits mempool and sets conf-\u003ehave_replacemnt at the beginning\nof sync, close_sync() frees the mempool when sync is completed.\n\nAfter [1] recovery might be skipped and init_resync() is called but\nclose_sync() is not. null-ptr-deref occurs with r10bio-\u003edev[i].repl_bio.\n\nThe following is one way to reproduce the issue.\n\n 1) create a array, wait for resync to complete, mddev-\u003erecovery_cp is set\n to MaxSector.\n 2) recovery is woken and it is skipped. conf-\u003ehave_replacement is set to\n 0 in init_resync(). close_sync() not called.\n 3) some io errors and rdev A is set to WantReplacement.\n 4) a new device is added and set to A\u0027s replacement.\n 5) recovery is woken, A have replacement, but conf-\u003ehave_replacemnt is\n 0. r10bio-\u003edev[i].repl_bio will not be alloced and null-ptr-deref\n occurs.\n\nFix it by not calling init_resync() if recovery skipped.\n\n[1] commit 7e83ccbecd60 (\"md/raid10: Allow skipping recovery when clean arrays are assembled\")"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T01:29:47.513Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38d33593260536840b49fd1dcac9aedfd14a9d42"
},
{
"url": "https://git.kernel.org/stable/c/14964127be77884003976a392c9faa9ebaabbbe1"
},
{
"url": "https://git.kernel.org/stable/c/bdbf104b1c91fbf38f82c522ebf75429f094292a"
},
{
"url": "https://git.kernel.org/stable/c/68695084077e3de9d3e94e09238ace2b6f246446"
},
{
"url": "https://git.kernel.org/stable/c/b50fd1c3d9d0175aa29ff2706ef36cc178bc356a"
},
{
"url": "https://git.kernel.org/stable/c/99b503e4edc5938885d839cf0e7571963f75d800"
},
{
"url": "https://git.kernel.org/stable/c/9e9efc77efd1956cc244af975240f2513d78a371"
},
{
"url": "https://git.kernel.org/stable/c/a405c6f0229526160aa3f177f65e20c86fce84c5"
}
],
"title": "md/raid10: fix null-ptr-deref in raid10_sync_request",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53832",
"datePublished": "2025-12-09T01:29:47.513Z",
"dateReserved": "2025-12-09T01:27:17.825Z",
"dateUpdated": "2025-12-09T01:29:47.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54060 (GCVE-0-2023-54060)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
iommufd: Set end correctly when doing batch carry
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd: Set end correctly when doing batch carry
Even though the test suite covers this it somehow became obscured that
this wasn't working.
The test iommufd_ioas.mock_domain.access_domain_destory would blow up
rarely.
end should be set to 1 because this just pushed an item, the carry, to the
pfns list.
Sometimes the test would blow up with:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP
CPU: 5 PID: 584 Comm: iommufd Not tainted 6.5.0-rc1-dirty #1236
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:batch_unpin+0xa2/0x100 [iommufd]
Code: 17 48 81 fe ff ff 07 00 77 70 48 8b 15 b7 be 97 e2 48 85 d2 74 14 48 8b 14 fa 48 85 d2 74 0b 40 0f b6 f6 48 c1 e6 04 48 01 f2 <48> 8b 3a 48 c1 e0 06 89 ca 48 89 de 48 83 e7 f0 48 01 c7 e8 96 dc
RSP: 0018:ffffc90001677a58 EFLAGS: 00010246
RAX: 00007f7e2646f000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 00000000fefc4c8d RDI: 0000000000fefc4c
RBP: ffffc90001677a80 R08: 0000000000000048 R09: 0000000000000200
R10: 0000000000030b98 R11: ffffffff81f3bb40 R12: 0000000000000001
R13: ffff888101f75800 R14: ffffc90001677ad0 R15: 00000000000001fe
FS: 00007f9323679740(0000) GS:ffff8881ba540000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000105ede003 CR4: 00000000003706a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? show_regs+0x5c/0x70
? __die+0x1f/0x60
? page_fault_oops+0x15d/0x440
? lock_release+0xbc/0x240
? exc_page_fault+0x4a4/0x970
? asm_exc_page_fault+0x27/0x30
? batch_unpin+0xa2/0x100 [iommufd]
? batch_unpin+0xba/0x100 [iommufd]
__iopt_area_unfill_domain+0x198/0x430 [iommufd]
? __mutex_lock+0x8c/0xb80
? __mutex_lock+0x6aa/0xb80
? xa_erase+0x28/0x30
? iopt_table_remove_domain+0x162/0x320 [iommufd]
? lock_release+0xbc/0x240
iopt_area_unfill_domain+0xd/0x10 [iommufd]
iopt_table_remove_domain+0x195/0x320 [iommufd]
iommufd_hw_pagetable_destroy+0xb3/0x110 [iommufd]
iommufd_object_destroy_user+0x8e/0xf0 [iommufd]
iommufd_device_detach+0xc5/0x140 [iommufd]
iommufd_selftest_destroy+0x1f/0x70 [iommufd]
iommufd_object_destroy_user+0x8e/0xf0 [iommufd]
iommufd_destroy+0x3a/0x50 [iommufd]
iommufd_fops_ioctl+0xfb/0x170 [iommufd]
__x64_sys_ioctl+0x40d/0x9a0
do_syscall_64+0x3c/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/pages.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "176f36a376c417b58d19f79edfce20db9317eaa2",
"status": "affected",
"version": "f394576eb11dbcd3a740fa41e577b97f0720d26e",
"versionType": "git"
},
{
"lessThan": "b7c822fa6b7701b17e139f1c562fc24135880ed4",
"status": "affected",
"version": "f394576eb11dbcd3a740fa41e577b97f0720d26e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/iommufd/pages.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Set end correctly when doing batch carry\n\nEven though the test suite covers this it somehow became obscured that\nthis wasn\u0027t working.\n\nThe test iommufd_ioas.mock_domain.access_domain_destory would blow up\nrarely.\n\nend should be set to 1 because this just pushed an item, the carry, to the\npfns list.\n\nSometimes the test would blow up with:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP\n CPU: 5 PID: 584 Comm: iommufd Not tainted 6.5.0-rc1-dirty #1236\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:batch_unpin+0xa2/0x100 [iommufd]\n Code: 17 48 81 fe ff ff 07 00 77 70 48 8b 15 b7 be 97 e2 48 85 d2 74 14 48 8b 14 fa 48 85 d2 74 0b 40 0f b6 f6 48 c1 e6 04 48 01 f2 \u003c48\u003e 8b 3a 48 c1 e0 06 89 ca 48 89 de 48 83 e7 f0 48 01 c7 e8 96 dc\n RSP: 0018:ffffc90001677a58 EFLAGS: 00010246\n RAX: 00007f7e2646f000 RBX: 0000000000000000 RCX: 0000000000000001\n RDX: 0000000000000000 RSI: 00000000fefc4c8d RDI: 0000000000fefc4c\n RBP: ffffc90001677a80 R08: 0000000000000048 R09: 0000000000000200\n R10: 0000000000030b98 R11: ffffffff81f3bb40 R12: 0000000000000001\n R13: ffff888101f75800 R14: ffffc90001677ad0 R15: 00000000000001fe\n FS: 00007f9323679740(0000) GS:ffff8881ba540000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000105ede003 CR4: 00000000003706a0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n ? show_regs+0x5c/0x70\n ? __die+0x1f/0x60\n ? page_fault_oops+0x15d/0x440\n ? lock_release+0xbc/0x240\n ? exc_page_fault+0x4a4/0x970\n ? asm_exc_page_fault+0x27/0x30\n ? batch_unpin+0xa2/0x100 [iommufd]\n ? batch_unpin+0xba/0x100 [iommufd]\n __iopt_area_unfill_domain+0x198/0x430 [iommufd]\n ? __mutex_lock+0x8c/0xb80\n ? __mutex_lock+0x6aa/0xb80\n ? xa_erase+0x28/0x30\n ? iopt_table_remove_domain+0x162/0x320 [iommufd]\n ? lock_release+0xbc/0x240\n iopt_area_unfill_domain+0xd/0x10 [iommufd]\n iopt_table_remove_domain+0x195/0x320 [iommufd]\n iommufd_hw_pagetable_destroy+0xb3/0x110 [iommufd]\n iommufd_object_destroy_user+0x8e/0xf0 [iommufd]\n iommufd_device_detach+0xc5/0x140 [iommufd]\n iommufd_selftest_destroy+0x1f/0x70 [iommufd]\n iommufd_object_destroy_user+0x8e/0xf0 [iommufd]\n iommufd_destroy+0x3a/0x50 [iommufd]\n iommufd_fops_ioctl+0xfb/0x170 [iommufd]\n __x64_sys_ioctl+0x40d/0x9a0\n do_syscall_64+0x3c/0x80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:07.276Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/176f36a376c417b58d19f79edfce20db9317eaa2"
},
{
"url": "https://git.kernel.org/stable/c/b7c822fa6b7701b17e139f1c562fc24135880ed4"
}
],
"title": "iommufd: Set end correctly when doing batch carry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54060",
"datePublished": "2025-12-24T12:23:07.276Z",
"dateReserved": "2025-12-24T12:21:05.091Z",
"dateUpdated": "2025-12-24T12:23:07.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50873 (GCVE-0-2022-50873)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove
Summary
In the Linux kernel, the following vulnerability has been resolved:
vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove
In vp_vdpa_remove(), the code kfree(&vp_vdpa_mgtdev->mgtdev.id_table) uses
a reference of pointer as the argument of kfree, which is the wrong pointer
and then may hit crash like this:
Unable to handle kernel paging request at virtual address 00ffff003363e30c
Internal error: Oops: 96000004 [#1] SMP
Call trace:
rb_next+0x20/0x5c
ext4_readdir+0x494/0x5c4 [ext4]
iterate_dir+0x168/0x1b4
__se_sys_getdents64+0x68/0x170
__arm64_sys_getdents64+0x24/0x30
el0_svc_common.constprop.0+0x7c/0x1bc
do_el0_svc+0x2c/0x94
el0_svc+0x20/0x30
el0_sync_handler+0xb0/0xb4
el0_sync+0x160/0x180
Code: 54000220 f9400441 b4000161 aa0103e0 (f9400821)
SMP: stopping secondary CPUs
Starting crashdump kernel...
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ffbda8e9df10d1784d5427ec199e7d8308e3763f , < 8fe12680b2c731201519935013ec9219c93ec540
(git)
Affected: ffbda8e9df10d1784d5427ec199e7d8308e3763f , < 6ccc891f36d0c20ee220551caabdcd3886ec584b (git) Affected: ffbda8e9df10d1784d5427ec199e7d8308e3763f , < ed843d6ed7310a27cf7c8ee0a82a482eed0cb4a6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/virtio_pci/vp_vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8fe12680b2c731201519935013ec9219c93ec540",
"status": "affected",
"version": "ffbda8e9df10d1784d5427ec199e7d8308e3763f",
"versionType": "git"
},
{
"lessThan": "6ccc891f36d0c20ee220551caabdcd3886ec584b",
"status": "affected",
"version": "ffbda8e9df10d1784d5427ec199e7d8308e3763f",
"versionType": "git"
},
{
"lessThan": "ed843d6ed7310a27cf7c8ee0a82a482eed0cb4a6",
"status": "affected",
"version": "ffbda8e9df10d1784d5427ec199e7d8308e3763f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vdpa/virtio_pci/vp_vdpa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove\n\nIn vp_vdpa_remove(), the code kfree(\u0026vp_vdpa_mgtdev-\u003emgtdev.id_table) uses\na reference of pointer as the argument of kfree, which is the wrong pointer\nand then may hit crash like this:\n\nUnable to handle kernel paging request at virtual address 00ffff003363e30c\nInternal error: Oops: 96000004 [#1] SMP\nCall trace:\n rb_next+0x20/0x5c\n ext4_readdir+0x494/0x5c4 [ext4]\n iterate_dir+0x168/0x1b4\n __se_sys_getdents64+0x68/0x170\n __arm64_sys_getdents64+0x24/0x30\n el0_svc_common.constprop.0+0x7c/0x1bc\n do_el0_svc+0x2c/0x94\n el0_svc+0x20/0x30\n el0_sync_handler+0xb0/0xb4\n el0_sync+0x160/0x180\nCode: 54000220 f9400441 b4000161 aa0103e0 (f9400821)\nSMP: stopping secondary CPUs\nStarting crashdump kernel..."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:42.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8fe12680b2c731201519935013ec9219c93ec540"
},
{
"url": "https://git.kernel.org/stable/c/6ccc891f36d0c20ee220551caabdcd3886ec584b"
},
{
"url": "https://git.kernel.org/stable/c/ed843d6ed7310a27cf7c8ee0a82a482eed0cb4a6"
}
],
"title": "vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50873",
"datePublished": "2025-12-30T12:15:42.705Z",
"dateReserved": "2025-12-30T12:06:07.136Z",
"dateUpdated": "2025-12-30T12:15:42.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40268 (GCVE-0-2025-40268)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
cifs: client: fix memory leak in smb3_fs_context_parse_param
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: client: fix memory leak in smb3_fs_context_parse_param
The user calls fsconfig twice, but when the program exits, free() only
frees ctx->source for the second fsconfig, not the first.
Regarding fc->source, there is no code in the fs context related to its
memory reclamation.
To fix this memory leak, release the source memory corresponding to ctx
or fc before each parsing.
syzbot reported:
BUG: memory leak
unreferenced object 0xffff888128afa360 (size 96):
backtrace (crc 79c9c7ba):
kstrdup+0x3c/0x80 mm/util.c:84
smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444
BUG: memory leak
unreferenced object 0xffff888112c7d900 (size 96):
backtrace (crc 79c9c7ba):
smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629
smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 868fc62811d3fabcf5685e14f36377a855d5412d
(git)
Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 48c17341577e25a22feb13d694374b61d974edbc (git) Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 4515743cc7a42e1d67468402a6420c195532a6fa (git) Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "868fc62811d3fabcf5685e14f36377a855d5412d",
"status": "affected",
"version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
"versionType": "git"
},
{
"lessThan": "48c17341577e25a22feb13d694374b61d974edbc",
"status": "affected",
"version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
"versionType": "git"
},
{
"lessThan": "4515743cc7a42e1d67468402a6420c195532a6fa",
"status": "affected",
"version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
"versionType": "git"
},
{
"lessThan": "e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6",
"status": "affected",
"version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/fs_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: client: fix memory leak in smb3_fs_context_parse_param\n\nThe user calls fsconfig twice, but when the program exits, free() only\nfrees ctx-\u003esource for the second fsconfig, not the first.\nRegarding fc-\u003esource, there is no code in the fs context related to its\nmemory reclamation.\n\nTo fix this memory leak, release the source memory corresponding to ctx\nor fc before each parsing.\n\nsyzbot reported:\nBUG: memory leak\nunreferenced object 0xffff888128afa360 (size 96):\n backtrace (crc 79c9c7ba):\n kstrdup+0x3c/0x80 mm/util.c:84\n smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444\n\nBUG: memory leak\nunreferenced object 0xffff888112c7d900 (size 96):\n backtrace (crc 79c9c7ba):\n smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629\n smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:18.852Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/868fc62811d3fabcf5685e14f36377a855d5412d"
},
{
"url": "https://git.kernel.org/stable/c/48c17341577e25a22feb13d694374b61d974edbc"
},
{
"url": "https://git.kernel.org/stable/c/4515743cc7a42e1d67468402a6420c195532a6fa"
},
{
"url": "https://git.kernel.org/stable/c/e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6"
}
],
"title": "cifs: client: fix memory leak in smb3_fs_context_parse_param",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40268",
"datePublished": "2025-12-06T21:50:48.917Z",
"dateReserved": "2025-04-16T07:20:57.183Z",
"dateUpdated": "2026-01-02T15:33:18.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54199 (GCVE-0-2023-54199)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:09 – Updated: 2025-12-30 12:09
VLAI?
EPSS
Title
drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup()
Fix the below kernel panic due to null pointer access:
[ 18.504431] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000048
[ 18.513464] Mem abort info:
[ 18.516346] ESR = 0x0000000096000005
[ 18.520204] EC = 0x25: DABT (current EL), IL = 32 bits
[ 18.525706] SET = 0, FnV = 0
[ 18.528878] EA = 0, S1PTW = 0
[ 18.532117] FSC = 0x05: level 1 translation fault
[ 18.537138] Data abort info:
[ 18.540110] ISV = 0, ISS = 0x00000005
[ 18.544060] CM = 0, WnR = 0
[ 18.547109] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000112826000
[ 18.553738] [0000000000000048] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ 18.562690] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
**Snip**
[ 18.696758] Call trace:
[ 18.699278] adreno_gpu_cleanup+0x30/0x88
[ 18.703396] a6xx_destroy+0xc0/0x130
[ 18.707066] a6xx_gpu_init+0x308/0x424
[ 18.710921] adreno_bind+0x178/0x288
[ 18.714590] component_bind_all+0xe0/0x214
[ 18.718797] msm_drm_bind+0x1d4/0x614
[ 18.722566] try_to_bring_up_aggregate_device+0x16c/0x1b8
[ 18.728105] __component_add+0xa0/0x158
[ 18.732048] component_add+0x20/0x2c
[ 18.735719] adreno_probe+0x40/0xc0
[ 18.739300] platform_probe+0xb4/0xd4
[ 18.743068] really_probe+0xfc/0x284
[ 18.746738] __driver_probe_device+0xc0/0xec
[ 18.751129] driver_probe_device+0x48/0x110
[ 18.755421] __device_attach_driver+0xa8/0xd0
[ 18.759900] bus_for_each_drv+0x90/0xdc
[ 18.763843] __device_attach+0xfc/0x174
[ 18.767786] device_initial_probe+0x20/0x2c
[ 18.772090] bus_probe_device+0x40/0xa0
[ 18.776032] deferred_probe_work_func+0x94/0xd0
[ 18.780686] process_one_work+0x190/0x3d0
[ 18.784805] worker_thread+0x280/0x3d4
[ 18.788659] kthread+0x104/0x1c0
[ 18.791981] ret_from_fork+0x10/0x20
[ 18.795654] Code: f9400408 aa0003f3 aa1f03f4 91142015 (f9402516)
[ 18.801913] ---[ end trace 0000000000000000 ]---
[ 18.809039] Kernel panic - not syncing: Oops: Fatal exception
Patchwork: https://patchwork.freedesktop.org/patch/515605/
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
594726c93841c9e6182d3af540c6f317464bc23d , < 65a8b6d129cfcf63a2b8a36a63d275479ba6a217
(git)
Affected: 17e822f7591fb66162aca07685dc0b01468e5480 , < b26bd7791f3cdf3c3318162b1d40c9d1910facca (git) Affected: 17e822f7591fb66162aca07685dc0b01468e5480 , < 399d01375659c273fb6ad9ccfb6e92bc5b891e0d (git) Affected: 17e822f7591fb66162aca07685dc0b01468e5480 , < 7af606b9eb11d6cdf767cabbddc326e20d0d4702 (git) Affected: 17e822f7591fb66162aca07685dc0b01468e5480 , < 5fef23c1c0edceb44d16e64e7818f27d48b5bc38 (git) Affected: 17e822f7591fb66162aca07685dc0b01468e5480 , < dbeedbcb268d055d8895aceca427f897e12c2b50 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/adreno/adreno_gpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65a8b6d129cfcf63a2b8a36a63d275479ba6a217",
"status": "affected",
"version": "594726c93841c9e6182d3af540c6f317464bc23d",
"versionType": "git"
},
{
"lessThan": "b26bd7791f3cdf3c3318162b1d40c9d1910facca",
"status": "affected",
"version": "17e822f7591fb66162aca07685dc0b01468e5480",
"versionType": "git"
},
{
"lessThan": "399d01375659c273fb6ad9ccfb6e92bc5b891e0d",
"status": "affected",
"version": "17e822f7591fb66162aca07685dc0b01468e5480",
"versionType": "git"
},
{
"lessThan": "7af606b9eb11d6cdf767cabbddc326e20d0d4702",
"status": "affected",
"version": "17e822f7591fb66162aca07685dc0b01468e5480",
"versionType": "git"
},
{
"lessThan": "5fef23c1c0edceb44d16e64e7818f27d48b5bc38",
"status": "affected",
"version": "17e822f7591fb66162aca07685dc0b01468e5480",
"versionType": "git"
},
{
"lessThan": "dbeedbcb268d055d8895aceca427f897e12c2b50",
"status": "affected",
"version": "17e822f7591fb66162aca07685dc0b01468e5480",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/adreno/adreno_gpu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup()\n\nFix the below kernel panic due to null pointer access:\n[ 18.504431] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000048\n[ 18.513464] Mem abort info:\n[ 18.516346] ESR = 0x0000000096000005\n[ 18.520204] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 18.525706] SET = 0, FnV = 0\n[ 18.528878] EA = 0, S1PTW = 0\n[ 18.532117] FSC = 0x05: level 1 translation fault\n[ 18.537138] Data abort info:\n[ 18.540110] ISV = 0, ISS = 0x00000005\n[ 18.544060] CM = 0, WnR = 0\n[ 18.547109] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000112826000\n[ 18.553738] [0000000000000048] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n[ 18.562690] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n**Snip**\n[ 18.696758] Call trace:\n[ 18.699278] adreno_gpu_cleanup+0x30/0x88\n[ 18.703396] a6xx_destroy+0xc0/0x130\n[ 18.707066] a6xx_gpu_init+0x308/0x424\n[ 18.710921] adreno_bind+0x178/0x288\n[ 18.714590] component_bind_all+0xe0/0x214\n[ 18.718797] msm_drm_bind+0x1d4/0x614\n[ 18.722566] try_to_bring_up_aggregate_device+0x16c/0x1b8\n[ 18.728105] __component_add+0xa0/0x158\n[ 18.732048] component_add+0x20/0x2c\n[ 18.735719] adreno_probe+0x40/0xc0\n[ 18.739300] platform_probe+0xb4/0xd4\n[ 18.743068] really_probe+0xfc/0x284\n[ 18.746738] __driver_probe_device+0xc0/0xec\n[ 18.751129] driver_probe_device+0x48/0x110\n[ 18.755421] __device_attach_driver+0xa8/0xd0\n[ 18.759900] bus_for_each_drv+0x90/0xdc\n[ 18.763843] __device_attach+0xfc/0x174\n[ 18.767786] device_initial_probe+0x20/0x2c\n[ 18.772090] bus_probe_device+0x40/0xa0\n[ 18.776032] deferred_probe_work_func+0x94/0xd0\n[ 18.780686] process_one_work+0x190/0x3d0\n[ 18.784805] worker_thread+0x280/0x3d4\n[ 18.788659] kthread+0x104/0x1c0\n[ 18.791981] ret_from_fork+0x10/0x20\n[ 18.795654] Code: f9400408 aa0003f3 aa1f03f4 91142015 (f9402516)\n[ 18.801913] ---[ end trace 0000000000000000 ]---\n[ 18.809039] Kernel panic - not syncing: Oops: Fatal exception\n\nPatchwork: https://patchwork.freedesktop.org/patch/515605/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:09:04.886Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65a8b6d129cfcf63a2b8a36a63d275479ba6a217"
},
{
"url": "https://git.kernel.org/stable/c/b26bd7791f3cdf3c3318162b1d40c9d1910facca"
},
{
"url": "https://git.kernel.org/stable/c/399d01375659c273fb6ad9ccfb6e92bc5b891e0d"
},
{
"url": "https://git.kernel.org/stable/c/7af606b9eb11d6cdf767cabbddc326e20d0d4702"
},
{
"url": "https://git.kernel.org/stable/c/5fef23c1c0edceb44d16e64e7818f27d48b5bc38"
},
{
"url": "https://git.kernel.org/stable/c/dbeedbcb268d055d8895aceca427f897e12c2b50"
}
],
"title": "drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54199",
"datePublished": "2025-12-30T12:09:04.886Z",
"dateReserved": "2025-12-30T12:06:44.499Z",
"dateUpdated": "2025-12-30T12:09:04.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50866 (GCVE-0-2022-50866)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
ASoC: pxa: fix null-pointer dereference in filter()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: pxa: fix null-pointer dereference in filter()
kasprintf() would return NULL pointer when kmalloc() fail to allocate.
Need to check the return pointer before calling strcmp().
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
7a824e214e25a49442fe868dac0af8a904b24f58 , < 3ec75e0ea9550b8f2e531172f2e67ba9d5227ec3
(git)
Affected: 7a824e214e25a49442fe868dac0af8a904b24f58 , < 5b510a82740d2a42a75b5661b402bcaf8ae22cd5 (git) Affected: 7a824e214e25a49442fe868dac0af8a904b24f58 , < 0abd1d78317a3a2dfe00b203fbf14ee7df537e0a (git) Affected: 7a824e214e25a49442fe868dac0af8a904b24f58 , < a8baccb79de2f48a2083d51febf627eb50ce1898 (git) Affected: 7a824e214e25a49442fe868dac0af8a904b24f58 , < 21a1409e8cf73053b54f7860548e3043dfa351a9 (git) Affected: 7a824e214e25a49442fe868dac0af8a904b24f58 , < 83baa509396a742e0ce145b09fde1ce0a948f49a (git) Affected: 7a824e214e25a49442fe868dac0af8a904b24f58 , < 9fb9b3b67a5b8669296d6372cd901ef86557e6f6 (git) Affected: 7a824e214e25a49442fe868dac0af8a904b24f58 , < 21b92cf41952577a95bfa430e39478cbd66e42a7 (git) Affected: 7a824e214e25a49442fe868dac0af8a904b24f58 , < ec7bf231aaa1bdbcb69d23bc50c753c80fb22429 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/pxa/mmp-pcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3ec75e0ea9550b8f2e531172f2e67ba9d5227ec3",
"status": "affected",
"version": "7a824e214e25a49442fe868dac0af8a904b24f58",
"versionType": "git"
},
{
"lessThan": "5b510a82740d2a42a75b5661b402bcaf8ae22cd5",
"status": "affected",
"version": "7a824e214e25a49442fe868dac0af8a904b24f58",
"versionType": "git"
},
{
"lessThan": "0abd1d78317a3a2dfe00b203fbf14ee7df537e0a",
"status": "affected",
"version": "7a824e214e25a49442fe868dac0af8a904b24f58",
"versionType": "git"
},
{
"lessThan": "a8baccb79de2f48a2083d51febf627eb50ce1898",
"status": "affected",
"version": "7a824e214e25a49442fe868dac0af8a904b24f58",
"versionType": "git"
},
{
"lessThan": "21a1409e8cf73053b54f7860548e3043dfa351a9",
"status": "affected",
"version": "7a824e214e25a49442fe868dac0af8a904b24f58",
"versionType": "git"
},
{
"lessThan": "83baa509396a742e0ce145b09fde1ce0a948f49a",
"status": "affected",
"version": "7a824e214e25a49442fe868dac0af8a904b24f58",
"versionType": "git"
},
{
"lessThan": "9fb9b3b67a5b8669296d6372cd901ef86557e6f6",
"status": "affected",
"version": "7a824e214e25a49442fe868dac0af8a904b24f58",
"versionType": "git"
},
{
"lessThan": "21b92cf41952577a95bfa430e39478cbd66e42a7",
"status": "affected",
"version": "7a824e214e25a49442fe868dac0af8a904b24f58",
"versionType": "git"
},
{
"lessThan": "ec7bf231aaa1bdbcb69d23bc50c753c80fb22429",
"status": "affected",
"version": "7a824e214e25a49442fe868dac0af8a904b24f58",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/pxa/mmp-pcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.337",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.337",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: pxa: fix null-pointer dereference in filter()\n\nkasprintf() would return NULL pointer when kmalloc() fail to allocate.\nNeed to check the return pointer before calling strcmp()."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:37.827Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3ec75e0ea9550b8f2e531172f2e67ba9d5227ec3"
},
{
"url": "https://git.kernel.org/stable/c/5b510a82740d2a42a75b5661b402bcaf8ae22cd5"
},
{
"url": "https://git.kernel.org/stable/c/0abd1d78317a3a2dfe00b203fbf14ee7df537e0a"
},
{
"url": "https://git.kernel.org/stable/c/a8baccb79de2f48a2083d51febf627eb50ce1898"
},
{
"url": "https://git.kernel.org/stable/c/21a1409e8cf73053b54f7860548e3043dfa351a9"
},
{
"url": "https://git.kernel.org/stable/c/83baa509396a742e0ce145b09fde1ce0a948f49a"
},
{
"url": "https://git.kernel.org/stable/c/9fb9b3b67a5b8669296d6372cd901ef86557e6f6"
},
{
"url": "https://git.kernel.org/stable/c/21b92cf41952577a95bfa430e39478cbd66e42a7"
},
{
"url": "https://git.kernel.org/stable/c/ec7bf231aaa1bdbcb69d23bc50c753c80fb22429"
}
],
"title": "ASoC: pxa: fix null-pointer dereference in filter()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50866",
"datePublished": "2025-12-30T12:15:37.827Z",
"dateReserved": "2025-12-30T12:06:07.136Z",
"dateUpdated": "2025-12-30T12:15:37.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54141 (GCVE-0-2023-54141)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
wifi: ath11k: Add missing hw_ops->get_ring_selector() for IPQ5018
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: Add missing hw_ops->get_ring_selector() for IPQ5018
During sending data after clients connected, hw_ops->get_ring_selector()
will be called. But for IPQ5018, this member isn't set, and the
following NULL pointer exception will be occurred:
[ 38.840478] 8<--- cut here ---
[ 38.840517] Unable to handle kernel NULL pointer dereference at virtual address 00000000
...
[ 38.923161] PC is at 0x0
[ 38.927930] LR is at ath11k_dp_tx+0x70/0x730 [ath11k]
...
[ 39.063264] Process hostapd (pid: 1034, stack limit = 0x801ceb3d)
[ 39.068994] Stack: (0x856a9a68 to 0x856aa000)
...
[ 39.438467] [<7f323804>] (ath11k_dp_tx [ath11k]) from [<7f314e6c>] (ath11k_mac_op_tx+0x80/0x190 [ath11k])
[ 39.446607] [<7f314e6c>] (ath11k_mac_op_tx [ath11k]) from [<7f17dbe0>] (ieee80211_handle_wake_tx_queue+0x7c/0xc0 [mac80211])
[ 39.456162] [<7f17dbe0>] (ieee80211_handle_wake_tx_queue [mac80211]) from [<7f174450>] (ieee80211_probereq_get+0x584/0x704 [mac80211])
[ 39.467443] [<7f174450>] (ieee80211_probereq_get [mac80211]) from [<7f178c40>] (ieee80211_tx_prepare_skb+0x1f8/0x248 [mac80211])
[ 39.479334] [<7f178c40>] (ieee80211_tx_prepare_skb [mac80211]) from [<7f179e28>] (__ieee80211_subif_start_xmit+0x32c/0x3d4 [mac80211])
[ 39.491053] [<7f179e28>] (__ieee80211_subif_start_xmit [mac80211]) from [<7f17af08>] (ieee80211_tx_control_port+0x19c/0x288 [mac80211])
[ 39.502946] [<7f17af08>] (ieee80211_tx_control_port [mac80211]) from [<7f0fc704>] (nl80211_tx_control_port+0x174/0x1d4 [cfg80211])
[ 39.515017] [<7f0fc704>] (nl80211_tx_control_port [cfg80211]) from [<808ceac4>] (genl_rcv_msg+0x154/0x340)
[ 39.526814] [<808ceac4>] (genl_rcv_msg) from [<808cdb74>] (netlink_rcv_skb+0xb8/0x11c)
[ 39.536446] [<808cdb74>] (netlink_rcv_skb) from [<808ce1d0>] (genl_rcv+0x28/0x34)
[ 39.544344] [<808ce1d0>] (genl_rcv) from [<808cd234>] (netlink_unicast+0x174/0x274)
[ 39.551895] [<808cd234>] (netlink_unicast) from [<808cd510>] (netlink_sendmsg+0x1dc/0x440)
[ 39.559362] [<808cd510>] (netlink_sendmsg) from [<808596e0>] (____sys_sendmsg+0x1a8/0x1fc)
[ 39.567697] [<808596e0>] (____sys_sendmsg) from [<8085b1a8>] (___sys_sendmsg+0xa4/0xdc)
[ 39.575941] [<8085b1a8>] (___sys_sendmsg) from [<8085b310>] (sys_sendmsg+0x44/0x74)
[ 39.583841] [<8085b310>] (sys_sendmsg) from [<80300060>] (ret_fast_syscall+0x0/0x40)
...
[ 39.620734] Code: bad PC value
[ 39.625869] ---[ end trace 8aef983ad3cbc032 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ba60f2793d3a37a00da14bb56a26558a902d2831 , < d1992d72a359732f143cc962917104d193705da7
(git)
Affected: ba60f2793d3a37a00da14bb56a26558a902d2831 , < c36289e3c5e83286974ef68c20c821fd5b63801c (git) Affected: ba60f2793d3a37a00da14bb56a26558a902d2831 , < ce282d8de71f07f0056ea319541141152c65f552 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1992d72a359732f143cc962917104d193705da7",
"status": "affected",
"version": "ba60f2793d3a37a00da14bb56a26558a902d2831",
"versionType": "git"
},
{
"lessThan": "c36289e3c5e83286974ef68c20c821fd5b63801c",
"status": "affected",
"version": "ba60f2793d3a37a00da14bb56a26558a902d2831",
"versionType": "git"
},
{
"lessThan": "ce282d8de71f07f0056ea319541141152c65f552",
"status": "affected",
"version": "ba60f2793d3a37a00da14bb56a26558a902d2831",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath11k/hw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.13",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Add missing hw_ops-\u003eget_ring_selector() for IPQ5018\n\nDuring sending data after clients connected, hw_ops-\u003eget_ring_selector()\nwill be called. But for IPQ5018, this member isn\u0027t set, and the\nfollowing NULL pointer exception will be occurred:\n\n\t[ 38.840478] 8\u003c--- cut here ---\n\t[ 38.840517] Unable to handle kernel NULL pointer dereference at virtual address 00000000\n\t...\n\t[ 38.923161] PC is at 0x0\n\t[ 38.927930] LR is at ath11k_dp_tx+0x70/0x730 [ath11k]\n\t...\n\t[ 39.063264] Process hostapd (pid: 1034, stack limit = 0x801ceb3d)\n\t[ 39.068994] Stack: (0x856a9a68 to 0x856aa000)\n\t...\n\t[ 39.438467] [\u003c7f323804\u003e] (ath11k_dp_tx [ath11k]) from [\u003c7f314e6c\u003e] (ath11k_mac_op_tx+0x80/0x190 [ath11k])\n\t[ 39.446607] [\u003c7f314e6c\u003e] (ath11k_mac_op_tx [ath11k]) from [\u003c7f17dbe0\u003e] (ieee80211_handle_wake_tx_queue+0x7c/0xc0 [mac80211])\n\t[ 39.456162] [\u003c7f17dbe0\u003e] (ieee80211_handle_wake_tx_queue [mac80211]) from [\u003c7f174450\u003e] (ieee80211_probereq_get+0x584/0x704 [mac80211])\n\t[ 39.467443] [\u003c7f174450\u003e] (ieee80211_probereq_get [mac80211]) from [\u003c7f178c40\u003e] (ieee80211_tx_prepare_skb+0x1f8/0x248 [mac80211])\n\t[ 39.479334] [\u003c7f178c40\u003e] (ieee80211_tx_prepare_skb [mac80211]) from [\u003c7f179e28\u003e] (__ieee80211_subif_start_xmit+0x32c/0x3d4 [mac80211])\n\t[ 39.491053] [\u003c7f179e28\u003e] (__ieee80211_subif_start_xmit [mac80211]) from [\u003c7f17af08\u003e] (ieee80211_tx_control_port+0x19c/0x288 [mac80211])\n\t[ 39.502946] [\u003c7f17af08\u003e] (ieee80211_tx_control_port [mac80211]) from [\u003c7f0fc704\u003e] (nl80211_tx_control_port+0x174/0x1d4 [cfg80211])\n\t[ 39.515017] [\u003c7f0fc704\u003e] (nl80211_tx_control_port [cfg80211]) from [\u003c808ceac4\u003e] (genl_rcv_msg+0x154/0x340)\n\t[ 39.526814] [\u003c808ceac4\u003e] (genl_rcv_msg) from [\u003c808cdb74\u003e] (netlink_rcv_skb+0xb8/0x11c)\n\t[ 39.536446] [\u003c808cdb74\u003e] (netlink_rcv_skb) from [\u003c808ce1d0\u003e] (genl_rcv+0x28/0x34)\n\t[ 39.544344] [\u003c808ce1d0\u003e] (genl_rcv) from [\u003c808cd234\u003e] (netlink_unicast+0x174/0x274)\n\t[ 39.551895] [\u003c808cd234\u003e] (netlink_unicast) from [\u003c808cd510\u003e] (netlink_sendmsg+0x1dc/0x440)\n\t[ 39.559362] [\u003c808cd510\u003e] (netlink_sendmsg) from [\u003c808596e0\u003e] (____sys_sendmsg+0x1a8/0x1fc)\n\t[ 39.567697] [\u003c808596e0\u003e] (____sys_sendmsg) from [\u003c8085b1a8\u003e] (___sys_sendmsg+0xa4/0xdc)\n\t[ 39.575941] [\u003c8085b1a8\u003e] (___sys_sendmsg) from [\u003c8085b310\u003e] (sys_sendmsg+0x44/0x74)\n\t[ 39.583841] [\u003c8085b310\u003e] (sys_sendmsg) from [\u003c80300060\u003e] (ret_fast_syscall+0x0/0x40)\n\t...\n\t[ 39.620734] Code: bad PC value\n\t[ 39.625869] ---[ end trace 8aef983ad3cbc032 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:55.468Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1992d72a359732f143cc962917104d193705da7"
},
{
"url": "https://git.kernel.org/stable/c/c36289e3c5e83286974ef68c20c821fd5b63801c"
},
{
"url": "https://git.kernel.org/stable/c/ce282d8de71f07f0056ea319541141152c65f552"
}
],
"title": "wifi: ath11k: Add missing hw_ops-\u003eget_ring_selector() for IPQ5018",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54141",
"datePublished": "2025-12-24T13:06:55.468Z",
"dateReserved": "2025-12-24T13:02:52.523Z",
"dateUpdated": "2025-12-24T13:06:55.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54262 (GCVE-0-2023-54262)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15
VLAI?
EPSS
Title
net/mlx5e: Don't clone flow post action attributes second time
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Don't clone flow post action attributes second time
The code already clones post action attributes in
mlx5e_clone_flow_attr_for_post_act(). Creating another copy in
mlx5e_tc_post_act_add() is a erroneous leftover from original
implementation. Instead, assign handle->attribute to post_attr provided by
the caller. Note that cloning the attribute second time is not just
wasteful but also causes issues like second copy not being properly updated
in neigh update code which leads to following use-after-free:
Feb 21 09:02:00 c-237-177-40-045 kernel: BUG: KASAN: use-after-free in mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30
Feb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_free_info+0x2a/0x40
Feb 21 09:02:00 c-237-177-40-045 kernel: ____kasan_slab_free+0x11a/0x1b0
Feb 21 09:02:00 c-237-177-40-045 kernel: page dumped because: kasan: bad access detected
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 8833): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0xf2ff71), err(-22)
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0 enp8s0f0: Failed to add post action rule
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5e_tc_encap_flows_add:190:(pid 8833): Failed to update flow post acts, -22
Feb 21 09:02:00 c-237-177-40-045 kernel: Call Trace:
Feb 21 09:02:00 c-237-177-40-045 kernel: <TASK>
Feb 21 09:02:00 c-237-177-40-045 kernel: dump_stack_lvl+0x57/0x7d
Feb 21 09:02:00 c-237-177-40-045 kernel: print_report+0x170/0x471
Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0
Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: ? __module_address.part.0+0x62/0x200
Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_stub_create_flow_table+0xd0/0xd0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: ? __raw_spin_lock_init+0x3b/0x110
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_create_fte+0x80/0xb0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: add_rule_fg+0xe80/0x19c0 [mlx5_core]
--
Feb 21 09:02:00 c-237-177-40-045 kernel: Allocated by task 13476:
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30
Feb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_packet_reformat_alloc+0x7b/0x230 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_tun_create_header_ipv4+0x977/0xf10 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_attach_encap+0x15b4/0x1e10 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: post_process_attr+0x305/0xa30 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_add_fdb_flow+0x4c0/0xcf0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_configure_flower+0xcaa/0x4b90 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cls_flower+0x99/0x1b0 [mlx5_core]
Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cb+0x133/0x1e0 [mlx5_core]
--
Feb 21 09:02:00 c-237-177-40-045 kernel: Freed by task 8833:
Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_s
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
8300f225268be9ee2c0daf5a3f23929fcdcbf213 , < c382b693ffcb1f1ebf60d76ab9dedfe9ea13eedf
(git)
Affected: 8300f225268be9ee2c0daf5a3f23929fcdcbf213 , < 8fd1dac646e6b08d03e3f1ad3c5b34255b1e08e8 (git) Affected: 8300f225268be9ee2c0daf5a3f23929fcdcbf213 , < 2d57a514f9ab7d2d40f49b02d93edfcec8c78a9e (git) Affected: 8300f225268be9ee2c0daf5a3f23929fcdcbf213 , < e9fce818fe003b6c527f25517b9ac08eb4661b5d (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c",
"drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c382b693ffcb1f1ebf60d76ab9dedfe9ea13eedf",
"status": "affected",
"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
"versionType": "git"
},
{
"lessThan": "8fd1dac646e6b08d03e3f1ad3c5b34255b1e08e8",
"status": "affected",
"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
"versionType": "git"
},
{
"lessThan": "2d57a514f9ab7d2d40f49b02d93edfcec8c78a9e",
"status": "affected",
"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
"versionType": "git"
},
{
"lessThan": "e9fce818fe003b6c527f25517b9ac08eb4661b5d",
"status": "affected",
"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.c",
"drivers/net/ethernet/mellanox/mlx5/core/en/tc/post_act.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.28",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Don\u0027t clone flow post action attributes second time\n\nThe code already clones post action attributes in\nmlx5e_clone_flow_attr_for_post_act(). Creating another copy in\nmlx5e_tc_post_act_add() is a erroneous leftover from original\nimplementation. Instead, assign handle-\u003eattribute to post_attr provided by\nthe caller. Note that cloning the attribute second time is not just\nwasteful but also causes issues like second copy not being properly updated\nin neigh update code which leads to following use-after-free:\n\nFeb 21 09:02:00 c-237-177-40-045 kernel: BUG: KASAN: use-after-free in mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0\nFeb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90\nFeb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_free_info+0x2a/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel: ____kasan_slab_free+0x11a/0x1b0\nFeb 21 09:02:00 c-237-177-40-045 kernel: page dumped because: kasan: bad access detected\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 8833): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0xf2ff71), err(-22)\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0 enp8s0f0: Failed to add post action rule\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5e_tc_encap_flows_add:190:(pid 8833): Failed to update flow post acts, -22\nFeb 21 09:02:00 c-237-177-40-045 kernel: Call Trace:\nFeb 21 09:02:00 c-237-177-40-045 kernel: \u003cTASK\u003e\nFeb 21 09:02:00 c-237-177-40-045 kernel: dump_stack_lvl+0x57/0x7d\nFeb 21 09:02:00 c-237-177-40-045 kernel: print_report+0x170/0x471\nFeb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0\nFeb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: ? __module_address.part.0+0x62/0x200\nFeb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_stub_create_flow_table+0xd0/0xd0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: ? __raw_spin_lock_init+0x3b/0x110\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_create_fte+0x80/0xb0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: add_rule_fg+0xe80/0x19c0 [mlx5_core]\n--\nFeb 21 09:02:00 c-237-177-40-045 kernel: Allocated by task 13476:\nFeb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40\nFeb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30\nFeb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5_packet_reformat_alloc+0x7b/0x230 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_tun_create_header_ipv4+0x977/0xf10 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_attach_encap+0x15b4/0x1e10 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: post_process_attr+0x305/0xa30 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_add_fdb_flow+0x4c0/0xcf0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_configure_flower+0xcaa/0x4b90 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cls_flower+0x99/0x1b0 [mlx5_core]\nFeb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cb+0x133/0x1e0 [mlx5_core]\n--\nFeb 21 09:02:00 c-237-177-40-045 kernel: Freed by task 8833:\nFeb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_s\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:15:55.556Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c382b693ffcb1f1ebf60d76ab9dedfe9ea13eedf"
},
{
"url": "https://git.kernel.org/stable/c/8fd1dac646e6b08d03e3f1ad3c5b34255b1e08e8"
},
{
"url": "https://git.kernel.org/stable/c/2d57a514f9ab7d2d40f49b02d93edfcec8c78a9e"
},
{
"url": "https://git.kernel.org/stable/c/e9fce818fe003b6c527f25517b9ac08eb4661b5d"
}
],
"title": "net/mlx5e: Don\u0027t clone flow post action attributes second time",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54262",
"datePublished": "2025-12-30T12:15:55.556Z",
"dateReserved": "2025-12-30T12:06:44.517Z",
"dateUpdated": "2025-12-30T12:15:55.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68257 (GCVE-0-2025-68257)
Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-01-19 12:18
VLAI?
EPSS
Title
comedi: check device's attached status in compat ioctls
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: check device's attached status in compat ioctls
Syzbot identified an issue [1] that crashes kernel, seemingly due to
unexistent callback dev->get_valid_routes(). By all means, this should
not occur as said callback must always be set to
get_zero_valid_routes() in __comedi_device_postconfig().
As the crash seems to appear exclusively in i386 kernels, at least,
judging from [1] reports, the blame lies with compat versions
of standard IOCTL handlers. Several of them are modified and
do not use comedi_unlocked_ioctl(). While functionality of these
ioctls essentially copy their original versions, they do not
have required sanity check for device's attached status. This,
in turn, leads to a possibility of calling select IOCTLs on a
device that has not been properly setup, even via COMEDI_DEVCONFIG.
Doing so on unconfigured devices means that several crucial steps
are missed, for instance, specifying dev->get_valid_routes()
callback.
Fix this somewhat crudely by ensuring device's attached status before
performing any ioctls, improving logic consistency between modern
and compat functions.
[1] Syzbot report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0
Call Trace:
<TASK>
get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]
parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401
do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594
compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]
comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273
__do_compat_sys_ioctl fs/ioctl.c:695 [inline]
__se_compat_sys_ioctl fs/ioctl.c:638 [inline]
__ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
...
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3fbfd2223a271426509830e6340c386a1054cfad , < 4836ba483a22ebd076c8faaf8293a7295fad4142
(git)
Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 7141915bf0c41cb57d83cdbaf695b8c731b16b71 (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < f13895c03620933a58907e3250016f087e39b78c (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < b975f91de5f8f63cf490f0393775cc795f8b0557 (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < f6e629dfe6f590091c662a87c9fcf118b1c1c7dc (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 573b07d2e3d473ee7eb625ef87519922cf01168d (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < aac80e912de306815297a3b74f0426873ffa7dc3 (git) Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4836ba483a22ebd076c8faaf8293a7295fad4142",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "7141915bf0c41cb57d83cdbaf695b8c731b16b71",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "f13895c03620933a58907e3250016f087e39b78c",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "b975f91de5f8f63cf490f0393775cc795f8b0557",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "f6e629dfe6f590091c662a87c9fcf118b1c1c7dc",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "573b07d2e3d473ee7eb625ef87519922cf01168d",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "aac80e912de306815297a3b74f0426873ffa7dc3",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
},
{
"lessThan": "0de7d9cd07a2671fa6089173bccc0b2afe6b93ee",
"status": "affected",
"version": "3fbfd2223a271426509830e6340c386a1054cfad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/comedi/comedi_fops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.160",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.120",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.62",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.160",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.120",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.62",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.12",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.1",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc1",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: check device\u0027s attached status in compat ioctls\n\nSyzbot identified an issue [1] that crashes kernel, seemingly due to\nunexistent callback dev-\u003eget_valid_routes(). By all means, this should\nnot occur as said callback must always be set to\nget_zero_valid_routes() in __comedi_device_postconfig().\n\nAs the crash seems to appear exclusively in i386 kernels, at least,\njudging from [1] reports, the blame lies with compat versions\nof standard IOCTL handlers. Several of them are modified and\ndo not use comedi_unlocked_ioctl(). While functionality of these\nioctls essentially copy their original versions, they do not\nhave required sanity check for device\u0027s attached status. This,\nin turn, leads to a possibility of calling select IOCTLs on a\ndevice that has not been properly setup, even via COMEDI_DEVCONFIG.\n\nDoing so on unconfigured devices means that several crucial steps\nare missed, for instance, specifying dev-\u003eget_valid_routes()\ncallback.\n\nFix this somewhat crudely by ensuring device\u0027s attached status before\nperforming any ioctls, improving logic consistency between modern\nand compat functions.\n\n[1] Syzbot report:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nCR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]\n parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401\n do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594\n compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]\n comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273\n __do_compat_sys_ioctl fs/ioctl.c:695 [inline]\n __se_compat_sys_ioctl fs/ioctl.c:638 [inline]\n __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n..."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T12:18:10.447Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4836ba483a22ebd076c8faaf8293a7295fad4142"
},
{
"url": "https://git.kernel.org/stable/c/7141915bf0c41cb57d83cdbaf695b8c731b16b71"
},
{
"url": "https://git.kernel.org/stable/c/f13895c03620933a58907e3250016f087e39b78c"
},
{
"url": "https://git.kernel.org/stable/c/b975f91de5f8f63cf490f0393775cc795f8b0557"
},
{
"url": "https://git.kernel.org/stable/c/f6e629dfe6f590091c662a87c9fcf118b1c1c7dc"
},
{
"url": "https://git.kernel.org/stable/c/573b07d2e3d473ee7eb625ef87519922cf01168d"
},
{
"url": "https://git.kernel.org/stable/c/aac80e912de306815297a3b74f0426873ffa7dc3"
},
{
"url": "https://git.kernel.org/stable/c/0de7d9cd07a2671fa6089173bccc0b2afe6b93ee"
}
],
"title": "comedi: check device\u0027s attached status in compat ioctls",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68257",
"datePublished": "2025-12-16T14:44:59.535Z",
"dateReserved": "2025-12-16T13:41:40.267Z",
"dateUpdated": "2026-01-19T12:18:10.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40212 (GCVE-0-2025-40212)
Vulnerability from cvelistv5 – Published: 2025-11-24 13:04 – Updated: 2025-12-01 06:20
VLAI?
EPSS
Title
nfsd: fix refcount leak in nfsd_set_fh_dentry()
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix refcount leak in nfsd_set_fh_dentry()
nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find
the various exported filesystems using LOOKUP requests from a known root
filehandle. NFSv3 uses the MOUNT protocol to find those exported
filesystems and so is not given access to the pseudo root filesystem.
If a v3 (or v2) client uses a filehandle from that filesystem,
nfsd_set_fh_dentry() will report an error, but still stores the export
in "struct svc_fh" even though it also drops the reference (exp_put()).
This means that when fh_put() is called an extra reference will be dropped
which can lead to use-after-free and possible denial of service.
Normal NFS usage will not provide a pseudo-root filehandle to a v3
client. This bug can only be triggered by the client synthesising an
incorrect filehandle.
To fix this we move the assignments to the svc_fh later, after all
possible error cases have been detected.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444 , < b6bc86ce3944b10b9fc181fc00c1a520a20ed965
(git)
Affected: ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444 , < c83d7365cec5eb5ebeeee2a72e29b4ca58a7e4c2 (git) Affected: ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444 , < 8a7348a9ed70bda1c1f51d3f1815bcbdf9f3b38c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsfh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6bc86ce3944b10b9fc181fc00c1a520a20ed965",
"status": "affected",
"version": "ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444",
"versionType": "git"
},
{
"lessThan": "c83d7365cec5eb5ebeeee2a72e29b4ca58a7e4c2",
"status": "affected",
"version": "ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444",
"versionType": "git"
},
{
"lessThan": "8a7348a9ed70bda1c1f51d3f1815bcbdf9f3b38c",
"status": "affected",
"version": "ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfsfh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix refcount leak in nfsd_set_fh_dentry()\n\nnfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find\nthe various exported filesystems using LOOKUP requests from a known root\nfilehandle. NFSv3 uses the MOUNT protocol to find those exported\nfilesystems and so is not given access to the pseudo root filesystem.\n\nIf a v3 (or v2) client uses a filehandle from that filesystem,\nnfsd_set_fh_dentry() will report an error, but still stores the export\nin \"struct svc_fh\" even though it also drops the reference (exp_put()).\nThis means that when fh_put() is called an extra reference will be dropped\nwhich can lead to use-after-free and possible denial of service.\n\nNormal NFS usage will not provide a pseudo-root filehandle to a v3\nclient. This bug can only be triggered by the client synthesising an\nincorrect filehandle.\n\nTo fix this we move the assignments to the svc_fh later, after all\npossible error cases have been detected."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:20:17.962Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6bc86ce3944b10b9fc181fc00c1a520a20ed965"
},
{
"url": "https://git.kernel.org/stable/c/c83d7365cec5eb5ebeeee2a72e29b4ca58a7e4c2"
},
{
"url": "https://git.kernel.org/stable/c/8a7348a9ed70bda1c1f51d3f1815bcbdf9f3b38c"
}
],
"title": "nfsd: fix refcount leak in nfsd_set_fh_dentry()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40212",
"datePublished": "2025-11-24T13:04:20.888Z",
"dateReserved": "2025-04-16T07:20:57.179Z",
"dateUpdated": "2025-12-01T06:20:17.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40343 (GCVE-0-2025-40343)
Vulnerability from cvelistv5 – Published: 2025-12-09 04:10 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
nvmet-fc: avoid scheduling association deletion twice
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-fc: avoid scheduling association deletion twice
When forcefully shutting down a port via the configfs interface,
nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and
then nvmet_disable_port(). Both functions will eventually schedule all
remaining associations for deletion.
The current implementation checks whether an association is about to be
removed, but only after the work item has already been scheduled. As a
result, it is possible for the first scheduled work item to free all
resources, and then for the same work item to be scheduled again for
deletion.
Because the association list is an RCU list, it is not possible to take
a lock and remove the list entry directly, so it cannot be looked up
again. Instead, a flag (terminating) must be used to determine whether
the association is already in the process of being deleted.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
a07b4970f464f13640e28e16dad6cfa33647cc99 , < 2f4852db87e25d4e226b25cb6f652fef9504360e
(git)
Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < 85e2ce1920cb511d57aae59f0df6ff85b28bf04d (git) Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < 601ed47b2363c24d948d7bac0c23abc8bd459570 (git) Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < 04d17540ef51e2c291eb863ca87fd332259b2d40 (git) Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < c09ac9a63fc3aaf4670ad7b5e4f5afd764424154 (git) Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < f2537be4f8421f6495edfa0bc284d722f253841d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2f4852db87e25d4e226b25cb6f652fef9504360e",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "85e2ce1920cb511d57aae59f0df6ff85b28bf04d",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "601ed47b2363c24d948d7bac0c23abc8bd459570",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "04d17540ef51e2c291eb863ca87fd332259b2d40",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "c09ac9a63fc3aaf4670ad7b5e4f5afd764424154",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
},
{
"lessThan": "f2537be4f8421f6495edfa0bc284d722f253841d",
"status": "affected",
"version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/fc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid scheduling association deletion twice\n\nWhen forcefully shutting down a port via the configfs interface,\nnvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and\nthen nvmet_disable_port(). Both functions will eventually schedule all\nremaining associations for deletion.\n\nThe current implementation checks whether an association is about to be\nremoved, but only after the work item has already been scheduled. As a\nresult, it is possible for the first scheduled work item to free all\nresources, and then for the same work item to be scheduled again for\ndeletion.\n\nBecause the association list is an RCU list, it is not possible to take\na lock and remove the list entry directly, so it cannot be looked up\nagain. Instead, a flag (terminating) must be used to determine whether\nthe association is already in the process of being deleted."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:13.716Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2f4852db87e25d4e226b25cb6f652fef9504360e"
},
{
"url": "https://git.kernel.org/stable/c/85e2ce1920cb511d57aae59f0df6ff85b28bf04d"
},
{
"url": "https://git.kernel.org/stable/c/601ed47b2363c24d948d7bac0c23abc8bd459570"
},
{
"url": "https://git.kernel.org/stable/c/04d17540ef51e2c291eb863ca87fd332259b2d40"
},
{
"url": "https://git.kernel.org/stable/c/c09ac9a63fc3aaf4670ad7b5e4f5afd764424154"
},
{
"url": "https://git.kernel.org/stable/c/f2537be4f8421f6495edfa0bc284d722f253841d"
}
],
"title": "nvmet-fc: avoid scheduling association deletion twice",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40343",
"datePublished": "2025-12-09T04:10:00.973Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2025-12-20T08:52:13.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54036 (GCVE-0-2023-54036)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:56 – Updated: 2025-12-24 10:56
VLAI?
EPSS
Title
wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU
The wifi + bluetooth combo chip RTL8723BU can leak memory (especially?)
when it's connected to a bluetooth audio device. The busy bluetooth
traffic generates lots of C2H (card to host) messages, which are not
freed correctly.
To fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback()
inside the loop where skb_dequeue() is called.
The RTL8192EU leaks memory because the C2H messages are added to the
queue and left there forever. (This was fine in the past because it
probably wasn't sending any C2H messages until commit e542e66b7c2e
("wifi: rtl8xxxu: gen2: Turn on the rate control"). Since that commit
it sends a C2H message when the TX rate changes.)
To fix this, delete the check for rf_paths > 1 and the goto. Let the
function process the C2H messages from RTL8192EU like the ones from
the other chips.
Theoretically the RTL8188FU could also leak like RTL8723BU, but it
most likely doesn't send C2H messages frequently enough.
This change was tested with RTL8723BU by Erhard F. I tested it with
RTL8188FU and RTL8192EU.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 , < 430f9f9bec53a75f9ccc53e156a66f13fc098b83
(git)
Affected: e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 , < 35fb0e275af1aa1ca0a9784417e90f988aaf8e78 (git) Affected: e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 , < 93c3f34ec02fc81188d328287d4fddd498ccddea (git) Affected: e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 , < f39a86b4efd270947ee252cc32a30b0aef492d65 (git) Affected: e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 , < b39f662ce1648db0b9de32e6a849b098480793cb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "430f9f9bec53a75f9ccc53e156a66f13fc098b83",
"status": "affected",
"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819",
"versionType": "git"
},
{
"lessThan": "35fb0e275af1aa1ca0a9784417e90f988aaf8e78",
"status": "affected",
"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819",
"versionType": "git"
},
{
"lessThan": "93c3f34ec02fc81188d328287d4fddd498ccddea",
"status": "affected",
"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819",
"versionType": "git"
},
{
"lessThan": "f39a86b4efd270947ee252cc32a30b0aef492d65",
"status": "affected",
"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819",
"versionType": "git"
},
{
"lessThan": "b39f662ce1648db0b9de32e6a849b098480793cb",
"status": "affected",
"version": "e542e66b7c2ee2adeefdbb7f259f2f60cadf2819",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU\n\nThe wifi + bluetooth combo chip RTL8723BU can leak memory (especially?)\nwhen it\u0027s connected to a bluetooth audio device. The busy bluetooth\ntraffic generates lots of C2H (card to host) messages, which are not\nfreed correctly.\n\nTo fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback()\ninside the loop where skb_dequeue() is called.\n\nThe RTL8192EU leaks memory because the C2H messages are added to the\nqueue and left there forever. (This was fine in the past because it\nprobably wasn\u0027t sending any C2H messages until commit e542e66b7c2e\n(\"wifi: rtl8xxxu: gen2: Turn on the rate control\"). Since that commit\nit sends a C2H message when the TX rate changes.)\n\nTo fix this, delete the check for rf_paths \u003e 1 and the goto. Let the\nfunction process the C2H messages from RTL8192EU like the ones from\nthe other chips.\n\nTheoretically the RTL8188FU could also leak like RTL8723BU, but it\nmost likely doesn\u0027t send C2H messages frequently enough.\n\nThis change was tested with RTL8723BU by Erhard F. I tested it with\nRTL8188FU and RTL8192EU."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:56:03.215Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83"
},
{
"url": "https://git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78"
},
{
"url": "https://git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea"
},
{
"url": "https://git.kernel.org/stable/c/f39a86b4efd270947ee252cc32a30b0aef492d65"
},
{
"url": "https://git.kernel.org/stable/c/b39f662ce1648db0b9de32e6a849b098480793cb"
}
],
"title": "wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54036",
"datePublished": "2025-12-24T10:56:03.215Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:56:03.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54032 (GCVE-0-2023-54032)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
btrfs: fix race when deleting quota root from the dirty cow roots list
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race when deleting quota root from the dirty cow roots list
When disabling quotas we are deleting the quota root from the list
fs_info->dirty_cowonly_roots without taking the lock that protects it,
which is struct btrfs_fs_info::trans_lock. This unsynchronized list
manipulation may cause chaos if there's another concurrent manipulation
of this list, such as when adding a root to it with
ctree.c:add_root_to_dirty_list().
This can result in all sorts of weird failures caused by a race, such as
the following crash:
[337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI
[337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
[337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]
[337571.279928] Code: 85 38 06 00 (...)
[337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206
[337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000
[337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070
[337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b
[337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600
[337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48
[337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000
[337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0
[337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[337571.282874] Call Trace:
[337571.283101] <TASK>
[337571.283327] ? __die_body+0x1b/0x60
[337571.283570] ? die_addr+0x39/0x60
[337571.283796] ? exc_general_protection+0x22e/0x430
[337571.284022] ? asm_exc_general_protection+0x22/0x30
[337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]
[337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]
[337571.284803] ? _raw_spin_unlock+0x15/0x30
[337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]
[337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]
[337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]
[337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410
[337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]
[337571.286358] ? mod_objcg_state+0xd2/0x360
[337571.286577] ? refill_obj_stock+0xb0/0x160
[337571.286798] ? seq_release+0x25/0x30
[337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0
[337571.287235] ? percpu_counter_add_batch+0x2e/0xa0
[337571.287455] ? __x64_sys_ioctl+0x88/0xc0
[337571.287675] __x64_sys_ioctl+0x88/0xc0
[337571.287901] do_syscall_64+0x38/0x90
[337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[337571.288352] RIP: 0033:0x7f478aaffe9b
So fix this by locking struct btrfs_fs_info::trans_lock before deleting
the quota root from that list.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bed92eae26ccf280d1a2168b7509447b56675a27 , < 365f318da7384cbac5de6b9c098914888a4d63e7
(git)
Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 6da229754099518cfa27cbfcd0fd042618785fad (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 679c34821ab7cd93c8ccb96fbf57fc44848a78bc (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 6819bb0b8552dcc5f82ca606c8911b8c67e0628f (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < 7ba0da31dd4a8fd24d416016c538a95a5664ff02 (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < a53d78d9a8551e72c46ded23e8b0a56e55d32032 (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < a5cdc4012efa808e07d073c11dc2f366b5394ad3 (git) Affected: bed92eae26ccf280d1a2168b7509447b56675a27 , < b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "365f318da7384cbac5de6b9c098914888a4d63e7",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "6da229754099518cfa27cbfcd0fd042618785fad",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "679c34821ab7cd93c8ccb96fbf57fc44848a78bc",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "6819bb0b8552dcc5f82ca606c8911b8c67e0628f",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "7ba0da31dd4a8fd24d416016c538a95a5664ff02",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "a53d78d9a8551e72c46ded23e8b0a56e55d32032",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "a5cdc4012efa808e07d073c11dc2f366b5394ad3",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
},
{
"lessThan": "b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79",
"status": "affected",
"version": "bed92eae26ccf280d1a2168b7509447b56675a27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/qgroup.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.322",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.188",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.322",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.291",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.251",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.188",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.121",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.39",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when deleting quota root from the dirty cow roots list\n\nWhen disabling quotas we are deleting the quota root from the list\nfs_info-\u003edirty_cowonly_roots without taking the lock that protects it,\nwhich is struct btrfs_fs_info::trans_lock. This unsynchronized list\nmanipulation may cause chaos if there\u0027s another concurrent manipulation\nof this list, such as when adding a root to it with\nctree.c:add_root_to_dirty_list().\n\nThis can result in all sorts of weird failures caused by a race, such as\nthe following crash:\n\n [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI\n [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1\n [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]\n [337571.279928] Code: 85 38 06 00 (...)\n [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206\n [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000\n [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070\n [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b\n [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600\n [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48\n [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000\n [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0\n [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n [337571.282874] Call Trace:\n [337571.283101] \u003cTASK\u003e\n [337571.283327] ? __die_body+0x1b/0x60\n [337571.283570] ? die_addr+0x39/0x60\n [337571.283796] ? exc_general_protection+0x22e/0x430\n [337571.284022] ? asm_exc_general_protection+0x22/0x30\n [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]\n [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]\n [337571.284803] ? _raw_spin_unlock+0x15/0x30\n [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]\n [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]\n [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]\n [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410\n [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]\n [337571.286358] ? mod_objcg_state+0xd2/0x360\n [337571.286577] ? refill_obj_stock+0xb0/0x160\n [337571.286798] ? seq_release+0x25/0x30\n [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0\n [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0\n [337571.287455] ? __x64_sys_ioctl+0x88/0xc0\n [337571.287675] __x64_sys_ioctl+0x88/0xc0\n [337571.287901] do_syscall_64+0x38/0x90\n [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc\n [337571.288352] RIP: 0033:0x7f478aaffe9b\n\nSo fix this by locking struct btrfs_fs_info::trans_lock before deleting\nthe quota root from that list."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:59.609Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/365f318da7384cbac5de6b9c098914888a4d63e7"
},
{
"url": "https://git.kernel.org/stable/c/6da229754099518cfa27cbfcd0fd042618785fad"
},
{
"url": "https://git.kernel.org/stable/c/679c34821ab7cd93c8ccb96fbf57fc44848a78bc"
},
{
"url": "https://git.kernel.org/stable/c/6819bb0b8552dcc5f82ca606c8911b8c67e0628f"
},
{
"url": "https://git.kernel.org/stable/c/7ba0da31dd4a8fd24d416016c538a95a5664ff02"
},
{
"url": "https://git.kernel.org/stable/c/a53d78d9a8551e72c46ded23e8b0a56e55d32032"
},
{
"url": "https://git.kernel.org/stable/c/a5cdc4012efa808e07d073c11dc2f366b5394ad3"
},
{
"url": "https://git.kernel.org/stable/c/b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79"
}
],
"title": "btrfs: fix race when deleting quota root from the dirty cow roots list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54032",
"datePublished": "2025-12-24T10:55:59.609Z",
"dateReserved": "2025-12-24T10:53:46.180Z",
"dateUpdated": "2025-12-24T10:55:59.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40274 (GCVE-0-2025-40274)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2025-12-06 21:50
VLAI?
EPSS
Title
KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying
When unbinding a memslot from a guest_memfd instance, remove the bindings
even if the guest_memfd file is dying, i.e. even if its file refcount has
gone to zero. If the memslot is freed before the file is fully released,
nullifying the memslot side of the binding in kvm_gmem_release() will
write to freed memory, as detected by syzbot+KASAN:
==================================================================
BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353
Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022
CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353
__fput+0x44c/0xa70 fs/file_table.c:468
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbeeff8efc9
</TASK>
Allocated by task 6023:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414
kasan_kmalloc include/linux/kasan.h:262 [inline]
__kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104
kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154
kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6023:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2533 [inline]
slab_free mm/slub.c:6622 [inline]
kfree+0x19a/0x6d0 mm/slub.c:6829
kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130
kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154
kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Deliberately don't acquire filemap invalid lock when the file is dying as
the lifecycle of f_mapping is outside the purview of KVM. Dereferencing
the mapping is *probably* fine, but there's no need to invalidate anything
as memslot deletion is responsible for zapping SPTEs, and the only code
that can access the dying file is kvm_gmem_release(), whose core code is
mutual
---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < a8ac2bd0f98e1a230f1eb3260fa552bf2ef1753b
(git)
Affected: a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < 393893693a523e053f84d69320d090b93503f79f (git) Affected: a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < ae431059e75d36170a5ae6b44cc4d06d43613215 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/guest_memfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a8ac2bd0f98e1a230f1eb3260fa552bf2ef1753b",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
},
{
"lessThan": "393893693a523e053f84d69320d090b93503f79f",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
},
{
"lessThan": "ae431059e75d36170a5ae6b44cc4d06d43613215",
"status": "affected",
"version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/guest_memfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying\n\nWhen unbinding a memslot from a guest_memfd instance, remove the bindings\neven if the guest_memfd file is dying, i.e. even if its file refcount has\ngone to zero. If the memslot is freed before the file is fully released,\nnullifying the memslot side of the binding in kvm_gmem_release() will\nwrite to freed memory, as detected by syzbot+KASAN:\n\n ==================================================================\n BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353\n Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022\n\n CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353\n __fput+0x44c/0xa70 fs/file_table.c:468\n task_work_run+0x1d4/0x260 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7fbeeff8efc9\n \u003c/TASK\u003e\n\n Allocated by task 6023:\n kasan_save_stack mm/kasan/common.c:56 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n poison_kmalloc_redzone mm/kasan/common.c:397 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414\n kasan_kmalloc include/linux/kasan.h:262 [inline]\n __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758\n kmalloc_noprof include/linux/slab.h:957 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104\n kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154\n kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Freed by task 6023:\n kasan_save_stack mm/kasan/common.c:56 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584\n poison_slab_object mm/kasan/common.c:252 [inline]\n __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284\n kasan_slab_free include/linux/kasan.h:234 [inline]\n slab_free_hook mm/slub.c:2533 [inline]\n slab_free mm/slub.c:6622 [inline]\n kfree+0x19a/0x6d0 mm/slub.c:6829\n kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130\n kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154\n kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nDeliberately don\u0027t acquire filemap invalid lock when the file is dying as\nthe lifecycle of f_mapping is outside the purview of KVM. Dereferencing\nthe mapping is *probably* fine, but there\u0027s no need to invalidate anything\nas memslot deletion is responsible for zapping SPTEs, and the only code\nthat can access the dying file is kvm_gmem_release(), whose core code is\nmutual\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:50:56.832Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a8ac2bd0f98e1a230f1eb3260fa552bf2ef1753b"
},
{
"url": "https://git.kernel.org/stable/c/393893693a523e053f84d69320d090b93503f79f"
},
{
"url": "https://git.kernel.org/stable/c/ae431059e75d36170a5ae6b44cc4d06d43613215"
}
],
"title": "KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40274",
"datePublished": "2025-12-06T21:50:56.832Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:50:56.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50777 (GCVE-0-2022-50777)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe
of_phy_find_device() return device node with refcount incremented.
Call put_device() to relese it when not needed anymore.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3f7056e1822d648f8022997497edc6cad2ad1e73 , < 53526dbc8aa6b95e9fc2ab1e29b1a9145721da24
(git)
Affected: ab4e6ee578e88a659938db8fbf33720bc048d29c , < 78b0b1ff525d9be4babf5a148a4de0d50042d95d (git) Affected: ab4e6ee578e88a659938db8fbf33720bc048d29c , < 00616bd1913a4f879679e02dc08c2f501ca2bd4c (git) Affected: ab4e6ee578e88a659938db8fbf33720bc048d29c , < 106d0d33c9d1ec4ddeeffc1fdc717ff09953d4ed (git) Affected: ab4e6ee578e88a659938db8fbf33720bc048d29c , < 4d112f001612c79927c1ecf29522b34c4fa292e0 (git) Affected: ab4e6ee578e88a659938db8fbf33720bc048d29c , < 52841e71253e6ace72751c72560950474a57d04c (git) Affected: ab4e6ee578e88a659938db8fbf33720bc048d29c , < ee84d37a5f08ed1121cdd16f8f3ed87552087a21 (git) Affected: ab4e6ee578e88a659938db8fbf33720bc048d29c , < d039535850ee47079d59527e96be18d8e0daa84b (git) Affected: a5a849c9e8a6c357f84a5e249cb468f20da6d28f (git) Affected: 900812a0d318954400d20b0190c7d788b4ff2cc2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/xilinx_gmii2rgmii.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "53526dbc8aa6b95e9fc2ab1e29b1a9145721da24",
"status": "affected",
"version": "3f7056e1822d648f8022997497edc6cad2ad1e73",
"versionType": "git"
},
{
"lessThan": "78b0b1ff525d9be4babf5a148a4de0d50042d95d",
"status": "affected",
"version": "ab4e6ee578e88a659938db8fbf33720bc048d29c",
"versionType": "git"
},
{
"lessThan": "00616bd1913a4f879679e02dc08c2f501ca2bd4c",
"status": "affected",
"version": "ab4e6ee578e88a659938db8fbf33720bc048d29c",
"versionType": "git"
},
{
"lessThan": "106d0d33c9d1ec4ddeeffc1fdc717ff09953d4ed",
"status": "affected",
"version": "ab4e6ee578e88a659938db8fbf33720bc048d29c",
"versionType": "git"
},
{
"lessThan": "4d112f001612c79927c1ecf29522b34c4fa292e0",
"status": "affected",
"version": "ab4e6ee578e88a659938db8fbf33720bc048d29c",
"versionType": "git"
},
{
"lessThan": "52841e71253e6ace72751c72560950474a57d04c",
"status": "affected",
"version": "ab4e6ee578e88a659938db8fbf33720bc048d29c",
"versionType": "git"
},
{
"lessThan": "ee84d37a5f08ed1121cdd16f8f3ed87552087a21",
"status": "affected",
"version": "ab4e6ee578e88a659938db8fbf33720bc048d29c",
"versionType": "git"
},
{
"lessThan": "d039535850ee47079d59527e96be18d8e0daa84b",
"status": "affected",
"version": "ab4e6ee578e88a659938db8fbf33720bc048d29c",
"versionType": "git"
},
{
"status": "affected",
"version": "a5a849c9e8a6c357f84a5e249cb468f20da6d28f",
"versionType": "git"
},
{
"status": "affected",
"version": "900812a0d318954400d20b0190c7d788b4ff2cc2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/xilinx_gmii2rgmii.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.14.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.131",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.18.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe\n\nof_phy_find_device() return device node with refcount incremented.\nCall put_device() to relese it when not needed anymore."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:06.511Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/53526dbc8aa6b95e9fc2ab1e29b1a9145721da24"
},
{
"url": "https://git.kernel.org/stable/c/78b0b1ff525d9be4babf5a148a4de0d50042d95d"
},
{
"url": "https://git.kernel.org/stable/c/00616bd1913a4f879679e02dc08c2f501ca2bd4c"
},
{
"url": "https://git.kernel.org/stable/c/106d0d33c9d1ec4ddeeffc1fdc717ff09953d4ed"
},
{
"url": "https://git.kernel.org/stable/c/4d112f001612c79927c1ecf29522b34c4fa292e0"
},
{
"url": "https://git.kernel.org/stable/c/52841e71253e6ace72751c72560950474a57d04c"
},
{
"url": "https://git.kernel.org/stable/c/ee84d37a5f08ed1121cdd16f8f3ed87552087a21"
},
{
"url": "https://git.kernel.org/stable/c/d039535850ee47079d59527e96be18d8e0daa84b"
}
],
"title": "net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50777",
"datePublished": "2025-12-24T13:06:06.511Z",
"dateReserved": "2025-12-24T13:02:21.547Z",
"dateUpdated": "2025-12-24T13:06:06.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54092 (GCVE-0-2023-54092)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
KVM: s390: pv: fix index value of replaced ASCE
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: s390: pv: fix index value of replaced ASCE
The index field of the struct page corresponding to a guest ASCE should
be 0. When replacing the ASCE in s390_replace_asce(), the index of the
new ASCE should also be set to 0.
Having the wrong index might lead to the wrong addresses being passed
around when notifying pte invalidations, and eventually to validity
intercepts (VM crash) if the prefix gets unmapped and the notifier gets
called with the wrong address.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
9d216035d173214cd33712d67d89220ef2283ebf , < 8e635da0e0d3cb45e32fa79b36218fb98281bc10
(git)
Affected: 81ea65c9aefe100a9ace3082649bd84ae7dd9764 , < 49a2686adddebe1ae76b4d368383208656ef6606 (git) Affected: faa2f72cb3569256480c5540d242c84e99965160 , < 017f686bcb536ff23d49c143fdf9d1fd89a9a924 (git) Affected: faa2f72cb3569256480c5540d242c84e99965160 , < f1c7a776338f2ac5e34da40e58fe9f33ea390a5e (git) Affected: faa2f72cb3569256480c5540d242c84e99965160 , < c2fceb59bbda16468bda82b002383bff59de89ab (git) Affected: b5477f53e1d4de6191f50748a027251b14952eeb (git) Affected: 63c71e83d5b6ab8adb5fcebef977052048016957 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/s390/mm/gmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8e635da0e0d3cb45e32fa79b36218fb98281bc10",
"status": "affected",
"version": "9d216035d173214cd33712d67d89220ef2283ebf",
"versionType": "git"
},
{
"lessThan": "49a2686adddebe1ae76b4d368383208656ef6606",
"status": "affected",
"version": "81ea65c9aefe100a9ace3082649bd84ae7dd9764",
"versionType": "git"
},
{
"lessThan": "017f686bcb536ff23d49c143fdf9d1fd89a9a924",
"status": "affected",
"version": "faa2f72cb3569256480c5540d242c84e99965160",
"versionType": "git"
},
{
"lessThan": "f1c7a776338f2ac5e34da40e58fe9f33ea390a5e",
"status": "affected",
"version": "faa2f72cb3569256480c5540d242c84e99965160",
"versionType": "git"
},
{
"lessThan": "c2fceb59bbda16468bda82b002383bff59de89ab",
"status": "affected",
"version": "faa2f72cb3569256480c5540d242c84e99965160",
"versionType": "git"
},
{
"status": "affected",
"version": "b5477f53e1d4de6191f50748a027251b14952eeb",
"versionType": "git"
},
{
"status": "affected",
"version": "63c71e83d5b6ab8adb5fcebef977052048016957",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/s390/mm/gmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"versionStartIncluding": "5.10.137",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.124",
"versionStartIncluding": "5.15.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.43",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: pv: fix index value of replaced ASCE\n\nThe index field of the struct page corresponding to a guest ASCE should\nbe 0. When replacing the ASCE in s390_replace_asce(), the index of the\nnew ASCE should also be set to 0.\n\nHaving the wrong index might lead to the wrong addresses being passed\naround when notifying pte invalidations, and eventually to validity\nintercepts (VM crash) if the prefix gets unmapped and the notifier gets\ncalled with the wrong address."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:21.092Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8e635da0e0d3cb45e32fa79b36218fb98281bc10"
},
{
"url": "https://git.kernel.org/stable/c/49a2686adddebe1ae76b4d368383208656ef6606"
},
{
"url": "https://git.kernel.org/stable/c/017f686bcb536ff23d49c143fdf9d1fd89a9a924"
},
{
"url": "https://git.kernel.org/stable/c/f1c7a776338f2ac5e34da40e58fe9f33ea390a5e"
},
{
"url": "https://git.kernel.org/stable/c/c2fceb59bbda16468bda82b002383bff59de89ab"
}
],
"title": "KVM: s390: pv: fix index value of replaced ASCE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54092",
"datePublished": "2025-12-24T13:06:21.092Z",
"dateReserved": "2025-12-24T13:02:52.516Z",
"dateUpdated": "2025-12-24T13:06:21.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40042 (GCVE-0-2025-40042)
Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16
VLAI?
EPSS
Title
tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Fix race condition in kprobe initialization causing NULL pointer dereference
There is a critical race condition in kprobe initialization that can lead to
NULL pointer dereference and kernel crash.
[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000
...
[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)
[1135630.269239] pc : kprobe_perf_func+0x30/0x260
[1135630.277643] lr : kprobe_dispatcher+0x44/0x60
[1135630.286041] sp : ffffaeff4977fa40
[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400
[1135630.302837] x27: 0000000000000000 x26: 0000000000000000
[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528
[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50
[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50
[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000
[1135630.349985] x17: 0000000000000000 x16: 0000000000000000
[1135630.359285] x15: 0000000000000000 x14: 0000000000000000
[1135630.368445] x13: 0000000000000000 x12: 0000000000000000
[1135630.377473] x11: 0000000000000000 x10: 0000000000000000
[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000
[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000
[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000
[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006
[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000
[1135630.429410] Call trace:
[1135630.434828] kprobe_perf_func+0x30/0x260
[1135630.441661] kprobe_dispatcher+0x44/0x60
[1135630.448396] aggr_pre_handler+0x70/0xc8
[1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0
[1135630.462435] brk_handler+0xbc/0xd8
[1135630.468437] do_debug_exception+0x84/0x138
[1135630.475074] el1_dbg+0x18/0x8c
[1135630.480582] security_file_permission+0x0/0xd0
[1135630.487426] vfs_write+0x70/0x1c0
[1135630.493059] ksys_write+0x5c/0xc8
[1135630.498638] __arm64_sys_write+0x24/0x30
[1135630.504821] el0_svc_common+0x78/0x130
[1135630.510838] el0_svc_handler+0x38/0x78
[1135630.516834] el0_svc+0x8/0x1b0
kernel/trace/trace_kprobe.c: 1308
0xffff3df8995039ec <kprobe_perf_func+0x2c>: ldr x21, [x24,#120]
include/linux/compiler.h: 294
0xffff3df8995039f0 <kprobe_perf_func+0x30>: ldr x1, [x21,x0]
kernel/trace/trace_kprobe.c
1308: head = this_cpu_ptr(call->perf_events);
1309: if (hlist_empty(head))
1310: return 0;
crash> struct trace_event_call -o
struct trace_event_call {
...
[120] struct hlist_head *perf_events; //(call->perf_event)
...
}
crash> struct trace_event_call ffffaf015340e528
struct trace_event_call {
...
perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0
...
}
Race Condition Analysis:
The race occurs between kprobe activation and perf_events initialization:
CPU0 CPU1
==== ====
perf_kprobe_init
perf_trace_event_init
tp_event->perf_events = list;(1)
tp_event->class->reg (2)← KPROBE ACTIVE
Debug exception triggers
...
kprobe_dispatcher
kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE)
head = this_cpu_ptr(call->perf_events)(3)
(perf_events is still NULL)
Problem:
1. CPU0 executes (1) assigning tp_event->perf_events = list
2. CPU0 executes (2) enabling kprobe functionality via class->reg()
3. CPU1 triggers and reaches kprobe_dispatcher
4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)
5. CPU1 calls kprobe_perf_func() and crashes at (3) because
call->perf_events is still NULL
CPU1 sees that kprobe functionality is enabled but does not see that
perf_events has been assigned.
Add pairing read an
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
50d780560785b068c358675c5f0bf6c83b5c373e , < 07926ce598a95de6fd874a74fb510e2ebdfd0aae
(git)
Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 9c4951b691bb8d7a004acd010f45144391f85ea6 (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 95dd33361061f808d1f68616d69ada639e737cfa (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < a6e89ada1ff6b70df73f579071ffa6ade8ae7f98 (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 1a301228c0a8aedc3154fb1a274456f487416b96 (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 0fa388ab2c290ef1115ff88ae88e881d0fb2db02 (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 5ebea6561649d30ec7a18fea23d7f76738dae916 (git) Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_fprobe.c",
"kernel/trace/trace_kprobe.c",
"kernel/trace/trace_probe.h",
"kernel/trace/trace_uprobe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07926ce598a95de6fd874a74fb510e2ebdfd0aae",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "9c4951b691bb8d7a004acd010f45144391f85ea6",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "95dd33361061f808d1f68616d69ada639e737cfa",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "a6e89ada1ff6b70df73f579071ffa6ade8ae7f98",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "1a301228c0a8aedc3154fb1a274456f487416b96",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "0fa388ab2c290ef1115ff88ae88e881d0fb2db02",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "5ebea6561649d30ec7a18fea23d7f76738dae916",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
},
{
"lessThan": "9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f",
"status": "affected",
"version": "50d780560785b068c358675c5f0bf6c83b5c373e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_fprobe.c",
"kernel/trace/trace_kprobe.c",
"kernel/trace/trace_probe.h",
"kernel/trace/trace_uprobe.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.195",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.157",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.54",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.195",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.157",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.113",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.54",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race condition in kprobe initialization causing NULL pointer dereference\n\nThere is a critical race condition in kprobe initialization that can lead to\nNULL pointer dereference and kernel crash.\n\n[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000\n...\n[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)\n[1135630.269239] pc : kprobe_perf_func+0x30/0x260\n[1135630.277643] lr : kprobe_dispatcher+0x44/0x60\n[1135630.286041] sp : ffffaeff4977fa40\n[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400\n[1135630.302837] x27: 0000000000000000 x26: 0000000000000000\n[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528\n[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50\n[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50\n[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000\n[1135630.349985] x17: 0000000000000000 x16: 0000000000000000\n[1135630.359285] x15: 0000000000000000 x14: 0000000000000000\n[1135630.368445] x13: 0000000000000000 x12: 0000000000000000\n[1135630.377473] x11: 0000000000000000 x10: 0000000000000000\n[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000\n[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000\n[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000\n[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006\n[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000\n[1135630.429410] Call trace:\n[1135630.434828] kprobe_perf_func+0x30/0x260\n[1135630.441661] kprobe_dispatcher+0x44/0x60\n[1135630.448396] aggr_pre_handler+0x70/0xc8\n[1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0\n[1135630.462435] brk_handler+0xbc/0xd8\n[1135630.468437] do_debug_exception+0x84/0x138\n[1135630.475074] el1_dbg+0x18/0x8c\n[1135630.480582] security_file_permission+0x0/0xd0\n[1135630.487426] vfs_write+0x70/0x1c0\n[1135630.493059] ksys_write+0x5c/0xc8\n[1135630.498638] __arm64_sys_write+0x24/0x30\n[1135630.504821] el0_svc_common+0x78/0x130\n[1135630.510838] el0_svc_handler+0x38/0x78\n[1135630.516834] el0_svc+0x8/0x1b0\n\nkernel/trace/trace_kprobe.c: 1308\n0xffff3df8995039ec \u003ckprobe_perf_func+0x2c\u003e: ldr x21, [x24,#120]\ninclude/linux/compiler.h: 294\n0xffff3df8995039f0 \u003ckprobe_perf_func+0x30\u003e: ldr x1, [x21,x0]\n\nkernel/trace/trace_kprobe.c\n1308: head = this_cpu_ptr(call-\u003eperf_events);\n1309: if (hlist_empty(head))\n1310: \treturn 0;\n\ncrash\u003e struct trace_event_call -o\nstruct trace_event_call {\n ...\n [120] struct hlist_head *perf_events; //(call-\u003eperf_event)\n ...\n}\n\ncrash\u003e struct trace_event_call ffffaf015340e528\nstruct trace_event_call {\n ...\n perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0\n ...\n}\n\nRace Condition Analysis:\n\nThe race occurs between kprobe activation and perf_events initialization:\n\n CPU0 CPU1\n ==== ====\n perf_kprobe_init\n perf_trace_event_init\n tp_event-\u003eperf_events = list;(1)\n tp_event-\u003eclass-\u003ereg (2)\u2190 KPROBE ACTIVE\n Debug exception triggers\n ...\n kprobe_dispatcher\n kprobe_perf_func (tk-\u003etp.flags \u0026 TP_FLAG_PROFILE)\n head = this_cpu_ptr(call-\u003eperf_events)(3)\n (perf_events is still NULL)\n\nProblem:\n1. CPU0 executes (1) assigning tp_event-\u003eperf_events = list\n2. CPU0 executes (2) enabling kprobe functionality via class-\u003ereg()\n3. CPU1 triggers and reaches kprobe_dispatcher\n4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)\n5. CPU1 calls kprobe_perf_func() and crashes at (3) because\n call-\u003eperf_events is still NULL\n\nCPU1 sees that kprobe functionality is enabled but does not see that\nperf_events has been assigned.\n\nAdd pairing read an\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T06:16:46.821Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07926ce598a95de6fd874a74fb510e2ebdfd0aae"
},
{
"url": "https://git.kernel.org/stable/c/9c4951b691bb8d7a004acd010f45144391f85ea6"
},
{
"url": "https://git.kernel.org/stable/c/95dd33361061f808d1f68616d69ada639e737cfa"
},
{
"url": "https://git.kernel.org/stable/c/a6e89ada1ff6b70df73f579071ffa6ade8ae7f98"
},
{
"url": "https://git.kernel.org/stable/c/1a301228c0a8aedc3154fb1a274456f487416b96"
},
{
"url": "https://git.kernel.org/stable/c/0fa388ab2c290ef1115ff88ae88e881d0fb2db02"
},
{
"url": "https://git.kernel.org/stable/c/5ebea6561649d30ec7a18fea23d7f76738dae916"
},
{
"url": "https://git.kernel.org/stable/c/9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f"
}
],
"title": "tracing: Fix race condition in kprobe initialization causing NULL pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40042",
"datePublished": "2025-10-28T11:48:21.638Z",
"dateReserved": "2025-04-16T07:20:57.154Z",
"dateUpdated": "2025-12-01T06:16:46.821Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40324 (GCVE-0-2025-40324)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46
VLAI?
EPSS
Title
NFSD: Fix crash in nfsd4_read_release()
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix crash in nfsd4_read_release()
When tracing is enabled, the trace_nfsd_read_done trace point
crashes during the pynfs read.testNoFh test.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
65a33135e91e6dd661ecdf1194b9d90c49ae3570 , < 930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1
(git)
Affected: b11d8162c24af4a351d21e2c804d25ca493305e3 , < 375fdd8993cecc48afa359728a6e70b280dde1c8 (git) Affected: b623a8e5d38a69a3ef8644acb1030dd7c7bc28b3 , < 2ac46606b2cc49e78d8e3d8f2685e79e9ba73020 (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < 03524ccff698d4a77d096ed529073d91f5edee5d (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < a4948875ed0599c037dc438c11891c9012721b1d (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < 8f244b773c63fa480c9a3bd1ae04f5272f285e89 (git) Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < abb1f08a2121dd270193746e43b2a9373db9ad84 (git) Affected: 3d0dcada384af22dec764c8374a2997870ec86ae (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1",
"status": "affected",
"version": "65a33135e91e6dd661ecdf1194b9d90c49ae3570",
"versionType": "git"
},
{
"lessThan": "375fdd8993cecc48afa359728a6e70b280dde1c8",
"status": "affected",
"version": "b11d8162c24af4a351d21e2c804d25ca493305e3",
"versionType": "git"
},
{
"lessThan": "2ac46606b2cc49e78d8e3d8f2685e79e9ba73020",
"status": "affected",
"version": "b623a8e5d38a69a3ef8644acb1030dd7c7bc28b3",
"versionType": "git"
},
{
"lessThan": "03524ccff698d4a77d096ed529073d91f5edee5d",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "a4948875ed0599c037dc438c11891c9012721b1d",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "8f244b773c63fa480c9a3bd1ae04f5272f285e89",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"lessThan": "abb1f08a2121dd270193746e43b2a9373db9ad84",
"status": "affected",
"version": "15a8b55dbb1ba154d82627547c5761cac884d810",
"versionType": "git"
},
{
"status": "affected",
"version": "3d0dcada384af22dec764c8374a2997870ec86ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/nfs4proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "5.10.220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.15.154",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "6.1.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix crash in nfsd4_read_release()\n\nWhen tracing is enabled, the trace_nfsd_read_done trace point\ncrashes during the pynfs read.testNoFh test."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T00:46:51.912Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1"
},
{
"url": "https://git.kernel.org/stable/c/375fdd8993cecc48afa359728a6e70b280dde1c8"
},
{
"url": "https://git.kernel.org/stable/c/2ac46606b2cc49e78d8e3d8f2685e79e9ba73020"
},
{
"url": "https://git.kernel.org/stable/c/03524ccff698d4a77d096ed529073d91f5edee5d"
},
{
"url": "https://git.kernel.org/stable/c/a4948875ed0599c037dc438c11891c9012721b1d"
},
{
"url": "https://git.kernel.org/stable/c/8f244b773c63fa480c9a3bd1ae04f5272f285e89"
},
{
"url": "https://git.kernel.org/stable/c/abb1f08a2121dd270193746e43b2a9373db9ad84"
}
],
"title": "NFSD: Fix crash in nfsd4_read_release()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40324",
"datePublished": "2025-12-08T00:46:51.912Z",
"dateReserved": "2025-04-16T07:20:57.186Z",
"dateUpdated": "2025-12-08T00:46:51.912Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53999 (GCVE-0-2023-53999)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
EPSS
Title
net/mlx5e: TC, Fix internal port memory leak
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: TC, Fix internal port memory leak
The flow rule can be splited, and the extra post_act rules are added
to post_act table. It's possible to trigger memleak when the rule
forwards packets from internal port and over tunnel, in the case that,
for example, CT 'new' state offload is allowed. As int_port object is
assigned to the flow attribute of post_act rule, and its refcnt is
incremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is
not called, the refcnt is never decremented, then int_port is never
freed.
The kmemleak reports the following error:
unreferenced object 0xffff888128204b80 (size 64):
comm "handler20", pid 50121, jiffies 4296973009 (age 642.932s)
hex dump (first 32 bytes):
01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ................
98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA.....wgA....
backtrace:
[<00000000e992680d>] kmalloc_trace+0x27/0x120
[<000000009e945a98>] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core]
[<0000000035a537f0>] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core]
[<0000000070c2cec6>] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]
[<000000005cc84048>] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core]
[<000000004f8a2031>] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core]
[<000000007df797dc>] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core]
[<0000000016c15cc3>] tc_setup_cb_add+0x1cf/0x410
[<00000000a63305b4>] fl_hw_replace_filter+0x38f/0x670 [cls_flower]
[<000000008bc9e77c>] fl_change+0x1fd5/0x4430 [cls_flower]
[<00000000e7f766e4>] tc_new_tfilter+0x867/0x2010
[<00000000e101c0ef>] rtnetlink_rcv_msg+0x6fc/0x9f0
[<00000000e1111d44>] netlink_rcv_skb+0x12c/0x360
[<0000000082dd6c8b>] netlink_unicast+0x438/0x710
[<00000000fc568f70>] netlink_sendmsg+0x794/0xc50
[<0000000016e92590>] sock_sendmsg+0xc5/0x190
So fix this by moving int_port cleanup code to the flow attribute
free helper, which is used by all the attribute free cases.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bc1918bac0f30e3f551ef5649b53062917db55fa",
"status": "affected",
"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
"versionType": "git"
},
{
"lessThan": "ac5da544a3c2047cbfd715acd9cec8380d7fe5c6",
"status": "affected",
"version": "8300f225268be9ee2c0daf5a3f23929fcdcbf213",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, Fix internal port memory leak\n\nThe flow rule can be splited, and the extra post_act rules are added\nto post_act table. It\u0027s possible to trigger memleak when the rule\nforwards packets from internal port and over tunnel, in the case that,\nfor example, CT \u0027new\u0027 state offload is allowed. As int_port object is\nassigned to the flow attribute of post_act rule, and its refcnt is\nincremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is\nnot called, the refcnt is never decremented, then int_port is never\nfreed.\n\nThe kmemleak reports the following error:\nunreferenced object 0xffff888128204b80 (size 64):\n comm \"handler20\", pid 50121, jiffies 4296973009 (age 642.932s)\n hex dump (first 32 bytes):\n 01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ................\n 98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA.....wgA....\n backtrace:\n [\u003c00000000e992680d\u003e] kmalloc_trace+0x27/0x120\n [\u003c000000009e945a98\u003e] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core]\n [\u003c0000000035a537f0\u003e] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core]\n [\u003c0000000070c2cec6\u003e] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core]\n [\u003c000000005cc84048\u003e] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core]\n [\u003c000000004f8a2031\u003e] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core]\n [\u003c000000007df797dc\u003e] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core]\n [\u003c0000000016c15cc3\u003e] tc_setup_cb_add+0x1cf/0x410\n [\u003c00000000a63305b4\u003e] fl_hw_replace_filter+0x38f/0x670 [cls_flower]\n [\u003c000000008bc9e77c\u003e] fl_change+0x1fd5/0x4430 [cls_flower]\n [\u003c00000000e7f766e4\u003e] tc_new_tfilter+0x867/0x2010\n [\u003c00000000e101c0ef\u003e] rtnetlink_rcv_msg+0x6fc/0x9f0\n [\u003c00000000e1111d44\u003e] netlink_rcv_skb+0x12c/0x360\n [\u003c0000000082dd6c8b\u003e] netlink_unicast+0x438/0x710\n [\u003c00000000fc568f70\u003e] netlink_sendmsg+0x794/0xc50\n [\u003c0000000016e92590\u003e] sock_sendmsg+0xc5/0x190\n\nSo fix this by moving int_port cleanup code to the flow attribute\nfree helper, which is used by all the attribute free cases."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T10:55:35.523Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bc1918bac0f30e3f551ef5649b53062917db55fa"
},
{
"url": "https://git.kernel.org/stable/c/ac5da544a3c2047cbfd715acd9cec8380d7fe5c6"
}
],
"title": "net/mlx5e: TC, Fix internal port memory leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53999",
"datePublished": "2025-12-24T10:55:35.523Z",
"dateReserved": "2025-12-24T10:53:46.176Z",
"dateUpdated": "2025-12-24T10:55:35.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53781 (GCVE-0-2023-53781)
Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00
VLAI?
EPSS
Title
smc: Fix use-after-free in tcp_write_timer_handler().
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc: Fix use-after-free in tcp_write_timer_handler().
With Eric's ref tracker, syzbot finally found a repro for
use-after-free in tcp_write_timer_handler() by kernel TCP
sockets. [0]
If SMC creates a kernel socket in __smc_create(), the kernel
socket is supposed to be freed in smc_clcsock_release() by
calling sock_release() when we close() the parent SMC socket.
However, at the end of smc_clcsock_release(), the kernel
socket's sk_state might not be TCP_CLOSE. This means that
we have not called inet_csk_destroy_sock() in __tcp_close()
and have not stopped the TCP timers.
The kernel socket's TCP timers can be fired later, so we
need to hold a refcnt for net as we do for MPTCP subflows
in mptcp_subflow_create_socket().
[0]:
leaked reference.
sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)
inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)
__sock_create (net/socket.c:1546)
smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)
__sock_create (net/socket.c:1546)
__sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)
__x64_sys_socket (net/socket.c:1672)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
==================================================================
BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)
Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091
CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:107)
print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
kasan_report (mm/kasan/report.c:538)
tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)
tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)
call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)
__run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)
run_timer_softirq (kernel/time/timer.c:2037)
__do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
__irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)
irq_exit_rcu (kernel/softirq.c:664)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))
</IRQ>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1cc41c8acfc1ee30b4868559058db97fa44b0137",
"status": "affected",
"version": "ac7138746e14137a451f8539614cdd349153e0c0",
"versionType": "git"
},
{
"lessThan": "9744d2bf19762703704ecba885b7ac282c02eacf",
"status": "affected",
"version": "ac7138746e14137a451f8539614cdd349153e0c0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix use-after-free in tcp_write_timer_handler().\n\nWith Eric\u0027s ref tracker, syzbot finally found a repro for\nuse-after-free in tcp_write_timer_handler() by kernel TCP\nsockets. [0]\n\nIf SMC creates a kernel socket in __smc_create(), the kernel\nsocket is supposed to be freed in smc_clcsock_release() by\ncalling sock_release() when we close() the parent SMC socket.\n\nHowever, at the end of smc_clcsock_release(), the kernel\nsocket\u0027s sk_state might not be TCP_CLOSE. This means that\nwe have not called inet_csk_destroy_sock() in __tcp_close()\nand have not stopped the TCP timers.\n\nThe kernel socket\u0027s TCP timers can be fired later, so we\nneed to hold a refcnt for net as we do for MPTCP subflows\nin mptcp_subflow_create_socket().\n\n[0]:\nleaked reference.\n sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)\n inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)\n __sock_create (net/socket.c:1546)\n smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)\n __sock_create (net/socket.c:1546)\n __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)\n __x64_sys_socket (net/socket.c:1672)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n==================================================================\nBUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\nRead of size 1 at addr ffff888052b65e0d by task syzrepro/18091\n\nCPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:107)\n print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)\n kasan_report (mm/kasan/report.c:538)\n tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\n tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)\n run_timer_softirq (kernel/time/timer.c:2037)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)\n __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)\n irq_exit_rcu (kernel/softirq.c:664)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:00:36.831Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1cc41c8acfc1ee30b4868559058db97fa44b0137"
},
{
"url": "https://git.kernel.org/stable/c/9744d2bf19762703704ecba885b7ac282c02eacf"
}
],
"title": "smc: Fix use-after-free in tcp_write_timer_handler().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53781",
"datePublished": "2025-12-09T00:00:36.831Z",
"dateReserved": "2025-12-08T23:58:35.272Z",
"dateUpdated": "2025-12-09T00:00:36.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68190 (GCVE-0-2025-68190)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()
kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws
remains NULL while ectx.ws_size is set, leading to a potential NULL
pointer dereference in atom_get_src_int() when accessing WS entries.
Return -ENOMEM on allocation failure to avoid the NULL dereference.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 35f3fb86bb0158a298d6834e7e110dcaf07f490c
(git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 997e28d3d00a1d30649629515e4402612921205b (git) Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < cc9a8e238e42c1f43b98c097995137d644b69245 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/atom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "35f3fb86bb0158a298d6834e7e110dcaf07f490c",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "997e28d3d00a1d30649629515e4402612921205b",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
},
{
"lessThan": "cc9a8e238e42c1f43b98c097995137d644b69245",
"status": "affected",
"version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/atom.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()\n\nkcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws\nremains NULL while ectx.ws_size is set, leading to a potential NULL\npointer dereference in atom_get_src_int() when accessing WS entries.\n\nReturn -ENOMEM on allocation failure to avoid the NULL dereference."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:18.560Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/35f3fb86bb0158a298d6834e7e110dcaf07f490c"
},
{
"url": "https://git.kernel.org/stable/c/997e28d3d00a1d30649629515e4402612921205b"
},
{
"url": "https://git.kernel.org/stable/c/cc9a8e238e42c1f43b98c097995137d644b69245"
}
],
"title": "drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68190",
"datePublished": "2025-12-16T13:43:12.297Z",
"dateReserved": "2025-12-16T13:41:40.253Z",
"dateUpdated": "2026-01-02T15:34:18.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38618 (GCVE-0-2025-38618)
Vulnerability from cvelistv5 – Published: 2025-08-22 13:01 – Updated: 2025-11-03 17:40
VLAI?
EPSS
Title
vsock: Do not allow binding to VMADDR_PORT_ANY
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: Do not allow binding to VMADDR_PORT_ANY
It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
cause a use-after-free when a connection is made to the bound socket.
The socket returned by accept() also has port VMADDR_PORT_ANY but is not
on the list of unbound sockets. Binding it will result in an extra
refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep
the binding until socket destruction).
Modify the check in __vsock_bind_connectible() to also prevent binding
to VMADDR_PORT_ANY.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d021c344051af91f42c5ba9fdedc176740cbd238 , < c04a2c1ca25b9b23104124d3b2d349d934e302de
(git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < d1a5b1964cef42727668ac0d8532dae4f8c19386 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < cf86704798c1b9c46fa59dfc2d662f57d1394d79 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < f138be5d7f301fddad4e65ec66dfc3ceebf79be3 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 44bd006d5c93f6a8f28b106cbae2428c5d0275b7 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 32950b1907919be86a7a2697d6f93d57068b3865 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 8f01093646b49f6330bb2d36761983fd829472b1 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < d73960f0cf03ef1dc9e96ec7a20e538accc26d87 (git) Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < aba0c94f61ec05315fa7815d21aefa4c87f6a9f4 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:30.483Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c04a2c1ca25b9b23104124d3b2d349d934e302de",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "d1a5b1964cef42727668ac0d8532dae4f8c19386",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "cf86704798c1b9c46fa59dfc2d662f57d1394d79",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "f138be5d7f301fddad4e65ec66dfc3ceebf79be3",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "44bd006d5c93f6a8f28b106cbae2428c5d0275b7",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "32950b1907919be86a7a2697d6f93d57068b3865",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "8f01093646b49f6330bb2d36761983fd829472b1",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "d73960f0cf03ef1dc9e96ec7a20e538accc26d87",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
},
{
"lessThan": "aba0c94f61ec05315fa7815d21aefa4c87f6a9f4",
"status": "affected",
"version": "d021c344051af91f42c5ba9fdedc176740cbd238",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Do not allow binding to VMADDR_PORT_ANY\n\nIt is possible for a vsock to autobind to VMADDR_PORT_ANY. This can\ncause a use-after-free when a connection is made to the bound socket.\nThe socket returned by accept() also has port VMADDR_PORT_ANY but is not\non the list of unbound sockets. Binding it will result in an extra\nrefcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep\nthe binding until socket destruction).\n\nModify the check in __vsock_bind_connectible() to also prevent binding\nto VMADDR_PORT_ANY."
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T05:54:53.408Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c04a2c1ca25b9b23104124d3b2d349d934e302de"
},
{
"url": "https://git.kernel.org/stable/c/d1a5b1964cef42727668ac0d8532dae4f8c19386"
},
{
"url": "https://git.kernel.org/stable/c/cf86704798c1b9c46fa59dfc2d662f57d1394d79"
},
{
"url": "https://git.kernel.org/stable/c/f138be5d7f301fddad4e65ec66dfc3ceebf79be3"
},
{
"url": "https://git.kernel.org/stable/c/44bd006d5c93f6a8f28b106cbae2428c5d0275b7"
},
{
"url": "https://git.kernel.org/stable/c/32950b1907919be86a7a2697d6f93d57068b3865"
},
{
"url": "https://git.kernel.org/stable/c/8f01093646b49f6330bb2d36761983fd829472b1"
},
{
"url": "https://git.kernel.org/stable/c/d73960f0cf03ef1dc9e96ec7a20e538accc26d87"
},
{
"url": "https://git.kernel.org/stable/c/aba0c94f61ec05315fa7815d21aefa4c87f6a9f4"
}
],
"title": "vsock: Do not allow binding to VMADDR_PORT_ANY",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38618",
"datePublished": "2025-08-22T13:01:24.678Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2025-11-03T17:40:30.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53761 (GCVE-0-2023-53761)
Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2026-01-05 10:32
VLAI?
EPSS
Title
USB: usbtmc: Fix direction for 0-length ioctl control messages
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: usbtmc: Fix direction for 0-length ioctl control messages
The syzbot fuzzer found a problem in the usbtmc driver: When a user
submits an ioctl for a 0-length control transfer, the driver does not
check that the direction is set to OUT:
------------[ cut here ]------------
usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd
WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
Modules linked in:
CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41
RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000
RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001
RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528
R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100
FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153
usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]
usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097
To fix this, we must override the direction in the bRequestType field
of the control request structure when the length is 0.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 7cef7681aa7719ff585dd06113a061ab2def7da0
(git)
Affected: 658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 6340e432cf70bf156b19c6f5dd737d940eca02a3 (git) Affected: 658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 3b43d9df27a708f4079d518b879f517fea150a91 (git) Affected: 658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 0ced12bdf624d8d8977ddb16eb130cd479d92bcf (git) Affected: 658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 50775a046c68e1d157d5e413cae2e5e00da1c463 (git) Affected: 658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 94d25e9128988c6a1fc9070f6e98215a95795bd8 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/class/usbtmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7cef7681aa7719ff585dd06113a061ab2def7da0",
"status": "affected",
"version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
"versionType": "git"
},
{
"lessThan": "6340e432cf70bf156b19c6f5dd737d940eca02a3",
"status": "affected",
"version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
"versionType": "git"
},
{
"lessThan": "3b43d9df27a708f4079d518b879f517fea150a91",
"status": "affected",
"version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
"versionType": "git"
},
{
"lessThan": "0ced12bdf624d8d8977ddb16eb130cd479d92bcf",
"status": "affected",
"version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
"versionType": "git"
},
{
"lessThan": "50775a046c68e1d157d5e413cae2e5e00da1c463",
"status": "affected",
"version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
"versionType": "git"
},
{
"lessThan": "94d25e9128988c6a1fc9070f6e98215a95795bd8",
"status": "affected",
"version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/class/usbtmc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.244",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.113",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.244",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.181",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.113",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.30",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usbtmc: Fix direction for 0-length ioctl control messages\n\nThe syzbot fuzzer found a problem in the usbtmc driver: When a user\nsubmits an ioctl for a 0-length control transfer, the driver does not\ncheck that the direction is set to OUT:\n\n------------[ cut here ]------------\nusb 3-1: BOGUS control dir, pipe 80000b80 doesn\u0027t match bRequestType fd\nWARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nModules linked in:\nCPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nCode: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb \u003c0f\u003e 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41\nRSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000\nRDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001\nRBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528\nR13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100\nFS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\n usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]\n usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097\n\nTo fix this, we must override the direction in the bRequestType field\nof the control request structure when the length is 0."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:32:46.948Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7cef7681aa7719ff585dd06113a061ab2def7da0"
},
{
"url": "https://git.kernel.org/stable/c/6340e432cf70bf156b19c6f5dd737d940eca02a3"
},
{
"url": "https://git.kernel.org/stable/c/3b43d9df27a708f4079d518b879f517fea150a91"
},
{
"url": "https://git.kernel.org/stable/c/0ced12bdf624d8d8977ddb16eb130cd479d92bcf"
},
{
"url": "https://git.kernel.org/stable/c/50775a046c68e1d157d5e413cae2e5e00da1c463"
},
{
"url": "https://git.kernel.org/stable/c/94d25e9128988c6a1fc9070f6e98215a95795bd8"
}
],
"title": "USB: usbtmc: Fix direction for 0-length ioctl control messages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53761",
"datePublished": "2025-12-08T01:19:22.571Z",
"dateReserved": "2025-12-08T01:18:04.280Z",
"dateUpdated": "2026-01-05T10:32:46.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40149 (GCVE-0-2025-40149)
Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2026-01-17 15:46
VLAI?
EPSS
Title
tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
get_netdev_for_sock() is called during setsockopt(),
so not under RCU.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dst_dev_rcu().
Note that the only ->ndo_sk_get_lower_dev() user is
bond_sk_get_lower_dev(), which uses RCU.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e8f69799810c32dd40c6724d829eccc70baad07f , < e37ca0092ddace60833790b4ad7a390408fb1be9
(git)
Affected: e8f69799810c32dd40c6724d829eccc70baad07f , < 13159c7125636371543a82cb7bbae00ab36730cc (git) Affected: e8f69799810c32dd40c6724d829eccc70baad07f , < f09cd209359a23f88d4f3fa3d2379d057027e53c (git) Affected: e8f69799810c32dd40c6724d829eccc70baad07f , < feb474ddbf26b51f462ae2e60a12013bdcfc5407 (git) Affected: e8f69799810c32dd40c6724d829eccc70baad07f , < c65f27b9c3be2269918e1cbad6d8884741f835c5 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e37ca0092ddace60833790b4ad7a390408fb1be9",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "13159c7125636371543a82cb7bbae00ab36730cc",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "f09cd209359a23f88d4f3fa3d2379d057027e53c",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "feb474ddbf26b51f462ae2e60a12013bdcfc5407",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
},
{
"lessThan": "c65f27b9c3be2269918e1cbad6d8884741f835c5",
"status": "affected",
"version": "e8f69799810c32dd40c6724d829eccc70baad07f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.18"
},
{
"lessThan": "4.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.161",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.121",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.66",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.161",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.121",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.66",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "4.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().\n\nget_netdev_for_sock() is called during setsockopt(),\nso not under RCU.\n\nUsing sk_dst_get(sk)-\u003edev could trigger UAF.\n\nLet\u0027s use __sk_dst_get() and dst_dev_rcu().\n\nNote that the only -\u003endo_sk_get_lower_dev() user is\nbond_sk_get_lower_dev(), which uses RCU."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T15:46:01.470Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e37ca0092ddace60833790b4ad7a390408fb1be9"
},
{
"url": "https://git.kernel.org/stable/c/13159c7125636371543a82cb7bbae00ab36730cc"
},
{
"url": "https://git.kernel.org/stable/c/f09cd209359a23f88d4f3fa3d2379d057027e53c"
},
{
"url": "https://git.kernel.org/stable/c/feb474ddbf26b51f462ae2e60a12013bdcfc5407"
},
{
"url": "https://git.kernel.org/stable/c/c65f27b9c3be2269918e1cbad6d8884741f835c5"
}
],
"title": "tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40149",
"datePublished": "2025-11-12T10:23:27.122Z",
"dateReserved": "2025-04-16T07:20:57.175Z",
"dateUpdated": "2026-01-17T15:46:01.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50673 (GCVE-0-2022-50673)
Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-23 13:30
VLAI?
EPSS
Title
ext4: fix use-after-free in ext4_orphan_cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in ext4_orphan_cleanup
I caught a issue as follows:
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0
Read of size 8 at addr ffff88814b13f378 by task mount/710
CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370
Call Trace:
<TASK>
dump_stack_lvl+0x73/0x9f
print_report+0x25d/0x759
kasan_report+0xc0/0x120
__asan_load8+0x99/0x140
__list_add_valid+0x28/0x1a0
ext4_orphan_cleanup+0x564/0x9d0 [ext4]
__ext4_fill_super+0x48e2/0x5300 [ext4]
ext4_fill_super+0x19f/0x3a0 [ext4]
get_tree_bdev+0x27b/0x450
ext4_get_tree+0x19/0x30 [ext4]
vfs_get_tree+0x49/0x150
path_mount+0xaae/0x1350
do_mount+0xe2/0x110
__x64_sys_mount+0xf0/0x190
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
ext4_orphan_cleanup
--- loop1: assume last_orphan is 12 ---
list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)
ext4_truncate --> return 0
ext4_inode_attach_jinode --> return -ENOMEM
iput(inode) --> free inode<12>
--- loop2: last_orphan is still 12 ---
list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);
// use inode<12> and trigger UAF
To solve this issue, we need to propagate the return value of
ext4_inode_attach_jinode() appropriately.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < 7f801a1593cb957f73659732836b2dafbdfc7709
(git)
Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < 026a4490b5381229a30f23d073b58e8e35ee6858 (git) Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < 7223d5e75f26352354ea2c0ccf8b579821b52adf (git) Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < cf0e0817b0f925b70d101d7014ea81b7094e1159 (git) Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < c2bdbd4c69308835d1b6f6ba74feeccbfe113478 (git) Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < 7908b8a541b1578cc61b4da7f19b604a931441da (git) Affected: 2c98eb5ea249767bbc11cf4e70e91d5b0458ed13 , < a71248b1accb2b42e4980afef4fa4a27fa0e36f5 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f801a1593cb957f73659732836b2dafbdfc7709",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "026a4490b5381229a30f23d073b58e8e35ee6858",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "7223d5e75f26352354ea2c0ccf8b579821b52adf",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "cf0e0817b0f925b70d101d7014ea81b7094e1159",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "c2bdbd4c69308835d1b6f6ba74feeccbfe113478",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "7908b8a541b1578cc61b4da7f19b604a931441da",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
},
{
"lessThan": "a71248b1accb2b42e4980afef4fa4a27fa0e36f5",
"status": "affected",
"version": "2c98eb5ea249767bbc11cf4e70e91d5b0458ed13",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in ext4_orphan_cleanup\n\nI caught a issue as follows:\n==================================================================\n BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0\n Read of size 8 at addr ffff88814b13f378 by task mount/710\n\n CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x73/0x9f\n print_report+0x25d/0x759\n kasan_report+0xc0/0x120\n __asan_load8+0x99/0x140\n __list_add_valid+0x28/0x1a0\n ext4_orphan_cleanup+0x564/0x9d0 [ext4]\n __ext4_fill_super+0x48e2/0x5300 [ext4]\n ext4_fill_super+0x19f/0x3a0 [ext4]\n get_tree_bdev+0x27b/0x450\n ext4_get_tree+0x19/0x30 [ext4]\n vfs_get_tree+0x49/0x150\n path_mount+0xaae/0x1350\n do_mount+0xe2/0x110\n __x64_sys_mount+0xf0/0x190\n do_syscall_64+0x35/0x80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e\n [...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_orphan_cleanup\n --- loop1: assume last_orphan is 12 ---\n list_add(\u0026EXT4_I(inode)-\u003ei_orphan, \u0026EXT4_SB(sb)-\u003es_orphan)\n ext4_truncate --\u003e return 0\n ext4_inode_attach_jinode --\u003e return -ENOMEM\n iput(inode) --\u003e free inode\u003c12\u003e\n --- loop2: last_orphan is still 12 ---\n list_add(\u0026EXT4_I(inode)-\u003ei_orphan, \u0026EXT4_SB(sb)-\u003es_orphan);\n // use inode\u003c12\u003e and trigger UAF\n\nTo solve this issue, we need to propagate the return value of\next4_inode_attach_jinode() appropriately."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:30:30.545Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f801a1593cb957f73659732836b2dafbdfc7709"
},
{
"url": "https://git.kernel.org/stable/c/026a4490b5381229a30f23d073b58e8e35ee6858"
},
{
"url": "https://git.kernel.org/stable/c/7223d5e75f26352354ea2c0ccf8b579821b52adf"
},
{
"url": "https://git.kernel.org/stable/c/cf0e0817b0f925b70d101d7014ea81b7094e1159"
},
{
"url": "https://git.kernel.org/stable/c/c2bdbd4c69308835d1b6f6ba74feeccbfe113478"
},
{
"url": "https://git.kernel.org/stable/c/7908b8a541b1578cc61b4da7f19b604a931441da"
},
{
"url": "https://git.kernel.org/stable/c/a71248b1accb2b42e4980afef4fa4a27fa0e36f5"
}
],
"title": "ext4: fix use-after-free in ext4_orphan_cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50673",
"datePublished": "2025-12-09T01:29:25.220Z",
"dateReserved": "2025-12-09T01:26:45.991Z",
"dateUpdated": "2025-12-23T13:30:30.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54280 (GCVE-0-2023-54280)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-05 11:37
VLAI?
EPSS
Title
cifs: fix potential race when tree connecting ipc
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix potential race when tree connecting ipc
Protect access of TCP_Server_Info::hostname when building the ipc tree
name as it might get freed in cifsd thread and thus causing an
use-after-free bug in __tree_connect_dfs_target(). Also, while at it,
update status of IPC tcon on success and then avoid any extra tree
connects.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c88f7dcd6d6429197fc2fd87b54a894ffcd48e8e , < 536ec71ba060a02fabe8e22cecb82fe7b3a8708b
(git)
Affected: c88f7dcd6d6429197fc2fd87b54a894ffcd48e8e , < 553476df55a111e6a66ad9155256aec0ec1b7ad0 (git) Affected: c88f7dcd6d6429197fc2fd87b54a894ffcd48e8e , < ee20d7c6100752eaf2409d783f4f1449c29ea33d (git) Affected: 81d583baa5f1abd73c755ce1992929debd20b687 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/dfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "536ec71ba060a02fabe8e22cecb82fe7b3a8708b",
"status": "affected",
"version": "c88f7dcd6d6429197fc2fd87b54a894ffcd48e8e",
"versionType": "git"
},
{
"lessThan": "553476df55a111e6a66ad9155256aec0ec1b7ad0",
"status": "affected",
"version": "c88f7dcd6d6429197fc2fd87b54a894ffcd48e8e",
"versionType": "git"
},
{
"lessThan": "ee20d7c6100752eaf2409d783f4f1449c29ea33d",
"status": "affected",
"version": "c88f7dcd6d6429197fc2fd87b54a894ffcd48e8e",
"versionType": "git"
},
{
"status": "affected",
"version": "81d583baa5f1abd73c755ce1992929debd20b687",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/dfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.15",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.3.*",
"status": "unaffected",
"version": "6.3.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.15",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3.2",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.81",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential race when tree connecting ipc\n\nProtect access of TCP_Server_Info::hostname when building the ipc tree\nname as it might get freed in cifsd thread and thus causing an\nuse-after-free bug in __tree_connect_dfs_target(). Also, while at it,\nupdate status of IPC tcon on success and then avoid any extra tree\nconnects."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T11:37:13.944Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/536ec71ba060a02fabe8e22cecb82fe7b3a8708b"
},
{
"url": "https://git.kernel.org/stable/c/553476df55a111e6a66ad9155256aec0ec1b7ad0"
},
{
"url": "https://git.kernel.org/stable/c/ee20d7c6100752eaf2409d783f4f1449c29ea33d"
}
],
"title": "cifs: fix potential race when tree connecting ipc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54280",
"datePublished": "2025-12-30T12:23:22.335Z",
"dateReserved": "2025-12-30T12:06:44.525Z",
"dateUpdated": "2026-01-05T11:37:13.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50736 (GCVE-0-2022-50736)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22
VLAI?
EPSS
Title
RDMA/siw: Fix immediate work request flush to completion queue
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/siw: Fix immediate work request flush to completion queue
Correctly set send queue element opcode during immediate work request
flushing in post sendqueue operation, if the QP is in ERROR state.
An undefined ocode value results in out-of-bounds access to an array
for mapping the opcode between siw internal and RDMA core representation
in work completion generation. It resulted in a KASAN BUG report
of type 'global-out-of-bounds' during NFSoRDMA testing.
This patch further fixes a potential case of a malicious user which may
write undefined values for completion queue elements status or opcode,
if the CQ is memory mapped to user land. It avoids the same out-of-bounds
access to arrays for status and opcode mapping as described above.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 6af043089d3f1210776d19b6fdabea610d4c7699
(git)
Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 75af03fdf35acf15a3977f7115f6b8d10dff4bc7 (git) Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < f8d8fbd3b6d6cc3f25790cca5cffe8ded512fef6 (git) Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 355d2eca68c10d713a42f68e62044b3d1c300471 (git) Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < f3d26a8589dfdeff328779b511f71fb90b10005e (git) Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < bdf1da5df9da680589a7f74448dd0a94dd3e1446 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/siw/siw_cq.c",
"drivers/infiniband/sw/siw/siw_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6af043089d3f1210776d19b6fdabea610d4c7699",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
},
{
"lessThan": "75af03fdf35acf15a3977f7115f6b8d10dff4bc7",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
},
{
"lessThan": "f8d8fbd3b6d6cc3f25790cca5cffe8ded512fef6",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
},
{
"lessThan": "355d2eca68c10d713a42f68e62044b3d1c300471",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
},
{
"lessThan": "f3d26a8589dfdeff328779b511f71fb90b10005e",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
},
{
"lessThan": "bdf1da5df9da680589a7f74448dd0a94dd3e1446",
"status": "affected",
"version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/siw/siw_cq.c",
"drivers/infiniband/sw/siw/siw_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.86",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.16",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix immediate work request flush to completion queue\n\nCorrectly set send queue element opcode during immediate work request\nflushing in post sendqueue operation, if the QP is in ERROR state.\nAn undefined ocode value results in out-of-bounds access to an array\nfor mapping the opcode between siw internal and RDMA core representation\nin work completion generation. It resulted in a KASAN BUG report\nof type \u0027global-out-of-bounds\u0027 during NFSoRDMA testing.\n\nThis patch further fixes a potential case of a malicious user which may\nwrite undefined values for completion queue elements status or opcode,\nif the CQ is memory mapped to user land. It avoids the same out-of-bounds\naccess to arrays for status and opcode mapping as described above."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:22:54.695Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6af043089d3f1210776d19b6fdabea610d4c7699"
},
{
"url": "https://git.kernel.org/stable/c/75af03fdf35acf15a3977f7115f6b8d10dff4bc7"
},
{
"url": "https://git.kernel.org/stable/c/f8d8fbd3b6d6cc3f25790cca5cffe8ded512fef6"
},
{
"url": "https://git.kernel.org/stable/c/355d2eca68c10d713a42f68e62044b3d1c300471"
},
{
"url": "https://git.kernel.org/stable/c/f3d26a8589dfdeff328779b511f71fb90b10005e"
},
{
"url": "https://git.kernel.org/stable/c/bdf1da5df9da680589a7f74448dd0a94dd3e1446"
}
],
"title": "RDMA/siw: Fix immediate work request flush to completion queue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50736",
"datePublished": "2025-12-24T12:22:54.695Z",
"dateReserved": "2025-12-24T12:20:40.331Z",
"dateUpdated": "2025-12-24T12:22:54.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50845 (GCVE-0-2022-50845)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2026-01-02 15:05
VLAI?
EPSS
Title
ext4: fix inode leak in ext4_xattr_inode_create() on an error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix inode leak in ext4_xattr_inode_create() on an error path
There is issue as follows when do setxattr with inject fault:
[localhost]# fsck.ext4 -fn /dev/sda
e2fsck 1.46.6-rc1 (12-Sep-2022)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Unattached zero-length inode 15. Clear? no
Unattached inode 15
Connect to /lost+found? no
Pass 5: Checking group summary information
/dev/sda: ********** WARNING: Filesystem still has errors **********
/dev/sda: 15/655360 files (0.0% non-contiguous), 66755/2621440 blocks
This occurs in 'ext4_xattr_inode_create()'. If 'ext4_mark_inode_dirty()'
fails, dropping i_nlink of the inode is needed. Or will lead to inode leak.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
bd3b963b273e247e13979f98812a6e4979b5c1e4 , < 0f709e08caffb41bbc9b38b9a4c1bd0769794007
(git)
Affected: bd3b963b273e247e13979f98812a6e4979b5c1e4 , < eab94a46560f68d4bcd15222701ced479f84f427 (git) Affected: bd3b963b273e247e13979f98812a6e4979b5c1e4 , < 9ef603086c5b796fde1c7f22a17d0fc826ba54cb (git) Affected: bd3b963b273e247e13979f98812a6e4979b5c1e4 , < 9882601ee689975c1c0076ee65bf222a2a35e535 (git) Affected: bd3b963b273e247e13979f98812a6e4979b5c1e4 , < 322cf639b0b7f137543072c55545adab782b3a25 (git) Affected: bd3b963b273e247e13979f98812a6e4979b5c1e4 , < fdaaf45786dc8c17a72901021772520fceb18f8c (git) Affected: bd3b963b273e247e13979f98812a6e4979b5c1e4 , < 70e5b46beba64706430a87a6d516054225e8ac8a (git) Affected: bd3b963b273e247e13979f98812a6e4979b5c1e4 , < e4db04f7d3dbbe16680e0ded27ea2a65b10f766a (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f709e08caffb41bbc9b38b9a4c1bd0769794007",
"status": "affected",
"version": "bd3b963b273e247e13979f98812a6e4979b5c1e4",
"versionType": "git"
},
{
"lessThan": "eab94a46560f68d4bcd15222701ced479f84f427",
"status": "affected",
"version": "bd3b963b273e247e13979f98812a6e4979b5c1e4",
"versionType": "git"
},
{
"lessThan": "9ef603086c5b796fde1c7f22a17d0fc826ba54cb",
"status": "affected",
"version": "bd3b963b273e247e13979f98812a6e4979b5c1e4",
"versionType": "git"
},
{
"lessThan": "9882601ee689975c1c0076ee65bf222a2a35e535",
"status": "affected",
"version": "bd3b963b273e247e13979f98812a6e4979b5c1e4",
"versionType": "git"
},
{
"lessThan": "322cf639b0b7f137543072c55545adab782b3a25",
"status": "affected",
"version": "bd3b963b273e247e13979f98812a6e4979b5c1e4",
"versionType": "git"
},
{
"lessThan": "fdaaf45786dc8c17a72901021772520fceb18f8c",
"status": "affected",
"version": "bd3b963b273e247e13979f98812a6e4979b5c1e4",
"versionType": "git"
},
{
"lessThan": "70e5b46beba64706430a87a6d516054225e8ac8a",
"status": "affected",
"version": "bd3b963b273e247e13979f98812a6e4979b5c1e4",
"versionType": "git"
},
{
"lessThan": "e4db04f7d3dbbe16680e0ded27ea2a65b10f766a",
"status": "affected",
"version": "bd3b963b273e247e13979f98812a6e4979b5c1e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ext4/xattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.18",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.4",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix inode leak in ext4_xattr_inode_create() on an error path\n\nThere is issue as follows when do setxattr with inject fault:\n\n[localhost]# fsck.ext4 -fn /dev/sda\ne2fsck 1.46.6-rc1 (12-Sep-2022)\nPass 1: Checking inodes, blocks, and sizes\nPass 2: Checking directory structure\nPass 3: Checking directory connectivity\nPass 4: Checking reference counts\nUnattached zero-length inode 15. Clear? no\n\nUnattached inode 15\nConnect to /lost+found? no\n\nPass 5: Checking group summary information\n\n/dev/sda: ********** WARNING: Filesystem still has errors **********\n\n/dev/sda: 15/655360 files (0.0% non-contiguous), 66755/2621440 blocks\n\nThis occurs in \u0027ext4_xattr_inode_create()\u0027. If \u0027ext4_mark_inode_dirty()\u0027\nfails, dropping i_nlink of the inode is needed. Or will lead to inode leak."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:05:00.692Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f709e08caffb41bbc9b38b9a4c1bd0769794007"
},
{
"url": "https://git.kernel.org/stable/c/eab94a46560f68d4bcd15222701ced479f84f427"
},
{
"url": "https://git.kernel.org/stable/c/9ef603086c5b796fde1c7f22a17d0fc826ba54cb"
},
{
"url": "https://git.kernel.org/stable/c/9882601ee689975c1c0076ee65bf222a2a35e535"
},
{
"url": "https://git.kernel.org/stable/c/322cf639b0b7f137543072c55545adab782b3a25"
},
{
"url": "https://git.kernel.org/stable/c/fdaaf45786dc8c17a72901021772520fceb18f8c"
},
{
"url": "https://git.kernel.org/stable/c/70e5b46beba64706430a87a6d516054225e8ac8a"
},
{
"url": "https://git.kernel.org/stable/c/e4db04f7d3dbbe16680e0ded27ea2a65b10f766a"
}
],
"title": "ext4: fix inode leak in ext4_xattr_inode_create() on an error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50845",
"datePublished": "2025-12-30T12:11:02.615Z",
"dateReserved": "2025-12-30T12:06:07.133Z",
"dateUpdated": "2026-01-02T15:05:00.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40283 (GCVE-0-2025-40283)
Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51
VLAI?
EPSS
Title
Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
There is a KASAN: slab-use-after-free read in btusb_disconnect().
Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will
free the btusb data associated with the interface. The same data is
then used later in the function, hence the UAF.
Fix by moving the accesses to btusb data to before the data is free'd.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
fd913ef7ce619467c6b0644af48ba1fec499c623 , < 297dbf87989e09af98f81f2bcb938041785557e8
(git)
Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < f858f004bc343a7ae9f2533bbb2a3ab27428532f (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 7a6d1e740220ff9dfcb6a8c994d6ba49e76db198 (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 5dc00065a0496c36694afe11e52a5bc64524a9b8 (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 1c28c1e1522c773a94e26950ffb145e88cd9834b (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < a2610ecd9fd5708be8997ca8f033e4200c0bb6af (git) Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 23d22f2f71768034d6ef86168213843fc49bf550 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "297dbf87989e09af98f81f2bcb938041785557e8",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "f858f004bc343a7ae9f2533bbb2a3ab27428532f",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "7a6d1e740220ff9dfcb6a8c994d6ba49e76db198",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "5dc00065a0496c36694afe11e52a5bc64524a9b8",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "1c28c1e1522c773a94e26950ffb145e88cd9834b",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "a2610ecd9fd5708be8997ca8f033e4200c0bb6af",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
},
{
"lessThan": "23d22f2f71768034d6ef86168213843fc49bf550",
"status": "affected",
"version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/bluetooth/btusb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.302",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.247",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.59",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.302",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.247",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.59",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.9",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF\n\nThere is a KASAN: slab-use-after-free read in btusb_disconnect().\nCalling \"usb_driver_release_interface(\u0026btusb_driver, data-\u003eintf)\" will\nfree the btusb data associated with the interface. The same data is\nthen used later in the function, hence the UAF.\n\nFix by moving the accesses to btusb data to before the data is free\u0027d."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T21:51:07.409Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/297dbf87989e09af98f81f2bcb938041785557e8"
},
{
"url": "https://git.kernel.org/stable/c/f858f004bc343a7ae9f2533bbb2a3ab27428532f"
},
{
"url": "https://git.kernel.org/stable/c/7a6d1e740220ff9dfcb6a8c994d6ba49e76db198"
},
{
"url": "https://git.kernel.org/stable/c/5dc00065a0496c36694afe11e52a5bc64524a9b8"
},
{
"url": "https://git.kernel.org/stable/c/1c28c1e1522c773a94e26950ffb145e88cd9834b"
},
{
"url": "https://git.kernel.org/stable/c/95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d"
},
{
"url": "https://git.kernel.org/stable/c/a2610ecd9fd5708be8997ca8f033e4200c0bb6af"
},
{
"url": "https://git.kernel.org/stable/c/23d22f2f71768034d6ef86168213843fc49bf550"
}
],
"title": "Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40283",
"datePublished": "2025-12-06T21:51:07.409Z",
"dateReserved": "2025-04-16T07:20:57.184Z",
"dateUpdated": "2025-12-06T21:51:07.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54023 (GCVE-0-2023-54023)
Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-05 10:33
VLAI?
EPSS
Title
btrfs: fix race between balance and cancel/pause
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix race between balance and cancel/pause
Syzbot reported a panic that looks like this:
assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465
------------[ cut here ]------------
kernel BUG at fs/btrfs/messages.c:259!
RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259
Call Trace:
<TASK>
btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline]
btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline]
btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The reproducer is running a balance and a cancel or pause in parallel.
The way balance finishes is a bit wonky, if we were paused we need to
save the balance_ctl in the fs_info, but clear it otherwise and cleanup.
However we rely on the return values being specific errors, or having a
cancel request or no pause request. If balance completes and returns 0,
but we have a pause or cancel request we won't do the appropriate
cleanup, and then the next time we try to start a balance we'll trip
this ASSERT.
The error handling is just wrong here, we always want to clean up,
unless we got -ECANCELLED and we set the appropriate pause flag in the
exclusive op. With this patch the reproducer ran for an hour without
tripping, previously it would trip in less than a few minutes.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961 , < ddf7e8984c83aee9122552529f4e77291903f8d9
(git)
Affected: 837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961 , < 72efe5d44821e38540888a5fe3ff3d0faab6acad (git) Affected: 837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961 , < b19c98f237cd76981aaded52c258ce93f7daa8cb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/volumes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddf7e8984c83aee9122552529f4e77291903f8d9",
"status": "affected",
"version": "837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961",
"versionType": "git"
},
{
"lessThan": "72efe5d44821e38540888a5fe3ff3d0faab6acad",
"status": "affected",
"version": "837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961",
"versionType": "git"
},
{
"lessThan": "b19c98f237cd76981aaded52c258ce93f7daa8cb",
"status": "affected",
"version": "837d5b6e46d1a4af5b6cc8f2fe83cb5de79a2961",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/volumes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.42",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.7",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race between balance and cancel/pause\n\nSyzbot reported a panic that looks like this:\n\n assertion failed: fs_info-\u003eexclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/messages.c:259!\n RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259\n Call Trace:\n \u003cTASK\u003e\n btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline]\n btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline]\n btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe reproducer is running a balance and a cancel or pause in parallel.\nThe way balance finishes is a bit wonky, if we were paused we need to\nsave the balance_ctl in the fs_info, but clear it otherwise and cleanup.\nHowever we rely on the return values being specific errors, or having a\ncancel request or no pause request. If balance completes and returns 0,\nbut we have a pause or cancel request we won\u0027t do the appropriate\ncleanup, and then the next time we try to start a balance we\u0027ll trip\nthis ASSERT.\n\nThe error handling is just wrong here, we always want to clean up,\nunless we got -ECANCELLED and we set the appropriate pause flag in the\nexclusive op. With this patch the reproducer ran for an hour without\ntripping, previously it would trip in less than a few minutes."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T10:33:33.132Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddf7e8984c83aee9122552529f4e77291903f8d9"
},
{
"url": "https://git.kernel.org/stable/c/72efe5d44821e38540888a5fe3ff3d0faab6acad"
},
{
"url": "https://git.kernel.org/stable/c/b19c98f237cd76981aaded52c258ce93f7daa8cb"
}
],
"title": "btrfs: fix race between balance and cancel/pause",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54023",
"datePublished": "2025-12-24T10:55:52.835Z",
"dateReserved": "2025-12-24T10:53:46.179Z",
"dateUpdated": "2026-01-05T10:33:33.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40349 (GCVE-0-2025-40349)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2026-01-02 15:33
VLAI?
EPSS
Title
hfs: validate record offset in hfsplus_bmap_alloc
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: validate record offset in hfsplus_bmap_alloc
hfsplus_bmap_alloc can trigger a crash if a
record offset or length is larger than node_size
[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
[ 15.265949]
[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 15.266167] Call Trace:
[ 15.266168] <TASK>
[ 15.266169] dump_stack_lvl+0x53/0x70
[ 15.266173] print_report+0xd0/0x660
[ 15.266181] kasan_report+0xce/0x100
[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
[ 15.266217] hfsplus_brec_insert+0x870/0xb00
[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
[ 15.266237] hfsplus_get_block+0x12b/0x8c0
[ 15.266238] __block_write_begin_int+0x36b/0x12c0
[ 15.266251] block_write_begin+0x77/0x110
[ 15.266252] cont_write_begin+0x428/0x720
[ 15.266259] hfsplus_write_begin+0x51/0x100
[ 15.266262] cont_write_begin+0x272/0x720
[ 15.266270] hfsplus_write_begin+0x51/0x100
[ 15.266274] generic_perform_write+0x321/0x750
[ 15.266285] generic_file_write_iter+0xc3/0x310
[ 15.266289] __kernel_write_iter+0x2fd/0x800
[ 15.266296] dump_user_range+0x2ea/0x910
[ 15.266301] elf_core_dump+0x2a94/0x2ed0
[ 15.266320] vfs_coredump+0x1d85/0x45e0
[ 15.266349] get_signal+0x12e3/0x1990
[ 15.266357] arch_do_signal_or_restart+0x89/0x580
[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
[ 15.266364] asm_exc_page_fault+0x26/0x30
[ 15.266366] RIP: 0033:0x41bd35
[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
[ 15.266376] </TASK>
When calling hfsplus_bmap_alloc to allocate a free node, this function
first retrieves the bitmap from header node and map node using node->page
together with the offset and length from hfs_brec_lenoff
```
len = hfs_brec_lenoff(node, 2, &off16);
off = off16;
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
data = kmap_local_page(*pagep);
```
However, if the retrieved offset or length is invalid(i.e. exceeds
node_size), the code may end up accessing pages outside the allocated
range for this node.
This patch adds proper validation of both offset and length before use,
preventing out-of-bounds page access. Move is_bnode_offset_valid and
check_and_correct_requested_length to hfsplus_fs.h, as they may be
required by other functions.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f7d9f600c7c3ff5dab36181a388af55f2c95604c
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 40dfe7a4215a1f20842561ffaf5a6f83a987e75b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 418e48cab99c52c1760636a4dbe464bf6db2018b (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0058d20d76182861dbdd8fd6e2dd8d18d6d3becf (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4f40a2b3969daf10dca4dea6f6dd0e813f79b227 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 17ed51cfce6c62cffb97059ef392ad2e0245806e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 068a46df3e6acc68fb9db0a6313ab379a11ecd6f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c",
"fs/hfsplus/btree.c",
"fs/hfsplus/hfsplus_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f7d9f600c7c3ff5dab36181a388af55f2c95604c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "40dfe7a4215a1f20842561ffaf5a6f83a987e75b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "418e48cab99c52c1760636a4dbe464bf6db2018b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0058d20d76182861dbdd8fd6e2dd8d18d6d3becf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4f40a2b3969daf10dca4dea6f6dd0e813f79b227",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "17ed51cfce6c62cffb97059ef392ad2e0245806e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "068a46df3e6acc68fb9db0a6313ab379a11ecd6f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfsplus/bnode.c",
"fs/hfsplus/btree.c",
"fs/hfsplus/hfsplus_fs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.301",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.246",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.196",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.158",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.115",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.56",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.301",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.246",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.196",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.158",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.115",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.56",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.6",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: validate record offset in hfsplus_bmap_alloc\n\nhfsplus_bmap_alloc can trigger a crash if a\nrecord offset or length is larger than node_size\n\n[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0\n[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183\n[ 15.265949]\n[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)\n[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 15.266167] Call Trace:\n[ 15.266168] \u003cTASK\u003e\n[ 15.266169] dump_stack_lvl+0x53/0x70\n[ 15.266173] print_report+0xd0/0x660\n[ 15.266181] kasan_report+0xce/0x100\n[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0\n[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0\n[ 15.266217] hfsplus_brec_insert+0x870/0xb00\n[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570\n[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910\n[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200\n[ 15.266233] hfsplus_file_extend+0x5a7/0x1000\n[ 15.266237] hfsplus_get_block+0x12b/0x8c0\n[ 15.266238] __block_write_begin_int+0x36b/0x12c0\n[ 15.266251] block_write_begin+0x77/0x110\n[ 15.266252] cont_write_begin+0x428/0x720\n[ 15.266259] hfsplus_write_begin+0x51/0x100\n[ 15.266262] cont_write_begin+0x272/0x720\n[ 15.266270] hfsplus_write_begin+0x51/0x100\n[ 15.266274] generic_perform_write+0x321/0x750\n[ 15.266285] generic_file_write_iter+0xc3/0x310\n[ 15.266289] __kernel_write_iter+0x2fd/0x800\n[ 15.266296] dump_user_range+0x2ea/0x910\n[ 15.266301] elf_core_dump+0x2a94/0x2ed0\n[ 15.266320] vfs_coredump+0x1d85/0x45e0\n[ 15.266349] get_signal+0x12e3/0x1990\n[ 15.266357] arch_do_signal_or_restart+0x89/0x580\n[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110\n[ 15.266364] asm_exc_page_fault+0x26/0x30\n[ 15.266366] RIP: 0033:0x41bd35\n[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 \u003cf3\u003e 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f\n[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283\n[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000\n[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100\n[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000\n[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000\n[ 15.266376] \u003c/TASK\u003e\n\nWhen calling hfsplus_bmap_alloc to allocate a free node, this function\nfirst retrieves the bitmap from header node and map node using node-\u003epage\ntogether with the offset and length from hfs_brec_lenoff\n\n```\nlen = hfs_brec_lenoff(node, 2, \u0026off16);\noff = off16;\n\noff += node-\u003epage_offset;\npagep = node-\u003epage + (off \u003e\u003e PAGE_SHIFT);\ndata = kmap_local_page(*pagep);\n```\n\nHowever, if the retrieved offset or length is invalid(i.e. exceeds\nnode_size), the code may end up accessing pages outside the allocated\nrange for this node.\n\nThis patch adds proper validation of both offset and length before use,\npreventing out-of-bounds page access. Move is_bnode_offset_valid and\ncheck_and_correct_requested_length to hfsplus_fs.h, as they may be\nrequired by other functions."
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:33:44.685Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f7d9f600c7c3ff5dab36181a388af55f2c95604c"
},
{
"url": "https://git.kernel.org/stable/c/40dfe7a4215a1f20842561ffaf5a6f83a987e75b"
},
{
"url": "https://git.kernel.org/stable/c/418e48cab99c52c1760636a4dbe464bf6db2018b"
},
{
"url": "https://git.kernel.org/stable/c/0058d20d76182861dbdd8fd6e2dd8d18d6d3becf"
},
{
"url": "https://git.kernel.org/stable/c/4f40a2b3969daf10dca4dea6f6dd0e813f79b227"
},
{
"url": "https://git.kernel.org/stable/c/17ed51cfce6c62cffb97059ef392ad2e0245806e"
},
{
"url": "https://git.kernel.org/stable/c/068a46df3e6acc68fb9db0a6313ab379a11ecd6f"
},
{
"url": "https://git.kernel.org/stable/c/738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20"
}
],
"title": "hfs: validate record offset in hfsplus_bmap_alloc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40349",
"datePublished": "2025-12-16T13:30:23.092Z",
"dateReserved": "2025-04-16T07:20:57.187Z",
"dateUpdated": "2026-01-02T15:33:44.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54225 (GCVE-0-2023-54225)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11
VLAI?
EPSS
Title
net: ipa: only reset hashed tables when supported
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ipa: only reset hashed tables when supported
Last year, the code that manages GSI channel transactions switched
from using spinlock-protected linked lists to using indexes into the
ring buffer used for a channel. Recently, Google reported seeing
transaction reference count underflows occasionally during shutdown.
Doug Anderson found a way to reproduce the issue reliably, and
bisected the issue to the commit that eliminated the linked lists
and the lock. The root cause was ultimately determined to be
related to unused transactions being committed as part of the modem
shutdown cleanup activity. Unused transactions are not normally
expected (except in error cases).
The modem uses some ranges of IPA-resident memory, and whenever it
shuts down we zero those ranges. In ipa_filter_reset_table() a
transaction is allocated to zero modem filter table entries. If
hashing is not supported, hashed table memory should not be zeroed.
But currently nothing prevents that, and the result is an unused
transaction. Something similar occurs when we zero routing table
entries for the modem.
By preventing any attempt to clear hashed tables when hashing is not
supported, the reference count underflow is avoided in this case.
Note that there likely remains an issue with properly freeing unused
transactions (if they occur due to errors). This patch addresses
only the underflows that Google originally reported.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d338ae28d8a866c57fcac38f3d77bcc1d1702d19 , < 50c24f0c940728792c8bdf65c1eaf6b91b3b0dcd
(git)
Affected: d338ae28d8a866c57fcac38f3d77bcc1d1702d19 , < c00af3a818cc573e10100cc6770f0e47befa1fa4 (git) Affected: d338ae28d8a866c57fcac38f3d77bcc1d1702d19 , < e11ec2b868af2b351c6c1e2e50eb711cc5423a10 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ipa/ipa_table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "50c24f0c940728792c8bdf65c1eaf6b91b3b0dcd",
"status": "affected",
"version": "d338ae28d8a866c57fcac38f3d77bcc1d1702d19",
"versionType": "git"
},
{
"lessThan": "c00af3a818cc573e10100cc6770f0e47befa1fa4",
"status": "affected",
"version": "d338ae28d8a866c57fcac38f3d77bcc1d1702d19",
"versionType": "git"
},
{
"lessThan": "e11ec2b868af2b351c6c1e2e50eb711cc5423a10",
"status": "affected",
"version": "d338ae28d8a866c57fcac38f3d77bcc1d1702d19",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ipa/ipa_table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipa: only reset hashed tables when supported\n\nLast year, the code that manages GSI channel transactions switched\nfrom using spinlock-protected linked lists to using indexes into the\nring buffer used for a channel. Recently, Google reported seeing\ntransaction reference count underflows occasionally during shutdown.\n\nDoug Anderson found a way to reproduce the issue reliably, and\nbisected the issue to the commit that eliminated the linked lists\nand the lock. The root cause was ultimately determined to be\nrelated to unused transactions being committed as part of the modem\nshutdown cleanup activity. Unused transactions are not normally\nexpected (except in error cases).\n\nThe modem uses some ranges of IPA-resident memory, and whenever it\nshuts down we zero those ranges. In ipa_filter_reset_table() a\ntransaction is allocated to zero modem filter table entries. If\nhashing is not supported, hashed table memory should not be zeroed.\nBut currently nothing prevents that, and the result is an unused\ntransaction. Something similar occurs when we zero routing table\nentries for the modem.\n\nBy preventing any attempt to clear hashed tables when hashing is not\nsupported, the reference count underflow is avoided in this case.\n\nNote that there likely remains an issue with properly freeing unused\ntransactions (if they occur due to errors). This patch addresses\nonly the underflows that Google originally reported."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:11:18.839Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/50c24f0c940728792c8bdf65c1eaf6b91b3b0dcd"
},
{
"url": "https://git.kernel.org/stable/c/c00af3a818cc573e10100cc6770f0e47befa1fa4"
},
{
"url": "https://git.kernel.org/stable/c/e11ec2b868af2b351c6c1e2e50eb711cc5423a10"
}
],
"title": "net: ipa: only reset hashed tables when supported",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54225",
"datePublished": "2025-12-30T12:11:18.839Z",
"dateReserved": "2025-12-30T12:06:44.501Z",
"dateUpdated": "2025-12-30T12:11:18.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68340 (GCVE-0-2025-68340)
Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58
VLAI?
EPSS
Title
team: Move team device type change at the end of team_port_add
Summary
In the Linux kernel, the following vulnerability has been resolved:
team: Move team device type change at the end of team_port_add
Attempting to add a port device that is already up will expectedly fail,
but not before modifying the team device header_ops.
In the case of the syzbot reproducer the gre0 device is
already in state UP when it attempts to add it as a
port device of team0, this fails but before that
header_ops->create of team0 is changed from eth_header to ipgre_header
in the call to team_dev_type_check_change.
Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense
as the private data of the device still holds a struct team.
Example sequence of iproute2 commands to reproduce the hang/BUG():
ip link add dev team0 type team
ip link add dev gre0 type gre
ip link set dev gre0 up
ip link set dev gre0 master team0
ip link set dev team0 up
ping -I team0 1.1.1.1
Move team_dev_type_check_change down where all other checks have passed
as it changes the dev type with no way to restore it in case
one of the checks that follow it fail.
Also make sure to preserve the origial mtu assignment:
- If port_dev is not the same type as dev, dev takes mtu from port_dev
- If port_dev is the same type as dev, port_dev takes mtu from dev
This is done by adding a conditional before the call to dev_set_mtu
to prevent it from assigning port_dev->mtu = dev->mtu and instead
letting team_dev_type_check_change assign dev->mtu = port_dev->mtu.
The conditional is needed because the patch moves the call to
team_dev_type_check_change past dev_set_mtu.
Testing:
- team device driver in-tree selftests
- Add/remove various devices as slaves of team device
- syzbot
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
1d76efe1577b4323609b1bcbfafa8b731eda071a , < 4040b5e8963982a00aa821300cb746efc9f2947e
(git)
Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < e3eed4f038214494af62c7d2d64749e5108ce6ca (git) Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < 0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4040b5e8963982a00aa821300cb746efc9f2947e",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "e3eed4f038214494af62c7d2d64749e5108ce6ca",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
},
{
"lessThan": "0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef",
"status": "affected",
"version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/team/team_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.61",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.11",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: Move team device type change at the end of team_port_add\n\nAttempting to add a port device that is already up will expectedly fail,\nbut not before modifying the team device header_ops.\n\nIn the case of the syzbot reproducer the gre0 device is\nalready in state UP when it attempts to add it as a\nport device of team0, this fails but before that\nheader_ops-\u003ecreate of team0 is changed from eth_header to ipgre_header\nin the call to team_dev_type_check_change.\n\nLater when we end up in ipgre_header() struct ip_tunnel* points to nonsense\nas the private data of the device still holds a struct team.\n\nExample sequence of iproute2 commands to reproduce the hang/BUG():\nip link add dev team0 type team\nip link add dev gre0 type gre\nip link set dev gre0 up\nip link set dev gre0 master team0\nip link set dev team0 up\nping -I team0 1.1.1.1\n\nMove team_dev_type_check_change down where all other checks have passed\nas it changes the dev type with no way to restore it in case\none of the checks that follow it fail.\n\nAlso make sure to preserve the origial mtu assignment:\n - If port_dev is not the same type as dev, dev takes mtu from port_dev\n - If port_dev is the same type as dev, port_dev takes mtu from dev\n\nThis is done by adding a conditional before the call to dev_set_mtu\nto prevent it from assigning port_dev-\u003emtu = dev-\u003emtu and instead\nletting team_dev_type_check_change assign dev-\u003emtu = port_dev-\u003emtu.\nThe conditional is needed because the patch moves the call to\nteam_dev_type_check_change past dev_set_mtu.\n\nTesting:\n - team device driver in-tree selftests\n - Add/remove various devices as slaves of team device\n - syzbot"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T13:58:25.841Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e"
},
{
"url": "https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca"
},
{
"url": "https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef"
}
],
"title": "team: Move team device type change at the end of team_port_add",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68340",
"datePublished": "2025-12-23T13:58:25.841Z",
"dateReserved": "2025-12-16T14:48:05.297Z",
"dateUpdated": "2025-12-23T13:58:25.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68183 (GCVE-0-2025-68183)
Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34
VLAI?
EPSS
Title
ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
Summary
In the Linux kernel, the following vulnerability has been resolved:
ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
Currently when both IMA and EVM are in fix mode, the IMA signature will
be reset to IMA hash if a program first stores IMA signature in
security.ima and then writes/removes some other security xattr for the
file.
For example, on Fedora, after booting the kernel with "ima_appraise=fix
evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima,
installing/reinstalling a package will not make good reference IMA
signature generated. Instead IMA hash is generated,
# getfattr -m - -d -e hex /usr/bin/bash
# file: usr/bin/bash
security.ima=0x0404...
This happens because when setting security.selinux, the IMA_DIGSIG flag
that had been set early was cleared. As a result, IMA hash is generated
when the file is closed.
Similarly, IMA signature can be cleared on file close after removing
security xattr like security.evm or setting/removing ACL.
Prevent replacing the IMA file signature with a file hash, by preventing
the IMA_DIGSIG flag from being reset.
Here's a minimal C reproducer which sets security.selinux as the last
step which can also replaced by removing security.evm or setting ACL,
#include <stdio.h>
#include <sys/xattr.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
int main() {
const char* file_path = "/usr/sbin/test_binary";
const char* hex_string = "030204d33204490066306402304";
int length = strlen(hex_string);
char* ima_attr_value;
int fd;
fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);
if (fd == -1) {
perror("Error opening file");
return 1;
}
ima_attr_value = (char*)malloc(length / 2 );
for (int i = 0, j = 0; i < length; i += 2, j++) {
sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]);
}
if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
const char* selinux_value= "system_u:object_r:bin_t:s0";
if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) {
perror("Error setting extended attribute");
close(fd);
return 1;
}
close(fd);
return 0;
}
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
e3ccfe1ad7d895487977ef64eda3441d16c9851a , < d2993a7e98eb70c737c6f5365a190e79c72b8407
(git)
Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < edd824eb45e4f7e05ad3ab090dab6dbdb79cd292 (git) Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < 02aa671c08a4834bef5166743a7b88686fbfa023 (git) Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < 88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_appraise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2993a7e98eb70c737c6f5365a190e79c72b8407",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
},
{
"lessThan": "edd824eb45e4f7e05ad3ab090dab6dbdb79cd292",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
},
{
"lessThan": "02aa671c08a4834bef5166743a7b88686fbfa023",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
},
{
"lessThan": "88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd",
"status": "affected",
"version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/integrity/ima/ima_appraise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: don\u0027t clear IMA_DIGSIG flag when setting or removing non-IMA xattr\n\nCurrently when both IMA and EVM are in fix mode, the IMA signature will\nbe reset to IMA hash if a program first stores IMA signature in\nsecurity.ima and then writes/removes some other security xattr for the\nfile.\n\nFor example, on Fedora, after booting the kernel with \"ima_appraise=fix\nevm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima,\ninstalling/reinstalling a package will not make good reference IMA\nsignature generated. Instead IMA hash is generated,\n\n # getfattr -m - -d -e hex /usr/bin/bash\n # file: usr/bin/bash\n security.ima=0x0404...\n\nThis happens because when setting security.selinux, the IMA_DIGSIG flag\nthat had been set early was cleared. As a result, IMA hash is generated\nwhen the file is closed.\n\nSimilarly, IMA signature can be cleared on file close after removing\nsecurity xattr like security.evm or setting/removing ACL.\n\nPrevent replacing the IMA file signature with a file hash, by preventing\nthe IMA_DIGSIG flag from being reset.\n\nHere\u0027s a minimal C reproducer which sets security.selinux as the last\nstep which can also replaced by removing security.evm or setting ACL,\n\n #include \u003cstdio.h\u003e\n #include \u003csys/xattr.h\u003e\n #include \u003cfcntl.h\u003e\n #include \u003cunistd.h\u003e\n #include \u003cstring.h\u003e\n #include \u003cstdlib.h\u003e\n\n int main() {\n const char* file_path = \"/usr/sbin/test_binary\";\n const char* hex_string = \"030204d33204490066306402304\";\n int length = strlen(hex_string);\n char* ima_attr_value;\n int fd;\n\n fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);\n if (fd == -1) {\n perror(\"Error opening file\");\n return 1;\n }\n\n ima_attr_value = (char*)malloc(length / 2 );\n for (int i = 0, j = 0; i \u003c length; i += 2, j++) {\n sscanf(hex_string + i, \"%2hhx\", \u0026ima_attr_value[j]);\n }\n\n if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {\n perror(\"Error setting extended attribute\");\n close(fd);\n return 1;\n }\n\n const char* selinux_value= \"system_u:object_r:bin_t:s0\";\n if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {\n perror(\"Error setting extended attribute\");\n close(fd);\n return 1;\n }\n\n close(fd);\n\n return 0;\n }"
}
],
"providerMetadata": {
"dateUpdated": "2026-01-02T15:34:14.370Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2993a7e98eb70c737c6f5365a190e79c72b8407"
},
{
"url": "https://git.kernel.org/stable/c/edd824eb45e4f7e05ad3ab090dab6dbdb79cd292"
},
{
"url": "https://git.kernel.org/stable/c/02aa671c08a4834bef5166743a7b88686fbfa023"
},
{
"url": "https://git.kernel.org/stable/c/88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd"
}
],
"title": "ima: don\u0027t clear IMA_DIGSIG flag when setting or removing non-IMA xattr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-68183",
"datePublished": "2025-12-16T13:43:01.178Z",
"dateReserved": "2025-12-16T13:41:40.252Z",
"dateUpdated": "2026-01-02T15:34:14.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54276 (GCVE-0-2023-54276)
Vulnerability from cvelistv5 – Published: 2025-12-30 12:16 – Updated: 2025-12-30 12:16
VLAI?
EPSS
Title
nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net
Commit f5f9d4a314da ("nfsd: move reply cache initialization into nfsd
startup") moved the initialization of the reply cache into nfsd startup,
but didn't account for the stats counters, which can be accessed before
nfsd is ever started. The result can be a NULL pointer dereference when
someone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still
shut down.
This is a regression and a user-triggerable oops in the right situation:
- non-x86_64 arch
- /proc/fs/nfsd is mounted in the namespace
- nfsd is not started in the namespace
- unprivileged user calls "cat /proc/fs/nfsd/reply_cache_stats"
Although this is easy to trigger on some arches (like aarch64), on
x86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the
fixed_percpu_data. That struct looks just enough like a newly
initialized percpu var to allow nfsd_reply_cache_stats_show to access
it without Oopsing.
Move the initialization of the per-net+per-cpu reply-cache counters
back into nfsd_init_net, while leaving the rest of the reply cache
allocations to be done at nfsd startup time.
Kudos to Eirik who did most of the legwork to track this down.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
4e18b58b106e34ac69d3052dd91f520bd83cf2fc , < 3025d489f9c8984d1bf5916c4a20097ed80fca5c
(git)
Affected: 70fdee548c036c6bdb496f284c9e78f1654b6dd0 , < 8549384d0f65981761fe2077d04fa2a8d37b54e0 (git) Affected: e7e571ed4ec7bb50136233d8e7b986efef2af8c1 , < 66a178177b2b3bb1d71e854c5e7bbb320eb0e566 (git) Affected: f5f9d4a314da88c0a5faa6d168bf69081b7a25ae , < 768c408594b52d8531e1a8ab62e5620c19213e73 (git) Affected: f5f9d4a314da88c0a5faa6d168bf69081b7a25ae , < ed9ab7346e908496816cffdecd46932035f66e2e (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfsd/cache.h",
"fs/nfsd/nfscache.c",
"fs/nfsd/nfsctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3025d489f9c8984d1bf5916c4a20097ed80fca5c",
"status": "affected",
"version": "4e18b58b106e34ac69d3052dd91f520bd83cf2fc",
"versionType": "git"
},
{
"lessThan": "8549384d0f65981761fe2077d04fa2a8d37b54e0",
"status": "affected",
"version": "70fdee548c036c6bdb496f284c9e78f1654b6dd0",
"versionType": "git"
},
{
"lessThan": "66a178177b2b3bb1d71e854c5e7bbb320eb0e566",
"status": "affected",
"version": "e7e571ed4ec7bb50136233d8e7b986efef2af8c1",
"versionType": "git"
},
{
"lessThan": "768c408594b52d8531e1a8ab62e5620c19213e73",
"status": "affected",
"version": "f5f9d4a314da88c0a5faa6d168bf69081b7a25ae",
"versionType": "git"
},
{
"lessThan": "ed9ab7346e908496816cffdecd46932035f66e2e",
"status": "affected",
"version": "f5f9d4a314da88c0a5faa6d168bf69081b7a25ae",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfsd/cache.h",
"fs/nfsd/nfscache.c",
"fs/nfsd/nfsctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net\n\nCommit f5f9d4a314da (\"nfsd: move reply cache initialization into nfsd\nstartup\") moved the initialization of the reply cache into nfsd startup,\nbut didn\u0027t account for the stats counters, which can be accessed before\nnfsd is ever started. The result can be a NULL pointer dereference when\nsomeone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still\nshut down.\n\nThis is a regression and a user-triggerable oops in the right situation:\n\n- non-x86_64 arch\n- /proc/fs/nfsd is mounted in the namespace\n- nfsd is not started in the namespace\n- unprivileged user calls \"cat /proc/fs/nfsd/reply_cache_stats\"\n\nAlthough this is easy to trigger on some arches (like aarch64), on\nx86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the\nfixed_percpu_data. That struct looks just enough like a newly\ninitialized percpu var to allow nfsd_reply_cache_stats_show to access\nit without Oopsing.\n\nMove the initialization of the per-net+per-cpu reply-cache counters\nback into nfsd_init_net, while leaving the rest of the reply cache\nallocations to be done at nfsd startup time.\n\nKudos to Eirik who did most of the legwork to track this down."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:16:05.020Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3025d489f9c8984d1bf5916c4a20097ed80fca5c"
},
{
"url": "https://git.kernel.org/stable/c/8549384d0f65981761fe2077d04fa2a8d37b54e0"
},
{
"url": "https://git.kernel.org/stable/c/66a178177b2b3bb1d71e854c5e7bbb320eb0e566"
},
{
"url": "https://git.kernel.org/stable/c/768c408594b52d8531e1a8ab62e5620c19213e73"
},
{
"url": "https://git.kernel.org/stable/c/ed9ab7346e908496816cffdecd46932035f66e2e"
}
],
"title": "nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54276",
"datePublished": "2025-12-30T12:16:05.020Z",
"dateReserved": "2025-12-30T12:06:44.523Z",
"dateUpdated": "2025-12-30T12:16:05.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54070 (GCVE-0-2023-54070)
Vulnerability from cvelistv5 – Published: 2025-12-24 12:23 – Updated: 2025-12-24 12:23
VLAI?
EPSS
Title
igb: clean up in all error paths when enabling SR-IOV
Summary
In the Linux kernel, the following vulnerability has been resolved:
igb: clean up in all error paths when enabling SR-IOV
After commit 50f303496d92 ("igb: Enable SR-IOV after reinit"), removing
the igb module could hang or crash (depending on the machine) when the
module has been loaded with the max_vfs parameter set to some value != 0.
In case of one test machine with a dual port 82580, this hang occurred:
[ 232.480687] igb 0000:41:00.1: removed PHC on enp65s0f1
[ 233.093257] igb 0000:41:00.1: IOV Disabled
[ 233.329969] pcieport 0000:40:01.0: AER: Multiple Uncorrected (Non-Fatal) err0
[ 233.340302] igb 0000:41:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fata)
[ 233.352248] igb 0000:41:00.0: device [8086:1516] error status/mask=00100000
[ 233.361088] igb 0000:41:00.0: [20] UnsupReq (First)
[ 233.368183] igb 0000:41:00.0: AER: TLP Header: 40000001 0000040f cdbfc00c c
[ 233.376846] igb 0000:41:00.1: PCIe Bus Error: severity=Uncorrected (Non-Fata)
[ 233.388779] igb 0000:41:00.1: device [8086:1516] error status/mask=00100000
[ 233.397629] igb 0000:41:00.1: [20] UnsupReq (First)
[ 233.404736] igb 0000:41:00.1: AER: TLP Header: 40000001 0000040f cdbfc00c c
[ 233.538214] pci 0000:41:00.1: AER: can't recover (no error_detected callback)
[ 233.538401] igb 0000:41:00.0: removed PHC on enp65s0f0
[ 233.546197] pcieport 0000:40:01.0: AER: device recovery failed
[ 234.157244] igb 0000:41:00.0: IOV Disabled
[ 371.619705] INFO: task irq/35-aerdrv:257 blocked for more than 122 seconds.
[ 371.627489] Not tainted 6.4.0-dirty #2
[ 371.632257] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this.
[ 371.641000] task:irq/35-aerdrv state:D stack:0 pid:257 ppid:2 f0
[ 371.650330] Call Trace:
[ 371.653061] <TASK>
[ 371.655407] __schedule+0x20e/0x660
[ 371.659313] schedule+0x5a/0xd0
[ 371.662824] schedule_preempt_disabled+0x11/0x20
[ 371.667983] __mutex_lock.constprop.0+0x372/0x6c0
[ 371.673237] ? __pfx_aer_root_reset+0x10/0x10
[ 371.678105] report_error_detected+0x25/0x1c0
[ 371.682974] ? __pfx_report_normal_detected+0x10/0x10
[ 371.688618] pci_walk_bus+0x72/0x90
[ 371.692519] pcie_do_recovery+0xb2/0x330
[ 371.696899] aer_process_err_devices+0x117/0x170
[ 371.702055] aer_isr+0x1c0/0x1e0
[ 371.705661] ? __set_cpus_allowed_ptr+0x54/0xa0
[ 371.710723] ? __pfx_irq_thread_fn+0x10/0x10
[ 371.715496] irq_thread_fn+0x20/0x60
[ 371.719491] irq_thread+0xe6/0x1b0
[ 371.723291] ? __pfx_irq_thread_dtor+0x10/0x10
[ 371.728255] ? __pfx_irq_thread+0x10/0x10
[ 371.732731] kthread+0xe2/0x110
[ 371.736243] ? __pfx_kthread+0x10/0x10
[ 371.740430] ret_from_fork+0x2c/0x50
[ 371.744428] </TASK>
The reproducer was a simple script:
#!/bin/sh
for i in `seq 1 5`; do
modprobe -rv igb
modprobe -v igb max_vfs=1
sleep 1
modprobe -rv igb
done
It turned out that this could only be reproduce on 82580 (quad and
dual-port), but not on 82576, i350 and i210. Further debugging showed
that igb_enable_sriov()'s call to pci_enable_sriov() is failing, because
dev->is_physfn is 0 on 82580.
Prior to commit 50f303496d92 ("igb: Enable SR-IOV after reinit"),
igb_enable_sriov() jumped into the "err_out" cleanup branch. After this
commit it only returned the error code.
So the cleanup didn't take place, and the incorrect VF setup in the
igb_adapter structure fooled the igb driver into assuming that VFs have
been set up where no VF actually existed.
Fix this problem by cleaning up again if pci_enable_sriov() fails.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igb/igb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0e3ea7e82a06014b9baf1b84ba579c38cbff3558",
"status": "affected",
"version": "50f303496d92e25b79bdfb73e3707ad0684ad67f",
"versionType": "git"
},
{
"lessThan": "bc6ed2fa24b14e40e1005488bbe11268ce7108fa",
"status": "affected",
"version": "50f303496d92e25b79bdfb73e3707ad0684ad67f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/igb/igb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.5.*",
"status": "unaffected",
"version": "6.5.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: clean up in all error paths when enabling SR-IOV\n\nAfter commit 50f303496d92 (\"igb: Enable SR-IOV after reinit\"), removing\nthe igb module could hang or crash (depending on the machine) when the\nmodule has been loaded with the max_vfs parameter set to some value != 0.\n\nIn case of one test machine with a dual port 82580, this hang occurred:\n\n[ 232.480687] igb 0000:41:00.1: removed PHC on enp65s0f1\n[ 233.093257] igb 0000:41:00.1: IOV Disabled\n[ 233.329969] pcieport 0000:40:01.0: AER: Multiple Uncorrected (Non-Fatal) err0\n[ 233.340302] igb 0000:41:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fata)\n[ 233.352248] igb 0000:41:00.0: device [8086:1516] error status/mask=00100000\n[ 233.361088] igb 0000:41:00.0: [20] UnsupReq (First)\n[ 233.368183] igb 0000:41:00.0: AER: TLP Header: 40000001 0000040f cdbfc00c c\n[ 233.376846] igb 0000:41:00.1: PCIe Bus Error: severity=Uncorrected (Non-Fata)\n[ 233.388779] igb 0000:41:00.1: device [8086:1516] error status/mask=00100000\n[ 233.397629] igb 0000:41:00.1: [20] UnsupReq (First)\n[ 233.404736] igb 0000:41:00.1: AER: TLP Header: 40000001 0000040f cdbfc00c c\n[ 233.538214] pci 0000:41:00.1: AER: can\u0027t recover (no error_detected callback)\n[ 233.538401] igb 0000:41:00.0: removed PHC on enp65s0f0\n[ 233.546197] pcieport 0000:40:01.0: AER: device recovery failed\n[ 234.157244] igb 0000:41:00.0: IOV Disabled\n[ 371.619705] INFO: task irq/35-aerdrv:257 blocked for more than 122 seconds.\n[ 371.627489] Not tainted 6.4.0-dirty #2\n[ 371.632257] \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this.\n[ 371.641000] task:irq/35-aerdrv state:D stack:0 pid:257 ppid:2 f0\n[ 371.650330] Call Trace:\n[ 371.653061] \u003cTASK\u003e\n[ 371.655407] __schedule+0x20e/0x660\n[ 371.659313] schedule+0x5a/0xd0\n[ 371.662824] schedule_preempt_disabled+0x11/0x20\n[ 371.667983] __mutex_lock.constprop.0+0x372/0x6c0\n[ 371.673237] ? __pfx_aer_root_reset+0x10/0x10\n[ 371.678105] report_error_detected+0x25/0x1c0\n[ 371.682974] ? __pfx_report_normal_detected+0x10/0x10\n[ 371.688618] pci_walk_bus+0x72/0x90\n[ 371.692519] pcie_do_recovery+0xb2/0x330\n[ 371.696899] aer_process_err_devices+0x117/0x170\n[ 371.702055] aer_isr+0x1c0/0x1e0\n[ 371.705661] ? __set_cpus_allowed_ptr+0x54/0xa0\n[ 371.710723] ? __pfx_irq_thread_fn+0x10/0x10\n[ 371.715496] irq_thread_fn+0x20/0x60\n[ 371.719491] irq_thread+0xe6/0x1b0\n[ 371.723291] ? __pfx_irq_thread_dtor+0x10/0x10\n[ 371.728255] ? __pfx_irq_thread+0x10/0x10\n[ 371.732731] kthread+0xe2/0x110\n[ 371.736243] ? __pfx_kthread+0x10/0x10\n[ 371.740430] ret_from_fork+0x2c/0x50\n[ 371.744428] \u003c/TASK\u003e\n\nThe reproducer was a simple script:\n\n #!/bin/sh\n for i in `seq 1 5`; do\n modprobe -rv igb\n modprobe -v igb max_vfs=1\n sleep 1\n modprobe -rv igb\n done\n\nIt turned out that this could only be reproduce on 82580 (quad and\ndual-port), but not on 82576, i350 and i210. Further debugging showed\nthat igb_enable_sriov()\u0027s call to pci_enable_sriov() is failing, because\ndev-\u003eis_physfn is 0 on 82580.\n\nPrior to commit 50f303496d92 (\"igb: Enable SR-IOV after reinit\"),\nigb_enable_sriov() jumped into the \"err_out\" cleanup branch. After this\ncommit it only returned the error code.\n\nSo the cleanup didn\u0027t take place, and the incorrect VF setup in the\nigb_adapter structure fooled the igb driver into assuming that VFs have\nbeen set up where no VF actually existed.\n\nFix this problem by cleaning up again if pci_enable_sriov() fails."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T12:23:14.182Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0e3ea7e82a06014b9baf1b84ba579c38cbff3558"
},
{
"url": "https://git.kernel.org/stable/c/bc6ed2fa24b14e40e1005488bbe11268ce7108fa"
}
],
"title": "igb: clean up in all error paths when enabling SR-IOV",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54070",
"datePublished": "2025-12-24T12:23:14.182Z",
"dateReserved": "2025-12-24T12:21:05.093Z",
"dateUpdated": "2025-12-24T12:23:14.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40314 (GCVE-0-2025-40314)
Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:52
VLAI?
EPSS
Title
usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget
structure (pdev->gadget) was freed before its endpoints.
The endpoints are linked via the ep_list in the gadget structure.
Freeing the gadget first leaves dangling pointers in the endpoint list.
When the endpoints are subsequently freed, this results in a use-after-free.
Fix:
By separating the usb_del_gadget_udc() operation into distinct "del" and
"put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the
final release of the gadget structure with usb_put_gadget().
A patch similar to bb9c74a5bd14("usb: dwc3: gadget: Free gadget structure
only after freeing endpoints").
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8bc1901ca7b07d864fca11461b3875b31f949765 , < 0cf9a50af91fbdac3849f8d950e883a3eaa3ecea
(git)
Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < 37158ce6ba964b62d1e3eebd11f03c6900a52dd1 (git) Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < ea37884097a0931abb8e11e40eacfb25e9fdb5e9 (git) Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < 9c52f01429c377a2d32cafc977465f37b5384f77 (git) Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < fdf573c517627a96f5040f988e9b21267806be5c (git) Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < 87c5ff5615dc0a37167e8faf3adeeddc6f1344a3 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdnsp-gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0cf9a50af91fbdac3849f8d950e883a3eaa3ecea",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "37158ce6ba964b62d1e3eebd11f03c6900a52dd1",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "ea37884097a0931abb8e11e40eacfb25e9fdb5e9",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "9c52f01429c377a2d32cafc977465f37b5384f77",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "fdf573c517627a96f5040f988e9b21267806be5c",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
},
{
"lessThan": "87c5ff5615dc0a37167e8faf3adeeddc6f1344a3",
"status": "affected",
"version": "8bc1901ca7b07d864fca11461b3875b31f949765",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/cdns3/cdnsp-gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.197",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.117",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.58",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.197",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.117",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.58",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.8",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget\n\nIn the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget\nstructure (pdev-\u003egadget) was freed before its endpoints.\nThe endpoints are linked via the ep_list in the gadget structure.\nFreeing the gadget first leaves dangling pointers in the endpoint list.\nWhen the endpoints are subsequently freed, this results in a use-after-free.\n\nFix:\nBy separating the usb_del_gadget_udc() operation into distinct \"del\" and\n\"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the\nfinal release of the gadget structure with usb_put_gadget().\n\nA patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure\n only after freeing endpoints\")."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-20T08:52:04.254Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0cf9a50af91fbdac3849f8d950e883a3eaa3ecea"
},
{
"url": "https://git.kernel.org/stable/c/37158ce6ba964b62d1e3eebd11f03c6900a52dd1"
},
{
"url": "https://git.kernel.org/stable/c/ea37884097a0931abb8e11e40eacfb25e9fdb5e9"
},
{
"url": "https://git.kernel.org/stable/c/9c52f01429c377a2d32cafc977465f37b5384f77"
},
{
"url": "https://git.kernel.org/stable/c/fdf573c517627a96f5040f988e9b21267806be5c"
},
{
"url": "https://git.kernel.org/stable/c/87c5ff5615dc0a37167e8faf3adeeddc6f1344a3"
}
],
"title": "usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40314",
"datePublished": "2025-12-08T00:46:40.576Z",
"dateReserved": "2025-04-16T07:20:57.185Z",
"dateUpdated": "2025-12-20T08:52:04.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-54110 (GCVE-0-2023-54110)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
VLAI?
EPSS
Title
usb: rndis_host: Secure rndis_query check against int overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: rndis_host: Secure rndis_query check against int overflow
Variables off and len typed as uint32 in rndis_query function
are controlled by incoming RNDIS response message thus their
value may be manipulated. Setting off to a unexpectetly large
value will cause the sum with len and 8 to overflow and pass
the implemented validation step. Consequently the response
pointer will be referring to a location past the expected
buffer boundaries allowing information leakage e.g. via
RNDIS_OID_802_3_PERMANENT_ADDRESS OID.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < 55782f6d63a5a3dd3b84c1e0627738fc5b146b4e
(git)
Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < 02ffb4ecf0614c58e3d0e5bfbe99588c9ddc77c0 (git) Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < ebe6d2fcf7835f98cdbb1bd5e0414be20c321578 (git) Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < 232ef345e5d76e5542f430a29658a85dbef07f0b (git) Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < 11cd4ec6359d90b13ffb8f85a9df8637f0cf8d95 (git) Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < 39eadaf5611ddd064ad1c53da65c02d2b0fe22a4 (git) Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < a713602807f32afc04add331410c77ef790ef77a (git) Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rndis_host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "55782f6d63a5a3dd3b84c1e0627738fc5b146b4e",
"status": "affected",
"version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
"versionType": "git"
},
{
"lessThan": "02ffb4ecf0614c58e3d0e5bfbe99588c9ddc77c0",
"status": "affected",
"version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
"versionType": "git"
},
{
"lessThan": "ebe6d2fcf7835f98cdbb1bd5e0414be20c321578",
"status": "affected",
"version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
"versionType": "git"
},
{
"lessThan": "232ef345e5d76e5542f430a29658a85dbef07f0b",
"status": "affected",
"version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
"versionType": "git"
},
{
"lessThan": "11cd4ec6359d90b13ffb8f85a9df8637f0cf8d95",
"status": "affected",
"version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
"versionType": "git"
},
{
"lessThan": "39eadaf5611ddd064ad1c53da65c02d2b0fe22a4",
"status": "affected",
"version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
"versionType": "git"
},
{
"lessThan": "a713602807f32afc04add331410c77ef790ef77a",
"status": "affected",
"version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
"versionType": "git"
},
{
"lessThan": "c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2",
"status": "affected",
"version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/rndis_host.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: rndis_host: Secure rndis_query check against int overflow\n\nVariables off and len typed as uint32 in rndis_query function\nare controlled by incoming RNDIS response message thus their\nvalue may be manipulated. Setting off to a unexpectetly large\nvalue will cause the sum with len and 8 to overflow and pass\nthe implemented validation step. Consequently the response\npointer will be referring to a location past the expected\nbuffer boundaries allowing information leakage e.g. via\nRNDIS_OID_802_3_PERMANENT_ADDRESS OID."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:33.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/55782f6d63a5a3dd3b84c1e0627738fc5b146b4e"
},
{
"url": "https://git.kernel.org/stable/c/02ffb4ecf0614c58e3d0e5bfbe99588c9ddc77c0"
},
{
"url": "https://git.kernel.org/stable/c/ebe6d2fcf7835f98cdbb1bd5e0414be20c321578"
},
{
"url": "https://git.kernel.org/stable/c/232ef345e5d76e5542f430a29658a85dbef07f0b"
},
{
"url": "https://git.kernel.org/stable/c/11cd4ec6359d90b13ffb8f85a9df8637f0cf8d95"
},
{
"url": "https://git.kernel.org/stable/c/39eadaf5611ddd064ad1c53da65c02d2b0fe22a4"
},
{
"url": "https://git.kernel.org/stable/c/a713602807f32afc04add331410c77ef790ef77a"
},
{
"url": "https://git.kernel.org/stable/c/c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2"
}
],
"title": "usb: rndis_host: Secure rndis_query check against int overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54110",
"datePublished": "2025-12-24T13:06:33.495Z",
"dateReserved": "2025-12-24T13:02:52.518Z",
"dateUpdated": "2025-12-24T13:06:33.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…