csaf_suse - suse-su-2025:4215-1

suse-su-2025:4215-1

Vulnerability from csaf_suse

Published

2025-11-24 17:43

Modified

2025-11-24 17:43

Summary

Security update for the Linux Kernel (Live Patch 34 for SUSE Linux Enterprise 15 SP4)

Notes

Title of the patch

Security update for the Linux Kernel (Live Patch 34 for SUSE Linux Enterprise 15 SP4)

Description of the patch

This update for the SUSE Linux Enterprise kernel 5.14.21-150400.24.144 fixes various security issues The following security issues were fixed: - CVE-2023-53673: Bluetooth: hci_event: call disconnect callback before deleting conn (bsc#1251983). - CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt (bsc#1245778). - CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242882).

Patchnames

SUSE-2025-4211,SUSE-2025-4215,SUSE-SLE-Module-Live-Patching-15-SP4-2025-4215

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel (Live Patch 34 for SUSE Linux Enterprise 15 SP4)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nThis update for the SUSE Linux Enterprise kernel 5.14.21-150400.24.144 fixes various security issues\n\nThe following security issues were fixed:\n\n- CVE-2023-53673: Bluetooth: hci_event: call disconnect callback before deleting conn (bsc#1251983).\n- CVE-2024-53141: netfilter: ipset: add missing range check in bitmap_ip_uadt (bsc#1245778).\n- CVE-2025-23145: mptcp: fix NULL pointer in can_accept_new_subflow (bsc#1242882).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-4211,SUSE-2025-4215,SUSE-SLE-Module-Live-Patching-15-SP4-2025-4215",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4215-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:4215-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254215-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:4215-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023347.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1242882",
        "url": "https://bugzilla.suse.com/1242882"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1245778",
        "url": "https://bugzilla.suse.com/1245778"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1251983",
        "url": "https://bugzilla.suse.com/1251983"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-53673 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-53673/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-53141 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-53141/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-23145 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-23145/"
      }
    ],
    "title": "Security update for the Linux Kernel (Live Patch 34 for SUSE Linux Enterprise 15 SP4)",
    "tracking": {
      "current_release_date": "2025-11-24T17:43:06Z",
      "generator": {
        "date": "2025-11-24T17:43:06Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:4215-1",
      "initial_release_date": "2025-11-24T17:43:06Z",
      "revision_history": [
        {
          "date": "2025-11-24T17:43:06Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_147-default-16-150400.2.1.ppc64le",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_147-default-16-150400.2.1.ppc64le",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_147-default-16-150400.2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_147-default-16-150400.2.1.s390x",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_147-default-16-150400.2.1.s390x",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_147-default-16-150400.2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_147-default-16-150400.2.1.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_147-default-16-150400.2.1.x86_64",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_147-default-16-150400.2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 15 SP4",
                  "product_id": "SUSE Linux Enterprise Live Patching 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-live-patching:15:sp4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP4",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le"
        },
        "product_reference": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP4",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x"
        },
        "product_reference": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP4",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64"
        },
        "product_reference": "kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-53673",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-53673"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: call disconnect callback before deleting conn\n\nIn hci_cs_disconnect, we do hci_conn_del even if disconnection failed.\n\nISO, L2CAP and SCO connections refer to the hci_conn without\nhci_conn_get, so disconn_cfm must be called so they can clean up their\nconn, otherwise use-after-free occurs.\n\nISO:\n==========================================================\niso_sock_connect:880: sk 00000000eabd6557\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\n...\niso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073\nhci_dev_put:1487: hci0 orig refcnt 17\n__iso_chan_add:214: conn 00000000b6251073\niso_sock_clear_timer:117: sock 00000000eabd6557 state 3\n...\nhci_rx_work:4085: hci0 Event packet\nhci_event_packet:7601: hci0: event 0x0f\nhci_cmd_status_evt:4346: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3107: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560\nhci_conn_unlink:1102: hci0: hcon 000000001696f1fd\nhci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2\nhci_chan_list_flush:2780: hcon 000000001696f1fd\nhci_dev_put:1487: hci0 orig refcnt 21\nhci_dev_put:1487: hci0 orig refcnt 20\nhci_req_cmd_complete:3978: opcode 0x0406 status 0x0c\n... \u003cno iso_* activity on sk/conn\u003e ...\niso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557\nBUG: kernel NULL pointer dereference, address: 0000000000000668\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nRIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth\n==========================================================\n\nL2CAP:\n==================================================================\nhci_cmd_status_evt:4359: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3085: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585\nhci_conn_unlink:1102: hci0: hcon ffff88800c999000\nhci_chan_list_flush:2780: hcon ffff88800c999000\nhci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280\n...\nBUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]\nRead of size 8 at addr ffff888018ddd298 by task bluetoothd/1175\n\nCPU: 0 PID: 1175 Comm: bluetoothd Tainted: G            E      6.4.0-rc4+ #2\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0xf8/0x180\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n kasan_report+0xa8/0xe0\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n hci_send_acl+0x2d/0x540 [bluetooth]\n ? __pfx___lock_acquire+0x10/0x10\n l2cap_chan_send+0x1fd/0x1300 [bluetooth]\n ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]\n ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]\n ? lock_release+0x1d5/0x3c0\n ? mark_held_locks+0x1a/0x90\n l2cap_sock_sendmsg+0x100/0x170 [bluetooth]\n sock_write_iter+0x275/0x280\n ? __pfx_sock_write_iter+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n do_iter_readv_writev+0x176/0x220\n ? __pfx_do_iter_readv_writev+0x10/0x10\n ? find_held_lock+0x83/0xa0\n ? selinux_file_permission+0x13e/0x210\n do_iter_write+0xda/0x340\n vfs_writev+0x1b4/0x400\n ? __pfx_vfs_writev+0x10/0x10\n ? __seccomp_filter+0x112/0x750\n ? populate_seccomp_data+0x182/0x220\n ? __fget_light+0xdf/0x100\n ? do_writev+0x19d/0x210\n do_writev+0x19d/0x210\n ? __pfx_do_writev+0x10/0x10\n ? mark_held_locks+0x1a/0x90\n do_syscall_64+0x60/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n ? do_syscall_64+0x6c/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7ff45cb23e64\nCode: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\nRSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: \n---truncated---",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-53673",
          "url": "https://www.suse.com/security/cve/CVE-2023-53673"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251763 for CVE-2023-53673",
          "url": "https://bugzilla.suse.com/1251763"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251983 for CVE-2023-53673",
          "url": "https://bugzilla.suse.com/1251983"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-24T17:43:06Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-53673"
    },
    {
      "cve": "CVE-2024-53141",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-53141"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: add missing range check in bitmap_ip_uadt\n\nWhen tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,\nthe values of ip and ip_to are slightly swapped. Therefore, the range check\nfor ip should be done later, but this part is missing and it seems that the\nvulnerability occurs.\n\nSo we should add missing range checks and remove unnecessary range checks.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-53141",
          "url": "https://www.suse.com/security/cve/CVE-2024-53141"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1234381 for CVE-2024-53141",
          "url": "https://bugzilla.suse.com/1234381"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1245778 for CVE-2024-53141",
          "url": "https://bugzilla.suse.com/1245778"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-24T17:43:06Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-53141"
    },
    {
      "cve": "CVE-2025-23145",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-23145"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix NULL pointer in can_accept_new_subflow\n\nWhen testing valkey benchmark tool with MPTCP, the kernel panics in\n\u0027mptcp_can_accept_new_subflow\u0027 because subflow_req-\u003emsk is NULL.\n\nCall trace:\n\n  mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)\n  subflow_syn_recv_sock (./net/mptcp/subflow.c:854)\n  tcp_check_req (./net/ipv4/tcp_minisocks.c:863)\n  tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)\n  ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)\n  ip_local_deliver_finish (./net/ipv4/ip_input.c:234)\n  ip_local_deliver (./net/ipv4/ip_input.c:254)\n  ip_rcv_finish (./net/ipv4/ip_input.c:449)\n  ...\n\nAccording to the debug log, the same req received two SYN-ACK in a very\nshort time, very likely because the client retransmits the syn ack due\nto multiple reasons.\n\nEven if the packets are transmitted with a relevant time interval, they\ncan be processed by the server on different CPUs concurrently). The\n\u0027subflow_req-\u003emsk\u0027 ownership is transferred to the subflow the first,\nand there will be a risk of a null pointer dereference here.\n\nThis patch fixes this issue by moving the \u0027subflow_req-\u003emsk\u0027 under the\n`own_req == true` conditional.\n\nNote that the !msk check in subflow_hmac_valid() can be dropped, because\nthe same check already exists under the own_req mpj branch where the\ncode has been moved to.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-23145",
          "url": "https://www.suse.com/security/cve/CVE-2025-23145"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1242596 for CVE-2025-23145",
          "url": "https://bugzilla.suse.com/1242596"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1242882 for CVE-2025-23145",
          "url": "https://bugzilla.suse.com/1242882"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-17-150400.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-11-24T17:43:06Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-23145"
    }
  ]
}

CVE-2025-23145 (GCVE-0-2025-23145)

Vulnerability from cvelistv5

Published

2025-05-01 12:55

Modified

2025-11-03 19:42

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer in can_accept_new_subflow When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL. Call trace: mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./net/mptcp/subflow.c:854) tcp_check_req (./net/ipv4/tcp_minisocks.c:863) tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) ip_local_deliver_finish (./net/ipv4/ip_input.c:234) ip_local_deliver (./net/ipv4/ip_input.c:254) ip_rcv_finish (./net/ipv4/ip_input.c:449) ... According to the debug log, the same req received two SYN-ACK in a very short time, very likely because the client retransmits the syn ack due to multiple reasons. Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently). The 'subflow_req->msk' ownership is transferred to the subflow the first, and there will be a risk of a null pointer dereference here. This patch fixes this issue by moving the 'subflow_req->msk' under the `own_req == true` conditional. Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to.

References

URL

Tags

	https://git.kernel.org/stable/c/8cf7fef1bb2ffea7792bcbf71ca00216cecc725d
	https://git.kernel.org/stable/c/b3088bd2a6790c8efff139d86d7a9d0b1305977b
	https://git.kernel.org/stable/c/855bf0aacd51fced11ea9aa0d5101ee0febaeadb
	https://git.kernel.org/stable/c/7f9ae060ed64aef8f174c5f1ea513825b1be9af1
	https://git.kernel.org/stable/c/dc81e41a307df523072186b241fa8244fecd7803
	https://git.kernel.org/stable/c/efd58a8dd9e7a709a90ee486a4247c923d27296f
	https://git.kernel.org/stable/c/4b2649b9717678aeb097893cc49f59311a1ecab0
	https://git.kernel.org/stable/c/443041deb5ef6a1289a99ed95015ec7442f141dc

Impacted products

Vendor

Product

Version

Linux

Version: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8
Version: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8
Version: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8
Version: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8
Version: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8
Version: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8
Version: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8
Version: 9466a1ccebbe54ac57fb8a89c2b4b854826546a8

Linux

Version: 5.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:35.316Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/subflow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8cf7fef1bb2ffea7792bcbf71ca00216cecc725d",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "b3088bd2a6790c8efff139d86d7a9d0b1305977b",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "855bf0aacd51fced11ea9aa0d5101ee0febaeadb",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "7f9ae060ed64aef8f174c5f1ea513825b1be9af1",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "dc81e41a307df523072186b241fa8244fecd7803",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "efd58a8dd9e7a709a90ee486a4247c923d27296f",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "4b2649b9717678aeb097893cc49f59311a1ecab0",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            },
            {
              "lessThan": "443041deb5ef6a1289a99ed95015ec7442f141dc",
              "status": "affected",
              "version": "9466a1ccebbe54ac57fb8a89c2b4b854826546a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/subflow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix NULL pointer in can_accept_new_subflow\n\nWhen testing valkey benchmark tool with MPTCP, the kernel panics in\n\u0027mptcp_can_accept_new_subflow\u0027 because subflow_req-\u003emsk is NULL.\n\nCall trace:\n\n  mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P)\n  subflow_syn_recv_sock (./net/mptcp/subflow.c:854)\n  tcp_check_req (./net/ipv4/tcp_minisocks.c:863)\n  tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268)\n  ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207)\n  ip_local_deliver_finish (./net/ipv4/ip_input.c:234)\n  ip_local_deliver (./net/ipv4/ip_input.c:254)\n  ip_rcv_finish (./net/ipv4/ip_input.c:449)\n  ...\n\nAccording to the debug log, the same req received two SYN-ACK in a very\nshort time, very likely because the client retransmits the syn ack due\nto multiple reasons.\n\nEven if the packets are transmitted with a relevant time interval, they\ncan be processed by the server on different CPUs concurrently). The\n\u0027subflow_req-\u003emsk\u0027 ownership is transferred to the subflow the first,\nand there will be a risk of a null pointer dereference here.\n\nThis patch fixes this issue by moving the \u0027subflow_req-\u003emsk\u0027 under the\n`own_req == true` conditional.\n\nNote that the !msk check in subflow_hmac_valid() can be dropped, because\nthe same check already exists under the own_req mpj branch where the\ncode has been moved to."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:25.316Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8cf7fef1bb2ffea7792bcbf71ca00216cecc725d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3088bd2a6790c8efff139d86d7a9d0b1305977b"
        },
        {
          "url": "https://git.kernel.org/stable/c/855bf0aacd51fced11ea9aa0d5101ee0febaeadb"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f9ae060ed64aef8f174c5f1ea513825b1be9af1"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc81e41a307df523072186b241fa8244fecd7803"
        },
        {
          "url": "https://git.kernel.org/stable/c/efd58a8dd9e7a709a90ee486a4247c923d27296f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b2649b9717678aeb097893cc49f59311a1ecab0"
        },
        {
          "url": "https://git.kernel.org/stable/c/443041deb5ef6a1289a99ed95015ec7442f141dc"
        }
      ],
      "title": "mptcp: fix NULL pointer in can_accept_new_subflow",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23145",
    "datePublished": "2025-05-01T12:55:34.622Z",
    "dateReserved": "2025-01-11T14:28:41.512Z",
    "dateUpdated": "2025-11-03T19:42:35.316Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53673 (GCVE-0-2023-53673)

Vulnerability from cvelistv5

Published

2025-10-07 15:21

Modified

2025-10-07 15:21

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: call disconnect callback before deleting conn In hci_cs_disconnect, we do hci_conn_del even if disconnection failed. ISO, L2CAP and SCO connections refer to the hci_conn without hci_conn_get, so disconn_cfm must be called so they can clean up their conn, otherwise use-after-free occurs. ISO: ========================================================== iso_sock_connect:880: sk 00000000eabd6557 iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da ... iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073 hci_dev_put:1487: hci0 orig refcnt 17 __iso_chan_add:214: conn 00000000b6251073 iso_sock_clear_timer:117: sock 00000000eabd6557 state 3 ... hci_rx_work:4085: hci0 Event packet hci_event_packet:7601: hci0: event 0x0f hci_cmd_status_evt:4346: hci0: opcode 0x0406 hci_cs_disconnect:2760: hci0: status 0x0c hci_sent_cmd_data:3107: hci0 opcode 0x0406 hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560 hci_conn_unlink:1102: hci0: hcon 000000001696f1fd hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2 hci_chan_list_flush:2780: hcon 000000001696f1fd hci_dev_put:1487: hci0 orig refcnt 21 hci_dev_put:1487: hci0 orig refcnt 20 hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c ... <no iso_* activity on sk/conn> ... iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557 BUG: kernel NULL pointer dereference, address: 0000000000000668 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth ========================================================== L2CAP: ================================================================== hci_cmd_status_evt:4359: hci0: opcode 0x0406 hci_cs_disconnect:2760: hci0: status 0x0c hci_sent_cmd_data:3085: hci0 opcode 0x0406 hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585 hci_conn_unlink:1102: hci0: hcon ffff88800c999000 hci_chan_list_flush:2780: hcon ffff88800c999000 hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280 ... BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth] Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175 CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0xf8/0x180 ? hci_send_acl+0x2d/0x540 [bluetooth] kasan_report+0xa8/0xe0 ? hci_send_acl+0x2d/0x540 [bluetooth] hci_send_acl+0x2d/0x540 [bluetooth] ? __pfx___lock_acquire+0x10/0x10 l2cap_chan_send+0x1fd/0x1300 [bluetooth] ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth] ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth] ? lock_release+0x1d5/0x3c0 ? mark_held_locks+0x1a/0x90 l2cap_sock_sendmsg+0x100/0x170 [bluetooth] sock_write_iter+0x275/0x280 ? __pfx_sock_write_iter+0x10/0x10 ? __pfx___lock_acquire+0x10/0x10 do_iter_readv_writev+0x176/0x220 ? __pfx_do_iter_readv_writev+0x10/0x10 ? find_held_lock+0x83/0xa0 ? selinux_file_permission+0x13e/0x210 do_iter_write+0xda/0x340 vfs_writev+0x1b4/0x400 ? __pfx_vfs_writev+0x10/0x10 ? __seccomp_filter+0x112/0x750 ? populate_seccomp_data+0x182/0x220 ? __fget_light+0xdf/0x100 ? do_writev+0x19d/0x210 do_writev+0x19d/0x210 ? __pfx_do_writev+0x10/0x10 ? mark_held_locks+0x1a/0x90 do_syscall_64+0x60/0x90 ? lockdep_hardirqs_on_prepare+0x149/0x210 ? do_syscall_64+0x6c/0x90 ? lockdep_hardirqs_on_prepare+0x149/0x210 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7ff45cb23e64 Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: ---truncated---

References

URL

Tags

	https://git.kernel.org/stable/c/59bd1e476bbc7bc6dff3c61bba787095a4839796
	https://git.kernel.org/stable/c/093a07052406b363b1b2ab489e17dbadaf3e509b
	https://git.kernel.org/stable/c/7f7cfcb6f0825652973b780f248603e23f16ee90

Impacted products

Vendor

Product

Version

Linux

Version: b8d290525e3972b5e876b2649a42bf4081d753fe
Version: b8d290525e3972b5e876b2649a42bf4081d753fe
Version: b8d290525e3972b5e876b2649a42bf4081d753fe

Linux

Version: 5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "59bd1e476bbc7bc6dff3c61bba787095a4839796",
              "status": "affected",
              "version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
              "versionType": "git"
            },
            {
              "lessThan": "093a07052406b363b1b2ab489e17dbadaf3e509b",
              "status": "affected",
              "version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
              "versionType": "git"
            },
            {
              "lessThan": "7f7cfcb6f0825652973b780f248603e23f16ee90",
              "status": "affected",
              "version": "b8d290525e3972b5e876b2649a42bf4081d753fe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: call disconnect callback before deleting conn\n\nIn hci_cs_disconnect, we do hci_conn_del even if disconnection failed.\n\nISO, L2CAP and SCO connections refer to the hci_conn without\nhci_conn_get, so disconn_cfm must be called so they can clean up their\nconn, otherwise use-after-free occurs.\n\nISO:\n==========================================================\niso_sock_connect:880: sk 00000000eabd6557\niso_connect_cis:356: 70:1a:b8:98:ff:a2 -\u003e 28:3d:c2:4a:7e:da\n...\niso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073\nhci_dev_put:1487: hci0 orig refcnt 17\n__iso_chan_add:214: conn 00000000b6251073\niso_sock_clear_timer:117: sock 00000000eabd6557 state 3\n...\nhci_rx_work:4085: hci0 Event packet\nhci_event_packet:7601: hci0: event 0x0f\nhci_cmd_status_evt:4346: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3107: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560\nhci_conn_unlink:1102: hci0: hcon 000000001696f1fd\nhci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2\nhci_chan_list_flush:2780: hcon 000000001696f1fd\nhci_dev_put:1487: hci0 orig refcnt 21\nhci_dev_put:1487: hci0 orig refcnt 20\nhci_req_cmd_complete:3978: opcode 0x0406 status 0x0c\n... \u003cno iso_* activity on sk/conn\u003e ...\niso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557\nBUG: kernel NULL pointer dereference, address: 0000000000000668\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP PTI\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nRIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth\n==========================================================\n\nL2CAP:\n==================================================================\nhci_cmd_status_evt:4359: hci0: opcode 0x0406\nhci_cs_disconnect:2760: hci0: status 0x0c\nhci_sent_cmd_data:3085: hci0 opcode 0x0406\nhci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585\nhci_conn_unlink:1102: hci0: hcon ffff88800c999000\nhci_chan_list_flush:2780: hcon ffff88800c999000\nhci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280\n...\nBUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]\nRead of size 8 at addr ffff888018ddd298 by task bluetoothd/1175\n\nCPU: 0 PID: 1175 Comm: bluetoothd Tainted: G            E      6.4.0-rc4+ #2\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0xf8/0x180\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n kasan_report+0xa8/0xe0\n ? hci_send_acl+0x2d/0x540 [bluetooth]\n hci_send_acl+0x2d/0x540 [bluetooth]\n ? __pfx___lock_acquire+0x10/0x10\n l2cap_chan_send+0x1fd/0x1300 [bluetooth]\n ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]\n ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]\n ? lock_release+0x1d5/0x3c0\n ? mark_held_locks+0x1a/0x90\n l2cap_sock_sendmsg+0x100/0x170 [bluetooth]\n sock_write_iter+0x275/0x280\n ? __pfx_sock_write_iter+0x10/0x10\n ? __pfx___lock_acquire+0x10/0x10\n do_iter_readv_writev+0x176/0x220\n ? __pfx_do_iter_readv_writev+0x10/0x10\n ? find_held_lock+0x83/0xa0\n ? selinux_file_permission+0x13e/0x210\n do_iter_write+0xda/0x340\n vfs_writev+0x1b4/0x400\n ? __pfx_vfs_writev+0x10/0x10\n ? __seccomp_filter+0x112/0x750\n ? populate_seccomp_data+0x182/0x220\n ? __fget_light+0xdf/0x100\n ? do_writev+0x19d/0x210\n do_writev+0x19d/0x210\n ? __pfx_do_writev+0x10/0x10\n ? mark_held_locks+0x1a/0x90\n do_syscall_64+0x60/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n ? do_syscall_64+0x6c/0x90\n ? lockdep_hardirqs_on_prepare+0x149/0x210\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7ff45cb23e64\nCode: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\nRSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014\nRAX: ffffffffffffffda RBX: \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-07T15:21:29.632Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/59bd1e476bbc7bc6dff3c61bba787095a4839796"
        },
        {
          "url": "https://git.kernel.org/stable/c/093a07052406b363b1b2ab489e17dbadaf3e509b"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f7cfcb6f0825652973b780f248603e23f16ee90"
        }
      ],
      "title": "Bluetooth: hci_event: call disconnect callback before deleting conn",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53673",
    "datePublished": "2025-10-07T15:21:29.632Z",
    "dateReserved": "2025-10-07T15:16:59.663Z",
    "dateUpdated": "2025-10-07T15:21:29.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53141 (GCVE-0-2024-53141)

Vulnerability from cvelistv5

Published

2024-12-06 09:37

Modified

2025-11-03 20:46

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: add missing range check in bitmap_ip_uadt When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing and it seems that the vulnerability occurs. So we should add missing range checks and remove unnecessary range checks.

References

URL

Tags

	https://git.kernel.org/stable/c/3c20b5948f119ae61ee35ad8584d666020c91581
	https://git.kernel.org/stable/c/78b0f2028f1043227a8eb0c41944027fc6a04596
	https://git.kernel.org/stable/c/2e151b8ca31607d14fddc4ad0f14da0893e1a7c7
	https://git.kernel.org/stable/c/e67471437ae9083fa73fa67eee1573fec1b7c8cf
	https://git.kernel.org/stable/c/7ffef5e5d5eeecd9687204a5ec2d863752aafb7e
	https://git.kernel.org/stable/c/856023ef032d824309abd5c747241dffa33aae8c
	https://git.kernel.org/stable/c/591efa494a1cf649f50a35def649c43ae984cd03
	https://git.kernel.org/stable/c/15794835378ed56fb9bacc6a5dd3b9f33520604e
	https://git.kernel.org/stable/c/35f56c554eb1b56b77b3cf197a6b00922d49033d

Impacted products

Vendor

Product

Version

Linux

Version: 72205fc68bd13109576aa6c4c12c740962d28a6c
Version: 72205fc68bd13109576aa6c4c12c740962d28a6c
Version: 72205fc68bd13109576aa6c4c12c740962d28a6c
Version: 72205fc68bd13109576aa6c4c12c740962d28a6c
Version: 72205fc68bd13109576aa6c4c12c740962d28a6c
Version: 72205fc68bd13109576aa6c4c12c740962d28a6c
Version: 72205fc68bd13109576aa6c4c12c740962d28a6c
Version: 72205fc68bd13109576aa6c4c12c740962d28a6c
Version: 72205fc68bd13109576aa6c4c12c740962d28a6c

Linux

Version: 2.6.39

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:46:21.162Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipset/ip_set_bitmap_ip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3c20b5948f119ae61ee35ad8584d666020c91581",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "78b0f2028f1043227a8eb0c41944027fc6a04596",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "2e151b8ca31607d14fddc4ad0f14da0893e1a7c7",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "e67471437ae9083fa73fa67eee1573fec1b7c8cf",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "7ffef5e5d5eeecd9687204a5ec2d863752aafb7e",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "856023ef032d824309abd5c747241dffa33aae8c",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "591efa494a1cf649f50a35def649c43ae984cd03",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "15794835378ed56fb9bacc6a5dd3b9f33520604e",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            },
            {
              "lessThan": "35f56c554eb1b56b77b3cf197a6b00922d49033d",
              "status": "affected",
              "version": "72205fc68bd13109576aa6c4c12c740962d28a6c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipset/ip_set_bitmap_ip.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.39"
            },
            {
              "lessThan": "2.6.39",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.325",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.325",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: add missing range check in bitmap_ip_uadt\n\nWhen tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,\nthe values of ip and ip_to are slightly swapped. Therefore, the range check\nfor ip should be done later, but this part is missing and it seems that the\nvulnerability occurs.\n\nSo we should add missing range checks and remove unnecessary range checks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:54:04.856Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3c20b5948f119ae61ee35ad8584d666020c91581"
        },
        {
          "url": "https://git.kernel.org/stable/c/78b0f2028f1043227a8eb0c41944027fc6a04596"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e151b8ca31607d14fddc4ad0f14da0893e1a7c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e67471437ae9083fa73fa67eee1573fec1b7c8cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ffef5e5d5eeecd9687204a5ec2d863752aafb7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/856023ef032d824309abd5c747241dffa33aae8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/591efa494a1cf649f50a35def649c43ae984cd03"
        },
        {
          "url": "https://git.kernel.org/stable/c/15794835378ed56fb9bacc6a5dd3b9f33520604e"
        },
        {
          "url": "https://git.kernel.org/stable/c/35f56c554eb1b56b77b3cf197a6b00922d49033d"
        }
      ],
      "title": "netfilter: ipset: add missing range check in bitmap_ip_uadt",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53141",
    "datePublished": "2024-12-06T09:37:02.009Z",
    "dateReserved": "2024-11-19T17:17:24.997Z",
    "dateUpdated": "2025-11-03T20:46:21.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

suse-su-2025:4215-1

Vulnerability from csaf_suse

CVE-2025-23145 (GCVE-0-2025-23145)

Vulnerability from cvelistv5

CVE-2023-53673 (GCVE-0-2023-53673)

Vulnerability from cvelistv5

CVE-2024-53141 (GCVE-0-2024-53141)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature