Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2025-1452
Vulnerability from csaf_certbund
Published
2025-07-02 22:00
Modified
2025-08-31 22:00
Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein lokaler Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen und andere, nicht spezifizierte Auswirkungen zu verursachen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein lokaler Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren und andere, nicht spezifizierte Auswirkungen zu verursachen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2025-1452 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1452.json" }, { "category": "self", "summary": "WID-SEC-2025-1452 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1452" }, { "category": "external", "summary": "Kernel CVE Announce Mailingliste", "url": "https://lore.kernel.org/linux-cve-announce/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38091", "url": "https://lore.kernel.org/linux-cve-announce/2025070235-CVE-2025-38091-cb97@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38092", "url": "https://lore.kernel.org/linux-cve-announce/2025070237-CVE-2025-38092-70a8@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38093", "url": "https://lore.kernel.org/linux-cve-announce/2025070237-CVE-2025-38093-a615@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38094", "url": "https://lore.kernel.org/linux-cve-announce/2025070324-CVE-2025-38094-1b5c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38095", "url": "https://lore.kernel.org/linux-cve-announce/2025070340-CVE-2025-38095-6596@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38096", "url": "https://lore.kernel.org/linux-cve-announce/2025070303-CVE-2025-38096-ae58@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38097", "url": "https://lore.kernel.org/linux-cve-announce/2025070305-CVE-2025-38097-287c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38098", "url": "https://lore.kernel.org/linux-cve-announce/2025070305-CVE-2025-38098-2802@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38099", "url": "https://lore.kernel.org/linux-cve-announce/2025070306-CVE-2025-38099-dffb@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38100", "url": "https://lore.kernel.org/linux-cve-announce/2025070319-CVE-2025-38100-5040@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38101", "url": "https://lore.kernel.org/linux-cve-announce/2025070321-CVE-2025-38101-56c1@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38102", "url": "https://lore.kernel.org/linux-cve-announce/2025070321-CVE-2025-38102-d592@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38103", "url": "https://lore.kernel.org/linux-cve-announce/2025070322-CVE-2025-38103-dd1b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38105", "url": "https://lore.kernel.org/linux-cve-announce/2025070322-CVE-2025-38105-dfcf@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38106", "url": "https://lore.kernel.org/linux-cve-announce/2025070322-CVE-2025-38106-8de3@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38107", "url": "https://lore.kernel.org/linux-cve-announce/2025070323-CVE-2025-38107-9344@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38108", "url": "https://lore.kernel.org/linux-cve-announce/2025070323-CVE-2025-38108-9c8c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38109", "url": "https://lore.kernel.org/linux-cve-announce/2025070323-CVE-2025-38109-f925@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38110", "url": "https://lore.kernel.org/linux-cve-announce/2025070324-CVE-2025-38110-a9c0@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38111", "url": "https://lore.kernel.org/linux-cve-announce/2025070324-CVE-2025-38111-8e9a@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38112", "url": "https://lore.kernel.org/linux-cve-announce/2025070324-CVE-2025-38112-57a2@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38113", "url": "https://lore.kernel.org/linux-cve-announce/2025070325-CVE-2025-38113-d080@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38114", "url": "https://lore.kernel.org/linux-cve-announce/2025070325-CVE-2025-38114-c603@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38115", "url": "https://lore.kernel.org/linux-cve-announce/2025070325-CVE-2025-38115-cce2@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38116", "url": "https://lore.kernel.org/linux-cve-announce/2025070325-CVE-2025-38116-1d80@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38117", "url": "https://lore.kernel.org/linux-cve-announce/2025070326-CVE-2025-38117-3424@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38118", "url": "https://lore.kernel.org/linux-cve-announce/2025070326-CVE-2025-38118-f9ca@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38119", "url": "https://lore.kernel.org/linux-cve-announce/2025070326-CVE-2025-38119-9bbe@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38120", "url": "https://lore.kernel.org/linux-cve-announce/2025070327-CVE-2025-38120-4498@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38121", "url": "https://lore.kernel.org/linux-cve-announce/2025070327-CVE-2025-38121-5390@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38122", "url": "https://lore.kernel.org/linux-cve-announce/2025070327-CVE-2025-38122-cd8d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38123", "url": "https://lore.kernel.org/linux-cve-announce/2025070328-CVE-2025-38123-3e20@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38124", "url": "https://lore.kernel.org/linux-cve-announce/2025070328-CVE-2025-38124-bc19@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38125", "url": "https://lore.kernel.org/linux-cve-announce/2025070328-CVE-2025-38125-8a6b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38126", "url": "https://lore.kernel.org/linux-cve-announce/2025070329-CVE-2025-38126-3c9b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38127", "url": "https://lore.kernel.org/linux-cve-announce/2025070329-CVE-2025-38127-686d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38128", "url": "https://lore.kernel.org/linux-cve-announce/2025070329-CVE-2025-38128-5b44@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38129", "url": "https://lore.kernel.org/linux-cve-announce/2025070330-CVE-2025-38129-3c0e@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38130", "url": "https://lore.kernel.org/linux-cve-announce/2025070330-CVE-2025-38130-3371@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38131", "url": "https://lore.kernel.org/linux-cve-announce/2025070330-CVE-2025-38131-2350@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38132", "url": "https://lore.kernel.org/linux-cve-announce/2025070331-CVE-2025-38132-bfc9@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38133", "url": "https://lore.kernel.org/linux-cve-announce/2025070331-CVE-2025-38133-5976@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38134", "url": "https://lore.kernel.org/linux-cve-announce/2025070331-CVE-2025-38134-cbff@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38135", "url": "https://lore.kernel.org/linux-cve-announce/2025070331-CVE-2025-38135-20aa@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38136", "url": "https://lore.kernel.org/linux-cve-announce/2025070332-CVE-2025-38136-1489@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38137", "url": "https://lore.kernel.org/linux-cve-announce/2025070332-CVE-2025-38137-d4bf@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38138", "url": "https://lore.kernel.org/linux-cve-announce/2025070332-CVE-2025-38138-e28b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38139", "url": "https://lore.kernel.org/linux-cve-announce/2025070333-CVE-2025-38139-5152@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38140", "url": "https://lore.kernel.org/linux-cve-announce/2025070333-CVE-2025-38140-0ba9@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38141", "url": "https://lore.kernel.org/linux-cve-announce/2025070333-CVE-2025-38141-560e@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38142", "url": "https://lore.kernel.org/linux-cve-announce/2025070334-CVE-2025-38142-a038@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38143", "url": "https://lore.kernel.org/linux-cve-announce/2025070334-CVE-2025-38143-09c4@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38144", "url": "https://lore.kernel.org/linux-cve-announce/2025070334-CVE-2025-38144-036b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38145", "url": "https://lore.kernel.org/linux-cve-announce/2025070335-CVE-2025-38145-548b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38146", "url": "https://lore.kernel.org/linux-cve-announce/2025070335-CVE-2025-38146-4390@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38147", "url": "https://lore.kernel.org/linux-cve-announce/2025070335-CVE-2025-38147-52a6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38148", "url": "https://lore.kernel.org/linux-cve-announce/2025070336-CVE-2025-38148-76a4@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38149", "url": "https://lore.kernel.org/linux-cve-announce/2025070336-CVE-2025-38149-0dad@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38150", "url": "https://lore.kernel.org/linux-cve-announce/2025070336-CVE-2025-38150-3ce8@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38151", "url": "https://lore.kernel.org/linux-cve-announce/2025070336-CVE-2025-38151-6483@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38153", "url": "https://lore.kernel.org/linux-cve-announce/2025070337-CVE-2025-38153-5735@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38154", "url": "https://lore.kernel.org/linux-cve-announce/2025070337-CVE-2025-38154-8353@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38155", "url": "https://lore.kernel.org/linux-cve-announce/2025070337-CVE-2025-38155-9967@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38156", "url": "https://lore.kernel.org/linux-cve-announce/2025070338-CVE-2025-38156-d23e@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38157", "url": "https://lore.kernel.org/linux-cve-announce/2025070338-CVE-2025-38157-bc8c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38158", "url": "https://lore.kernel.org/linux-cve-announce/2025070338-CVE-2025-38158-d5f0@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38159", "url": "https://lore.kernel.org/linux-cve-announce/2025070339-CVE-2025-38159-0c95@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38160", "url": "https://lore.kernel.org/linux-cve-announce/2025070339-CVE-2025-38160-04ed@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38161", "url": "https://lore.kernel.org/linux-cve-announce/2025070339-CVE-2025-38161-0949@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38162", "url": "https://lore.kernel.org/linux-cve-announce/2025070340-CVE-2025-38162-cd74@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38163", "url": "https://lore.kernel.org/linux-cve-announce/2025070340-CVE-2025-38163-273b@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38164", "url": "https://lore.kernel.org/linux-cve-announce/2025070340-CVE-2025-38164-2a23@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38165", "url": "https://lore.kernel.org/linux-cve-announce/2025070341-CVE-2025-38165-0d70@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38166", "url": "https://lore.kernel.org/linux-cve-announce/2025070341-CVE-2025-38166-3dc8@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38167", "url": "https://lore.kernel.org/linux-cve-announce/2025070341-CVE-2025-38167-535f@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38168", "url": "https://lore.kernel.org/linux-cve-announce/2025070341-CVE-2025-38168-da4f@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38169", "url": "https://lore.kernel.org/linux-cve-announce/2025070342-CVE-2025-38169-11b6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38170", "url": "https://lore.kernel.org/linux-cve-announce/2025070342-CVE-2025-38170-0f47@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38171", "url": "https://lore.kernel.org/linux-cve-announce/2025070342-CVE-2025-38171-a380@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38172", "url": "https://lore.kernel.org/linux-cve-announce/2025070343-CVE-2025-38172-13be@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38173", "url": "https://lore.kernel.org/linux-cve-announce/2025070343-CVE-2025-38173-f02e@gregkh/" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:11245 vom 2025-07-16", "url": "https://access.redhat.com/errata/RHSA-2025:11245" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7654-1 vom 2025-07-18", "url": "https://ubuntu.com/security/notices/USN-7654-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7654-2 vom 2025-07-18", "url": "https://ubuntu.com/security/notices/USN-7654-2" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7654-3 vom 2025-07-18", "url": "https://ubuntu.com/security/notices/USN-7654-3" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7655-1 vom 2025-07-18", "url": "https://ubuntu.com/security/notices/USN-7655-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7654-4 vom 2025-07-22", "url": "https://ubuntu.com/security/notices/USN-7654-4" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:11861 vom 2025-07-28", "url": "https://access.redhat.com/errata/RHSA-2025:11861" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:11855 vom 2025-07-28", "url": "https://access.redhat.com/errata/RHSA-2025:11855" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7654-5 vom 2025-07-29", "url": "https://ubuntu.com/security/notices/USN-7654-5" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-11861 vom 2025-07-30", "url": "https://linux.oracle.com/errata/ELSA-2025-11861.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-11855 vom 2025-07-30", "url": "https://linux.oracle.com/errata/ELSA-2025-11855.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.10-2025-098 vom 2025-08-05", "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2025-098.html" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.4-2025-105 vom 2025-08-05", "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.4-2025-105.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7686-1 vom 2025-08-05", "url": "https://ubuntu.com/security/notices/USN-7686-1" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.4-2025-106 vom 2025-08-09", "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.4-2025-106.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:13589 vom 2025-08-11", "url": "https://access.redhat.com/errata/RHSA-2025:13589" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:13590 vom 2025-08-11", "url": "https://access.redhat.com/errata/RHSA-2025:13590" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:13598 vom 2025-08-11", "url": "https://access.redhat.com/errata/RHSA-2025:13598" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-13589 vom 2025-08-12", "url": "https://linux.oracle.com/errata/ELSA-2025-13589.html" }, { "category": "external", "summary": "Debian Security Advisory DSA-5973 vom 2025-08-12", "url": "https://lists.debian.org/debian-security-announce/2025/msg00137.html" }, { "category": "external", "summary": "Debian Security Advisory DLA-4271 vom 2025-08-13", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-13598 vom 2025-08-15", "url": "https://linux.oracle.com/errata/ELSA-2025-13598.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:13962 vom 2025-08-18", "url": "https://access.redhat.com/errata/RHSA-2025:13962" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02848-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022193.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02851-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022202.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02852-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022201.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02850-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022203.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02853-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022200.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02849-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022204.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02846-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022192.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14009 vom 2025-08-18", "url": "https://access.redhat.com/errata/RHSA-2025:14009" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7699-1 vom 2025-08-18", "url": "https://ubuntu.com/security/notices/USN-7699-1" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALAS2-2025-2968 vom 2025-08-19", "url": "https://alas.aws.amazon.com/AL2/ALAS2-2025-2968.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02923-1 vom 2025-08-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022237.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-13962 vom 2025-08-20", "url": "https://linux.oracle.com/errata/ELSA-2025-13962.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7699-2 vom 2025-08-20", "url": "https://ubuntu.com/security/notices/USN-7699-2" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-14009 vom 2025-08-22", "url": "https://linux.oracle.com/errata/ELSA-2025-14009.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7711-1 vom 2025-08-22", "url": "https://ubuntu.com/security/notices/USN-7711-1" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7712-1 vom 2025-08-22", "url": "https://ubuntu.com/security/notices/USN-7712-1" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02969-1 vom 2025-08-25", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022259.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02997-1 vom 2025-08-27", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022283.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02996-1 vom 2025-08-27", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022291.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20577-1 vom 2025-08-28", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022304.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20586-1 vom 2025-08-28", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022295.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:03011-1 vom 2025-08-28", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022327.html" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7721-1 vom 2025-08-28", "url": "https://ubuntu.com/security/notices/USN-7721-1" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20602-1 vom 2025-08-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022362.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:03023-1 vom 2025-08-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022329.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20601-1 vom 2025-08-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022363.html" } ], "source_lang": "en-US", "title": "Linux Kernel: Mehrere Schwachstellen", "tracking": { "current_release_date": "2025-08-31T22:00:00.000+00:00", "generator": { "date": "2025-09-01T07:27:07.141+00:00", "engine": { "name": "BSI-WID", "version": "1.4.0" } }, "id": "WID-SEC-W-2025-1452", "initial_release_date": "2025-07-02T22:00:00.000+00:00", "revision_history": [ { "date": "2025-07-02T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2025-07-15T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2025-07-17T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2025-07-21T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2025-07-27T22:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2025-07-29T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Ubuntu und Oracle Linux aufgenommen" }, { "date": "2025-07-30T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2025-08-04T22:00:00.000+00:00", "number": "8", "summary": "Neue Updates von Amazon aufgenommen" }, { "date": "2025-08-05T22:00:00.000+00:00", "number": "9", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2025-08-10T22:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Amazon aufgenommen" }, { "date": "2025-08-11T22:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2025-08-12T22:00:00.000+00:00", "number": "12", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2025-08-17T22:00:00.000+00:00", "number": "13", "summary": "Neue Updates von Oracle Linux und Red Hat aufgenommen" }, { "date": "2025-08-18T22:00:00.000+00:00", "number": "14", "summary": "Neue Updates von SUSE, Red Hat und Ubuntu aufgenommen" }, { "date": "2025-08-19T22:00:00.000+00:00", "number": "15", "summary": "Neue Updates von Amazon aufgenommen" }, { "date": "2025-08-20T22:00:00.000+00:00", "number": "16", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2025-08-21T22:00:00.000+00:00", "number": "17", "summary": "Neue Updates von Oracle Linux aufgenommen" }, { "date": "2025-08-24T22:00:00.000+00:00", "number": "18", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2025-08-27T22:00:00.000+00:00", "number": "19", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-08-28T22:00:00.000+00:00", "number": "20", "summary": "Neue Updates von SUSE und Ubuntu aufgenommen" }, { "date": "2025-08-31T22:00:00.000+00:00", "number": "21", "summary": "Neue Updates von SUSE aufgenommen" } ], "status": "final", "version": "21" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Amazon Linux 2", "product": { "name": "Amazon Linux 2", "product_id": "398363", "product_identification_helper": { "cpe": "cpe:/o:amazon:linux_2:-" } } } ], "category": "vendor", "name": "Amazon" }, { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Open Source Linux Kernel", "product": { "name": "Open Source Linux Kernel", "product_id": "T045032", "product_identification_helper": { "cpe": "cpe:/o:linux:linux_kernel:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-38091", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38091" }, { "cve": "CVE-2025-38092", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38092" }, { "cve": "CVE-2025-38093", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38093" }, { "cve": "CVE-2025-38094", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38094" }, { "cve": "CVE-2025-38095", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38095" }, { "cve": "CVE-2025-38096", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38096" }, { "cve": "CVE-2025-38097", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38097" }, { "cve": "CVE-2025-38098", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38098" }, { "cve": "CVE-2025-38099", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38099" }, { "cve": "CVE-2025-38100", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38100" }, { "cve": "CVE-2025-38101", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38101" }, { "cve": "CVE-2025-38102", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38102" }, { "cve": "CVE-2025-38103", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38103" }, { "cve": "CVE-2025-38105", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38105" }, { "cve": "CVE-2025-38106", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38106" }, { "cve": "CVE-2025-38107", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38107" }, { "cve": "CVE-2025-38108", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38108" }, { "cve": "CVE-2025-38109", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38109" }, { "cve": "CVE-2025-38110", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38110" }, { "cve": "CVE-2025-38111", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38111" }, { "cve": "CVE-2025-38112", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38112" }, { "cve": "CVE-2025-38113", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38113" }, { "cve": "CVE-2025-38114", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38114" }, { "cve": "CVE-2025-38115", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38115" }, { "cve": "CVE-2025-38116", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38116" }, { "cve": "CVE-2025-38117", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38117" }, { "cve": "CVE-2025-38118", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38118" }, { "cve": "CVE-2025-38119", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38119" }, { "cve": "CVE-2025-38120", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38120" }, { "cve": "CVE-2025-38121", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38121" }, { "cve": "CVE-2025-38122", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38122" }, { "cve": "CVE-2025-38123", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38123" }, { "cve": "CVE-2025-38124", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38124" }, { "cve": "CVE-2025-38125", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38125" }, { "cve": "CVE-2025-38126", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38126" }, { "cve": "CVE-2025-38127", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38127" }, { "cve": "CVE-2025-38128", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38128" }, { "cve": "CVE-2025-38129", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38129" }, { "cve": "CVE-2025-38130", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38130" }, { "cve": "CVE-2025-38131", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38131" }, { "cve": "CVE-2025-38132", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38132" }, { "cve": "CVE-2025-38133", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38133" }, { "cve": "CVE-2025-38134", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38134" }, { "cve": "CVE-2025-38135", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38135" }, { "cve": "CVE-2025-38136", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38136" }, { "cve": "CVE-2025-38137", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38137" }, { "cve": "CVE-2025-38138", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38138" }, { "cve": "CVE-2025-38139", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38139" }, { "cve": "CVE-2025-38140", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38140" }, { "cve": "CVE-2025-38141", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38141" }, { "cve": "CVE-2025-38142", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38142" }, { "cve": "CVE-2025-38143", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38143" }, { "cve": "CVE-2025-38144", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38144" }, { "cve": "CVE-2025-38145", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38145" }, { "cve": "CVE-2025-38146", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38146" }, { "cve": "CVE-2025-38147", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38147" }, { "cve": "CVE-2025-38148", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38148" }, { "cve": "CVE-2025-38149", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38149" }, { "cve": "CVE-2025-38150", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38150" }, { "cve": "CVE-2025-38151", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38151" }, { "cve": "CVE-2025-38153", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38153" }, { "cve": "CVE-2025-38154", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38154" }, { "cve": "CVE-2025-38155", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38155" }, { "cve": "CVE-2025-38156", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38156" }, { "cve": "CVE-2025-38157", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38157" }, { "cve": "CVE-2025-38158", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38158" }, { "cve": "CVE-2025-38159", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38159" }, { "cve": "CVE-2025-38160", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38160" }, { "cve": "CVE-2025-38161", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38161" }, { "cve": "CVE-2025-38162", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38162" }, { "cve": "CVE-2025-38163", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38163" }, { "cve": "CVE-2025-38164", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38164" }, { "cve": "CVE-2025-38165", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38165" }, { "cve": "CVE-2025-38166", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38166" }, { "cve": "CVE-2025-38167", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38167" }, { "cve": "CVE-2025-38168", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38168" }, { "cve": "CVE-2025-38169", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38169" }, { "cve": "CVE-2025-38170", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38170" }, { "cve": "CVE-2025-38171", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38171" }, { "cve": "CVE-2025-38172", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38172" }, { "cve": "CVE-2025-38173", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "398363", "T045032", "T004914" ] }, "release_date": "2025-07-02T22:00:00.000+00:00", "title": "CVE-2025-38173" } ] }
CVE-2025-38159 (GCVE-0-2025-38159)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds
Set the size to 6 instead of 2, since 'para' array is passed to
'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads
5 bytes:
void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)
{
...
SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);
SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));
...
SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));
Detected using the static analysis tool - Svace.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 4136214f7c46839c15f0f177fe1d5052302c0205 Version: 4136214f7c46839c15f0f177fe1d5052302c0205 Version: 4136214f7c46839c15f0f177fe1d5052302c0205 Version: 4136214f7c46839c15f0f177fe1d5052302c0205 Version: 4136214f7c46839c15f0f177fe1d5052302c0205 Version: 4136214f7c46839c15f0f177fe1d5052302c0205 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/realtek/rtw88/coex.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1ee8ea6937d13b20f90ff35d71ccc03ba448182d", "status": "affected", "version": "4136214f7c46839c15f0f177fe1d5052302c0205", "versionType": "git" }, { "lessThan": "68a1037f0bac4de9a585aa9c879ef886109f3647", "status": "affected", "version": "4136214f7c46839c15f0f177fe1d5052302c0205", "versionType": "git" }, { "lessThan": "74e18211c2c89ab66c9546baa7408288db61aa0d", "status": "affected", "version": "4136214f7c46839c15f0f177fe1d5052302c0205", "versionType": "git" }, { "lessThan": "c13255389499275bc5489a0b5b7940ccea3aef04", "status": "affected", "version": "4136214f7c46839c15f0f177fe1d5052302c0205", "versionType": "git" }, { "lessThan": "9febcc8bded8be0d7efd8237fcef599b6d93b788", "status": "affected", "version": "4136214f7c46839c15f0f177fe1d5052302c0205", "versionType": "git" }, { "lessThan": "4c2c372de2e108319236203cce6de44d70ae15cd", "status": "affected", "version": "4136214f7c46839c15f0f177fe1d5052302c0205", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/realtek/rtw88/coex.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix the \u0027para\u0027 buffer size to avoid reading out of bounds\n\nSet the size to 6 instead of 2, since \u0027para\u0027 array is passed to\n\u0027rtw_fw_bt_wifi_control(rtwdev, para[0], \u0026para[1])\u0027, which reads\n5 bytes:\n\nvoid rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)\n{\n ...\n SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);\n SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));\n ...\n SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));\n\nDetected using the static analysis tool - Svace." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:51.003Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1ee8ea6937d13b20f90ff35d71ccc03ba448182d" }, { "url": "https://git.kernel.org/stable/c/68a1037f0bac4de9a585aa9c879ef886109f3647" }, { "url": "https://git.kernel.org/stable/c/74e18211c2c89ab66c9546baa7408288db61aa0d" }, { "url": "https://git.kernel.org/stable/c/c13255389499275bc5489a0b5b7940ccea3aef04" }, { "url": "https://git.kernel.org/stable/c/9febcc8bded8be0d7efd8237fcef599b6d93b788" }, { "url": "https://git.kernel.org/stable/c/4c2c372de2e108319236203cce6de44d70ae15cd" } ], "title": "wifi: rtw88: fix the \u0027para\u0027 buffer size to avoid reading out of bounds", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38159", "datePublished": "2025-07-03T08:36:01.490Z", "dateReserved": "2025-04-16T04:51:23.990Z", "dateUpdated": "2025-07-28T04:13:51.003Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38168 (GCVE-0-2025-38168)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: arm-ni: Unregister PMUs on probe failure
When a resource allocation fails in one clock domain of an NI device,
we need to properly roll back all previously registered perf PMUs in
other clock domains of the same device.
Otherwise, it can lead to kernel panics.
Calling arm_ni_init+0x0/0xff8 [arm_ni] @ 2374
arm-ni ARMHCB70:00: Failed to request PMU region 0x1f3c13000
arm-ni ARMHCB70:00: probe with driver arm-ni failed with error -16
list_add corruption: next->prev should be prev (fffffd01e9698a18),
but was 0000000000000000. (next=ffff10001a0decc8).
pstate: 6340009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : list_add_valid_or_report+0x7c/0xb8
lr : list_add_valid_or_report+0x7c/0xb8
Call trace:
__list_add_valid_or_report+0x7c/0xb8
perf_pmu_register+0x22c/0x3a0
arm_ni_probe+0x554/0x70c [arm_ni]
platform_probe+0x70/0xe8
really_probe+0xc6/0x4d8
driver_probe_device+0x48/0x170
__driver_attach+0x8e/0x1c0
bus_for_each_dev+0x64/0xf0
driver_add+0x138/0x260
bus_add_driver+0x68/0x138
__platform_driver_register+0x2c/0x40
arm_ni_init+0x14/0x2a [arm_ni]
do_init_module+0x36/0x298
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops - BUG: Fatal exception
SMP: stopping secondary CPUs
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/perf/arm-ni.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7e958e116e3be05a1f869b5a885fc5d674c7725f", "status": "affected", "version": "4d5a7680f2b4d0c2955e1d9f9a594b050d637436", "versionType": "git" }, { "lessThan": "72caf9886e9c1731cf7bfe3eabc308b9268b21d6", "status": "affected", "version": "4d5a7680f2b4d0c2955e1d9f9a594b050d637436", "versionType": "git" }, { "lessThan": "7f57afde6a44d9e044885e1125034edd4fda02e8", "status": "affected", "version": "4d5a7680f2b4d0c2955e1d9f9a594b050d637436", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/perf/arm-ni.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.12" }, { "lessThan": "6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: arm-ni: Unregister PMUs on probe failure\n\nWhen a resource allocation fails in one clock domain of an NI device,\nwe need to properly roll back all previously registered perf PMUs in\nother clock domains of the same device.\n\nOtherwise, it can lead to kernel panics.\n\nCalling arm_ni_init+0x0/0xff8 [arm_ni] @ 2374\narm-ni ARMHCB70:00: Failed to request PMU region 0x1f3c13000\narm-ni ARMHCB70:00: probe with driver arm-ni failed with error -16\nlist_add corruption: next-\u003eprev should be prev (fffffd01e9698a18),\nbut was 0000000000000000. (next=ffff10001a0decc8).\npstate: 6340009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : list_add_valid_or_report+0x7c/0xb8\nlr : list_add_valid_or_report+0x7c/0xb8\nCall trace:\n __list_add_valid_or_report+0x7c/0xb8\n perf_pmu_register+0x22c/0x3a0\n arm_ni_probe+0x554/0x70c [arm_ni]\n platform_probe+0x70/0xe8\n really_probe+0xc6/0x4d8\n driver_probe_device+0x48/0x170\n __driver_attach+0x8e/0x1c0\n bus_for_each_dev+0x64/0xf0\n driver_add+0x138/0x260\n bus_add_driver+0x68/0x138\n __platform_driver_register+0x2c/0x40\n arm_ni_init+0x14/0x2a [arm_ni]\n do_init_module+0x36/0x298\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Oops - BUG: Fatal exception\nSMP: stopping secondary CPUs" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:14:03.385Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7e958e116e3be05a1f869b5a885fc5d674c7725f" }, { "url": "https://git.kernel.org/stable/c/72caf9886e9c1731cf7bfe3eabc308b9268b21d6" }, { "url": "https://git.kernel.org/stable/c/7f57afde6a44d9e044885e1125034edd4fda02e8" } ], "title": "perf: arm-ni: Unregister PMUs on probe failure", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38168", "datePublished": "2025-07-03T08:36:07.620Z", "dateReserved": "2025-04-16T04:51:23.991Z", "dateUpdated": "2025-07-28T04:14:03.385Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38127 (GCVE-0-2025-38127)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix Tx scheduler error handling in XDP callback
When the XDP program is loaded, the XDP callback adds new Tx queues.
This means that the callback must update the Tx scheduler with the new
queue number. In the event of a Tx scheduler failure, the XDP callback
should also fail and roll back any changes previously made for XDP
preparation.
The previous implementation had a bug that not all changes made by the
XDP callback were rolled back. This caused the crash with the following
call trace:
[ +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5
[ +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI
[ +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary)
[ +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022
[ +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]
[...]
[ +0.002715] Call Trace:
[ +0.002452] <IRQ>
[ +0.002021] ? __die_body.cold+0x19/0x29
[ +0.003922] ? die_addr+0x3c/0x60
[ +0.003319] ? exc_general_protection+0x17c/0x400
[ +0.004707] ? asm_exc_general_protection+0x26/0x30
[ +0.004879] ? __ice_update_sample+0x39/0xe0 [ice]
[ +0.004835] ice_napi_poll+0x665/0x680 [ice]
[ +0.004320] __napi_poll+0x28/0x190
[ +0.003500] net_rx_action+0x198/0x360
[ +0.003752] ? update_rq_clock+0x39/0x220
[ +0.004013] handle_softirqs+0xf1/0x340
[ +0.003840] ? sched_clock_cpu+0xf/0x1f0
[ +0.003925] __irq_exit_rcu+0xc2/0xe0
[ +0.003665] common_interrupt+0x85/0xa0
[ +0.003839] </IRQ>
[ +0.002098] <TASK>
[ +0.002106] asm_common_interrupt+0x26/0x40
[ +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690
Fix this by performing the missing unmapping of XDP queues from
q_vectors and setting the XDP rings pointer back to NULL after all those
queues are released.
Also, add an immediate exit from the XDP callback in case of ring
preparation failure.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/intel/ice/ice_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1d3c5d0dec6797eca3a861dab0816fa9505d9c3e", "status": "affected", "version": "efc2214b6047b6f5b4ca53151eba62521b9452d6", "versionType": "git" }, { "lessThan": "276849954d7cbe6eec827b21fe2df43f9bf07011", "status": "affected", "version": "efc2214b6047b6f5b4ca53151eba62521b9452d6", "versionType": "git" }, { "lessThan": "0e061abaad1498c5b76c10c594d4359ceb6b9145", "status": "affected", "version": "efc2214b6047b6f5b4ca53151eba62521b9452d6", "versionType": "git" }, { "lessThan": "0153f36041b8e52019ebfa8629c13bf8f9b0a951", "status": "affected", "version": "efc2214b6047b6f5b4ca53151eba62521b9452d6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/intel/ice/ice_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.5" }, { "lessThan": "5.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix Tx scheduler error handling in XDP callback\n\nWhen the XDP program is loaded, the XDP callback adds new Tx queues.\nThis means that the callback must update the Tx scheduler with the new\nqueue number. In the event of a Tx scheduler failure, the XDP callback\nshould also fail and roll back any changes previously made for XDP\npreparation.\n\nThe previous implementation had a bug that not all changes made by the\nXDP callback were rolled back. This caused the crash with the following\ncall trace:\n\n[ +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5\n[ +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI\n[ +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary)\n[ +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022\n[ +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]\n\n[...]\n\n[ +0.002715] Call Trace:\n[ +0.002452] \u003cIRQ\u003e\n[ +0.002021] ? __die_body.cold+0x19/0x29\n[ +0.003922] ? die_addr+0x3c/0x60\n[ +0.003319] ? exc_general_protection+0x17c/0x400\n[ +0.004707] ? asm_exc_general_protection+0x26/0x30\n[ +0.004879] ? __ice_update_sample+0x39/0xe0 [ice]\n[ +0.004835] ice_napi_poll+0x665/0x680 [ice]\n[ +0.004320] __napi_poll+0x28/0x190\n[ +0.003500] net_rx_action+0x198/0x360\n[ +0.003752] ? update_rq_clock+0x39/0x220\n[ +0.004013] handle_softirqs+0xf1/0x340\n[ +0.003840] ? sched_clock_cpu+0xf/0x1f0\n[ +0.003925] __irq_exit_rcu+0xc2/0xe0\n[ +0.003665] common_interrupt+0x85/0xa0\n[ +0.003839] \u003c/IRQ\u003e\n[ +0.002098] \u003cTASK\u003e\n[ +0.002106] asm_common_interrupt+0x26/0x40\n[ +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690\n\nFix this by performing the missing unmapping of XDP queues from\nq_vectors and setting the XDP rings pointer back to NULL after all those\nqueues are released.\nAlso, add an immediate exit from the XDP callback in case of ring\npreparation failure." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:54.977Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1d3c5d0dec6797eca3a861dab0816fa9505d9c3e" }, { "url": "https://git.kernel.org/stable/c/276849954d7cbe6eec827b21fe2df43f9bf07011" }, { "url": "https://git.kernel.org/stable/c/0e061abaad1498c5b76c10c594d4359ceb6b9145" }, { "url": "https://git.kernel.org/stable/c/0153f36041b8e52019ebfa8629c13bf8f9b0a951" } ], "title": "ice: fix Tx scheduler error handling in XDP callback", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38127", "datePublished": "2025-07-03T08:35:32.453Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:54.977Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38121 (GCVE-0-2025-38121)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: mld: avoid panic on init failure
In case of an error during init, in_hw_restart will be set, but it will
never get cleared.
Instead, we will retry to init again, and then we will act like we are in a
restart when we are actually not.
This causes (among others) to a NULL pointer dereference when canceling
rx_omi::finished_work, that was not even initialized, because we thought
that we are in hw_restart.
Set in_hw_restart to true only if the fw is running, then we know that
FW was loaded successfully and we are not going to the retry loop.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/mld/mld.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a26ec8e16958b6dd37dac9daf5fb6978fe0cb0b8", "status": "affected", "version": "7391b2a4f7dbb7be7dd763bc87506c10f570a8d3", "versionType": "git" }, { "lessThan": "960c7e6d388034d219dafffa6da0a5c2ccd5ff30", "status": "affected", "version": "7391b2a4f7dbb7be7dd763bc87506c10f570a8d3", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/mld/mld.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.14" }, { "lessThan": "6.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mld: avoid panic on init failure\n\nIn case of an error during init, in_hw_restart will be set, but it will\nnever get cleared.\nInstead, we will retry to init again, and then we will act like we are in a\nrestart when we are actually not.\n\nThis causes (among others) to a NULL pointer dereference when canceling\nrx_omi::finished_work, that was not even initialized, because we thought\nthat we are in hw_restart.\n\nSet in_hw_restart to true only if the fw is running, then we know that\nFW was loaded successfully and we are not going to the retry loop." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:41.142Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a26ec8e16958b6dd37dac9daf5fb6978fe0cb0b8" }, { "url": "https://git.kernel.org/stable/c/960c7e6d388034d219dafffa6da0a5c2ccd5ff30" } ], "title": "wifi: iwlwifi: mld: avoid panic on init failure", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38121", "datePublished": "2025-07-03T08:35:27.900Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:41.142Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38144 (GCVE-0-2025-38144)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
watchdog: lenovo_se30_wdt: Fix possible devm_ioremap() NULL pointer dereference in lenovo_se30_wdt_probe()
devm_ioremap() returns NULL on error. Currently, lenovo_se30_wdt_probe()
does not check for this case, which results in a NULL pointer
dereference.
Add NULL check after devm_ioremap() to prevent this issue.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/watchdog/lenovo_se30_wdt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "57f7a1da0ec06d8579accaf77762d0128d13e4af", "status": "affected", "version": "c284153a2c5537db4fec51ac850c17d2eb1ffcfe", "versionType": "git" }, { "lessThan": "a4e2401438a26131ecff9be6a3a1d4cbfea66f9a", "status": "affected", "version": "c284153a2c5537db4fec51ac850c17d2eb1ffcfe", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/watchdog/lenovo_se30_wdt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.15" }, { "lessThan": "6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatchdog: lenovo_se30_wdt: Fix possible devm_ioremap() NULL pointer dereference in lenovo_se30_wdt_probe()\n\ndevm_ioremap() returns NULL on error. Currently, lenovo_se30_wdt_probe()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nAdd NULL check after devm_ioremap() to prevent this issue." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:25.382Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/57f7a1da0ec06d8579accaf77762d0128d13e4af" }, { "url": "https://git.kernel.org/stable/c/a4e2401438a26131ecff9be6a3a1d4cbfea66f9a" } ], "title": "watchdog: lenovo_se30_wdt: Fix possible devm_ioremap() NULL pointer dereference in lenovo_se30_wdt_probe()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38144", "datePublished": "2025-07-03T08:35:45.584Z", "dateReserved": "2025-04-16T04:51:23.988Z", "dateUpdated": "2025-07-28T04:13:25.382Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38164 (GCVE-0-2025-38164)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: zone: fix to avoid inconsistence in between SIT and SSA
w/ below testcase, it will cause inconsistence in between SIT and SSA.
create_null_blk 512 2 1024 1024
mkfs.f2fs -m /dev/nullb0
mount /dev/nullb0 /mnt/f2fs/
touch /mnt/f2fs/file
f2fs_io pinfile set /mnt/f2fs/file
fallocate -l 4GiB /mnt/f2fs/file
F2FS-fs (nullb0): Inconsistent segment (0) type [1, 0] in SSA and SIT
CPU: 5 UID: 0 PID: 2398 Comm: fallocate Tainted: G O 6.13.0-rc1 #84
Tainted: [O]=OOT_MODULE
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Call Trace:
<TASK>
dump_stack_lvl+0xb3/0xd0
dump_stack+0x14/0x20
f2fs_handle_critical_error+0x18c/0x220 [f2fs]
f2fs_stop_checkpoint+0x38/0x50 [f2fs]
do_garbage_collect+0x674/0x6e0 [f2fs]
f2fs_gc_range+0x12b/0x230 [f2fs]
f2fs_allocate_pinning_section+0x5c/0x150 [f2fs]
f2fs_expand_inode_data+0x1cc/0x3c0 [f2fs]
f2fs_fallocate+0x3c3/0x410 [f2fs]
vfs_fallocate+0x15f/0x4b0
__x64_sys_fallocate+0x4a/0x80
x64_sys_call+0x15e8/0x1b80
do_syscall_64+0x68/0x130
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f9dba5197ca
F2FS-fs (nullb0): Stopped filesystem due to reason: 4
The reason is f2fs_gc_range() may try to migrate block in curseg, however,
its SSA block is not uptodate due to the last summary block data is still
in cache of curseg.
In this patch, we add a condition in f2fs_gc_range() to check whether
section is opened or not, and skip block migration for opened section.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/f2fs/gc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "44a51592ac657d8e422585414d7ec17a5b50fb0e", "status": "affected", "version": "9703d69d9d153bb230711d0d577454552aeb13d4", "versionType": "git" }, { "lessThan": "8d9431b0d11a5030aa1ce477defee455b3821701", "status": "affected", "version": "9703d69d9d153bb230711d0d577454552aeb13d4", "versionType": "git" }, { "lessThan": "773704c1ef96a8b70d0d186ab725f50548de82c4", "status": "affected", "version": "9703d69d9d153bb230711d0d577454552aeb13d4", "versionType": "git" }, { "status": "affected", "version": "40d76c393cca83938b11eb7ca8983aa3cd0ed69b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/f2fs/gc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.9" }, { "lessThan": "6.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: zone: fix to avoid inconsistence in between SIT and SSA\n\nw/ below testcase, it will cause inconsistence in between SIT and SSA.\n\ncreate_null_blk 512 2 1024 1024\nmkfs.f2fs -m /dev/nullb0\nmount /dev/nullb0 /mnt/f2fs/\ntouch /mnt/f2fs/file\nf2fs_io pinfile set /mnt/f2fs/file\nfallocate -l 4GiB /mnt/f2fs/file\n\nF2FS-fs (nullb0): Inconsistent segment (0) type [1, 0] in SSA and SIT\nCPU: 5 UID: 0 PID: 2398 Comm: fallocate Tainted: G O 6.13.0-rc1 #84\nTainted: [O]=OOT_MODULE\nHardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xb3/0xd0\n dump_stack+0x14/0x20\n f2fs_handle_critical_error+0x18c/0x220 [f2fs]\n f2fs_stop_checkpoint+0x38/0x50 [f2fs]\n do_garbage_collect+0x674/0x6e0 [f2fs]\n f2fs_gc_range+0x12b/0x230 [f2fs]\n f2fs_allocate_pinning_section+0x5c/0x150 [f2fs]\n f2fs_expand_inode_data+0x1cc/0x3c0 [f2fs]\n f2fs_fallocate+0x3c3/0x410 [f2fs]\n vfs_fallocate+0x15f/0x4b0\n __x64_sys_fallocate+0x4a/0x80\n x64_sys_call+0x15e8/0x1b80\n do_syscall_64+0x68/0x130\n entry_SYSCALL_64_after_hwframe+0x67/0x6f\nRIP: 0033:0x7f9dba5197ca\nF2FS-fs (nullb0): Stopped filesystem due to reason: 4\n\nThe reason is f2fs_gc_range() may try to migrate block in curseg, however,\nits SSA block is not uptodate due to the last summary block data is still\nin cache of curseg.\n\nIn this patch, we add a condition in f2fs_gc_range() to check whether\nsection is opened or not, and skip block migration for opened section." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:57.750Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/44a51592ac657d8e422585414d7ec17a5b50fb0e" }, { "url": "https://git.kernel.org/stable/c/8d9431b0d11a5030aa1ce477defee455b3821701" }, { "url": "https://git.kernel.org/stable/c/773704c1ef96a8b70d0d186ab725f50548de82c4" } ], "title": "f2fs: zone: fix to avoid inconsistence in between SIT and SSA", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38164", "datePublished": "2025-07-03T08:36:05.017Z", "dateReserved": "2025-04-16T04:51:23.991Z", "dateUpdated": "2025-07-28T04:13:57.750Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38156 (GCVE-0-2025-38156)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()
devm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init()
does not check for this case, which results in a NULL pointer
dereference.
Prevent null pointer dereference in mt7996_mmio_wed_init()
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/mediatek/mt76/mt7996/mmio.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1072fc0ca1f8d0d5397d24853386876f937b8e63", "status": "affected", "version": "83eafc9251d6d30574b629ac637c56d168fcbdd9", "versionType": "git" }, { "lessThan": "af861c6dea2ef06845a5c7672999a06c06099735", "status": "affected", "version": "83eafc9251d6d30574b629ac637c56d168fcbdd9", "versionType": "git" }, { "lessThan": "8f30e2b059757d8711a823e4c9c023db62a1d171", "status": "affected", "version": "83eafc9251d6d30574b629ac637c56d168fcbdd9", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/mediatek/mt76/mt7996/mmio.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()\n\ndevm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nPrevent null pointer dereference in mt7996_mmio_wed_init()" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:46.699Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1072fc0ca1f8d0d5397d24853386876f937b8e63" }, { "url": "https://git.kernel.org/stable/c/af861c6dea2ef06845a5c7672999a06c06099735" }, { "url": "https://git.kernel.org/stable/c/8f30e2b059757d8711a823e4c9c023db62a1d171" } ], "title": "wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38156", "datePublished": "2025-07-03T08:35:58.950Z", "dateReserved": "2025-04-16T04:51:23.990Z", "dateUpdated": "2025-07-28T04:13:46.699Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38119 (GCVE-0-2025-38119)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: core: ufs: Fix a hang in the error handler
ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter
function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because
resuming involves submitting a SCSI command and ufshcd_queuecommand()
returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this
hang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has
been called instead of before.
Backtrace:
__switch_to+0x174/0x338
__schedule+0x600/0x9e4
schedule+0x7c/0xe8
schedule_timeout+0xa4/0x1c8
io_schedule_timeout+0x48/0x70
wait_for_common_io+0xa8/0x160 //waiting on START_STOP
wait_for_completion_io_timeout+0x10/0x20
blk_execute_rq+0xe4/0x1e4
scsi_execute_cmd+0x108/0x244
ufshcd_set_dev_pwr_mode+0xe8/0x250
__ufshcd_wl_resume+0x94/0x354
ufshcd_wl_runtime_resume+0x3c/0x174
scsi_runtime_resume+0x64/0xa4
rpm_resume+0x15c/0xa1c
__pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing
ufshcd_err_handler+0x1a0/0xd08
process_one_work+0x174/0x808
worker_thread+0x15c/0x490
kthread+0xf4/0x1ec
ret_from_fork+0x10/0x20
[ bvanassche: rewrote patch description ]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 62694735ca95c74dac4eb9068d59801ac0ddebaf Version: 62694735ca95c74dac4eb9068d59801ac0ddebaf Version: 62694735ca95c74dac4eb9068d59801ac0ddebaf Version: 62694735ca95c74dac4eb9068d59801ac0ddebaf Version: 62694735ca95c74dac4eb9068d59801ac0ddebaf Version: 62694735ca95c74dac4eb9068d59801ac0ddebaf |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/ufs/core/ufshcd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f592eb12b43f21dbc972cbe583a12d256901e569", "status": "affected", "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf", "versionType": "git" }, { "lessThan": "ded80255c59a57cd3270d98461f6508730f9767c", "status": "affected", "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf", "versionType": "git" }, { "lessThan": "21f071261f946c5ca1adf378f818082a112b34d2", "status": "affected", "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf", "versionType": "git" }, { "lessThan": "3464a707d137efc8aea1d4ae234d26a28d82b78c", "status": "affected", "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf", "versionType": "git" }, { "lessThan": "bb37f795d01961286b8f768a6d7152f32b589067", "status": "affected", "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf", "versionType": "git" }, { "lessThan": "8a3514d348de87a9d5e2ac00fbac4faae0b97996", "status": "affected", "version": "62694735ca95c74dac4eb9068d59801ac0ddebaf", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/ufs/core/ufshcd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.12" }, { "lessThan": "3.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "3.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "3.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: ufs: Fix a hang in the error handler\n\nufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter\nfunction can only succeed if UFSHCD_EH_IN_PROGRESS is not set because\nresuming involves submitting a SCSI command and ufshcd_queuecommand()\nreturns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this\nhang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has\nbeen called instead of before.\n\nBacktrace:\n__switch_to+0x174/0x338\n__schedule+0x600/0x9e4\nschedule+0x7c/0xe8\nschedule_timeout+0xa4/0x1c8\nio_schedule_timeout+0x48/0x70\nwait_for_common_io+0xa8/0x160 //waiting on START_STOP\nwait_for_completion_io_timeout+0x10/0x20\nblk_execute_rq+0xe4/0x1e4\nscsi_execute_cmd+0x108/0x244\nufshcd_set_dev_pwr_mode+0xe8/0x250\n__ufshcd_wl_resume+0x94/0x354\nufshcd_wl_runtime_resume+0x3c/0x174\nscsi_runtime_resume+0x64/0xa4\nrpm_resume+0x15c/0xa1c\n__pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing\nufshcd_err_handler+0x1a0/0xd08\nprocess_one_work+0x174/0x808\nworker_thread+0x15c/0x490\nkthread+0xf4/0x1ec\nret_from_fork+0x10/0x20\n\n[ bvanassche: rewrote patch description ]" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:38.426Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f592eb12b43f21dbc972cbe583a12d256901e569" }, { "url": "https://git.kernel.org/stable/c/ded80255c59a57cd3270d98461f6508730f9767c" }, { "url": "https://git.kernel.org/stable/c/21f071261f946c5ca1adf378f818082a112b34d2" }, { "url": "https://git.kernel.org/stable/c/3464a707d137efc8aea1d4ae234d26a28d82b78c" }, { "url": "https://git.kernel.org/stable/c/bb37f795d01961286b8f768a6d7152f32b589067" }, { "url": "https://git.kernel.org/stable/c/8a3514d348de87a9d5e2ac00fbac4faae0b97996" } ], "title": "scsi: core: ufs: Fix a hang in the error handler", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38119", "datePublished": "2025-07-03T08:35:26.616Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:38.426Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38132 (GCVE-0-2025-38132)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: holding cscfg_csdev_lock while removing cscfg from csdev
There'll be possible race scenario for coresight config:
CPU0 CPU1
(perf enable) load module
cscfg_load_config_sets()
activate config. // sysfs
(sys_active_cnt == 1)
...
cscfg_csdev_enable_active_config()
lock(csdev->cscfg_csdev_lock)
deactivate config // sysfs
(sys_activec_cnt == 0)
cscfg_unload_config_sets()
<iterating config_csdev_list> cscfg_remove_owned_csdev_configs()
// here load config activate by CPU1
unlock(csdev->cscfg_csdev_lock)
iterating config_csdev_list could be raced with config_csdev_list's
entry delete.
To resolve this race , hold csdev->cscfg_csdev_lock() while
cscfg_remove_owned_csdev_configs()
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hwtracing/coresight/coresight-syscfg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "42f8afb0b161631fd1d814d017f75f955475ad41", "status": "affected", "version": "02bd588e12df405bdf55244708151b7f238b79ba", "versionType": "git" }, { "lessThan": "53b9e2659719b04f5ba7593f2af0f2335f75e94a", "status": "affected", "version": "02bd588e12df405bdf55244708151b7f238b79ba", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hwtracing/coresight/coresight-syscfg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.17" }, { "lessThan": "5.17", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.17", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: holding cscfg_csdev_lock while removing cscfg from csdev\n\nThere\u0027ll be possible race scenario for coresight config:\n\nCPU0 CPU1\n(perf enable) load module\n cscfg_load_config_sets()\n activate config. // sysfs\n (sys_active_cnt == 1)\n...\ncscfg_csdev_enable_active_config()\n lock(csdev-\u003ecscfg_csdev_lock)\n deactivate config // sysfs\n (sys_activec_cnt == 0)\n cscfg_unload_config_sets()\n \u003citerating config_csdev_list\u003e cscfg_remove_owned_csdev_configs()\n // here load config activate by CPU1\n unlock(csdev-\u003ecscfg_csdev_lock)\n\niterating config_csdev_list could be raced with config_csdev_list\u0027s\nentry delete.\n\nTo resolve this race , hold csdev-\u003ecscfg_csdev_lock() while\ncscfg_remove_owned_csdev_configs()" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:02.340Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/42f8afb0b161631fd1d814d017f75f955475ad41" }, { "url": "https://git.kernel.org/stable/c/53b9e2659719b04f5ba7593f2af0f2335f75e94a" } ], "title": "coresight: holding cscfg_csdev_lock while removing cscfg from csdev", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38132", "datePublished": "2025-07-03T08:35:35.695Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:02.340Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38118 (GCVE-0-2025-38118)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to
avoid crashes like bellow:
==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406
Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341
CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406
hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 5987:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252
mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
sock_write_iter+0x258/0x330 net/socket.c:1131
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x548/0xa90 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5989:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2380 [inline]
slab_free mm/slub.c:4642 [inline]
kfree+0x18e/0x440 mm/slub.c:4841
mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242
mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
__sys_bind_socket net/socket.c:1810 [inline]
__sys_bind+0x2c3/0x3e0 net/socket.c:1841
__do_sys_bind net/socket.c:1846 [inline]
__se_sys_bind net/socket.c:1844 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1844
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 66bd095ab5d408af106808cce302406542f70f65 Version: 66bd095ab5d408af106808cce302406542f70f65 Version: 66bd095ab5d408af106808cce302406542f70f65 Version: 66bd095ab5d408af106808cce302406542f70f65 Version: 66bd095ab5d408af106808cce302406542f70f65 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/net/bluetooth/hci_core.h", "net/bluetooth/hci_core.c", "net/bluetooth/mgmt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3c9aba9cbdf163e2654be9f82d43ff8a04273962", "status": "affected", "version": "66bd095ab5d408af106808cce302406542f70f65", "versionType": "git" }, { "lessThan": "9f66b6531c2b4e996bb61720ee94adb4b2e8d1be", "status": "affected", "version": "66bd095ab5d408af106808cce302406542f70f65", "versionType": "git" }, { "lessThan": "9df3e5e7f7e4653fd9802878cedc36defc5ef42d", "status": "affected", "version": "66bd095ab5d408af106808cce302406542f70f65", "versionType": "git" }, { "lessThan": "32aa2fbe319f33b0318ec6f4fceb63879771a286", "status": "affected", "version": "66bd095ab5d408af106808cce302406542f70f65", "versionType": "git" }, { "lessThan": "e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c", "status": "affected", "version": "66bd095ab5d408af106808cce302406542f70f65", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/net/bluetooth/hci_core.h", "net/bluetooth/hci_core.c", "net/bluetooth/mgmt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.12" }, { "lessThan": "5.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete\n\nThis reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to\navoid crashes like bellow:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406\nRead of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341\n\nCPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: hci0 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xd2/0x2b0 mm/kasan/report.c:521\n kasan_report+0x118/0x150 mm/kasan/report.c:634\n mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406\n hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334\n process_one_work kernel/workqueue.c:3238 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402\n kthread+0x711/0x8a0 kernel/kthread.c:464\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 5987:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252\n mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279\n remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:727\n sock_write_iter+0x258/0x330 net/socket.c:1131\n new_sync_write fs/read_write.c:593 [inline]\n vfs_write+0x548/0xa90 fs/read_write.c:686\n ksys_write+0x145/0x250 fs/read_write.c:738\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 5989:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2380 [inline]\n slab_free mm/slub.c:4642 [inline]\n kfree+0x18e/0x440 mm/slub.c:4841\n mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242\n mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366\n hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314\n __sys_bind_socket net/socket.c:1810 [inline]\n __sys_bind+0x2c3/0x3e0 net/socket.c:1841\n __do_sys_bind net/socket.c:1846 [inline]\n __se_sys_bind net/socket.c:1844 [inline]\n __x64_sys_bind+0x7a/0x90 net/socket.c:1844\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:36.952Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3c9aba9cbdf163e2654be9f82d43ff8a04273962" }, { "url": "https://git.kernel.org/stable/c/9f66b6531c2b4e996bb61720ee94adb4b2e8d1be" }, { "url": "https://git.kernel.org/stable/c/9df3e5e7f7e4653fd9802878cedc36defc5ef42d" }, { "url": "https://git.kernel.org/stable/c/32aa2fbe319f33b0318ec6f4fceb63879771a286" }, { "url": "https://git.kernel.org/stable/c/e6ed54e86aae9e4f7286ce8d5c73780f91b48d1c" } ], "title": "Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38118", "datePublished": "2025-07-03T08:35:25.992Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:36.952Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38145 (GCVE-0-2025-38145)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
devm_kasprintf() returns NULL when memory allocation fails. Currently,
aspeed_lpc_enable_snoop() does not check for this case, which results in a
NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
[arj: Fix Fixes: tag to use subject from 3772e5da4454]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 3772e5da445420543b25825ac2b5971f3743f6e8 Version: 3772e5da445420543b25825ac2b5971f3743f6e8 Version: 3772e5da445420543b25825ac2b5971f3743f6e8 Version: 3772e5da445420543b25825ac2b5971f3743f6e8 Version: 3772e5da445420543b25825ac2b5971f3743f6e8 Version: 3772e5da445420543b25825ac2b5971f3743f6e8 Version: 3772e5da445420543b25825ac2b5971f3743f6e8 Version: 3772e5da445420543b25825ac2b5971f3743f6e8 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/soc/aspeed/aspeed-lpc-snoop.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2beee9cf833374550e673d428ad8b6ab37c175b3", "status": "affected", "version": "3772e5da445420543b25825ac2b5971f3743f6e8", "versionType": "git" }, { "lessThan": "c550999f939b529d28a914d5034cc4290066aea6", "status": "affected", "version": "3772e5da445420543b25825ac2b5971f3743f6e8", "versionType": "git" }, { "lessThan": "1fd889c145722579aa038c31cbc07cfdd4d75166", "status": "affected", "version": "3772e5da445420543b25825ac2b5971f3743f6e8", "versionType": "git" }, { "lessThan": "d62a589eaaec6385e3e2b25cf5a28b4560ace93f", "status": "affected", "version": "3772e5da445420543b25825ac2b5971f3743f6e8", "versionType": "git" }, { "lessThan": "8312b1f776f71979bf33bda7acc05b348e8792c7", "status": "affected", "version": "3772e5da445420543b25825ac2b5971f3743f6e8", "versionType": "git" }, { "lessThan": "f697ef117ecbf3a367dfc559a6a3589905956530", "status": "affected", "version": "3772e5da445420543b25825ac2b5971f3743f6e8", "versionType": "git" }, { "lessThan": "45b2e8b0fdd280aba04c3cc869e9ae500c44e4b7", "status": "affected", "version": "3772e5da445420543b25825ac2b5971f3743f6e8", "versionType": "git" }, { "lessThan": "f1706e0e1a74b095cbc60375b9b1e6205f5f4c98", "status": "affected", "version": "3772e5da445420543b25825ac2b5971f3743f6e8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/soc/aspeed/aspeed-lpc-snoop.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.19" }, { "lessThan": "4.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.19", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\naspeed_lpc_enable_snoop() does not check for this case, which results in a\nNULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue.\n\n[arj: Fix Fixes: tag to use subject from 3772e5da4454]" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:26.787Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2beee9cf833374550e673d428ad8b6ab37c175b3" }, { "url": "https://git.kernel.org/stable/c/c550999f939b529d28a914d5034cc4290066aea6" }, { "url": "https://git.kernel.org/stable/c/1fd889c145722579aa038c31cbc07cfdd4d75166" }, { "url": "https://git.kernel.org/stable/c/d62a589eaaec6385e3e2b25cf5a28b4560ace93f" }, { "url": "https://git.kernel.org/stable/c/8312b1f776f71979bf33bda7acc05b348e8792c7" }, { "url": "https://git.kernel.org/stable/c/f697ef117ecbf3a367dfc559a6a3589905956530" }, { "url": "https://git.kernel.org/stable/c/45b2e8b0fdd280aba04c3cc869e9ae500c44e4b7" }, { "url": "https://git.kernel.org/stable/c/f1706e0e1a74b095cbc60375b9b1e6205f5f4c98" } ], "title": "soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38145", "datePublished": "2025-07-03T08:35:51.566Z", "dateReserved": "2025-04-16T04:51:23.988Z", "dateUpdated": "2025-07-28T04:13:26.787Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38146 (GCVE-0-2025-38146)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: Fix the dead loop of MPLS parse
The unexpected MPLS packet may not end with the bottom label stack.
When there are many stacks, The label count value has wrapped around.
A dead loop occurs, soft lockup/CPU stuck finally.
stack backtrace:
UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26
index -1 is out of range for type '__be32 [3]'
CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu
Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021
Call Trace:
<IRQ>
show_stack+0x52/0x5c
dump_stack_lvl+0x4a/0x63
dump_stack+0x10/0x16
ubsan_epilogue+0x9/0x36
__ubsan_handle_out_of_bounds.cold+0x44/0x49
key_extract_l3l4+0x82a/0x840 [openvswitch]
? kfree_skbmem+0x52/0xa0
key_extract+0x9c/0x2b0 [openvswitch]
ovs_flow_key_extract+0x124/0x350 [openvswitch]
ovs_vport_receive+0x61/0xd0 [openvswitch]
? kernel_init_free_pages.part.0+0x4a/0x70
? get_page_from_freelist+0x353/0x540
netdev_port_receive+0xc4/0x180 [openvswitch]
? netdev_port_receive+0x180/0x180 [openvswitch]
netdev_frame_hook+0x1f/0x40 [openvswitch]
__netif_receive_skb_core.constprop.0+0x23a/0xf00
__netif_receive_skb_list_core+0xfa/0x240
netif_receive_skb_list_internal+0x18e/0x2a0
napi_complete_done+0x7a/0x1c0
bnxt_poll+0x155/0x1c0 [bnxt_en]
__napi_poll+0x30/0x180
net_rx_action+0x126/0x280
? bnxt_msix+0x67/0x80 [bnxt_en]
handle_softirqs+0xda/0x2d0
irq_exit_rcu+0x96/0xc0
common_interrupt+0x8e/0xa0
</IRQ>
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 Version: fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/openvswitch/flow.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4b9a086eedc1fddae632310386098c12155e3d0a", "status": "affected", "version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3", "versionType": "git" }, { "lessThan": "ad17eb86d042d72a59fd184ad1adf34f5eb36843", "status": "affected", "version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3", "versionType": "git" }, { "lessThan": "f26fe7c3002516dd3c288f1012786df31f4d89e0", "status": "affected", "version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3", "versionType": "git" }, { "lessThan": "8ebcd311b4866ab911d1445ead08690e67f0c488", "status": "affected", "version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3", "versionType": "git" }, { "lessThan": "69541e58323ec3e3904e1fa87a6213961b1f52f4", "status": "affected", "version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3", "versionType": "git" }, { "lessThan": "3c1906a3d50cb94fd0a10e97a1c0a40c0f033cb7", "status": "affected", "version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3", "versionType": "git" }, { "lessThan": "0bdc924bfb319fb10d1113cbf091fc26fb7b1f99", "status": "affected", "version": "fbdcdd78da7c95f1b970d371e1b23cbd3aa990f3", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/openvswitch/flow.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.5" }, { "lessThan": "5.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix the dead loop of MPLS parse\n\nThe unexpected MPLS packet may not end with the bottom label stack.\nWhen there are many stacks, The label count value has wrapped around.\nA dead loop occurs, soft lockup/CPU stuck finally.\n\nstack backtrace:\nUBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26\nindex -1 is out of range for type \u0027__be32 [3]\u0027\nCPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu\nHardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021\nCall Trace:\n \u003cIRQ\u003e\n show_stack+0x52/0x5c\n dump_stack_lvl+0x4a/0x63\n dump_stack+0x10/0x16\n ubsan_epilogue+0x9/0x36\n __ubsan_handle_out_of_bounds.cold+0x44/0x49\n key_extract_l3l4+0x82a/0x840 [openvswitch]\n ? kfree_skbmem+0x52/0xa0\n key_extract+0x9c/0x2b0 [openvswitch]\n ovs_flow_key_extract+0x124/0x350 [openvswitch]\n ovs_vport_receive+0x61/0xd0 [openvswitch]\n ? kernel_init_free_pages.part.0+0x4a/0x70\n ? get_page_from_freelist+0x353/0x540\n netdev_port_receive+0xc4/0x180 [openvswitch]\n ? netdev_port_receive+0x180/0x180 [openvswitch]\n netdev_frame_hook+0x1f/0x40 [openvswitch]\n __netif_receive_skb_core.constprop.0+0x23a/0xf00\n __netif_receive_skb_list_core+0xfa/0x240\n netif_receive_skb_list_internal+0x18e/0x2a0\n napi_complete_done+0x7a/0x1c0\n bnxt_poll+0x155/0x1c0 [bnxt_en]\n __napi_poll+0x30/0x180\n net_rx_action+0x126/0x280\n ? bnxt_msix+0x67/0x80 [bnxt_en]\n handle_softirqs+0xda/0x2d0\n irq_exit_rcu+0x96/0xc0\n common_interrupt+0x8e/0xa0\n \u003c/IRQ\u003e" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:28.266Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4b9a086eedc1fddae632310386098c12155e3d0a" }, { "url": "https://git.kernel.org/stable/c/ad17eb86d042d72a59fd184ad1adf34f5eb36843" }, { "url": "https://git.kernel.org/stable/c/f26fe7c3002516dd3c288f1012786df31f4d89e0" }, { "url": "https://git.kernel.org/stable/c/8ebcd311b4866ab911d1445ead08690e67f0c488" }, { "url": "https://git.kernel.org/stable/c/69541e58323ec3e3904e1fa87a6213961b1f52f4" }, { "url": "https://git.kernel.org/stable/c/3c1906a3d50cb94fd0a10e97a1c0a40c0f033cb7" }, { "url": "https://git.kernel.org/stable/c/0bdc924bfb319fb10d1113cbf091fc26fb7b1f99" } ], "title": "net: openvswitch: Fix the dead loop of MPLS parse", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38146", "datePublished": "2025-07-03T08:35:52.230Z", "dateReserved": "2025-04-16T04:51:23.988Z", "dateUpdated": "2025-07-28T04:13:28.266Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38112 (GCVE-0-2025-38112)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: Fix TOCTOU issue in sk_is_readable()
sk->sk_prot->sock_is_readable is a valid function pointer when sk resides
in a sockmap. After the last sk_psock_put() (which usually happens when
socket is removed from sockmap), sk->sk_prot gets restored and
sk->sk_prot->sock_is_readable becomes NULL.
This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded
after the initial check. Which in turn may lead to a null pointer
dereference.
Ensure the function pointer does not turn NULL after the check.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 Version: 8934ce2fd08171e8605f7fada91ee7619fe17ab8 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/net/sock.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c2b26638476baee154920bb587fc94ff1bf04336", "status": "affected", "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8", "versionType": "git" }, { "lessThan": "6fa68d7eab34d448a61aa24ea31e68b3231ed20d", "status": "affected", "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8", "versionType": "git" }, { "lessThan": "8926a7ef1977a832dd6bf702f1a99303dbf15b15", "status": "affected", "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8", "versionType": "git" }, { "lessThan": "ff55c85a923e043d59d26b20a673a1b4a219c310", "status": "affected", "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8", "versionType": "git" }, { "lessThan": "1e0de7582ceccbdbb227d4e0ddf65732f92526da", "status": "affected", "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8", "versionType": "git" }, { "lessThan": "1b367ba2f94251822577daed031d6b9a9e11ba91", "status": "affected", "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8", "versionType": "git" }, { "lessThan": "2660a544fdc0940bba15f70508a46cf9a6491230", "status": "affected", "version": "8934ce2fd08171e8605f7fada91ee7619fe17ab8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/net/sock.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.17" }, { "lessThan": "4.17", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.17", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Fix TOCTOU issue in sk_is_readable()\n\nsk-\u003esk_prot-\u003esock_is_readable is a valid function pointer when sk resides\nin a sockmap. After the last sk_psock_put() (which usually happens when\nsocket is removed from sockmap), sk-\u003esk_prot gets restored and\nsk-\u003esk_prot-\u003esock_is_readable becomes NULL.\n\nThis makes sk_is_readable() racy, if the value of sk-\u003esk_prot is reloaded\nafter the initial check. Which in turn may lead to a null pointer\ndereference.\n\nEnsure the function pointer does not turn NULL after the check." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:29.484Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c2b26638476baee154920bb587fc94ff1bf04336" }, { "url": "https://git.kernel.org/stable/c/6fa68d7eab34d448a61aa24ea31e68b3231ed20d" }, { "url": "https://git.kernel.org/stable/c/8926a7ef1977a832dd6bf702f1a99303dbf15b15" }, { "url": "https://git.kernel.org/stable/c/ff55c85a923e043d59d26b20a673a1b4a219c310" }, { "url": "https://git.kernel.org/stable/c/1e0de7582ceccbdbb227d4e0ddf65732f92526da" }, { "url": "https://git.kernel.org/stable/c/1b367ba2f94251822577daed031d6b9a9e11ba91" }, { "url": "https://git.kernel.org/stable/c/2660a544fdc0940bba15f70508a46cf9a6491230" } ], "title": "net: Fix TOCTOU issue in sk_is_readable()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38112", "datePublished": "2025-07-03T08:35:21.276Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:29.484Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38106 (GCVE-0-2025-38106)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()
syzbot reports:
BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60
Read of size 8 at addr ffff88810de2d2c8 by task a.out/304
CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x53/0x70
print_report+0xd0/0x670
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? getrusage+0x1109/0x1a60
kasan_report+0xce/0x100
? getrusage+0x1109/0x1a60
getrusage+0x1109/0x1a60
? __pfx_getrusage+0x10/0x10
__io_uring_show_fdinfo+0x9fe/0x1790
? ksys_read+0xf7/0x1c0
? do_syscall_64+0xa4/0x260
? vsnprintf+0x591/0x1100
? __pfx___io_uring_show_fdinfo+0x10/0x10
? __pfx_vsnprintf+0x10/0x10
? mutex_trylock+0xcf/0x130
? __pfx_mutex_trylock+0x10/0x10
? __pfx_show_fd_locks+0x10/0x10
? io_uring_show_fdinfo+0x57/0x80
io_uring_show_fdinfo+0x57/0x80
seq_show+0x38c/0x690
seq_read_iter+0x3f7/0x1180
? inode_set_ctime_current+0x160/0x4b0
seq_read+0x271/0x3e0
? __pfx_seq_read+0x10/0x10
? __pfx__raw_spin_lock+0x10/0x10
? __mark_inode_dirty+0x402/0x810
? selinux_file_permission+0x368/0x500
? file_update_time+0x10f/0x160
vfs_read+0x177/0xa40
? __pfx___handle_mm_fault+0x10/0x10
? __pfx_vfs_read+0x10/0x10
? mutex_lock+0x81/0xe0
? __pfx_mutex_lock+0x10/0x10
? fdget_pos+0x24d/0x4b0
ksys_read+0xf7/0x1c0
? __pfx_ksys_read+0x10/0x10
? do_user_addr_fault+0x43b/0x9c0
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0f74170fc9
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8
RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9
RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004
RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90
R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Allocated by task 298:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x6e/0x70
kmem_cache_alloc_node_noprof+0xe8/0x330
copy_process+0x376/0x5e00
create_io_thread+0xab/0xf0
io_sq_offload_create+0x9ed/0xf20
io_uring_setup+0x12b0/0x1cc0
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 22:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x37/0x50
kmem_cache_free+0xc4/0x360
rcu_core+0x5ff/0x19f0
handle_softirqs+0x18c/0x530
run_ksoftirqd+0x20/0x30
smpboot_thread_fn+0x287/0x6c0
kthread+0x30d/0x630
ret_from_fork+0xef/0x1a0
ret_from_fork_asm+0x1a/0x30
Last potentially related work creation:
kasan_save_stack+0x33/0x60
kasan_record_aux_stack+0x8c/0xa0
__call_rcu_common.constprop.0+0x68/0x940
__schedule+0xff2/0x2930
__cond_resched+0x4c/0x80
mutex_lock+0x5c/0xe0
io_uring_del_tctx_node+0xe1/0x2b0
io_uring_clean_tctx+0xb7/0x160
io_uring_cancel_generic+0x34e/0x760
do_exit+0x240/0x2350
do_group_exit+0xab/0x220
__x64_sys_exit_group+0x39/0x40
x64_sys_call+0x1243/0x1840
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88810de2cb00
which belongs to the cache task_struct of size 3712
The buggy address is located 1992 bytes inside of
freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)
which is caused by the task_struct pointed to by sq->thread being
released while it is being used in the function
__io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent ehre
relase or exit of sq->thread.
Fix this by assigning and looking up ->thread under RCU, and grabbing a
reference to the task_struct. This e
---truncated---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "io_uring/fdinfo.c", "io_uring/sqpoll.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "af8c13f9ee040b9a287ba246cf0055f7c77b7cc8", "status": "affected", "version": "3fcb9d17206e31630f802a3ab52081d1342b8ed9", "versionType": "git" }, { "lessThan": "d0932758a0a77b38ba1b39564f3b7aba12407061", "status": "affected", "version": "3fcb9d17206e31630f802a3ab52081d1342b8ed9", "versionType": "git" }, { "lessThan": "ac0b8b327a5677dc6fecdf353d808161525b1ff0", "status": "affected", "version": "3fcb9d17206e31630f802a3ab52081d1342b8ed9", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "io_uring/fdinfo.c", "io_uring/sqpoll.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.9" }, { "lessThan": "6.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix use-after-free of sq-\u003ethread in __io_uring_show_fdinfo()\n\nsyzbot reports:\n\nBUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60\nRead of size 8 at addr ffff88810de2d2c8 by task a.out/304\n\nCPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary)\nHardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n print_report+0xd0/0x670\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? getrusage+0x1109/0x1a60\n kasan_report+0xce/0x100\n ? getrusage+0x1109/0x1a60\n getrusage+0x1109/0x1a60\n ? __pfx_getrusage+0x10/0x10\n __io_uring_show_fdinfo+0x9fe/0x1790\n ? ksys_read+0xf7/0x1c0\n ? do_syscall_64+0xa4/0x260\n ? vsnprintf+0x591/0x1100\n ? __pfx___io_uring_show_fdinfo+0x10/0x10\n ? __pfx_vsnprintf+0x10/0x10\n ? mutex_trylock+0xcf/0x130\n ? __pfx_mutex_trylock+0x10/0x10\n ? __pfx_show_fd_locks+0x10/0x10\n ? io_uring_show_fdinfo+0x57/0x80\n io_uring_show_fdinfo+0x57/0x80\n seq_show+0x38c/0x690\n seq_read_iter+0x3f7/0x1180\n ? inode_set_ctime_current+0x160/0x4b0\n seq_read+0x271/0x3e0\n ? __pfx_seq_read+0x10/0x10\n ? __pfx__raw_spin_lock+0x10/0x10\n ? __mark_inode_dirty+0x402/0x810\n ? selinux_file_permission+0x368/0x500\n ? file_update_time+0x10f/0x160\n vfs_read+0x177/0xa40\n ? __pfx___handle_mm_fault+0x10/0x10\n ? __pfx_vfs_read+0x10/0x10\n ? mutex_lock+0x81/0xe0\n ? __pfx_mutex_lock+0x10/0x10\n ? fdget_pos+0x24d/0x4b0\n ksys_read+0xf7/0x1c0\n ? __pfx_ksys_read+0x10/0x10\n ? do_user_addr_fault+0x43b/0x9c0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f0f74170fc9\nCode: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 8\nRSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9\nRDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004\nRBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90\nR10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAllocated by task 298:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_slab_alloc+0x6e/0x70\n kmem_cache_alloc_node_noprof+0xe8/0x330\n copy_process+0x376/0x5e00\n create_io_thread+0xab/0xf0\n io_sq_offload_create+0x9ed/0xf20\n io_uring_setup+0x12b0/0x1cc0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 22:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x37/0x50\n kmem_cache_free+0xc4/0x360\n rcu_core+0x5ff/0x19f0\n handle_softirqs+0x18c/0x530\n run_ksoftirqd+0x20/0x30\n smpboot_thread_fn+0x287/0x6c0\n kthread+0x30d/0x630\n ret_from_fork+0xef/0x1a0\n ret_from_fork_asm+0x1a/0x30\n\nLast potentially related work creation:\n kasan_save_stack+0x33/0x60\n kasan_record_aux_stack+0x8c/0xa0\n __call_rcu_common.constprop.0+0x68/0x940\n __schedule+0xff2/0x2930\n __cond_resched+0x4c/0x80\n mutex_lock+0x5c/0xe0\n io_uring_del_tctx_node+0xe1/0x2b0\n io_uring_clean_tctx+0xb7/0x160\n io_uring_cancel_generic+0x34e/0x760\n do_exit+0x240/0x2350\n do_group_exit+0xab/0x220\n __x64_sys_exit_group+0x39/0x40\n x64_sys_call+0x1243/0x1840\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe buggy address belongs to the object at ffff88810de2cb00\n which belongs to the cache task_struct of size 3712\nThe buggy address is located 1992 bytes inside of\n freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)\n\nwhich is caused by the task_struct pointed to by sq-\u003ethread being\nreleased while it is being used in the function\n__io_uring_show_fdinfo(). Holding ctx-\u003euring_lock does not prevent ehre\nrelase or exit of sq-\u003ethread.\n\nFix this by assigning and looking up -\u003ethread under RCU, and grabbing a\nreference to the task_struct. This e\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:21.273Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/af8c13f9ee040b9a287ba246cf0055f7c77b7cc8" }, { "url": "https://git.kernel.org/stable/c/d0932758a0a77b38ba1b39564f3b7aba12407061" }, { "url": "https://git.kernel.org/stable/c/ac0b8b327a5677dc6fecdf353d808161525b1ff0" } ], "title": "io_uring: fix use-after-free of sq-\u003ethread in __io_uring_show_fdinfo()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38106", "datePublished": "2025-07-03T08:35:16.215Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:21.273Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38161 (GCVE-0-2025-38161)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
Upon RQ destruction if the firmware command fails which is the
last resource to be destroyed some SW resources were already cleaned
regardless of the failure.
Now properly rollback the object to its original state upon such failure.
In order to avoid a use-after free in case someone tries to destroy the
object again, which results in the following kernel trace:
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148
Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)
CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0xf4/0x148
lr : refcount_warn_saturate+0xf4/0x148
sp : ffff80008b81b7e0
x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001
x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00
x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000
x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006
x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f
x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78
x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90
x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff
x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600
Call trace:
refcount_warn_saturate+0xf4/0x148
mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]
mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]
mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]
ib_destroy_wq_user+0x30/0xc0 [ib_core]
uverbs_free_wq+0x28/0x58 [ib_uverbs]
destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]
uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]
__uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]
uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]
ib_uverbs_close+0x2c/0x100 [ib_uverbs]
__fput+0xd8/0x2f0
__fput_sync+0x50/0x70
__arm64_sys_close+0x40/0x90
invoke_syscall.constprop.0+0x74/0xd0
do_el0_svc+0x48/0xe8
el0_svc+0x44/0x1d0
el0t_64_sync_handler+0x120/0x130
el0t_64_sync+0x1a4/0x1a8
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e2013b212f9f201c71fc5826ce41f39ebece0852 Version: e2013b212f9f201c71fc5826ce41f39ebece0852 Version: e2013b212f9f201c71fc5826ce41f39ebece0852 Version: e2013b212f9f201c71fc5826ce41f39ebece0852 Version: e2013b212f9f201c71fc5826ce41f39ebece0852 Version: e2013b212f9f201c71fc5826ce41f39ebece0852 Version: e2013b212f9f201c71fc5826ce41f39ebece0852 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/mlx5/qpc.c", "include/linux/mlx5/driver.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "26d2f662d3a6655a82fd8a287e8b1ce471567f36", "status": "affected", "version": "e2013b212f9f201c71fc5826ce41f39ebece0852", "versionType": "git" }, { "lessThan": "f9784da76ad7be66230e829e743bdf68a2c49e56", "status": "affected", "version": "e2013b212f9f201c71fc5826ce41f39ebece0852", "versionType": "git" }, { "lessThan": "cf32affe6f3801cfb72a65e69c4bc7a8ee9be100", "status": "affected", "version": "e2013b212f9f201c71fc5826ce41f39ebece0852", "versionType": "git" }, { "lessThan": "7c4c84cdcc19e89d42f6bf117238e5471173423e", "status": "affected", "version": "e2013b212f9f201c71fc5826ce41f39ebece0852", "versionType": "git" }, { "lessThan": "50ac361ff8914133e3cf6ef184bac90c22cb8d79", "status": "affected", "version": "e2013b212f9f201c71fc5826ce41f39ebece0852", "versionType": "git" }, { "lessThan": "0a7790cbba654e925243571cf2f24d61603d3ed3", "status": "affected", "version": "e2013b212f9f201c71fc5826ce41f39ebece0852", "versionType": "git" }, { "lessThan": "5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6", "status": "affected", "version": "e2013b212f9f201c71fc5826ce41f39ebece0852", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/hw/mlx5/qpc.c", "include/linux/mlx5/driver.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.5" }, { "lessThan": "4.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix error flow upon firmware failure for RQ destruction\n\nUpon RQ destruction if the firmware command fails which is the\nlast resource to be destroyed some SW resources were already cleaned\nregardless of the failure.\n\nNow properly rollback the object to its original state upon such failure.\n\nIn order to avoid a use-after free in case someone tries to destroy the\nobject again, which results in the following kernel trace:\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148\nModules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)\nCPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : refcount_warn_saturate+0xf4/0x148\nlr : refcount_warn_saturate+0xf4/0x148\nsp : ffff80008b81b7e0\nx29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001\nx26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00\nx23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000\nx20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006\nx17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f\nx14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78\nx11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90\nx8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff\nx5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600\nCall trace:\n refcount_warn_saturate+0xf4/0x148\n mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]\n mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]\n mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]\n ib_destroy_wq_user+0x30/0xc0 [ib_core]\n uverbs_free_wq+0x28/0x58 [ib_uverbs]\n destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]\n uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]\n __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]\n uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]\n ib_uverbs_close+0x2c/0x100 [ib_uverbs]\n __fput+0xd8/0x2f0\n __fput_sync+0x50/0x70\n __arm64_sys_close+0x40/0x90\n invoke_syscall.constprop.0+0x74/0xd0\n do_el0_svc+0x48/0xe8\n el0_svc+0x44/0x1d0\n el0t_64_sync_handler+0x120/0x130\n el0t_64_sync+0x1a4/0x1a8" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:53.781Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/26d2f662d3a6655a82fd8a287e8b1ce471567f36" }, { "url": "https://git.kernel.org/stable/c/f9784da76ad7be66230e829e743bdf68a2c49e56" }, { "url": "https://git.kernel.org/stable/c/cf32affe6f3801cfb72a65e69c4bc7a8ee9be100" }, { "url": "https://git.kernel.org/stable/c/7c4c84cdcc19e89d42f6bf117238e5471173423e" }, { "url": "https://git.kernel.org/stable/c/50ac361ff8914133e3cf6ef184bac90c22cb8d79" }, { "url": "https://git.kernel.org/stable/c/0a7790cbba654e925243571cf2f24d61603d3ed3" }, { "url": "https://git.kernel.org/stable/c/5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6" } ], "title": "RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38161", "datePublished": "2025-07-03T08:36:03.087Z", "dateReserved": "2025-04-16T04:51:23.990Z", "dateUpdated": "2025-07-28T04:13:53.781Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38091 (GCVE-0-2025-38091)
Vulnerability from cvelistv5
Published
2025-07-02 14:43
Modified
2025-07-07 08:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: check stream id dml21 wrapper to get plane_id
[Why & How]
Fix a false positive warning which occurs due to lack of correct checks
when querying plane_id in DML21. This fixes the warning when performing a
mode1 reset (cat /sys/kernel/debug/dri/1/amdgpu_gpu_recover):
[ 35.751250] WARNING: CPU: 11 PID: 326 at /tmp/amd.PHpyAl7v/amd/amdgpu/../display/dc/dml2/dml2_dc_resource_mgmt.c:91 dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]
[ 35.751434] Modules linked in: amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_ttm_helper ttm drm_display_helper cec rc_core i2c_algo_bit rfcomm qrtr cmac algif_hash algif_skcipher af_alg bnep amd_atl intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi snd_hda_intel edac_mce_amd snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm_amd snd_hda_core snd_hwdep snd_pcm kvm snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul polyval_clmulni polyval_generic btusb ghash_clmulni_intel sha256_ssse3 btrtl sha1_ssse3 snd_seq btintel aesni_intel btbcm btmtk snd_seq_device crypto_simd sunrpc cryptd bluetooth snd_timer ccp binfmt_misc rapl snd i2c_piix4 wmi_bmof gigabyte_wmi k10temp i2c_smbus soundcore gpio_amdpt mac_hid sch_fq_codel msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul igc ahci xhci_pci libahci xhci_pci_renesas video wmi
[ 35.751501] CPU: 11 UID: 0 PID: 326 Comm: kworker/u64:9 Tainted: G OE 6.11.0-21-generic #21~24.04.1-Ubuntu
[ 35.751504] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 35.751505] Hardware name: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F30 05/22/2024
[ 35.751506] Workqueue: amdgpu-reset-dev amdgpu_debugfs_reset_work [amdgpu]
[ 35.751638] RIP: 0010:dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]
[ 35.751794] Code: 6d 0c 00 00 8b 84 24 88 00 00 00 41 3b 44 9c 20 0f 84 fc 07 00 00 48 83 c3 01 48 83 fb 06 75 b3 4c 8b 64 24 68 4c 8b 6c 24 40 <0f> 0b b8 06 00 00 00 49 8b 94 24 a0 49 00 00 89 c3 83 f8 07 0f 87
[ 35.751796] RSP: 0018:ffffbfa3805d7680 EFLAGS: 00010246
[ 35.751798] RAX: 0000000000010000 RBX: 0000000000000006 RCX: 0000000000000000
[ 35.751799] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000
[ 35.751800] RBP: ffffbfa3805d78f0 R08: 0000000000000000 R09: 0000000000000000
[ 35.751801] R10: 0000000000000000 R11: 0000000000000000 R12: ffffbfa383249000
[ 35.751802] R13: ffffa0e68f280000 R14: ffffbfa383249658 R15: 0000000000000000
[ 35.751803] FS: 0000000000000000(0000) GS:ffffa0edbe580000(0000) knlGS:0000000000000000
[ 35.751804] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.751805] CR2: 00005d847ef96c58 CR3: 000000041de3e000 CR4: 0000000000f50ef0
[ 35.751806] PKRU: 55555554
[ 35.751807] Call Trace:
[ 35.751810] <TASK>
[ 35.751816] ? show_regs+0x6c/0x80
[ 35.751820] ? __warn+0x88/0x140
[ 35.751822] ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]
[ 35.751964] ? report_bug+0x182/0x1b0
[ 35.751969] ? handle_bug+0x6e/0xb0
[ 35.751972] ? exc_invalid_op+0x18/0x80
[ 35.751974] ? asm_exc_invalid_op+0x1b/0x20
[ 35.751978] ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]
[ 35.752117] ? math_pow+0x48/0xa0 [amdgpu]
[ 35.752256] ? srso_alias_return_thunk+0x5/0xfbef5
[ 35.752260] ? math_pow+0x48/0xa0 [amdgpu]
[ 35.752400] ? srso_alias_return_thunk+0x5/0xfbef5
[ 35.752403] ? math_pow+0x11/0xa0 [amdgpu]
[ 35.752524] ? srso_alias_return_thunk+0x5/0xfbef5
[ 35.752526] ? core_dcn4_mode_programming+0xe4d/0x20d0 [amdgpu]
[ 35.752663] ? srso_alias_return_thunk+0x5/0xfbef5
[ 35.752669] dml21_validate+0x3d4/0x980 [amdgpu]
(cherry picked from commit f8ad62c0a93e5dd94243e10f1b742232e4d6411e)
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6f47d7408133631a1b178f8a04e79aee189ef046", "status": "affected", "version": "70839da6360500a82e4d5f78499284474cbed7c1", "versionType": "git" }, { "lessThan": "c53f23f7075c9f63f14d7ec8f2cc3e33e118d986", "status": "affected", "version": "70839da6360500a82e4d5f78499284474cbed7c1", "versionType": "git" }, { "lessThan": "2ddac70fed50485aa4ae49cdb7478ce41d8d4715", "status": "affected", "version": "70839da6360500a82e4d5f78499284474cbed7c1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.32", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.32", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.10", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "6.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: check stream id dml21 wrapper to get plane_id\n\n[Why \u0026 How]\nFix a false positive warning which occurs due to lack of correct checks\nwhen querying plane_id in DML21. This fixes the warning when performing a\nmode1 reset (cat /sys/kernel/debug/dri/1/amdgpu_gpu_recover):\n\n[ 35.751250] WARNING: CPU: 11 PID: 326 at /tmp/amd.PHpyAl7v/amd/amdgpu/../display/dc/dml2/dml2_dc_resource_mgmt.c:91 dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]\n[ 35.751434] Modules linked in: amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_ttm_helper ttm drm_display_helper cec rc_core i2c_algo_bit rfcomm qrtr cmac algif_hash algif_skcipher af_alg bnep amd_atl intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi snd_hda_intel edac_mce_amd snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm_amd snd_hda_core snd_hwdep snd_pcm kvm snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul polyval_clmulni polyval_generic btusb ghash_clmulni_intel sha256_ssse3 btrtl sha1_ssse3 snd_seq btintel aesni_intel btbcm btmtk snd_seq_device crypto_simd sunrpc cryptd bluetooth snd_timer ccp binfmt_misc rapl snd i2c_piix4 wmi_bmof gigabyte_wmi k10temp i2c_smbus soundcore gpio_amdpt mac_hid sch_fq_codel msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul igc ahci xhci_pci libahci xhci_pci_renesas video wmi\n[ 35.751501] CPU: 11 UID: 0 PID: 326 Comm: kworker/u64:9 Tainted: G OE 6.11.0-21-generic #21~24.04.1-Ubuntu\n[ 35.751504] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n[ 35.751505] Hardware name: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F30 05/22/2024\n[ 35.751506] Workqueue: amdgpu-reset-dev amdgpu_debugfs_reset_work [amdgpu]\n[ 35.751638] RIP: 0010:dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]\n[ 35.751794] Code: 6d 0c 00 00 8b 84 24 88 00 00 00 41 3b 44 9c 20 0f 84 fc 07 00 00 48 83 c3 01 48 83 fb 06 75 b3 4c 8b 64 24 68 4c 8b 6c 24 40 \u003c0f\u003e 0b b8 06 00 00 00 49 8b 94 24 a0 49 00 00 89 c3 83 f8 07 0f 87\n[ 35.751796] RSP: 0018:ffffbfa3805d7680 EFLAGS: 00010246\n[ 35.751798] RAX: 0000000000010000 RBX: 0000000000000006 RCX: 0000000000000000\n[ 35.751799] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000\n[ 35.751800] RBP: ffffbfa3805d78f0 R08: 0000000000000000 R09: 0000000000000000\n[ 35.751801] R10: 0000000000000000 R11: 0000000000000000 R12: ffffbfa383249000\n[ 35.751802] R13: ffffa0e68f280000 R14: ffffbfa383249658 R15: 0000000000000000\n[ 35.751803] FS: 0000000000000000(0000) GS:ffffa0edbe580000(0000) knlGS:0000000000000000\n[ 35.751804] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 35.751805] CR2: 00005d847ef96c58 CR3: 000000041de3e000 CR4: 0000000000f50ef0\n[ 35.751806] PKRU: 55555554\n[ 35.751807] Call Trace:\n[ 35.751810] \u003cTASK\u003e\n[ 35.751816] ? show_regs+0x6c/0x80\n[ 35.751820] ? __warn+0x88/0x140\n[ 35.751822] ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]\n[ 35.751964] ? report_bug+0x182/0x1b0\n[ 35.751969] ? handle_bug+0x6e/0xb0\n[ 35.751972] ? exc_invalid_op+0x18/0x80\n[ 35.751974] ? asm_exc_invalid_op+0x1b/0x20\n[ 35.751978] ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu]\n[ 35.752117] ? math_pow+0x48/0xa0 [amdgpu]\n[ 35.752256] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 35.752260] ? math_pow+0x48/0xa0 [amdgpu]\n[ 35.752400] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 35.752403] ? math_pow+0x11/0xa0 [amdgpu]\n[ 35.752524] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 35.752526] ? core_dcn4_mode_programming+0xe4d/0x20d0 [amdgpu]\n[ 35.752663] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 35.752669] dml21_validate+0x3d4/0x980 [amdgpu]\n\n(cherry picked from commit f8ad62c0a93e5dd94243e10f1b742232e4d6411e)" } ], "providerMetadata": { "dateUpdated": "2025-07-07T08:45:54.144Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6f47d7408133631a1b178f8a04e79aee189ef046" }, { "url": "https://git.kernel.org/stable/c/c53f23f7075c9f63f14d7ec8f2cc3e33e118d986" }, { "url": "https://git.kernel.org/stable/c/2ddac70fed50485aa4ae49cdb7478ce41d8d4715" } ], "title": "drm/amd/display: check stream id dml21 wrapper to get plane_id", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38091", "datePublished": "2025-07-02T14:43:30.118Z", "dateReserved": "2025-04-16T04:51:23.982Z", "dateUpdated": "2025-07-07T08:45:54.144Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38166 (GCVE-0-2025-38166)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: fix ktls panic with sockmap
[ 2172.936997] ------------[ cut here ]------------
[ 2172.936999] kernel BUG at lib/iov_iter.c:629!
......
[ 2172.944996] PKRU: 55555554
[ 2172.945155] Call Trace:
[ 2172.945299] <TASK>
[ 2172.945428] ? die+0x36/0x90
[ 2172.945601] ? do_trap+0xdd/0x100
[ 2172.945795] ? iov_iter_revert+0x178/0x180
[ 2172.946031] ? iov_iter_revert+0x178/0x180
[ 2172.946267] ? do_error_trap+0x7d/0x110
[ 2172.946499] ? iov_iter_revert+0x178/0x180
[ 2172.946736] ? exc_invalid_op+0x50/0x70
[ 2172.946961] ? iov_iter_revert+0x178/0x180
[ 2172.947197] ? asm_exc_invalid_op+0x1a/0x20
[ 2172.947446] ? iov_iter_revert+0x178/0x180
[ 2172.947683] ? iov_iter_revert+0x5c/0x180
[ 2172.947913] tls_sw_sendmsg_locked.isra.0+0x794/0x840
[ 2172.948206] tls_sw_sendmsg+0x52/0x80
[ 2172.948420] ? inet_sendmsg+0x1f/0x70
[ 2172.948634] __sys_sendto+0x1cd/0x200
[ 2172.948848] ? find_held_lock+0x2b/0x80
[ 2172.949072] ? syscall_trace_enter+0x140/0x270
[ 2172.949330] ? __lock_release.isra.0+0x5e/0x170
[ 2172.949595] ? find_held_lock+0x2b/0x80
[ 2172.949817] ? syscall_trace_enter+0x140/0x270
[ 2172.950211] ? lockdep_hardirqs_on_prepare+0xda/0x190
[ 2172.950632] ? ktime_get_coarse_real_ts64+0xc2/0xd0
[ 2172.951036] __x64_sys_sendto+0x24/0x30
[ 2172.951382] do_syscall_64+0x90/0x170
......
After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase,
e.g., when the BPF program executes bpf_msg_push_data().
If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes,
it will return -ENOSPC and attempt to roll back to the non-zero copy
logic. However, during rollback, msg->msg_iter is reset, but since
msg_pl->sg.size has been increased, subsequent executions will exceed the
actual size of msg_iter.
'''
iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size);
'''
The changes in this commit are based on the following considerations:
1. When cork_bytes is set, rolling back to non-zero copy logic is
pointless and can directly go to zero-copy logic.
2. We can not calculate the correct number of bytes to revert msg_iter.
Assume the original data is "abcdefgh" (8 bytes), and after 3 pushes
by the BPF program, it becomes 11-byte data: "abc?de?fgh?".
Then, we set cork_bytes to 6, which means the first 6 bytes have been
processed, and the remaining 5 bytes "?fgh?" will be cached until the
length meets the cork_bytes requirement.
However, some data in "?fgh?" is not within 'sg->msg_iter'
(but in msg_pl instead), especially the data "?" we pushed.
So it doesn't seem as simple as just reverting through an offset of
msg_iter.
3. For non-TLS sockets in tcp_bpf_sendmsg, when a "cork" situation occurs,
the user-space send() doesn't return an error, and the returned length is
the same as the input length parameter, even if some data is cached.
Additionally, I saw that the current non-zero-copy logic for handling
corking is written as:
'''
line 1177
else if (ret != -EAGAIN) {
if (ret == -ENOSPC)
ret = 0;
goto send_end;
'''
So it's ok to just return 'copied' without error when a "cork" situation
occurs.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d3b18ad31f93d0b6bae105c679018a1ba7daa9ca Version: d3b18ad31f93d0b6bae105c679018a1ba7daa9ca Version: d3b18ad31f93d0b6bae105c679018a1ba7daa9ca Version: d3b18ad31f93d0b6bae105c679018a1ba7daa9ca Version: d3b18ad31f93d0b6bae105c679018a1ba7daa9ca |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/tls/tls_sw.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "328cac3f9f8ae394748485e769a527518a9137c8", "status": "affected", "version": "d3b18ad31f93d0b6bae105c679018a1ba7daa9ca", "versionType": "git" }, { "lessThan": "2e36a81d388ec9c3f78b6223f7eda2088cd40adb", "status": "affected", "version": "d3b18ad31f93d0b6bae105c679018a1ba7daa9ca", "versionType": "git" }, { "lessThan": "57fbbe29e86042bbaa31c1a30d2afa16c427e3f7", "status": "affected", "version": "d3b18ad31f93d0b6bae105c679018a1ba7daa9ca", "versionType": "git" }, { "lessThan": "603943f022a7fe5cc83ca7005faf34798fb7853f", "status": "affected", "version": "d3b18ad31f93d0b6bae105c679018a1ba7daa9ca", "versionType": "git" }, { "lessThan": "54a3ecaeeeae8176da8badbd7d72af1017032c39", "status": "affected", "version": "d3b18ad31f93d0b6bae105c679018a1ba7daa9ca", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/tls/tls_sw.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.20" }, { "lessThan": "4.20", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "4.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.20", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.20", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix ktls panic with sockmap\n\n[ 2172.936997] ------------[ cut here ]------------\n[ 2172.936999] kernel BUG at lib/iov_iter.c:629!\n......\n[ 2172.944996] PKRU: 55555554\n[ 2172.945155] Call Trace:\n[ 2172.945299] \u003cTASK\u003e\n[ 2172.945428] ? die+0x36/0x90\n[ 2172.945601] ? do_trap+0xdd/0x100\n[ 2172.945795] ? iov_iter_revert+0x178/0x180\n[ 2172.946031] ? iov_iter_revert+0x178/0x180\n[ 2172.946267] ? do_error_trap+0x7d/0x110\n[ 2172.946499] ? iov_iter_revert+0x178/0x180\n[ 2172.946736] ? exc_invalid_op+0x50/0x70\n[ 2172.946961] ? iov_iter_revert+0x178/0x180\n[ 2172.947197] ? asm_exc_invalid_op+0x1a/0x20\n[ 2172.947446] ? iov_iter_revert+0x178/0x180\n[ 2172.947683] ? iov_iter_revert+0x5c/0x180\n[ 2172.947913] tls_sw_sendmsg_locked.isra.0+0x794/0x840\n[ 2172.948206] tls_sw_sendmsg+0x52/0x80\n[ 2172.948420] ? inet_sendmsg+0x1f/0x70\n[ 2172.948634] __sys_sendto+0x1cd/0x200\n[ 2172.948848] ? find_held_lock+0x2b/0x80\n[ 2172.949072] ? syscall_trace_enter+0x140/0x270\n[ 2172.949330] ? __lock_release.isra.0+0x5e/0x170\n[ 2172.949595] ? find_held_lock+0x2b/0x80\n[ 2172.949817] ? syscall_trace_enter+0x140/0x270\n[ 2172.950211] ? lockdep_hardirqs_on_prepare+0xda/0x190\n[ 2172.950632] ? ktime_get_coarse_real_ts64+0xc2/0xd0\n[ 2172.951036] __x64_sys_sendto+0x24/0x30\n[ 2172.951382] do_syscall_64+0x90/0x170\n......\n\nAfter calling bpf_exec_tx_verdict(), the size of msg_pl-\u003esg may increase,\ne.g., when the BPF program executes bpf_msg_push_data().\n\nIf the BPF program sets cork_bytes and sg.size is smaller than cork_bytes,\nit will return -ENOSPC and attempt to roll back to the non-zero copy\nlogic. However, during rollback, msg-\u003emsg_iter is reset, but since\nmsg_pl-\u003esg.size has been increased, subsequent executions will exceed the\nactual size of msg_iter.\n\u0027\u0027\u0027\niov_iter_revert(\u0026msg-\u003emsg_iter, msg_pl-\u003esg.size - orig_size);\n\u0027\u0027\u0027\n\nThe changes in this commit are based on the following considerations:\n\n1. When cork_bytes is set, rolling back to non-zero copy logic is\npointless and can directly go to zero-copy logic.\n\n2. We can not calculate the correct number of bytes to revert msg_iter.\n\nAssume the original data is \"abcdefgh\" (8 bytes), and after 3 pushes\nby the BPF program, it becomes 11-byte data: \"abc?de?fgh?\".\nThen, we set cork_bytes to 6, which means the first 6 bytes have been\nprocessed, and the remaining 5 bytes \"?fgh?\" will be cached until the\nlength meets the cork_bytes requirement.\n\nHowever, some data in \"?fgh?\" is not within \u0027sg-\u003emsg_iter\u0027\n(but in msg_pl instead), especially the data \"?\" we pushed.\n\nSo it doesn\u0027t seem as simple as just reverting through an offset of\nmsg_iter.\n\n3. For non-TLS sockets in tcp_bpf_sendmsg, when a \"cork\" situation occurs,\nthe user-space send() doesn\u0027t return an error, and the returned length is\nthe same as the input length parameter, even if some data is cached.\n\nAdditionally, I saw that the current non-zero-copy logic for handling\ncorking is written as:\n\u0027\u0027\u0027\nline 1177\nelse if (ret != -EAGAIN) {\n\tif (ret == -ENOSPC)\n\t\tret = 0;\n\tgoto send_end;\n\u0027\u0027\u0027\n\nSo it\u0027s ok to just return \u0027copied\u0027 without error when a \"cork\" situation\noccurs." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:14:00.334Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/328cac3f9f8ae394748485e769a527518a9137c8" }, { "url": "https://git.kernel.org/stable/c/2e36a81d388ec9c3f78b6223f7eda2088cd40adb" }, { "url": "https://git.kernel.org/stable/c/57fbbe29e86042bbaa31c1a30d2afa16c427e3f7" }, { "url": "https://git.kernel.org/stable/c/603943f022a7fe5cc83ca7005faf34798fb7853f" }, { "url": "https://git.kernel.org/stable/c/54a3ecaeeeae8176da8badbd7d72af1017032c39" } ], "title": "bpf: fix ktls panic with sockmap", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38166", "datePublished": "2025-07-03T08:36:06.372Z", "dateReserved": "2025-04-16T04:51:23.991Z", "dateUpdated": "2025-07-28T04:14:00.334Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38113 (GCVE-0-2025-38113)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: CPPC: Fix NULL pointer dereference when nosmp is used
With nosmp in cmdline, other CPUs are not brought up, leaving
their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu()
dereferences these NULL pointers, causing panic.
Panic backtrace:
[ 0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8
...
[ 0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4
...
Kernel panic - not syncing: Attempted to kill init!
[ rjw: New subject ]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 3cc30dd00a580ca0c9c0b01639841cfd72d10129 Version: 3cc30dd00a580ca0c9c0b01639841cfd72d10129 Version: 3cc30dd00a580ca0c9c0b01639841cfd72d10129 Version: 3cc30dd00a580ca0c9c0b01639841cfd72d10129 Version: 3cc30dd00a580ca0c9c0b01639841cfd72d10129 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/acpi/cppc_acpi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "356d09c7f5bf525086002a34f8bae40b134d1611", "status": "affected", "version": "3cc30dd00a580ca0c9c0b01639841cfd72d10129", "versionType": "git" }, { "lessThan": "c6dad167aade4bf0bef9130f2f149f4249fc4ad0", "status": "affected", "version": "3cc30dd00a580ca0c9c0b01639841cfd72d10129", "versionType": "git" }, { "lessThan": "32a48db4cf28ea087214c261da8476db218d08bd", "status": "affected", "version": "3cc30dd00a580ca0c9c0b01639841cfd72d10129", "versionType": "git" }, { "lessThan": "1a677d0ceb4a5d62117b711a8b2e0aee80d33015", "status": "affected", "version": "3cc30dd00a580ca0c9c0b01639841cfd72d10129", "versionType": "git" }, { "lessThan": "15eece6c5b05e5f9db0711978c3e3b7f1a2cfe12", "status": "affected", "version": "3cc30dd00a580ca0c9c0b01639841cfd72d10129", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/acpi/cppc_acpi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.19", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Fix NULL pointer dereference when nosmp is used\n\nWith nosmp in cmdline, other CPUs are not brought up, leaving\ntheir cpc_desc_ptr NULL. CPU0\u0027s iteration via for_each_possible_cpu()\ndereferences these NULL pointers, causing panic.\n\nPanic backtrace:\n\n[ 0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8\n...\n[ 0.403255] [\u003cffffffff809a5818\u003e] cppc_allow_fast_switch+0x6a/0xd4\n...\nKernel panic - not syncing: Attempted to kill init!\n\n[ rjw: New subject ]" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:30.925Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/356d09c7f5bf525086002a34f8bae40b134d1611" }, { "url": "https://git.kernel.org/stable/c/c6dad167aade4bf0bef9130f2f149f4249fc4ad0" }, { "url": "https://git.kernel.org/stable/c/32a48db4cf28ea087214c261da8476db218d08bd" }, { "url": "https://git.kernel.org/stable/c/1a677d0ceb4a5d62117b711a8b2e0aee80d33015" }, { "url": "https://git.kernel.org/stable/c/15eece6c5b05e5f9db0711978c3e3b7f1a2cfe12" } ], "title": "ACPI: CPPC: Fix NULL pointer dereference when nosmp is used", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38113", "datePublished": "2025-07-03T08:35:22.207Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:30.925Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38093 (GCVE-0-2025-38093)
Vulnerability from cvelistv5
Published
2025-07-02 14:43
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: dts: qcom: x1e80100: Add GPU cooling
Unlike the CPU, the GPU does not throttle its speed automatically when it
reaches high temperatures. With certain high GPU loads it is possible to
reach the critical hardware shutdown temperature of 120°C, endangering the
hardware and making it impossible to run certain applications.
Set up GPU cooling similar to the ACPI tables, by throttling the GPU speed
when reaching 95°C and polling every 200ms.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arm64/boot/dts/qcom/x1e80100.dtsi" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "cd9d354bdd28b20a8f3170dab3bc0f096e66d6b4", "status": "affected", "version": "721e38301b79a6ee8375cb0ebd586699a7f353e3", "versionType": "git" }, { "lessThan": "ae664ca09072857349857530dce12e09c048b12d", "status": "affected", "version": "721e38301b79a6ee8375cb0ebd586699a7f353e3", "versionType": "git" }, { "lessThan": "d145a6a3e252f093dc243d2944fecb2387a3d690", "status": "affected", "version": "721e38301b79a6ee8375cb0ebd586699a7f353e3", "versionType": "git" }, { "lessThan": "5ba21fa11f473c9827f378ace8c9f983de9e0287", "status": "affected", "version": "721e38301b79a6ee8375cb0ebd586699a7f353e3", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arm64/boot/dts/qcom/x1e80100.dtsi" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.10", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.1", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.10", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.1", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: qcom: x1e80100: Add GPU cooling\n\nUnlike the CPU, the GPU does not throttle its speed automatically when it\nreaches high temperatures. With certain high GPU loads it is possible to\nreach the critical hardware shutdown temperature of 120\u00b0C, endangering the\nhardware and making it impossible to run certain applications.\n\nSet up GPU cooling similar to the ACPI tables, by throttling the GPU speed\nwhen reaching 95\u00b0C and polling every 200ms." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:07.474Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/cd9d354bdd28b20a8f3170dab3bc0f096e66d6b4" }, { "url": "https://git.kernel.org/stable/c/ae664ca09072857349857530dce12e09c048b12d" }, { "url": "https://git.kernel.org/stable/c/d145a6a3e252f093dc243d2944fecb2387a3d690" }, { "url": "https://git.kernel.org/stable/c/5ba21fa11f473c9827f378ace8c9f983de9e0287" } ], "title": "arm64: dts: qcom: x1e80100: Add GPU cooling", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38093", "datePublished": "2025-07-02T14:43:31.415Z", "dateReserved": "2025-04-16T04:51:23.984Z", "dateUpdated": "2025-07-28T04:12:07.474Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38171 (GCVE-0-2025-38171)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
power: supply: max77705: Fix workqueue error handling in probe
The create_singlethread_workqueue() doesn't return error pointers, it
returns NULL. Also cleanup the workqueue on the error paths.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/power/supply/max77705_charger.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7f16be2b2927fdcfe40b596b7411c46d23a82034", "status": "affected", "version": "a6a494c8e3ce1fe84aac538b087a4cab868ed83f", "versionType": "git" }, { "lessThan": "11741b8e382d34b13277497ab91123d8b0b5c2db", "status": "affected", "version": "a6a494c8e3ce1fe84aac538b087a4cab868ed83f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/power/supply/max77705_charger.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.15" }, { "lessThan": "6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: max77705: Fix workqueue error handling in probe\n\nThe create_singlethread_workqueue() doesn\u0027t return error pointers, it\nreturns NULL. Also cleanup the workqueue on the error paths." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:14:12.480Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7f16be2b2927fdcfe40b596b7411c46d23a82034" }, { "url": "https://git.kernel.org/stable/c/11741b8e382d34b13277497ab91123d8b0b5c2db" } ], "title": "power: supply: max77705: Fix workqueue error handling in probe", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38171", "datePublished": "2025-07-03T08:36:09.651Z", "dateReserved": "2025-04-16T04:51:23.991Z", "dateUpdated": "2025-07-28T04:14:12.480Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38102 (GCVE-0-2025-38102)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
During our test, it is found that a warning can be trigger in try_grab_folio
as follow:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130
Modules linked in:
CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)
RIP: 0010:try_grab_folio+0x106/0x130
Call Trace:
<TASK>
follow_huge_pmd+0x240/0x8e0
follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0
follow_pud_mask.constprop.0.isra.0+0x14a/0x170
follow_page_mask+0x1c2/0x1f0
__get_user_pages+0x176/0x950
__gup_longterm_locked+0x15b/0x1060
? gup_fast+0x120/0x1f0
gup_fast_fallback+0x17e/0x230
get_user_pages_fast+0x5f/0x80
vmci_host_unlocked_ioctl+0x21c/0xf80
RIP: 0033:0x54d2cd
---[ end trace 0000000000000000 ]---
Digging into the source, context->notify_page may init by get_user_pages_fast
and can be seen in vmci_ctx_unset_notify which will try to put_page. However
get_user_pages_fast is not finished here and lead to following
try_grab_folio warning. The race condition is shown as follow:
cpu0 cpu1
vmci_host_do_set_notify
vmci_host_setup_notify
get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);
lockless_pages_from_mm
gup_pgd_range
gup_huge_pmd // update &context->notify_page
vmci_host_do_set_notify
vmci_ctx_unset_notify
notify_page = context->notify_page;
if (notify_page)
put_page(notify_page); // page is freed
__gup_longterm_locked
__get_user_pages
follow_trans_huge_pmd
try_grab_folio // warn here
To slove this, use local variable page to make notify_page can be seen
after finish get_user_pages_fast.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc Version: a1d88436d53a75e950db15834b3d2f8c0c358fdc |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/misc/vmw_vmci/vmci_host.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "74095bbbb19ca74a0368d857603a2438c88ca86c", "status": "affected", "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "versionType": "git" }, { "lessThan": "468aec888f838ce5174b96e0cb4396790d6f60ca", "status": "affected", "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "versionType": "git" }, { "lessThan": "b4209e4b778e4e57d0636e1c9fc07a924dbc6043", "status": "affected", "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "versionType": "git" }, { "lessThan": "58a90db70aa6616411e5f69d1982d9b1dd97d774", "status": "affected", "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "versionType": "git" }, { "lessThan": "6e3af836805ed1d7a699f76ec798626198917aa4", "status": "affected", "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "versionType": "git" }, { "lessThan": "00ddc7dad55b7bbb78df80d6e174d0c4764dea0c", "status": "affected", "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "versionType": "git" }, { "lessThan": "75b5313c80c39a26d27cbb602f968a05576c36f9", "status": "affected", "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "versionType": "git" }, { "lessThan": "1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4", "status": "affected", "version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/misc/vmw_vmci/vmci_host.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.0" }, { "lessThan": "4.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.296", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.240", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.296", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.240", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify\n\nDuring our test, it is found that a warning can be trigger in try_grab_folio\nas follow:\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130\n Modules linked in:\n CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)\n RIP: 0010:try_grab_folio+0x106/0x130\n Call Trace:\n \u003cTASK\u003e\n follow_huge_pmd+0x240/0x8e0\n follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0\n follow_pud_mask.constprop.0.isra.0+0x14a/0x170\n follow_page_mask+0x1c2/0x1f0\n __get_user_pages+0x176/0x950\n __gup_longterm_locked+0x15b/0x1060\n ? gup_fast+0x120/0x1f0\n gup_fast_fallback+0x17e/0x230\n get_user_pages_fast+0x5f/0x80\n vmci_host_unlocked_ioctl+0x21c/0xf80\n RIP: 0033:0x54d2cd\n ---[ end trace 0000000000000000 ]---\n\nDigging into the source, context-\u003enotify_page may init by get_user_pages_fast\nand can be seen in vmci_ctx_unset_notify which will try to put_page. However\nget_user_pages_fast is not finished here and lead to following\ntry_grab_folio warning. The race condition is shown as follow:\n\ncpu0\t\t\tcpu1\nvmci_host_do_set_notify\nvmci_host_setup_notify\nget_user_pages_fast(uva, 1, FOLL_WRITE, \u0026context-\u003enotify_page);\nlockless_pages_from_mm\ngup_pgd_range\ngup_huge_pmd // update \u0026context-\u003enotify_page\n\t\t\tvmci_host_do_set_notify\n\t\t\tvmci_ctx_unset_notify\n\t\t\tnotify_page = context-\u003enotify_page;\n\t\t\tif (notify_page)\n\t\t\tput_page(notify_page);\t// page is freed\n__gup_longterm_locked\n__get_user_pages\nfollow_trans_huge_pmd\ntry_grab_folio // warn here\n\nTo slove this, use local variable page to make notify_page can be seen\nafter finish get_user_pages_fast." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:16.696Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/74095bbbb19ca74a0368d857603a2438c88ca86c" }, { "url": "https://git.kernel.org/stable/c/468aec888f838ce5174b96e0cb4396790d6f60ca" }, { "url": "https://git.kernel.org/stable/c/b4209e4b778e4e57d0636e1c9fc07a924dbc6043" }, { "url": "https://git.kernel.org/stable/c/58a90db70aa6616411e5f69d1982d9b1dd97d774" }, { "url": "https://git.kernel.org/stable/c/6e3af836805ed1d7a699f76ec798626198917aa4" }, { "url": "https://git.kernel.org/stable/c/00ddc7dad55b7bbb78df80d6e174d0c4764dea0c" }, { "url": "https://git.kernel.org/stable/c/75b5313c80c39a26d27cbb602f968a05576c36f9" }, { "url": "https://git.kernel.org/stable/c/1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4" } ], "title": "VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38102", "datePublished": "2025-07-03T08:35:12.255Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:16.696Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38092 (GCVE-0-2025-38092)
Vulnerability from cvelistv5
Published
2025-07-02 14:43
Modified
2025-07-07 08:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: use list_first_entry_or_null for opinfo_get_list()
The list_first_entry() macro never returns NULL. If the list is
empty then it returns an invalid pointer. Use list_first_entry_or_null()
to check if the list is empty.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/server/oplock.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c78abb646ff823e7d22faad4cc0703d4484da9e8", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "334da674b25fdb7a1a4d4b89dcd7795144fc7e11", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "cb7e06e9736d73007dc8dab7b353733bb37df86b", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" }, { "lessThan": "10379171f346e6f61d30d9949500a8de4336444a", "status": "affected", "version": "0626e6641f6b467447c81dd7678a69c66f7746cf", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/server/oplock.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.93", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.32", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.93", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.32", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.10", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "5.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: use list_first_entry_or_null for opinfo_get_list()\n\nThe list_first_entry() macro never returns NULL. If the list is\nempty then it returns an invalid pointer. Use list_first_entry_or_null()\nto check if the list is empty." } ], "providerMetadata": { "dateUpdated": "2025-07-07T08:45:56.120Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c78abb646ff823e7d22faad4cc0703d4484da9e8" }, { "url": "https://git.kernel.org/stable/c/334da674b25fdb7a1a4d4b89dcd7795144fc7e11" }, { "url": "https://git.kernel.org/stable/c/cb7e06e9736d73007dc8dab7b353733bb37df86b" }, { "url": "https://git.kernel.org/stable/c/10379171f346e6f61d30d9949500a8de4336444a" } ], "title": "ksmbd: use list_first_entry_or_null for opinfo_get_list()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38092", "datePublished": "2025-07-02T14:43:30.776Z", "dateReserved": "2025-04-16T04:51:23.983Z", "dateUpdated": "2025-07-07T08:45:56.120Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38154 (GCVE-0-2025-38154)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Avoid using sk_socket after free when sending
The sk->sk_socket is not locked or referenced in backlog thread, and
during the call to skb_send_sock(), there is a race condition with
the release of sk_socket. All types of sockets(tcp/udp/unix/vsock)
will be affected.
Race conditions:
'''
CPU0 CPU1
backlog::skb_send_sock
sendmsg_unlocked
sock_sendmsg
sock_sendmsg_nosec
close(fd):
...
ops->release() -> sock_map_close()
sk_socket->ops = NULL
free(socket)
sock->ops->sendmsg
^
panic here
'''
The ref of psock become 0 after sock_map_close() executed.
'''
void sock_map_close()
{
...
if (likely(psock)) {
...
// !! here we remove psock and the ref of psock become 0
sock_map_remove_links(sk, psock)
psock = sk_psock_get(sk);
if (unlikely(!psock))
goto no_psock; <=== Control jumps here via goto
...
cancel_delayed_work_sync(&psock->work); <=== not executed
sk_psock_put(sk, psock);
...
}
'''
Based on the fact that we already wait for the workqueue to finish in
sock_map_close() if psock is held, we simply increase the psock
reference count to avoid race conditions.
With this patch, if the backlog thread is running, sock_map_close() will
wait for the backlog thread to complete and cancel all pending work.
If no backlog running, any pending work that hasn't started by then will
fail when invoked by sk_psock_get(), as the psock reference count have
been zeroed, and sk_psock_drop() will cancel all jobs via
cancel_delayed_work_sync().
In summary, we require synchronization to coordinate the backlog thread
and close() thread.
The panic I catched:
'''
Workqueue: events sk_psock_backlog
RIP: 0010:sock_sendmsg+0x21d/0x440
RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001
...
Call Trace:
<TASK>
? die_addr+0x40/0xa0
? exc_general_protection+0x14c/0x230
? asm_exc_general_protection+0x26/0x30
? sock_sendmsg+0x21d/0x440
? sock_sendmsg+0x3e0/0x440
? __pfx_sock_sendmsg+0x10/0x10
__skb_send_sock+0x543/0xb70
sk_psock_backlog+0x247/0xb80
...
'''
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 4959ffc65a0e94f8acaac20deac49f89e6ded52d Version: 5eabdf17fed2ad41b836bb4055ec36d95e512c50 Version: e946428439a0d2079959f5603256ac51b6047017 Version: 4b4647add7d3c8530493f7247d11e257ee425bf0 Version: 4b4647add7d3c8530493f7247d11e257ee425bf0 Version: 4b4647add7d3c8530493f7247d11e257ee425bf0 Version: 3627605de498639a3c586c8684d12c89cba11073 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/core/skmsg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4edb40b05cb6a261775abfd8046804ca139a5546", "status": "affected", "version": "4959ffc65a0e94f8acaac20deac49f89e6ded52d", "versionType": "git" }, { "lessThan": "b19cbf0b9a91f5a0d93fbcd761ff71c48ab40ed9", "status": "affected", "version": "5eabdf17fed2ad41b836bb4055ec36d95e512c50", "versionType": "git" }, { "lessThan": "4c6fa65ab2aec7df94809478c8d28ef38676a1b7", "status": "affected", "version": "e946428439a0d2079959f5603256ac51b6047017", "versionType": "git" }, { "lessThan": "15c0250dae3b48a398447d2b364603821ed4ed90", "status": "affected", "version": "4b4647add7d3c8530493f7247d11e257ee425bf0", "versionType": "git" }, { "lessThan": "7c0a16f6ea2b1c82a03bccd5d1bdb4a7bbd4d987", "status": "affected", "version": "4b4647add7d3c8530493f7247d11e257ee425bf0", "versionType": "git" }, { "lessThan": "8259eb0e06d8f64c700f5fbdb28a5c18e10de291", "status": "affected", "version": "4b4647add7d3c8530493f7247d11e257ee425bf0", "versionType": "git" }, { "status": "affected", "version": "3627605de498639a3c586c8684d12c89cba11073", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/core/skmsg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.10" }, { "lessThan": "6.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.15.162", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "6.1.95", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.6.35", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Avoid using sk_socket after free when sending\n\nThe sk-\u003esk_socket is not locked or referenced in backlog thread, and\nduring the call to skb_send_sock(), there is a race condition with\nthe release of sk_socket. All types of sockets(tcp/udp/unix/vsock)\nwill be affected.\n\nRace conditions:\n\u0027\u0027\u0027\nCPU0 CPU1\n\nbacklog::skb_send_sock\n sendmsg_unlocked\n sock_sendmsg\n sock_sendmsg_nosec\n close(fd):\n ...\n ops-\u003erelease() -\u003e sock_map_close()\n sk_socket-\u003eops = NULL\n free(socket)\n sock-\u003eops-\u003esendmsg\n ^\n panic here\n\u0027\u0027\u0027\n\nThe ref of psock become 0 after sock_map_close() executed.\n\u0027\u0027\u0027\nvoid sock_map_close()\n{\n ...\n if (likely(psock)) {\n ...\n // !! here we remove psock and the ref of psock become 0\n sock_map_remove_links(sk, psock)\n psock = sk_psock_get(sk);\n if (unlikely(!psock))\n goto no_psock; \u003c=== Control jumps here via goto\n ...\n cancel_delayed_work_sync(\u0026psock-\u003ework); \u003c=== not executed\n sk_psock_put(sk, psock);\n ...\n}\n\u0027\u0027\u0027\n\nBased on the fact that we already wait for the workqueue to finish in\nsock_map_close() if psock is held, we simply increase the psock\nreference count to avoid race conditions.\n\nWith this patch, if the backlog thread is running, sock_map_close() will\nwait for the backlog thread to complete and cancel all pending work.\n\nIf no backlog running, any pending work that hasn\u0027t started by then will\nfail when invoked by sk_psock_get(), as the psock reference count have\nbeen zeroed, and sk_psock_drop() will cancel all jobs via\ncancel_delayed_work_sync().\n\nIn summary, we require synchronization to coordinate the backlog thread\nand close() thread.\n\nThe panic I catched:\n\u0027\u0027\u0027\nWorkqueue: events sk_psock_backlog\nRIP: 0010:sock_sendmsg+0x21d/0x440\nRAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001\n...\nCall Trace:\n \u003cTASK\u003e\n ? die_addr+0x40/0xa0\n ? exc_general_protection+0x14c/0x230\n ? asm_exc_general_protection+0x26/0x30\n ? sock_sendmsg+0x21d/0x440\n ? sock_sendmsg+0x3e0/0x440\n ? __pfx_sock_sendmsg+0x10/0x10\n __skb_send_sock+0x543/0xb70\n sk_psock_backlog+0x247/0xb80\n...\n\u0027\u0027\u0027" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:44.043Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4edb40b05cb6a261775abfd8046804ca139a5546" }, { "url": "https://git.kernel.org/stable/c/b19cbf0b9a91f5a0d93fbcd761ff71c48ab40ed9" }, { "url": "https://git.kernel.org/stable/c/4c6fa65ab2aec7df94809478c8d28ef38676a1b7" }, { "url": "https://git.kernel.org/stable/c/15c0250dae3b48a398447d2b364603821ed4ed90" }, { "url": "https://git.kernel.org/stable/c/7c0a16f6ea2b1c82a03bccd5d1bdb4a7bbd4d987" }, { "url": "https://git.kernel.org/stable/c/8259eb0e06d8f64c700f5fbdb28a5c18e10de291" } ], "title": "bpf, sockmap: Avoid using sk_socket after free when sending", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38154", "datePublished": "2025-07-03T08:35:57.188Z", "dateReserved": "2025-04-16T04:51:23.990Z", "dateUpdated": "2025-07-28T04:13:44.043Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38095 (GCVE-0-2025-38095)
Vulnerability from cvelistv5
Published
2025-07-03 07:44
Modified
2025-08-28 14:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dma-buf: insert memory barrier before updating num_fences
smp_store_mb() inserts memory barrier after storing operation.
It is different with what the comment is originally aiming so Null
pointer dereference can be happened if memory update is reordered.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 Version: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 Version: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 Version: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 Version: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 Version: a590d0fdbaa56f482ff515e1040b6d9b1b200d63 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/dma-buf/dma-resv.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "90eb79c4ed98a4e24a62ccf61c199ab0f680fa8f", "status": "affected", "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63", "versionType": "git" }, { "lessThan": "3becc659f9cb76b481ad1fb71f54d5c8d6332d3f", "status": "affected", "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63", "versionType": "git" }, { "lessThan": "c9d2b9a80d06a58f37e0dc8c827075639b443927", "status": "affected", "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63", "versionType": "git" }, { "lessThan": "fe1bebd0edb22e3536cbc920ec713331d1367ad4", "status": "affected", "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63", "versionType": "git" }, { "lessThan": "08680c4dadc6e736c75bc2409d833f03f9003c51", "status": "affected", "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63", "versionType": "git" }, { "lessThan": "72c7d62583ebce7baeb61acce6057c361f73be4a", "status": "affected", "version": "a590d0fdbaa56f482ff515e1040b6d9b1b200d63", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/dma-buf/dma-resv.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.0" }, { "lessThan": "5.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.140", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.92", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.30", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.140", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.92", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.30", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.8", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: insert memory barrier before updating num_fences\n\nsmp_store_mb() inserts memory barrier after storing operation.\nIt is different with what the comment is originally aiming so Null\npointer dereference can be happened if memory update is reordered." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:42:56.364Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/90eb79c4ed98a4e24a62ccf61c199ab0f680fa8f" }, { "url": "https://git.kernel.org/stable/c/3becc659f9cb76b481ad1fb71f54d5c8d6332d3f" }, { "url": "https://git.kernel.org/stable/c/c9d2b9a80d06a58f37e0dc8c827075639b443927" }, { "url": "https://git.kernel.org/stable/c/fe1bebd0edb22e3536cbc920ec713331d1367ad4" }, { "url": "https://git.kernel.org/stable/c/08680c4dadc6e736c75bc2409d833f03f9003c51" }, { "url": "https://git.kernel.org/stable/c/72c7d62583ebce7baeb61acce6057c361f73be4a" } ], "title": "dma-buf: insert memory barrier before updating num_fences", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38095", "datePublished": "2025-07-03T07:44:18.214Z", "dateReserved": "2025-04-16T04:51:23.984Z", "dateUpdated": "2025-08-28T14:42:56.364Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38143 (GCVE-0-2025-38143)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
backlight: pm8941: Add NULL check in wled_configure()
devm_kasprintf() returns NULL when memory allocation fails. Currently,
wled_configure() does not check for this case, which results in a NULL
pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f86b77583d88c8402e8d89a339d96f847318f8a8 Version: f86b77583d88c8402e8d89a339d96f847318f8a8 Version: f86b77583d88c8402e8d89a339d96f847318f8a8 Version: f86b77583d88c8402e8d89a339d96f847318f8a8 Version: f86b77583d88c8402e8d89a339d96f847318f8a8 Version: f86b77583d88c8402e8d89a339d96f847318f8a8 Version: f86b77583d88c8402e8d89a339d96f847318f8a8 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/video/backlight/qcom-wled.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6a56446595730a5e3f06a30902e23cb037d28146", "status": "affected", "version": "f86b77583d88c8402e8d89a339d96f847318f8a8", "versionType": "git" }, { "lessThan": "9d06ac32c202142da40904180f2669ed4f5073ac", "status": "affected", "version": "f86b77583d88c8402e8d89a339d96f847318f8a8", "versionType": "git" }, { "lessThan": "21528806560510458378ea52c37e35b0773afaea", "status": "affected", "version": "f86b77583d88c8402e8d89a339d96f847318f8a8", "versionType": "git" }, { "lessThan": "fde314445332015273c8f51d2659885c606fe135", "status": "affected", "version": "f86b77583d88c8402e8d89a339d96f847318f8a8", "versionType": "git" }, { "lessThan": "1be2000b703b02e149f8f2061054489f6c18c972", "status": "affected", "version": "f86b77583d88c8402e8d89a339d96f847318f8a8", "versionType": "git" }, { "lessThan": "4a715be3fe80b68fa55cb3569af3d294be101626", "status": "affected", "version": "f86b77583d88c8402e8d89a339d96f847318f8a8", "versionType": "git" }, { "lessThan": "e12d3e1624a02706cdd3628bbf5668827214fa33", "status": "affected", "version": "f86b77583d88c8402e8d89a339d96f847318f8a8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/video/backlight/qcom-wled.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.0" }, { "lessThan": "5.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: pm8941: Add NULL check in wled_configure()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nwled_configure() does not check for this case, which results in a NULL\npointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:23.772Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6a56446595730a5e3f06a30902e23cb037d28146" }, { "url": "https://git.kernel.org/stable/c/9d06ac32c202142da40904180f2669ed4f5073ac" }, { "url": "https://git.kernel.org/stable/c/21528806560510458378ea52c37e35b0773afaea" }, { "url": "https://git.kernel.org/stable/c/fde314445332015273c8f51d2659885c606fe135" }, { "url": "https://git.kernel.org/stable/c/1be2000b703b02e149f8f2061054489f6c18c972" }, { "url": "https://git.kernel.org/stable/c/4a715be3fe80b68fa55cb3569af3d294be101626" }, { "url": "https://git.kernel.org/stable/c/e12d3e1624a02706cdd3628bbf5668827214fa33" } ], "title": "backlight: pm8941: Add NULL check in wled_configure()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38143", "datePublished": "2025-07-03T08:35:44.224Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:23.772Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38100 (GCVE-0-2025-38100)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/iopl: Cure TIF_IO_BITMAP inconsistencies
io_bitmap_exit() is invoked from exit_thread() when a task exists or
when a fork fails. In the latter case the exit_thread() cleans up
resources which were allocated during fork().
io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up
in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the
current task. If current has TIF_IO_BITMAP set, but no bitmap installed,
tss_update_io_bitmap() crashes with a NULL pointer dereference.
There are two issues, which lead to that problem:
1) io_bitmap_exit() should not invoke task_update_io_bitmap() when
the task, which is cleaned up, is not the current task. That's a
clear indicator for a cleanup after a failed fork().
2) A task should not have TIF_IO_BITMAP set and neither a bitmap
installed nor IOPL emulation level 3 activated.
This happens when a kernel thread is created in the context of
a user space thread, which has TIF_IO_BITMAP set as the thread
flags are copied and the IO bitmap pointer is cleared.
Other than in the failed fork() case this has no impact because
kernel threads including IO workers never return to user space and
therefore never invoke tss_update_io_bitmap().
Cure this by adding the missing cleanups and checks:
1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if
the to be cleaned up task is not the current task.
2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user
space forks it is set later, when the IO bitmap is inherited in
io_bitmap_share().
For paranoia sake, add a warning into tss_update_io_bitmap() to catch
the case, when that code is invoked with inconsistent state.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 Version: ea5f1cd7ab494f65f50f338299eabb40ad6a1767 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/x86/kernel/ioport.c", "arch/x86/kernel/process.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d64b7b05a827f98d068f412969eef65489b0cf03", "status": "affected", "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767", "versionType": "git" }, { "lessThan": "2dace5e016c991424a3dc6e83b1ae5dca8992d08", "status": "affected", "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767", "versionType": "git" }, { "lessThan": "aa5ce1485562f20235b4c759eee5ab0c41d2c220", "status": "affected", "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767", "versionType": "git" }, { "lessThan": "2cfcbe1554c119402e7382de974c26b0549899fe", "status": "affected", "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767", "versionType": "git" }, { "lessThan": "b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c", "status": "affected", "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767", "versionType": "git" }, { "lessThan": "73cfcc8445585b8af7e18be3c9246b851fdf336c", "status": "affected", "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767", "versionType": "git" }, { "lessThan": "8b68e978718f14fdcb080c2a7791c52a0d09bc6d", "status": "affected", "version": "ea5f1cd7ab494f65f50f338299eabb40ad6a1767", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/x86/kernel/ioport.c", "arch/x86/kernel/process.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.5" }, { "lessThan": "5.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/iopl: Cure TIF_IO_BITMAP inconsistencies\n\nio_bitmap_exit() is invoked from exit_thread() when a task exists or\nwhen a fork fails. In the latter case the exit_thread() cleans up\nresources which were allocated during fork().\n\nio_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up\nin tss_update_io_bitmap(). tss_update_io_bitmap() operates on the\ncurrent task. If current has TIF_IO_BITMAP set, but no bitmap installed,\ntss_update_io_bitmap() crashes with a NULL pointer dereference.\n\nThere are two issues, which lead to that problem:\n\n 1) io_bitmap_exit() should not invoke task_update_io_bitmap() when\n the task, which is cleaned up, is not the current task. That\u0027s a\n clear indicator for a cleanup after a failed fork().\n\n 2) A task should not have TIF_IO_BITMAP set and neither a bitmap\n installed nor IOPL emulation level 3 activated.\n\n This happens when a kernel thread is created in the context of\n a user space thread, which has TIF_IO_BITMAP set as the thread\n flags are copied and the IO bitmap pointer is cleared.\n\n Other than in the failed fork() case this has no impact because\n kernel threads including IO workers never return to user space and\n therefore never invoke tss_update_io_bitmap().\n\nCure this by adding the missing cleanups and checks:\n\n 1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if\n the to be cleaned up task is not the current task.\n\n 2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user\n space forks it is set later, when the IO bitmap is inherited in\n io_bitmap_share().\n\nFor paranoia sake, add a warning into tss_update_io_bitmap() to catch\nthe case, when that code is invoked with inconsistent state." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:08.909Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d64b7b05a827f98d068f412969eef65489b0cf03" }, { "url": "https://git.kernel.org/stable/c/2dace5e016c991424a3dc6e83b1ae5dca8992d08" }, { "url": "https://git.kernel.org/stable/c/aa5ce1485562f20235b4c759eee5ab0c41d2c220" }, { "url": "https://git.kernel.org/stable/c/2cfcbe1554c119402e7382de974c26b0549899fe" }, { "url": "https://git.kernel.org/stable/c/b3b3b6366dc8eb5b22edba9adc4bff3cdacfd64c" }, { "url": "https://git.kernel.org/stable/c/73cfcc8445585b8af7e18be3c9246b851fdf336c" }, { "url": "https://git.kernel.org/stable/c/8b68e978718f14fdcb080c2a7791c52a0d09bc6d" } ], "title": "x86/iopl: Cure TIF_IO_BITMAP inconsistencies", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38100", "datePublished": "2025-07-03T08:35:09.487Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:08.909Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38157 (GCVE-0-2025-38157)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k_htc: Abort software beacon handling if disabled
A malicious USB device can send a WMI_SWBA_EVENTID event from an
ath9k_htc-managed device before beaconing has been enabled. This causes
a device-by-zero error in the driver, leading to either a crash or an
out of bounds read.
Prevent this by aborting the handling in ath9k_htc_swba() if beacons are
not enabled.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 832f6a18fc2aead14954c081ece03b7a5b425f81 Version: 832f6a18fc2aead14954c081ece03b7a5b425f81 Version: 832f6a18fc2aead14954c081ece03b7a5b425f81 Version: 832f6a18fc2aead14954c081ece03b7a5b425f81 Version: 832f6a18fc2aead14954c081ece03b7a5b425f81 Version: 832f6a18fc2aead14954c081ece03b7a5b425f81 Version: 832f6a18fc2aead14954c081ece03b7a5b425f81 Version: 832f6a18fc2aead14954c081ece03b7a5b425f81 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/ath/ath9k/htc_drv_beacon.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e5ce9df1d68094d37360dbd9b09289d42fa21e54", "status": "affected", "version": "832f6a18fc2aead14954c081ece03b7a5b425f81", "versionType": "git" }, { "lessThan": "0281c19074976ec48f0078d50530b406ddae75bc", "status": "affected", "version": "832f6a18fc2aead14954c081ece03b7a5b425f81", "versionType": "git" }, { "lessThan": "7ee3fb6258da8c890a51b514f60d7570dc703605", "status": "affected", "version": "832f6a18fc2aead14954c081ece03b7a5b425f81", "versionType": "git" }, { "lessThan": "40471b23147c86ea3ed97faee79937c618250bd0", "status": "affected", "version": "832f6a18fc2aead14954c081ece03b7a5b425f81", "versionType": "git" }, { "lessThan": "5482ef9875eaa43f0435e14570e1193823de857e", "status": "affected", "version": "832f6a18fc2aead14954c081ece03b7a5b425f81", "versionType": "git" }, { "lessThan": "ee5ee646385f5846dcbc881389f3c44a197c402a", "status": "affected", "version": "832f6a18fc2aead14954c081ece03b7a5b425f81", "versionType": "git" }, { "lessThan": "5a85c21f812e02cb00ca07007d88acdd42d08c46", "status": "affected", "version": "832f6a18fc2aead14954c081ece03b7a5b425f81", "versionType": "git" }, { "lessThan": "ac4e317a95a1092b5da5b9918b7118759342641c", "status": "affected", "version": "832f6a18fc2aead14954c081ece03b7a5b425f81", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/ath/ath9k/htc_drv_beacon.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.0" }, { "lessThan": "3.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k_htc: Abort software beacon handling if disabled\n\nA malicious USB device can send a WMI_SWBA_EVENTID event from an\nath9k_htc-managed device before beaconing has been enabled. This causes\na device-by-zero error in the driver, leading to either a crash or an\nout of bounds read.\n\nPrevent this by aborting the handling in ath9k_htc_swba() if beacons are\nnot enabled." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:48.044Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e5ce9df1d68094d37360dbd9b09289d42fa21e54" }, { "url": "https://git.kernel.org/stable/c/0281c19074976ec48f0078d50530b406ddae75bc" }, { "url": "https://git.kernel.org/stable/c/7ee3fb6258da8c890a51b514f60d7570dc703605" }, { "url": "https://git.kernel.org/stable/c/40471b23147c86ea3ed97faee79937c618250bd0" }, { "url": "https://git.kernel.org/stable/c/5482ef9875eaa43f0435e14570e1193823de857e" }, { "url": "https://git.kernel.org/stable/c/ee5ee646385f5846dcbc881389f3c44a197c402a" }, { "url": "https://git.kernel.org/stable/c/5a85c21f812e02cb00ca07007d88acdd42d08c46" }, { "url": "https://git.kernel.org/stable/c/ac4e317a95a1092b5da5b9918b7118759342641c" } ], "title": "wifi: ath9k_htc: Abort software beacon handling if disabled", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38157", "datePublished": "2025-07-03T08:35:59.734Z", "dateReserved": "2025-04-16T04:51:23.990Z", "dateUpdated": "2025-07-28T04:13:48.044Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38116 (GCVE-0-2025-38116)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix uaf in ath12k_core_init()
When the execution of ath12k_core_hw_group_assign() or
ath12k_core_hw_group_create() fails, the registered notifier chain is not
unregistered properly. Its memory is freed after rmmod, which may trigger
to a use-after-free (UAF) issue if there is a subsequent access to this
notifier chain.
Fixes the issue by calling ath12k_core_panic_notifier_unregister() in
failure cases.
Call trace:
notifier_chain_register+0x4c/0x1f0 (P)
atomic_notifier_chain_register+0x38/0x68
ath12k_core_init+0x50/0x4e8 [ath12k]
ath12k_pci_probe+0x5f8/0xc28 [ath12k]
pci_device_probe+0xbc/0x1a8
really_probe+0xc8/0x3a0
__driver_probe_device+0x84/0x1b0
driver_probe_device+0x44/0x130
__driver_attach+0xcc/0x208
bus_for_each_dev+0x84/0x100
driver_attach+0x2c/0x40
bus_add_driver+0x130/0x260
driver_register+0x70/0x138
__pci_register_driver+0x68/0x80
ath12k_pci_init+0x30/0x68 [ath12k]
ath12k_init+0x28/0x78 [ath12k]
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/ath/ath12k/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "65e1b3404c211dcfaea02698539cdcd26647130f", "status": "affected", "version": "6f245ea0ec6c29b90c8fa4fdf6e178c646125d7e", "versionType": "git" }, { "lessThan": "f3fe49dbddd73f0155a8935af47cb63693069dbe", "status": "affected", "version": "6f245ea0ec6c29b90c8fa4fdf6e178c646125d7e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/ath/ath12k/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.14" }, { "lessThan": "6.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix uaf in ath12k_core_init()\n\nWhen the execution of ath12k_core_hw_group_assign() or\nath12k_core_hw_group_create() fails, the registered notifier chain is not\nunregistered properly. Its memory is freed after rmmod, which may trigger\nto a use-after-free (UAF) issue if there is a subsequent access to this\nnotifier chain.\n\nFixes the issue by calling ath12k_core_panic_notifier_unregister() in\nfailure cases.\n\nCall trace:\n notifier_chain_register+0x4c/0x1f0 (P)\n atomic_notifier_chain_register+0x38/0x68\n ath12k_core_init+0x50/0x4e8 [ath12k]\n ath12k_pci_probe+0x5f8/0xc28 [ath12k]\n pci_device_probe+0xbc/0x1a8\n really_probe+0xc8/0x3a0\n __driver_probe_device+0x84/0x1b0\n driver_probe_device+0x44/0x130\n __driver_attach+0xcc/0x208\n bus_for_each_dev+0x84/0x100\n driver_attach+0x2c/0x40\n bus_add_driver+0x130/0x260\n driver_register+0x70/0x138\n __pci_register_driver+0x68/0x80\n ath12k_pci_init+0x30/0x68 [ath12k]\n ath12k_init+0x28/0x78 [ath12k]\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:34.607Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/65e1b3404c211dcfaea02698539cdcd26647130f" }, { "url": "https://git.kernel.org/stable/c/f3fe49dbddd73f0155a8935af47cb63693069dbe" } ], "title": "wifi: ath12k: fix uaf in ath12k_core_init()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38116", "datePublished": "2025-07-03T08:35:24.413Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:34.607Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38123 (GCVE-0-2025-38123)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: wwan: t7xx: Fix napi rx poll issue
When driver handles the napi rx polling requests, the netdev might
have been released by the dellink logic triggered by the disconnect
operation on user plane. However, in the logic of processing skb in
polling, an invalid netdev is still being used, which causes a panic.
BUG: kernel NULL pointer dereference, address: 00000000000000f1
Oops: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:dev_gro_receive+0x3a/0x620
[...]
Call Trace:
<IRQ>
? __die_body+0x68/0xb0
? page_fault_oops+0x379/0x3e0
? exc_page_fault+0x4f/0xa0
? asm_exc_page_fault+0x22/0x30
? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)]
? dev_gro_receive+0x3a/0x620
napi_gro_receive+0xad/0x170
t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)]
t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)]
net_rx_action+0x103/0x470
irq_exit_rcu+0x13a/0x310
sysvec_apic_timer_interrupt+0x56/0x90
</IRQ>
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wwan/t7xx/t7xx_netdev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "cc89f457d9133a558d4e8ef26dc20843c2d12073", "status": "affected", "version": "5545b7b9f294de7f95ec6a7cb1de0db52296001c", "versionType": "git" }, { "lessThan": "e2df04e69c3f10b412f54be036dd0ed3b14756cf", "status": "affected", "version": "5545b7b9f294de7f95ec6a7cb1de0db52296001c", "versionType": "git" }, { "lessThan": "66542e9430c625f878a5b5dc0fe41e3458d614bf", "status": "affected", "version": "5545b7b9f294de7f95ec6a7cb1de0db52296001c", "versionType": "git" }, { "lessThan": "905fe0845bb27e4eed2ca27ea06e6c4847f1b2b1", "status": "affected", "version": "5545b7b9f294de7f95ec6a7cb1de0db52296001c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wwan/t7xx/t7xx_netdev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: Fix napi rx poll issue\n\nWhen driver handles the napi rx polling requests, the netdev might\nhave been released by the dellink logic triggered by the disconnect\noperation on user plane. However, in the logic of processing skb in\npolling, an invalid netdev is still being used, which causes a panic.\n\nBUG: kernel NULL pointer dereference, address: 00000000000000f1\nOops: 0000 [#1] PREEMPT SMP NOPTI\nRIP: 0010:dev_gro_receive+0x3a/0x620\n[...]\nCall Trace:\n \u003cIRQ\u003e\n ? __die_body+0x68/0xb0\n ? page_fault_oops+0x379/0x3e0\n ? exc_page_fault+0x4f/0xa0\n ? asm_exc_page_fault+0x22/0x30\n ? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)]\n ? dev_gro_receive+0x3a/0x620\n napi_gro_receive+0xad/0x170\n t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)]\n t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)]\n net_rx_action+0x103/0x470\n irq_exit_rcu+0x13a/0x310\n sysvec_apic_timer_interrupt+0x56/0x90\n \u003c/IRQ\u003e" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:48.944Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/cc89f457d9133a558d4e8ef26dc20843c2d12073" }, { "url": "https://git.kernel.org/stable/c/e2df04e69c3f10b412f54be036dd0ed3b14756cf" }, { "url": "https://git.kernel.org/stable/c/66542e9430c625f878a5b5dc0fe41e3458d614bf" }, { "url": "https://git.kernel.org/stable/c/905fe0845bb27e4eed2ca27ea06e6c4847f1b2b1" } ], "title": "net: wwan: t7xx: Fix napi rx poll issue", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38123", "datePublished": "2025-07-03T08:35:29.312Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:48.944Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38142 (GCVE-0-2025-38142)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (asus-ec-sensors) check sensor index in read_string()
Prevent a potential invalid memory access when the requested sensor
is not found.
find_ec_sensor_index() may return a negative value (e.g. -ENOENT),
but its result was used without checking, which could lead to
undefined behavior when passed to get_sensor_info().
Add a proper check to return -EINVAL if sensor_index is negative.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
[groeck: Return error code returned from find_ec_sensor_index]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d0ddfd241e5719d696bc0b081e260db69d368668 Version: d0ddfd241e5719d696bc0b081e260db69d368668 Version: d0ddfd241e5719d696bc0b081e260db69d368668 Version: d0ddfd241e5719d696bc0b081e260db69d368668 Version: d0ddfd241e5719d696bc0b081e260db69d368668 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hwmon/asus-ec-sensors.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6bf529ce84dccc0074dbc704e70aee4aa545057e", "status": "affected", "version": "d0ddfd241e5719d696bc0b081e260db69d368668", "versionType": "git" }, { "lessThan": "4e9e45746b861ebd54c03ef301da2cb8fc990536", "status": "affected", "version": "d0ddfd241e5719d696bc0b081e260db69d368668", "versionType": "git" }, { "lessThan": "19bd9cde38dd4ca1771aed7afba623e7f4247c8e", "status": "affected", "version": "d0ddfd241e5719d696bc0b081e260db69d368668", "versionType": "git" }, { "lessThan": "7eeb3df6f07a886bdfd52757ede127a59a8784dc", "status": "affected", "version": "d0ddfd241e5719d696bc0b081e260db69d368668", "versionType": "git" }, { "lessThan": "25be318324563c63cbd9cb53186203a08d2f83a1", "status": "affected", "version": "d0ddfd241e5719d696bc0b081e260db69d368668", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hwmon/asus-ec-sensors.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (asus-ec-sensors) check sensor index in read_string()\n\nPrevent a potential invalid memory access when the requested sensor\nis not found.\n\nfind_ec_sensor_index() may return a negative value (e.g. -ENOENT),\nbut its result was used without checking, which could lead to\nundefined behavior when passed to get_sensor_info().\n\nAdd a proper check to return -EINVAL if sensor_index is negative.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[groeck: Return error code returned from find_ec_sensor_index]" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:22.109Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6bf529ce84dccc0074dbc704e70aee4aa545057e" }, { "url": "https://git.kernel.org/stable/c/4e9e45746b861ebd54c03ef301da2cb8fc990536" }, { "url": "https://git.kernel.org/stable/c/19bd9cde38dd4ca1771aed7afba623e7f4247c8e" }, { "url": "https://git.kernel.org/stable/c/7eeb3df6f07a886bdfd52757ede127a59a8784dc" }, { "url": "https://git.kernel.org/stable/c/25be318324563c63cbd9cb53186203a08d2f83a1" } ], "title": "hwmon: (asus-ec-sensors) check sensor index in read_string()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38142", "datePublished": "2025-07-03T08:35:43.521Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:22.109Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38155 (GCVE-0-2025-38155)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()
devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init()
does not check for this case, which results in a NULL pointer
dereference.
Prevent null pointer dereference in mt7915_mmio_wed_init().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/mediatek/mt76/mt7915/mmio.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e9f9cef1877ac32285dbc1f31b86c8955b712fc2", "status": "affected", "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a", "versionType": "git" }, { "lessThan": "790d05cde359356feea8915094a51166af1629f5", "status": "affected", "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a", "versionType": "git" }, { "lessThan": "d825ed9fd768be10d52beba6f57a4b50c0c154aa", "status": "affected", "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a", "versionType": "git" }, { "lessThan": "efb95439c1477bbc955cacd0179c35e7861b437c", "status": "affected", "version": "4f831d18d12da80cec0bebe5b8ca8702a528195a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/mediatek/mt76/mt7915/mmio.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()\n\ndevm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init()\ndoes not check for this case, which results in a NULL pointer\ndereference.\n\nPrevent null pointer dereference in mt7915_mmio_wed_init()." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:45.339Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e9f9cef1877ac32285dbc1f31b86c8955b712fc2" }, { "url": "https://git.kernel.org/stable/c/790d05cde359356feea8915094a51166af1629f5" }, { "url": "https://git.kernel.org/stable/c/d825ed9fd768be10d52beba6f57a4b50c0c154aa" }, { "url": "https://git.kernel.org/stable/c/efb95439c1477bbc955cacd0179c35e7861b437c" } ], "title": "wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38155", "datePublished": "2025-07-03T08:35:58.185Z", "dateReserved": "2025-04-16T04:51:23.990Z", "dateUpdated": "2025-07-28T04:13:45.339Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38105 (GCVE-0-2025-38105)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Kill timer properly at removal
The USB-audio MIDI code initializes the timer, but in a rare case, the
driver might be freed without the disconnect call. This leaves the
timer in an active state while the assigned object is released via
snd_usbmidi_free(), which ends up with a kernel warning when the debug
configuration is enabled, as spotted by fuzzer.
For avoiding the problem, put timer_shutdown_sync() at
snd_usbmidi_free(), so that the timer can be killed properly.
While we're at it, replace the existing timer_delete_sync() at the
disconnect callback with timer_shutdown_sync(), too.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "sound/usb/midi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "62066758d2ae169278e5d6aea5995b1b6f6ddeb5", "status": "affected", "version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d", "versionType": "git" }, { "lessThan": "0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1", "status": "affected", "version": "c88469704d63787e8d44ca5ea1c1bd0adc29572d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "sound/usb/midi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.14" }, { "lessThan": "2.6.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "2.6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "2.6.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Kill timer properly at removal\n\nThe USB-audio MIDI code initializes the timer, but in a rare case, the\ndriver might be freed without the disconnect call. This leaves the\ntimer in an active state while the assigned object is released via\nsnd_usbmidi_free(), which ends up with a kernel warning when the debug\nconfiguration is enabled, as spotted by fuzzer.\n\nFor avoiding the problem, put timer_shutdown_sync() at\nsnd_usbmidi_free(), so that the timer can be killed properly.\nWhile we\u0027re at it, replace the existing timer_delete_sync() at the\ndisconnect callback with timer_shutdown_sync(), too." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:19.852Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/62066758d2ae169278e5d6aea5995b1b6f6ddeb5" }, { "url": "https://git.kernel.org/stable/c/0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1" } ], "title": "ALSA: usb-audio: Kill timer properly at removal", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38105", "datePublished": "2025-07-03T08:35:15.301Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:19.852Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38128 (GCVE-0-2025-38128)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands
In 'mgmt_hci_cmd_sync()', check whether the size of parameters passed
in 'struct mgmt_cp_hci_cmd_sync' matches the total size of the data
(i.e. 'sizeof(struct mgmt_cp_hci_cmd_sync)' plus trailing bytes).
Otherwise, large invalid 'params_len' will cause 'hci_cmd_sync_alloc()'
to do 'skb_put_data()' from an area beyond the one actually passed to
'mgmt_hci_cmd_sync()'.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/mgmt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9eeafd16d76a7642d12b3442a26c15cd345e12f7", "status": "affected", "version": "827af4787e74e8df9e8e0677a69fbb15e0856d2f", "versionType": "git" }, { "lessThan": "03f1700b9b4d4f2fed3165370f3c23db76553178", "status": "affected", "version": "827af4787e74e8df9e8e0677a69fbb15e0856d2f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/mgmt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.13" }, { "lessThan": "6.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: reject malformed HCI_CMD_SYNC commands\n\nIn \u0027mgmt_hci_cmd_sync()\u0027, check whether the size of parameters passed\nin \u0027struct mgmt_cp_hci_cmd_sync\u0027 matches the total size of the data\n(i.e. \u0027sizeof(struct mgmt_cp_hci_cmd_sync)\u0027 plus trailing bytes).\nOtherwise, large invalid \u0027params_len\u0027 will cause \u0027hci_cmd_sync_alloc()\u0027\nto do \u0027skb_put_data()\u0027 from an area beyond the one actually passed to\n\u0027mgmt_hci_cmd_sync()\u0027." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:56.421Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9eeafd16d76a7642d12b3442a26c15cd345e12f7" }, { "url": "https://git.kernel.org/stable/c/03f1700b9b4d4f2fed3165370f3c23db76553178" } ], "title": "Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38128", "datePublished": "2025-07-03T08:35:33.089Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:56.421Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38103 (GCVE-0-2025-38103)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
Update struct hid_descriptor to better reflect the mandatory and
optional parts of the HID Descriptor as per USB HID 1.11 specification.
Note: the kernel currently does not parse any optional HID class
descriptors, only the mandatory report descriptor.
Update all references to member element desc[0] to rpt_desc.
Add test to verify bLength and bNumDescriptors values are valid.
Replace the for loop with direct access to the mandatory HID class
descriptor member for the report descriptor. This eliminates the
possibility of getting an out-of-bounds fault.
Add a warning message if the HID descriptor contains any unsupported
optional HID class descriptors.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: f043bfc98c193c284e2cd768fefabe18ac2fed9b Version: 99de0781e0de7c866f762b931351c2a501c3074f Version: 8d675aa967d3927ac100f7af48f2a2af8a041d2d Version: f4cf5d75416ae3d79e03179fe6f4b9f1231ae42c Version: 439f76690d7d5dd212ea7bebc1f2fa077e3d645d Version: 2929cb995378205bceda86d6fd3cbc22e522f97f Version: 57265cddde308292af881ce634a5378dd4e25900 Version: 984154e7eef1f9e543dabd7422cfc99015778732 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/hid-hyperv.c", "drivers/hid/usbhid/hid-core.c", "drivers/usb/gadget/function/f_hid.c", "include/linux/hid.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7a6d6b68db128da2078ccd9a751dfa3f75c9cf5b", "status": "affected", "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b", "versionType": "git" }, { "lessThan": "41827a2dbdd7880df9881506dee13bc88d4230bb", "status": "affected", "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b", "versionType": "git" }, { "lessThan": "1df80d748f984290c895e843401824215dcfbfb0", "status": "affected", "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b", "versionType": "git" }, { "lessThan": "a8f842534807985d3a676006d140541b87044345", "status": "affected", "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b", "versionType": "git" }, { "lessThan": "4fa7831cf0ac71a0a345369d1a6084f2b096e55e", "status": "affected", "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b", "versionType": "git" }, { "lessThan": "74388368927e9c52a69524af5bbd6c55eb4690de", "status": "affected", "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b", "versionType": "git" }, { "lessThan": "485e1b741eb838cbe1d6b0e81e5ab62ae6c095cf", "status": "affected", "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b", "versionType": "git" }, { "lessThan": "fe7f7ac8e0c708446ff017453add769ffc15deed", "status": "affected", "version": "f043bfc98c193c284e2cd768fefabe18ac2fed9b", "versionType": "git" }, { "status": "affected", "version": "99de0781e0de7c866f762b931351c2a501c3074f", "versionType": "git" }, { "status": "affected", "version": "8d675aa967d3927ac100f7af48f2a2af8a041d2d", "versionType": "git" }, { "status": "affected", "version": "f4cf5d75416ae3d79e03179fe6f4b9f1231ae42c", "versionType": "git" }, { "status": "affected", "version": "439f76690d7d5dd212ea7bebc1f2fa077e3d645d", "versionType": "git" }, { "status": "affected", "version": "2929cb995378205bceda86d6fd3cbc22e522f97f", "versionType": "git" }, { "status": "affected", "version": "57265cddde308292af881ce634a5378dd4e25900", "versionType": "git" }, { "status": "affected", "version": "984154e7eef1f9e543dabd7422cfc99015778732", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/hid-hyperv.c", "drivers/hid/usbhid/hid-core.c", "drivers/usb/gadget/function/f_hid.c", "include/linux/hid.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.14" }, { "lessThan": "4.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.95", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16.50", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18.76", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1.46", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.93", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.57", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.13.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()\n\nUpdate struct hid_descriptor to better reflect the mandatory and\noptional parts of the HID Descriptor as per USB HID 1.11 specification.\nNote: the kernel currently does not parse any optional HID class\ndescriptors, only the mandatory report descriptor.\n\nUpdate all references to member element desc[0] to rpt_desc.\n\nAdd test to verify bLength and bNumDescriptors values are valid.\n\nReplace the for loop with direct access to the mandatory HID class\ndescriptor member for the report descriptor. This eliminates the\npossibility of getting an out-of-bounds fault.\n\nAdd a warning message if the HID descriptor contains any unsupported\noptional HID class descriptors." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:18.213Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7a6d6b68db128da2078ccd9a751dfa3f75c9cf5b" }, { "url": "https://git.kernel.org/stable/c/41827a2dbdd7880df9881506dee13bc88d4230bb" }, { "url": "https://git.kernel.org/stable/c/1df80d748f984290c895e843401824215dcfbfb0" }, { "url": "https://git.kernel.org/stable/c/a8f842534807985d3a676006d140541b87044345" }, { "url": "https://git.kernel.org/stable/c/4fa7831cf0ac71a0a345369d1a6084f2b096e55e" }, { "url": "https://git.kernel.org/stable/c/74388368927e9c52a69524af5bbd6c55eb4690de" }, { "url": "https://git.kernel.org/stable/c/485e1b741eb838cbe1d6b0e81e5ab62ae6c095cf" }, { "url": "https://git.kernel.org/stable/c/fe7f7ac8e0c708446ff017453add769ffc15deed" } ], "title": "HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38103", "datePublished": "2025-07-03T08:35:13.941Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:18.213Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38151 (GCVE-0-2025-38151)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work
The cited commit fixed a crash when cma_netevent_callback was called for
a cma_id while work on that id from a previous call had not yet started.
The work item was re-initialized in the second call, which corrupted the
work item currently in the work queue.
However, it left a problem when queue_work fails (because the item is
still pending in the work queue from a previous call). In this case,
cma_id_put (which is called in the work handler) is therefore not
called. This results in a userspace process hang (zombie process).
Fix this by calling cma_id_put() if queue_work fails.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 51003b2c872c63d28bcf5fbcc52cf7b05615f7b7 Version: c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a Version: d23fd7a539ac078df119707110686a5b226ee3bb Version: 45f5dcdd049719fb999393b30679605f16ebce14 Version: 45f5dcdd049719fb999393b30679605f16ebce14 Version: b172a4a0de254f1fcce7591833a9a63547c2f447 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/infiniband/core/cma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1ac40736c8c4255d8417b937c9715b193f4a87b3", "status": "affected", "version": "51003b2c872c63d28bcf5fbcc52cf7b05615f7b7", "versionType": "git" }, { "lessThan": "ac7897c0124066b9705ffca252a3662d54fc0c9b", "status": "affected", "version": "c2b169fc7a12665d8a675c1ff14bca1b9c63fb9a", "versionType": "git" }, { "lessThan": "02e45168e0fd6fdc6f8f7c42c4b500857aa5efb0", "status": "affected", "version": "d23fd7a539ac078df119707110686a5b226ee3bb", "versionType": "git" }, { "lessThan": "8b05aa3692e45b8249379dc52b14acc6a104d2e5", "status": "affected", "version": "45f5dcdd049719fb999393b30679605f16ebce14", "versionType": "git" }, { "lessThan": "92a251c3df8ea1991cd9fe00f1ab0cfce18d7711", "status": "affected", "version": "45f5dcdd049719fb999393b30679605f16ebce14", "versionType": "git" }, { "status": "affected", "version": "b172a4a0de254f1fcce7591833a9a63547c2f447", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/infiniband/core/cma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.15" }, { "lessThan": "6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "6.1.135", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.6.88", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.12.25", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix hang when cma_netevent_callback fails to queue_work\n\nThe cited commit fixed a crash when cma_netevent_callback was called for\na cma_id while work on that id from a previous call had not yet started.\nThe work item was re-initialized in the second call, which corrupted the\nwork item currently in the work queue.\n\nHowever, it left a problem when queue_work fails (because the item is\nstill pending in the work queue from a previous call). In this case,\ncma_id_put (which is called in the work handler) is therefore not\ncalled. This results in a userspace process hang (zombie process).\n\nFix this by calling cma_id_put() if queue_work fails." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:40.970Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1ac40736c8c4255d8417b937c9715b193f4a87b3" }, { "url": "https://git.kernel.org/stable/c/ac7897c0124066b9705ffca252a3662d54fc0c9b" }, { "url": "https://git.kernel.org/stable/c/02e45168e0fd6fdc6f8f7c42c4b500857aa5efb0" }, { "url": "https://git.kernel.org/stable/c/8b05aa3692e45b8249379dc52b14acc6a104d2e5" }, { "url": "https://git.kernel.org/stable/c/92a251c3df8ea1991cd9fe00f1ab0cfce18d7711" } ], "title": "RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38151", "datePublished": "2025-07-03T08:35:55.879Z", "dateReserved": "2025-04-16T04:51:23.989Z", "dateUpdated": "2025-07-28T04:13:40.970Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38136 (GCVE-0-2025-38136)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: renesas_usbhs: Reorder clock handling and power management in probe
Reorder the initialization sequence in `usbhs_probe()` to enable runtime
PM before accessing registers, preventing potential crashes due to
uninitialized clocks.
Currently, in the probe path, registers are accessed before enabling the
clocks, leading to a synchronous external abort on the RZ/V2H SoC.
The problematic call flow is as follows:
usbhs_probe()
usbhs_sys_clock_ctrl()
usbhs_bset()
usbhs_write()
iowrite16() <-- Register access before enabling clocks
Since `iowrite16()` is performed without ensuring the required clocks are
enabled, this can lead to access errors. To fix this, enable PM runtime
early in the probe function and ensure clocks are acquired before register
access, preventing crashes like the following on RZ/V2H:
[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP
[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6
[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98
[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT)
[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs]
[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs]
[13.321138] sp : ffff8000827e3850
[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0
[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025
[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010
[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff
[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce
[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000
[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750
[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c
[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000
[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080
[13.395574] Call trace:
[13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P)
[13.403076] platform_probe+0x68/0xdc
[13.406738] really_probe+0xbc/0x2c0
[13.410306] __driver_probe_device+0x78/0x120
[13.414653] driver_probe_device+0x3c/0x154
[13.418825] __driver_attach+0x90/0x1a0
[13.422647] bus_for_each_dev+0x7c/0xe0
[13.426470] driver_attach+0x24/0x30
[13.430032] bus_add_driver+0xe4/0x208
[13.433766] driver_register+0x68/0x130
[13.437587] __platform_driver_register+0x24/0x30
[13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs]
[13.448450] do_one_initcall+0x60/0x1d4
[13.452276] do_init_module+0x54/0x1f8
[13.456014] load_module+0x1754/0x1c98
[13.459750] init_module_from_file+0x88/0xcc
[13.464004] __arm64_sys_finit_module+0x1c4/0x328
[13.468689] invoke_syscall+0x48/0x104
[13.472426] el0_svc_common.constprop.0+0xc0/0xe0
[13.477113] do_el0_svc+0x1c/0x28
[13.480415] el0_svc+0x30/0xcc
[13.483460] el0t_64_sync_handler+0x10c/0x138
[13.487800] el0t_64_sync+0x198/0x19c
[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084)
[13.497522] ---[ end trace 0000000000000000 ]---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 Version: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/renesas_usbhs/common.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "095cc0b5888acc228f12344e85b17539b9ce9367", "status": "affected", "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "versionType": "git" }, { "lessThan": "155453ada562c450a4ff5fcf4852b9fa5b6b793a", "status": "affected", "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "versionType": "git" }, { "lessThan": "0a1e16a6cbf4452b46f20b862d6141a1e90844ee", "status": "affected", "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "versionType": "git" }, { "lessThan": "1637623ad6205162b17804d07512e6f4cbd2a050", "status": "affected", "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "versionType": "git" }, { "lessThan": "db96a4fd8614d47c0def265e0e6c996b0ee52a38", "status": "affected", "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "versionType": "git" }, { "lessThan": "d4c368e4a638ddf4a9d6d687b0ff691aa46cce53", "status": "affected", "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "versionType": "git" }, { "lessThan": "6bab152e817fd41b9e178fa6b275354795c9703d", "status": "affected", "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "versionType": "git" }, { "lessThan": "ffb34a60ce86656ba12d46e91f1ccc71dd221251", "status": "affected", "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/renesas_usbhs/common.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.0" }, { "lessThan": "3.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Reorder clock handling and power management in probe\n\nReorder the initialization sequence in `usbhs_probe()` to enable runtime\nPM before accessing registers, preventing potential crashes due to\nuninitialized clocks.\n\nCurrently, in the probe path, registers are accessed before enabling the\nclocks, leading to a synchronous external abort on the RZ/V2H SoC.\nThe problematic call flow is as follows:\n\n usbhs_probe()\n usbhs_sys_clock_ctrl()\n usbhs_bset()\n usbhs_write()\n iowrite16() \u003c-- Register access before enabling clocks\n\nSince `iowrite16()` is performed without ensuring the required clocks are\nenabled, this can lead to access errors. To fix this, enable PM runtime\nearly in the probe function and ensure clocks are acquired before register\naccess, preventing crashes like the following on RZ/V2H:\n\n[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP\n[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6\n[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98\n[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT)\n[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs]\n[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs]\n[13.321138] sp : ffff8000827e3850\n[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0\n[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025\n[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010\n[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff\n[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce\n[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000\n[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750\n[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c\n[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000\n[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080\n[13.395574] Call trace:\n[13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P)\n[13.403076] platform_probe+0x68/0xdc\n[13.406738] really_probe+0xbc/0x2c0\n[13.410306] __driver_probe_device+0x78/0x120\n[13.414653] driver_probe_device+0x3c/0x154\n[13.418825] __driver_attach+0x90/0x1a0\n[13.422647] bus_for_each_dev+0x7c/0xe0\n[13.426470] driver_attach+0x24/0x30\n[13.430032] bus_add_driver+0xe4/0x208\n[13.433766] driver_register+0x68/0x130\n[13.437587] __platform_driver_register+0x24/0x30\n[13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs]\n[13.448450] do_one_initcall+0x60/0x1d4\n[13.452276] do_init_module+0x54/0x1f8\n[13.456014] load_module+0x1754/0x1c98\n[13.459750] init_module_from_file+0x88/0xcc\n[13.464004] __arm64_sys_finit_module+0x1c4/0x328\n[13.468689] invoke_syscall+0x48/0x104\n[13.472426] el0_svc_common.constprop.0+0xc0/0xe0\n[13.477113] do_el0_svc+0x1c/0x28\n[13.480415] el0_svc+0x30/0xcc\n[13.483460] el0t_64_sync_handler+0x10c/0x138\n[13.487800] el0t_64_sync+0x198/0x19c\n[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084)\n[13.497522] ---[ end trace 0000000000000000 ]---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:13.215Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/095cc0b5888acc228f12344e85b17539b9ce9367" }, { "url": "https://git.kernel.org/stable/c/155453ada562c450a4ff5fcf4852b9fa5b6b793a" }, { "url": "https://git.kernel.org/stable/c/0a1e16a6cbf4452b46f20b862d6141a1e90844ee" }, { "url": "https://git.kernel.org/stable/c/1637623ad6205162b17804d07512e6f4cbd2a050" }, { "url": "https://git.kernel.org/stable/c/db96a4fd8614d47c0def265e0e6c996b0ee52a38" }, { "url": "https://git.kernel.org/stable/c/d4c368e4a638ddf4a9d6d687b0ff691aa46cce53" }, { "url": "https://git.kernel.org/stable/c/6bab152e817fd41b9e178fa6b275354795c9703d" }, { "url": "https://git.kernel.org/stable/c/ffb34a60ce86656ba12d46e91f1ccc71dd221251" } ], "title": "usb: renesas_usbhs: Reorder clock handling and power management in probe", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38136", "datePublished": "2025-07-03T08:35:39.207Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:13.215Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38097 (GCVE-0-2025-38097)
Vulnerability from cvelistv5
Published
2025-07-03 08:13
Modified
2025-07-03 08:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
espintcp: remove encap socket caching to avoid reference leak
The current scheme for caching the encap socket can lead to reference
leaks when we try to delete the netns.
The reference chain is: xfrm_state -> enacp_sk -> netns
Since the encap socket is a userspace socket, it holds a reference on
the netns. If we delete the espintcp state (through flush or
individual delete) before removing the netns, the reference on the
socket is dropped and the netns is correctly deleted. Otherwise, the
netns may not be reachable anymore (if all processes within the ns
have terminated), so we cannot delete the xfrm state to drop its
reference on the socket.
This patch results in a small (~2% in my tests) performance
regression.
A GC-type mechanism could be added for the socket cache, to clear
references if the state hasn't been used "recently", but it's a lot
more complex than just not caching the socket.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 Version: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 Version: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 Version: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 Version: e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/net/xfrm.h", "net/ipv4/esp4.c", "net/ipv6/esp6.c", "net/xfrm/xfrm_state.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e4cde54b46a87231c77256a633be1bef62687d69", "status": "affected", "version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "versionType": "git" }, { "lessThan": "b58a295d10065960bcb9d60cb8ca6ead9837cd27", "status": "affected", "version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "versionType": "git" }, { "lessThan": "9cbca30102028f9ad3d2098f935c4368f581fd07", "status": "affected", "version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "versionType": "git" }, { "lessThan": "74fd327767fb784c5875cf7c4ba1217f26020943", "status": "affected", "version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "versionType": "git" }, { "lessThan": "028363685bd0b7a19b4a820f82dd905b1dc83999", "status": "affected", "version": "e27cca96cd68fa2c6814c90f9a1cfd36bb68c593", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/net/xfrm.h", "net/ipv4/esp4.c", "net/ipv6/esp6.c", "net/xfrm/xfrm_state.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.6" }, { "lessThan": "5.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.141", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.93", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.31", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.141", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.93", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.31", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.9", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "5.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nespintcp: remove encap socket caching to avoid reference leak\n\nThe current scheme for caching the encap socket can lead to reference\nleaks when we try to delete the netns.\n\nThe reference chain is: xfrm_state -\u003e enacp_sk -\u003e netns\n\nSince the encap socket is a userspace socket, it holds a reference on\nthe netns. If we delete the espintcp state (through flush or\nindividual delete) before removing the netns, the reference on the\nsocket is dropped and the netns is correctly deleted. Otherwise, the\nnetns may not be reachable anymore (if all processes within the ns\nhave terminated), so we cannot delete the xfrm state to drop its\nreference on the socket.\n\nThis patch results in a small (~2% in my tests) performance\nregression.\n\nA GC-type mechanism could be added for the socket cache, to clear\nreferences if the state hasn\u0027t been used \"recently\", but it\u0027s a lot\nmore complex than just not caching the socket." } ], "providerMetadata": { "dateUpdated": "2025-07-03T08:13:57.694Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e4cde54b46a87231c77256a633be1bef62687d69" }, { "url": "https://git.kernel.org/stable/c/b58a295d10065960bcb9d60cb8ca6ead9837cd27" }, { "url": "https://git.kernel.org/stable/c/9cbca30102028f9ad3d2098f935c4368f581fd07" }, { "url": "https://git.kernel.org/stable/c/74fd327767fb784c5875cf7c4ba1217f26020943" }, { "url": "https://git.kernel.org/stable/c/028363685bd0b7a19b4a820f82dd905b1dc83999" } ], "title": "espintcp: remove encap socket caching to avoid reference leak", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38097", "datePublished": "2025-07-03T08:13:57.694Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-03T08:13:57.694Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38125 (GCVE-0-2025-38125)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: make sure that ptp_rate is not 0 before configuring EST
If the ptp_rate recorded earlier in the driver happens to be 0, this
bogus value will propagate up to EST configuration, where it will
trigger a division by 0.
Prevent this division by 0 by adding the corresponding check and error
code.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/stmicro/stmmac/stmmac_est.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "451ee661d0f6272017fa012f99617101aa8ddf2c", "status": "affected", "version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b", "versionType": "git" }, { "lessThan": "d5e3bfdba0dc419499b801937128957f77503761", "status": "affected", "version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b", "versionType": "git" }, { "lessThan": "cbefe2ffa7784525ec5d008ba87c7add19ec631a", "status": "affected", "version": "8572aec3d0dc43045254fd1bf581fb980bfdbc4b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/stmicro/stmmac/stmmac_est.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.6" }, { "lessThan": "5.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: make sure that ptp_rate is not 0 before configuring EST\n\nIf the ptp_rate recorded earlier in the driver happens to be 0, this\nbogus value will propagate up to EST configuration, where it will\ntrigger a division by 0.\n\nPrevent this division by 0 by adding the corresponding check and error\ncode." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:51.703Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/451ee661d0f6272017fa012f99617101aa8ddf2c" }, { "url": "https://git.kernel.org/stable/c/d5e3bfdba0dc419499b801937128957f77503761" }, { "url": "https://git.kernel.org/stable/c/cbefe2ffa7784525ec5d008ba87c7add19ec631a" } ], "title": "net: stmmac: make sure that ptp_rate is not 0 before configuring EST", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38125", "datePublished": "2025-07-03T08:35:31.176Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:51.703Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38108 (GCVE-0-2025-38108)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: red: fix a race in __red_change()
Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 0c8d13ac96070000da33f394f45e9c19638483c5 Version: 0c8d13ac96070000da33f394f45e9c19638483c5 Version: 0c8d13ac96070000da33f394f45e9c19638483c5 Version: 0c8d13ac96070000da33f394f45e9c19638483c5 Version: 0c8d13ac96070000da33f394f45e9c19638483c5 Version: 0c8d13ac96070000da33f394f45e9c19638483c5 Version: 0c8d13ac96070000da33f394f45e9c19638483c5 Version: 0c8d13ac96070000da33f394f45e9c19638483c5 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sched/sch_red.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2790c4ec481be45a80948d059cd7c9a06bc37493", "status": "affected", "version": "0c8d13ac96070000da33f394f45e9c19638483c5", "versionType": "git" }, { "lessThan": "a1bf6a4e9264a685b0e642994031f9c5aad72414", "status": "affected", "version": "0c8d13ac96070000da33f394f45e9c19638483c5", "versionType": "git" }, { "lessThan": "110a47efcf23438ff8d31dbd9c854fae2a48bf98", "status": "affected", "version": "0c8d13ac96070000da33f394f45e9c19638483c5", "versionType": "git" }, { "lessThan": "f569984417a4e12c67366e69bdcb752970de921d", "status": "affected", "version": "0c8d13ac96070000da33f394f45e9c19638483c5", "versionType": "git" }, { "lessThan": "2a71924ca4af59ffc00f0444732b6cd54b153d0e", "status": "affected", "version": "0c8d13ac96070000da33f394f45e9c19638483c5", "versionType": "git" }, { "lessThan": "4b755305b2b0618e857fdadb499365b5f2e478d1", "status": "affected", "version": "0c8d13ac96070000da33f394f45e9c19638483c5", "versionType": "git" }, { "lessThan": "444ad445df5496a785705019268a8a84b84484bb", "status": "affected", "version": "0c8d13ac96070000da33f394f45e9c19638483c5", "versionType": "git" }, { "lessThan": "85a3e0ede38450ea3053b8c45d28cf55208409b8", "status": "affected", "version": "0c8d13ac96070000da33f394f45e9c19638483c5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sched/sch_red.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.0" }, { "lessThan": "5.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: red: fix a race in __red_change()\n\nGerrard Tai reported a race condition in RED, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n | [5]: lock root\n | [6]: rehash\n | [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent\u0027s qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:23.828Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2790c4ec481be45a80948d059cd7c9a06bc37493" }, { "url": "https://git.kernel.org/stable/c/a1bf6a4e9264a685b0e642994031f9c5aad72414" }, { "url": "https://git.kernel.org/stable/c/110a47efcf23438ff8d31dbd9c854fae2a48bf98" }, { "url": "https://git.kernel.org/stable/c/f569984417a4e12c67366e69bdcb752970de921d" }, { "url": "https://git.kernel.org/stable/c/2a71924ca4af59ffc00f0444732b6cd54b153d0e" }, { "url": "https://git.kernel.org/stable/c/4b755305b2b0618e857fdadb499365b5f2e478d1" }, { "url": "https://git.kernel.org/stable/c/444ad445df5496a785705019268a8a84b84484bb" }, { "url": "https://git.kernel.org/stable/c/85a3e0ede38450ea3053b8c45d28cf55208409b8" } ], "title": "net_sched: red: fix a race in __red_change()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38108", "datePublished": "2025-07-03T08:35:18.523Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:23.828Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38160 (GCVE-0-2025-38160)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()
devm_kasprintf() returns NULL when memory allocation fails. Currently,
raspberrypi_clk_register() does not check for this case, which results
in a NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 Version: 93d2725affd65686792f4b57e49ef660f3c8c0f9 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/clk/bcm/clk-raspberrypi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "938f625bd3364cfdc93916739add3b637ff90368", "status": "affected", "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9", "versionType": "git" }, { "lessThan": "54ce9bcdaee59d4ef0703f390d55708557818f9e", "status": "affected", "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9", "versionType": "git" }, { "lessThan": "52562161df3567cdaedada46834a7a8d8c4ab737", "status": "affected", "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9", "versionType": "git" }, { "lessThan": "3c1adc2f8c732ea09e8c4bce5941fec019c6205d", "status": "affected", "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9", "versionType": "git" }, { "lessThan": "0a2712cd24ecfeb520af60f6f859b442c7ab01ff", "status": "affected", "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9", "versionType": "git" }, { "lessThan": "1b69a5299f28ce8e6afa37c3690dbc14c3a1f53f", "status": "affected", "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9", "versionType": "git" }, { "lessThan": "73c46d9a93d071ca69858dea3f569111b03e549e", "status": "affected", "version": "93d2725affd65686792f4b57e49ef660f3c8c0f9", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/clk/bcm/clk-raspberrypi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.9" }, { "lessThan": "5.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: bcm: rpi: Add NULL check in raspberrypi_clk_register()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nraspberrypi_clk_register() does not check for this case, which results\nin a NULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:52.430Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/938f625bd3364cfdc93916739add3b637ff90368" }, { "url": "https://git.kernel.org/stable/c/54ce9bcdaee59d4ef0703f390d55708557818f9e" }, { "url": "https://git.kernel.org/stable/c/52562161df3567cdaedada46834a7a8d8c4ab737" }, { "url": "https://git.kernel.org/stable/c/3c1adc2f8c732ea09e8c4bce5941fec019c6205d" }, { "url": "https://git.kernel.org/stable/c/0a2712cd24ecfeb520af60f6f859b442c7ab01ff" }, { "url": "https://git.kernel.org/stable/c/1b69a5299f28ce8e6afa37c3690dbc14c3a1f53f" }, { "url": "https://git.kernel.org/stable/c/73c46d9a93d071ca69858dea3f569111b03e549e" } ], "title": "clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38160", "datePublished": "2025-07-03T08:36:02.357Z", "dateReserved": "2025-04-16T04:51:23.990Z", "dateUpdated": "2025-07-28T04:13:52.430Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38122 (GCVE-0-2025-38122)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()
did not check for this case before dereferencing the returned pointer.
Add a missing NULL check to prevent a potential NULL pointer
dereference when allocation fails.
This improves robustness in low-memory scenarios.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 Version: a57e5de476be0b4b7f42beb6a21c19ad9c577aa3 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/google/gve/gve_tx_dqo.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ae98a1787fdcb0096d122bc80d93c3c7d812c04b", "status": "affected", "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3", "versionType": "git" }, { "lessThan": "2e5ead9e4e91fbe7799bd38afd8904543be1cb51", "status": "affected", "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3", "versionType": "git" }, { "lessThan": "7f6265fce3bd424ded666481b37f106d7915fb6b", "status": "affected", "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3", "versionType": "git" }, { "lessThan": "a0319c9b1648a67511e947a596ca86888451c0a7", "status": "affected", "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3", "versionType": "git" }, { "lessThan": "c741a7ef68023ac800054e2131c3e22e647fd7e3", "status": "affected", "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3", "versionType": "git" }, { "lessThan": "12c331b29c7397ac3b03584e12902990693bc248", "status": "affected", "version": "a57e5de476be0b4b7f42beb6a21c19ad9c577aa3", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/google/gve/gve_tx_dqo.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.14" }, { "lessThan": "5.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: add missing NULL check for gve_alloc_pending_packet() in TX DQO\n\ngve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()\ndid not check for this case before dereferencing the returned pointer.\n\nAdd a missing NULL check to prevent a potential NULL pointer\ndereference when allocation fails.\n\nThis improves robustness in low-memory scenarios." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:42.700Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ae98a1787fdcb0096d122bc80d93c3c7d812c04b" }, { "url": "https://git.kernel.org/stable/c/2e5ead9e4e91fbe7799bd38afd8904543be1cb51" }, { "url": "https://git.kernel.org/stable/c/7f6265fce3bd424ded666481b37f106d7915fb6b" }, { "url": "https://git.kernel.org/stable/c/a0319c9b1648a67511e947a596ca86888451c0a7" }, { "url": "https://git.kernel.org/stable/c/c741a7ef68023ac800054e2131c3e22e647fd7e3" }, { "url": "https://git.kernel.org/stable/c/12c331b29c7397ac3b03584e12902990693bc248" } ], "title": "gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38122", "datePublished": "2025-07-03T08:35:28.582Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:42.700Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38139 (GCVE-0-2025-38139)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix oops in write-retry from mis-resetting the subreq iterator
Fix the resetting of the subrequest iterator in netfs_retry_write_stream()
to use the iterator-reset function as the iterator may have been shortened
by a previous retry. In such a case, the amount of data to be written by
the subrequest is not "subreq->len" but "subreq->len -
subreq->transferred".
Without this, KASAN may see an error in iov_iter_revert():
BUG: KASAN: slab-out-of-bounds in iov_iter_revert lib/iov_iter.c:633 [inline]
BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611
Read of size 4 at addr ffff88802912a0b8 by task kworker/u32:7/1147
CPU: 1 UID: 0 PID: 1147 Comm: kworker/u32:7 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound netfs_write_collection_worker
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
iov_iter_revert lib/iov_iter.c:633 [inline]
iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611
netfs_retry_write_stream fs/netfs/write_retry.c:44 [inline]
netfs_retry_writes+0x166d/0x1a50 fs/netfs/write_retry.c:231
netfs_collect_write_results fs/netfs/write_collect.c:352 [inline]
netfs_write_collection_worker+0x23fd/0x3830 fs/netfs/write_collect.c:374
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c2/0x780 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/netfs/write_retry.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e0fefe9bc07e6101fdc57abda3644f296c114e31", "status": "affected", "version": "cd0277ed0c188dd40e7744e89299af7b78831ca4", "versionType": "git" }, { "lessThan": "bd0edaf99a920b1a9decd773179caacacb61d0fd", "status": "affected", "version": "cd0277ed0c188dd40e7744e89299af7b78831ca4", "versionType": "git" }, { "lessThan": "4481f7f2b3df123ec77e828c849138f75cff2bf2", "status": "affected", "version": "cd0277ed0c188dd40e7744e89299af7b78831ca4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/netfs/write_retry.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.12" }, { "lessThan": "6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.37", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.37", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix oops in write-retry from mis-resetting the subreq iterator\n\nFix the resetting of the subrequest iterator in netfs_retry_write_stream()\nto use the iterator-reset function as the iterator may have been shortened\nby a previous retry. In such a case, the amount of data to be written by\nthe subrequest is not \"subreq-\u003elen\" but \"subreq-\u003elen -\nsubreq-\u003etransferred\".\n\nWithout this, KASAN may see an error in iov_iter_revert():\n\n BUG: KASAN: slab-out-of-bounds in iov_iter_revert lib/iov_iter.c:633 [inline]\n BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611\n Read of size 4 at addr ffff88802912a0b8 by task kworker/u32:7/1147\n\n CPU: 1 UID: 0 PID: 1147 Comm: kworker/u32:7 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n Workqueue: events_unbound netfs_write_collection_worker\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n iov_iter_revert lib/iov_iter.c:633 [inline]\n iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611\n netfs_retry_write_stream fs/netfs/write_retry.c:44 [inline]\n netfs_retry_writes+0x166d/0x1a50 fs/netfs/write_retry.c:231\n netfs_collect_write_results fs/netfs/write_collect.c:352 [inline]\n netfs_write_collection_worker+0x23fd/0x3830 fs/netfs/write_collect.c:374\n process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3319 [inline]\n worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400\n kthread+0x3c2/0x780 kernel/kthread.c:464\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:17.620Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e0fefe9bc07e6101fdc57abda3644f296c114e31" }, { "url": "https://git.kernel.org/stable/c/bd0edaf99a920b1a9decd773179caacacb61d0fd" }, { "url": "https://git.kernel.org/stable/c/4481f7f2b3df123ec77e828c849138f75cff2bf2" } ], "title": "netfs: Fix oops in write-retry from mis-resetting the subreq iterator", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38139", "datePublished": "2025-07-03T08:35:41.271Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:17.620Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38101 (GCVE-0-2025-38101)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()
Enlarge the critical section in ring_buffer_subbuf_order_set() to
ensure that error handling takes place with per-buffer mutex held,
thus preventing list corruption and other concurrency-related issues.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/trace/ring_buffer.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e09c0600beea469b3ebf974464e526a02d59ad62", "status": "affected", "version": "f9b94daa542a8d2532f0930f01cd9aec2d19621b", "versionType": "git" }, { "lessThan": "0fc9a295cd8e59c3636e97395e7c74a9c89fee42", "status": "affected", "version": "f9b94daa542a8d2532f0930f01cd9aec2d19621b", "versionType": "git" }, { "lessThan": "40ee2afafc1d9fe3aa44a6fbe440d78a5c96a72e", "status": "affected", "version": "f9b94daa542a8d2532f0930f01cd9aec2d19621b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/trace/ring_buffer.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()\n\nEnlarge the critical section in ring_buffer_subbuf_order_set() to\nensure that error handling takes place with per-buffer mutex held,\nthus preventing list corruption and other concurrency-related issues." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:15.362Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e09c0600beea469b3ebf974464e526a02d59ad62" }, { "url": "https://git.kernel.org/stable/c/0fc9a295cd8e59c3636e97395e7c74a9c89fee42" }, { "url": "https://git.kernel.org/stable/c/40ee2afafc1d9fe3aa44a6fbe440d78a5c96a72e" } ], "title": "ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38101", "datePublished": "2025-07-03T08:35:10.844Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:15.362Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38096 (GCVE-0-2025-38096)
Vulnerability from cvelistv5
Published
2025-07-03 08:13
Modified
2025-07-03 08:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: don't warn when if there is a FW error
iwl_trans_reclaim is warning if it is called when the FW is not alive.
But if it is called when there is a pending restart, i.e. after a FW
error, there is no need to warn, instead - return silently.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/iwl-trans.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0446d34a853d9576e2a7628c803d2abd2f8cf3a8", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d07a08f42dc7230c902e1af2a899a72b0a03aa69", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "c7f50d0433a016d43681592836a3d484817bfb34", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/intel/iwlwifi/iwl-trans.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.31", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.31", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: don\u0027t warn when if there is a FW error\n\niwl_trans_reclaim is warning if it is called when the FW is not alive.\nBut if it is called when there is a pending restart, i.e. after a FW\nerror, there is no need to warn, instead - return silently." } ], "providerMetadata": { "dateUpdated": "2025-07-03T08:13:57.007Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0446d34a853d9576e2a7628c803d2abd2f8cf3a8" }, { "url": "https://git.kernel.org/stable/c/d07a08f42dc7230c902e1af2a899a72b0a03aa69" }, { "url": "https://git.kernel.org/stable/c/c7f50d0433a016d43681592836a3d484817bfb34" } ], "title": "wifi: iwlwifi: don\u0027t warn when if there is a FW error", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38096", "datePublished": "2025-07-03T08:13:57.007Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-03T08:13:57.007Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38130 (GCVE-0-2025-38130)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/connector: only call HDMI audio helper plugged cb if non-null
On driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cb
with NULL as the callback function and codec_dev, as seen in its
hdmi_remove function.
The HDMI audio helper then happily tries calling said null function
pointer, and produces an Oops as a result.
Fix this by only executing the callback if fn is non-null. This means
the .plugged_cb and .plugged_cb_dev members still get appropriately
cleared.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/display/drm_hdmi_audio_helper.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "933f3eab1d489af8d734bff855b10d29dd5968a4", "status": "affected", "version": "baf616647fe6f857a0cf2187197de31e9bb17a71", "versionType": "git" }, { "lessThan": "be9b3f9a54101c19226c25ba7163d291183777a0", "status": "affected", "version": "baf616647fe6f857a0cf2187197de31e9bb17a71", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/display/drm_hdmi_audio_helper.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.14" }, { "lessThan": "6.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/connector: only call HDMI audio helper plugged cb if non-null\n\nOn driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cb\nwith NULL as the callback function and codec_dev, as seen in its\nhdmi_remove function.\n\nThe HDMI audio helper then happily tries calling said null function\npointer, and produces an Oops as a result.\n\nFix this by only executing the callback if fn is non-null. This means\nthe .plugged_cb and .plugged_cb_dev members still get appropriately\ncleared." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:59.341Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/933f3eab1d489af8d734bff855b10d29dd5968a4" }, { "url": "https://git.kernel.org/stable/c/be9b3f9a54101c19226c25ba7163d291183777a0" } ], "title": "drm/connector: only call HDMI audio helper plugged cb if non-null", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38130", "datePublished": "2025-07-03T08:35:34.385Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:12:59.341Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38162 (GCVE-0-2025-38162)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_pipapo: prevent overflow in lookup table allocation
When calculating the lookup table size, ensure the following
multiplication does not overflow:
- desc->field_len[] maximum value is U8_MAX multiplied by
NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case.
- NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case.
- sizeof(unsigned long), from sizeof(*f->lt), lt in
struct nft_pipapo_field.
Then, use check_mul_overflow() to multiply by bucket size and then use
check_add_overflow() to the alignment for avx2 (if needed). Finally, add
lt_size_check_overflow() helper and use it to consolidate this.
While at it, replace leftover allocation using the GFP_KERNEL to
GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/netfilter/nft_set_pipapo.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c1360ac8156c0a3f2385baef91d8d26fd9d39701", "status": "affected", "version": "3c4287f62044a90e73a561aa05fc46e62da173da", "versionType": "git" }, { "lessThan": "43fe1181f738295624696ae9ff611790edb65b5e", "status": "affected", "version": "3c4287f62044a90e73a561aa05fc46e62da173da", "versionType": "git" }, { "lessThan": "4c5c6aa9967dbe55bd017bb509885928d0f31206", "status": "affected", "version": "3c4287f62044a90e73a561aa05fc46e62da173da", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/netfilter/nft_set_pipapo.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.6" }, { "lessThan": "5.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: prevent overflow in lookup table allocation\n\nWhen calculating the lookup table size, ensure the following\nmultiplication does not overflow:\n\n- desc-\u003efield_len[] maximum value is U8_MAX multiplied by\n NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case.\n- NFT_PIPAPO_BUCKETS(f-\u003ebb) is 2^8, worst case.\n- sizeof(unsigned long), from sizeof(*f-\u003elt), lt in\n struct nft_pipapo_field.\n\nThen, use check_mul_overflow() to multiply by bucket size and then use\ncheck_add_overflow() to the alignment for avx2 (if needed). Finally, add\nlt_size_check_overflow() helper and use it to consolidate this.\n\nWhile at it, replace leftover allocation using the GFP_KERNEL to\nGFP_KERNEL_ACCOUNT for consistency, in pipapo_resize()." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:55.195Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c1360ac8156c0a3f2385baef91d8d26fd9d39701" }, { "url": "https://git.kernel.org/stable/c/43fe1181f738295624696ae9ff611790edb65b5e" }, { "url": "https://git.kernel.org/stable/c/4c5c6aa9967dbe55bd017bb509885928d0f31206" } ], "title": "netfilter: nft_set_pipapo: prevent overflow in lookup table allocation", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38162", "datePublished": "2025-07-03T08:36:03.731Z", "dateReserved": "2025-04-16T04:51:23.990Z", "dateUpdated": "2025-07-28T04:13:55.195Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38149 (GCVE-0-2025-38149)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: clear phydev->devlink when the link is deleted
There is a potential crash issue when disabling and re-enabling the
network port. When disabling the network port, phy_detach() calls
device_link_del() to remove the device link, but it does not clear
phydev->devlink, so phydev->devlink is not a NULL pointer. Then the
network port is re-enabled, but if phy_attach_direct() fails before
calling device_link_add(), the code jumps to the "error" label and
calls phy_detach(). Since phydev->devlink retains the old value from
the previous attach/detach cycle, device_link_del() uses the old value,
which accesses a NULL pointer and causes a crash. The simplified crash
log is as follows.
[ 24.702421] Call trace:
[ 24.704856] device_link_put_kref+0x20/0x120
[ 24.709124] device_link_del+0x30/0x48
[ 24.712864] phy_detach+0x24/0x168
[ 24.716261] phy_attach_direct+0x168/0x3a4
[ 24.720352] phylink_fwnode_phy_connect+0xc8/0x14c
[ 24.725140] phylink_of_phy_connect+0x1c/0x34
Therefore, phydev->devlink needs to be cleared when the device link is
deleted.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/phy/phy_device.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "363fdf2777423ad346d781f09548cca14877f729", "status": "affected", "version": "bc66fa87d4fda9053a8145e5718fc278c2b88253", "versionType": "git" }, { "lessThan": "ddc654e89ace723b78c34911c65243accbc9b75c", "status": "affected", "version": "bc66fa87d4fda9053a8145e5718fc278c2b88253", "versionType": "git" }, { "lessThan": "034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87", "status": "affected", "version": "bc66fa87d4fda9053a8145e5718fc278c2b88253", "versionType": "git" }, { "lessThan": "0795b05a59b1371b18ffbf09d385296b12e9f5d5", "status": "affected", "version": "bc66fa87d4fda9053a8145e5718fc278c2b88253", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/phy/phy_device.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: clear phydev-\u003edevlink when the link is deleted\n\nThere is a potential crash issue when disabling and re-enabling the\nnetwork port. When disabling the network port, phy_detach() calls\ndevice_link_del() to remove the device link, but it does not clear\nphydev-\u003edevlink, so phydev-\u003edevlink is not a NULL pointer. Then the\nnetwork port is re-enabled, but if phy_attach_direct() fails before\ncalling device_link_add(), the code jumps to the \"error\" label and\ncalls phy_detach(). Since phydev-\u003edevlink retains the old value from\nthe previous attach/detach cycle, device_link_del() uses the old value,\nwhich accesses a NULL pointer and causes a crash. The simplified crash\nlog is as follows.\n\n[ 24.702421] Call trace:\n[ 24.704856] device_link_put_kref+0x20/0x120\n[ 24.709124] device_link_del+0x30/0x48\n[ 24.712864] phy_detach+0x24/0x168\n[ 24.716261] phy_attach_direct+0x168/0x3a4\n[ 24.720352] phylink_fwnode_phy_connect+0xc8/0x14c\n[ 24.725140] phylink_of_phy_connect+0x1c/0x34\n\nTherefore, phydev-\u003edevlink needs to be cleared when the device link is\ndeleted." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:37.893Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/363fdf2777423ad346d781f09548cca14877f729" }, { "url": "https://git.kernel.org/stable/c/ddc654e89ace723b78c34911c65243accbc9b75c" }, { "url": "https://git.kernel.org/stable/c/034bc4a2a72dea2cfcaf24c6bae03c38ad5a0b87" }, { "url": "https://git.kernel.org/stable/c/0795b05a59b1371b18ffbf09d385296b12e9f5d5" } ], "title": "net: phy: clear phydev-\u003edevlink when the link is deleted", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38149", "datePublished": "2025-07-03T08:35:54.405Z", "dateReserved": "2025-04-16T04:51:23.988Z", "dateUpdated": "2025-07-28T04:13:37.893Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38141 (GCVE-0-2025-38141)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix dm_blk_report_zones
If dm_get_live_table() returned NULL, dm_put_live_table() was never
called. Also, it is possible that md->zone_revalidate_map will change
while calling this function. Only read it once, so that we are always
using the same value. Otherwise we might miss a call to
dm_put_live_table().
Finally, while md->zone_revalidate_map is set and a process is calling
blk_revalidate_disk_zones() to set up the zone append emulation
resources, it is possible that another process, perhaps triggered by
blkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If
blk_revalidate_disk_zones() fails, these resources can be freed while
the other process is still using them, causing a use-after-free error.
blk_revalidate_disk_zones() will only ever be called when initially
setting up the zone append emulation resources, such as when setting up
a zoned dm-crypt table for the first time. Further table swaps will not
set md->zone_revalidate_map or call blk_revalidate_disk_zones().
However it must be called using the new table (referenced by
md->zone_revalidate_map) and the new queue limits while the DM device is
suspended. dm_blk_report_zones() needs some way to distinguish between a
call from blk_revalidate_disk_zones(), which must be allowed to use
md->zone_revalidate_map to access this not yet activated table, and all
other calls to dm_blk_report_zones(), which should not be allowed while
the device is suspended and cannot use md->zone_revalidate_map, since
the zone resources might be freed by the process currently calling
blk_revalidate_disk_zones().
Solve this by tracking the process that sets md->zone_revalidate_map in
dm_revalidate_zones() and only allowing that process to make use of it
in dm_blk_report_zones().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/dm-core.h", "drivers/md/dm-zone.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f9c1bdf24615303d48a2d0fd629c88f3189563aa", "status": "affected", "version": "f211268ed1f9bdf48f06a3ead5f5d88437450579", "versionType": "git" }, { "lessThan": "d19bc1b4dd5f322980b1f05f79b2ea4f0db10920", "status": "affected", "version": "f211268ed1f9bdf48f06a3ead5f5d88437450579", "versionType": "git" }, { "lessThan": "37f53a2c60d03743e0eacf7a0c01c279776fef4e", "status": "affected", "version": "f211268ed1f9bdf48f06a3ead5f5d88437450579", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/dm-core.h", "drivers/md/dm-zone.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.10" }, { "lessThan": "6.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix dm_blk_report_zones\n\nIf dm_get_live_table() returned NULL, dm_put_live_table() was never\ncalled. Also, it is possible that md-\u003ezone_revalidate_map will change\nwhile calling this function. Only read it once, so that we are always\nusing the same value. Otherwise we might miss a call to\ndm_put_live_table().\n\nFinally, while md-\u003ezone_revalidate_map is set and a process is calling\nblk_revalidate_disk_zones() to set up the zone append emulation\nresources, it is possible that another process, perhaps triggered by\nblkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If\nblk_revalidate_disk_zones() fails, these resources can be freed while\nthe other process is still using them, causing a use-after-free error.\n\nblk_revalidate_disk_zones() will only ever be called when initially\nsetting up the zone append emulation resources, such as when setting up\na zoned dm-crypt table for the first time. Further table swaps will not\nset md-\u003ezone_revalidate_map or call blk_revalidate_disk_zones().\nHowever it must be called using the new table (referenced by\nmd-\u003ezone_revalidate_map) and the new queue limits while the DM device is\nsuspended. dm_blk_report_zones() needs some way to distinguish between a\ncall from blk_revalidate_disk_zones(), which must be allowed to use\nmd-\u003ezone_revalidate_map to access this not yet activated table, and all\nother calls to dm_blk_report_zones(), which should not be allowed while\nthe device is suspended and cannot use md-\u003ezone_revalidate_map, since\nthe zone resources might be freed by the process currently calling\nblk_revalidate_disk_zones().\n\nSolve this by tracking the process that sets md-\u003ezone_revalidate_map in\ndm_revalidate_zones() and only allowing that process to make use of it\nin dm_blk_report_zones()." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:20.687Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f9c1bdf24615303d48a2d0fd629c88f3189563aa" }, { "url": "https://git.kernel.org/stable/c/d19bc1b4dd5f322980b1f05f79b2ea4f0db10920" }, { "url": "https://git.kernel.org/stable/c/37f53a2c60d03743e0eacf7a0c01c279776fef4e" } ], "title": "dm: fix dm_blk_report_zones", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38141", "datePublished": "2025-07-03T08:35:42.787Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:20.687Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38131 (GCVE-0-2025-38131)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: prevent deactivate active config while enabling the config
While enable active config via cscfg_csdev_enable_active_config(),
active config could be deactivated via configfs' sysfs interface.
This could make UAF issue in below scenario:
CPU0 CPU1
(sysfs enable) load module
cscfg_load_config_sets()
activate config. // sysfs
(sys_active_cnt == 1)
...
cscfg_csdev_enable_active_config()
lock(csdev->cscfg_csdev_lock)
// here load config activate by CPU1
unlock(csdev->cscfg_csdev_lock)
deactivate config // sysfs
(sys_activec_cnt == 0)
cscfg_unload_config_sets()
unload module
// access to config_desc which freed
// while unloading module.
cscfg_csdev_enable_config
To address this, use cscfg_config_desc's active_cnt as a reference count
which will be holded when
- activate the config.
- enable the activated config.
and put the module reference when config_active_cnt == 0.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f8cce2ff3c04361b8843d8489620fda8880f668b Version: f8cce2ff3c04361b8843d8489620fda8880f668b Version: f8cce2ff3c04361b8843d8489620fda8880f668b Version: f8cce2ff3c04361b8843d8489620fda8880f668b Version: f8cce2ff3c04361b8843d8489620fda8880f668b |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hwtracing/coresight/coresight-config.h", "drivers/hwtracing/coresight/coresight-syscfg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "dfe8224c9c7a43d356eb9f74b06868aa05f90223", "status": "affected", "version": "f8cce2ff3c04361b8843d8489620fda8880f668b", "versionType": "git" }, { "lessThan": "b3b4efa2e623aecaebd7c9b9e4171f5c659e9724", "status": "affected", "version": "f8cce2ff3c04361b8843d8489620fda8880f668b", "versionType": "git" }, { "lessThan": "31028812724cef7bd57a51525ce58a32a6d73b22", "status": "affected", "version": "f8cce2ff3c04361b8843d8489620fda8880f668b", "versionType": "git" }, { "lessThan": "ed42ee1ed05ff2f4c36938379057413a40c56680", "status": "affected", "version": "f8cce2ff3c04361b8843d8489620fda8880f668b", "versionType": "git" }, { "lessThan": "408c97c4a5e0b634dcd15bf8b8808b382e888164", "status": "affected", "version": "f8cce2ff3c04361b8843d8489620fda8880f668b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hwtracing/coresight/coresight-config.h", "drivers/hwtracing/coresight/coresight-syscfg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: prevent deactivate active config while enabling the config\n\nWhile enable active config via cscfg_csdev_enable_active_config(),\nactive config could be deactivated via configfs\u0027 sysfs interface.\nThis could make UAF issue in below scenario:\n\nCPU0 CPU1\n(sysfs enable) load module\n cscfg_load_config_sets()\n activate config. // sysfs\n (sys_active_cnt == 1)\n...\ncscfg_csdev_enable_active_config()\nlock(csdev-\u003ecscfg_csdev_lock)\n// here load config activate by CPU1\nunlock(csdev-\u003ecscfg_csdev_lock)\n\n deactivate config // sysfs\n (sys_activec_cnt == 0)\n cscfg_unload_config_sets()\n unload module\n\n// access to config_desc which freed\n// while unloading module.\ncscfg_csdev_enable_config\n\nTo address this, use cscfg_config_desc\u0027s active_cnt as a reference count\n which will be holded when\n - activate the config.\n - enable the activated config.\nand put the module reference when config_active_cnt == 0." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:00.836Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/dfe8224c9c7a43d356eb9f74b06868aa05f90223" }, { "url": "https://git.kernel.org/stable/c/b3b4efa2e623aecaebd7c9b9e4171f5c659e9724" }, { "url": "https://git.kernel.org/stable/c/31028812724cef7bd57a51525ce58a32a6d73b22" }, { "url": "https://git.kernel.org/stable/c/ed42ee1ed05ff2f4c36938379057413a40c56680" }, { "url": "https://git.kernel.org/stable/c/408c97c4a5e0b634dcd15bf8b8808b382e888164" } ], "title": "coresight: prevent deactivate active config while enabling the config", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38131", "datePublished": "2025-07-03T08:35:35.036Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:00.836Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38170 (GCVE-0-2025-38170)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64/fpsimd: Discard stale CPU state when handling SME traps
The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state
incorrectly, and a race with preemption can result in a task having
TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state
is stale (e.g. with SME traps enabled). This can result in warnings from
do_sme_acc() where SME traps are not expected while TIF_SME is set:
| /* With TIF_SME userspace shouldn't generate any traps */
| if (test_and_set_thread_flag(TIF_SME))
| WARN_ON(1);
This is very similar to the SVE issue we fixed in commit:
751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps")
The race can occur when the SME trap handler is preempted before and
after manipulating the saved FPSIMD/SVE/SME state, starting and ending on
the same CPU, e.g.
| void do_sme_acc(unsigned long esr, struct pt_regs *regs)
| {
| // Trap on CPU 0 with TIF_SME clear, SME traps enabled
| // task->fpsimd_cpu is 0.
| // per_cpu_ptr(&fpsimd_last_state, 0) is task.
|
| ...
|
| // Preempted; migrated from CPU 0 to CPU 1.
| // TIF_FOREIGN_FPSTATE is set.
|
| get_cpu_fpsimd_context();
|
| /* With TIF_SME userspace shouldn't generate any traps */
| if (test_and_set_thread_flag(TIF_SME))
| WARN_ON(1);
|
| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
| unsigned long vq_minus_one =
| sve_vq_from_vl(task_get_sme_vl(current)) - 1;
| sme_set_vq(vq_minus_one);
|
| fpsimd_bind_task_to_cpu();
| }
|
| put_cpu_fpsimd_context();
|
| // Preempted; migrated from CPU 1 to CPU 0.
| // task->fpsimd_cpu is still 0
| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
| // - Stale HW state is reused (with SME traps enabled)
| // - TIF_FOREIGN_FPSTATE is cleared
| // - A return to userspace skips HW state restore
| }
Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set
by calling fpsimd_flush_task_state() to detach from the saved CPU
state. This ensures that a subsequent context switch will not reuse the
stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the
new state to be reloaded from memory prior to a return to userspace.
Note: this was originallly posted as [1].
[ Rutland: rewrite commit message ]
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd Version: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd Version: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd Version: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd Version: 8bd7f91c03d886f41d35f6108078d20be5a4a1bd |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arm64/kernel/fpsimd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "de89368de3894a8db27caeb8fd902ba1c49f696a", "status": "affected", "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd", "versionType": "git" }, { "lessThan": "43be952e885476dafb74aa832c0847b2f4f650c6", "status": "affected", "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd", "versionType": "git" }, { "lessThan": "6103f9ba51a59afb5a0f32299c837377c5a5a693", "status": "affected", "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd", "versionType": "git" }, { "lessThan": "c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3", "status": "affected", "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd", "versionType": "git" }, { "lessThan": "d3eaab3c70905c5467e5c4ea403053d67505adeb", "status": "affected", "version": "8bd7f91c03d886f41d35f6108078d20be5a4a1bd", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arm64/kernel/fpsimd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.19", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Discard stale CPU state when handling SME traps\n\nThe logic for handling SME traps manipulates saved FPSIMD/SVE/SME state\nincorrectly, and a race with preemption can result in a task having\nTIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SME traps enabled). This can result in warnings from\ndo_sme_acc() where SME traps are not expected while TIF_SME is set:\n\n| /* With TIF_SME userspace shouldn\u0027t generate any traps */\n| if (test_and_set_thread_flag(TIF_SME))\n| WARN_ON(1);\n\nThis is very similar to the SVE issue we fixed in commit:\n\n 751ecf6afd6568ad (\"arm64/sve: Discard stale CPU state when handling SVE traps\")\n\nThe race can occur when the SME trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE/SME state, starting and ending on\nthe same CPU, e.g.\n\n| void do_sme_acc(unsigned long esr, struct pt_regs *regs)\n| {\n| // Trap on CPU 0 with TIF_SME clear, SME traps enabled\n| // task-\u003efpsimd_cpu is 0.\n| // per_cpu_ptr(\u0026fpsimd_last_state, 0) is task.\n|\n| ...\n|\n| // Preempted; migrated from CPU 0 to CPU 1.\n| // TIF_FOREIGN_FPSTATE is set.\n|\n| get_cpu_fpsimd_context();\n|\n| /* With TIF_SME userspace shouldn\u0027t generate any traps */\n| if (test_and_set_thread_flag(TIF_SME))\n| WARN_ON(1);\n|\n| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n| unsigned long vq_minus_one =\n| sve_vq_from_vl(task_get_sme_vl(current)) - 1;\n| sme_set_vq(vq_minus_one);\n|\n| fpsimd_bind_task_to_cpu();\n| }\n|\n| put_cpu_fpsimd_context();\n|\n| // Preempted; migrated from CPU 1 to CPU 0.\n| // task-\u003efpsimd_cpu is still 0\n| // If per_cpu_ptr(\u0026fpsimd_last_state, 0) is still task then:\n| // - Stale HW state is reused (with SME traps enabled)\n| // - TIF_FOREIGN_FPSTATE is cleared\n| // - A return to userspace skips HW state restore\n| }\n\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace.\n\nNote: this was originallly posted as [1].\n\n[ Rutland: rewrite commit message ]" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:14:10.966Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/de89368de3894a8db27caeb8fd902ba1c49f696a" }, { "url": "https://git.kernel.org/stable/c/43be952e885476dafb74aa832c0847b2f4f650c6" }, { "url": "https://git.kernel.org/stable/c/6103f9ba51a59afb5a0f32299c837377c5a5a693" }, { "url": "https://git.kernel.org/stable/c/c4a4786d93e99517d6f10ed56b9ffba4ce88d3b3" }, { "url": "https://git.kernel.org/stable/c/d3eaab3c70905c5467e5c4ea403053d67505adeb" } ], "title": "arm64/fpsimd: Discard stale CPU state when handling SME traps", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38170", "datePublished": "2025-07-03T08:36:09.012Z", "dateReserved": "2025-04-16T04:51:23.991Z", "dateUpdated": "2025-07-28T04:14:10.966Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38114 (GCVE-0-2025-38114)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
e1000: Move cancel_work_sync to avoid deadlock
Previously, e1000_down called cancel_work_sync for the e1000 reset task
(via e1000_down_and_stop), which takes RTNL.
As reported by users and syzbot, a deadlock is possible in the following
scenario:
CPU 0:
- RTNL is held
- e1000_close
- e1000_down
- cancel_work_sync (cancel / wait for e1000_reset_task())
CPU 1:
- process_one_work
- e1000_reset_task
- take RTNL
To remedy this, avoid calling cancel_work_sync from e1000_down
(e1000_reset_task does nothing if the device is down anyway). Instead,
call cancel_work_sync for e1000_reset_task when the device is being
removed.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/intel/e1000/e1000_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1fd4438ddcc4958ed24662d5125114299e19bae4", "status": "affected", "version": "e400c7444d84b0fd2ebb34e618f83abe05917543", "versionType": "git" }, { "lessThan": "b4a8085ceefb7bbb12c2b71c55e71fc946c6929f", "status": "affected", "version": "e400c7444d84b0fd2ebb34e618f83abe05917543", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/intel/e1000/e1000_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.13" }, { "lessThan": "6.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ne1000: Move cancel_work_sync to avoid deadlock\n\nPreviously, e1000_down called cancel_work_sync for the e1000 reset task\n(via e1000_down_and_stop), which takes RTNL.\n\nAs reported by users and syzbot, a deadlock is possible in the following\nscenario:\n\nCPU 0:\n - RTNL is held\n - e1000_close\n - e1000_down\n - cancel_work_sync (cancel / wait for e1000_reset_task())\n\nCPU 1:\n - process_one_work\n - e1000_reset_task\n - take RTNL\n\nTo remedy this, avoid calling cancel_work_sync from e1000_down\n(e1000_reset_task does nothing if the device is down anyway). Instead,\ncall cancel_work_sync for e1000_reset_task when the device is being\nremoved." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:32.203Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1fd4438ddcc4958ed24662d5125114299e19bae4" }, { "url": "https://git.kernel.org/stable/c/b4a8085ceefb7bbb12c2b71c55e71fc946c6929f" } ], "title": "e1000: Move cancel_work_sync to avoid deadlock", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38114", "datePublished": "2025-07-03T08:35:23.047Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:32.203Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38111 (GCVE-0-2025-38111)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mdiobus: Fix potential out-of-bounds read/write access
When using publicly available tools like 'mdio-tools' to read/write data
from/to network interface and its PHY via mdiobus, there is no verification of
parameters passed to the ioctl and it accepts any mdio address.
Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,
but it is possible to pass higher value than that via ioctl.
While read/write operation should generally fail in this case,
mdiobus provides stats array, where wrong address may allow out-of-bounds
read/write.
Fix that by adding address verification before read/write operation.
While this excludes this access from any statistics, it improves security of
read/write operation.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 080bb352fad00d04995102f681b134e3754bfb6e Version: 080bb352fad00d04995102f681b134e3754bfb6e Version: 080bb352fad00d04995102f681b134e3754bfb6e Version: 080bb352fad00d04995102f681b134e3754bfb6e Version: 080bb352fad00d04995102f681b134e3754bfb6e Version: 080bb352fad00d04995102f681b134e3754bfb6e Version: 080bb352fad00d04995102f681b134e3754bfb6e |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/phy/mdio_bus.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "19c5875e26c4ed5686d82a7d8f7051385461b9eb", "status": "affected", "version": "080bb352fad00d04995102f681b134e3754bfb6e", "versionType": "git" }, { "lessThan": "014ad9210373d2104f6ef10e6bb999a7a0a4c50e", "status": "affected", "version": "080bb352fad00d04995102f681b134e3754bfb6e", "versionType": "git" }, { "lessThan": "73d478234a619f3476028cb02dee699c30ae8262", "status": "affected", "version": "080bb352fad00d04995102f681b134e3754bfb6e", "versionType": "git" }, { "lessThan": "bab6bca0834cbb5be2a7cfe59ec6ad016ec72608", "status": "affected", "version": "080bb352fad00d04995102f681b134e3754bfb6e", "versionType": "git" }, { "lessThan": "b02d9d2732483e670bc34cb233d28e1d43b15da4", "status": "affected", "version": "080bb352fad00d04995102f681b134e3754bfb6e", "versionType": "git" }, { "lessThan": "049af7ac45a6b407748ee0995278fd861e36df8f", "status": "affected", "version": "080bb352fad00d04995102f681b134e3754bfb6e", "versionType": "git" }, { "lessThan": "0e629694126ca388916f059453a1c36adde219c4", "status": "affected", "version": "080bb352fad00d04995102f681b134e3754bfb6e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/phy/mdio_bus.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.6" }, { "lessThan": "5.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds read/write access\n\nWhen using publicly available tools like \u0027mdio-tools\u0027 to read/write data\nfrom/to network interface and its PHY via mdiobus, there is no verification of\nparameters passed to the ioctl and it accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:27.829Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/19c5875e26c4ed5686d82a7d8f7051385461b9eb" }, { "url": "https://git.kernel.org/stable/c/014ad9210373d2104f6ef10e6bb999a7a0a4c50e" }, { "url": "https://git.kernel.org/stable/c/73d478234a619f3476028cb02dee699c30ae8262" }, { "url": "https://git.kernel.org/stable/c/bab6bca0834cbb5be2a7cfe59ec6ad016ec72608" }, { "url": "https://git.kernel.org/stable/c/b02d9d2732483e670bc34cb233d28e1d43b15da4" }, { "url": "https://git.kernel.org/stable/c/049af7ac45a6b407748ee0995278fd861e36df8f" }, { "url": "https://git.kernel.org/stable/c/0e629694126ca388916f059453a1c36adde219c4" } ], "title": "net/mdiobus: Fix potential out-of-bounds read/write access", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38111", "datePublished": "2025-07-03T08:35:20.643Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:27.829Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38148 (GCVE-0-2025-38148)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: mscc: Fix memory leak when using one step timestamping
Fix memory leak when running one-step timestamping. When running
one-step sync timestamping, the HW is configured to insert the TX time
into the frame, so there is no reason to keep the skb anymore. As in
this case the HW will never generate an interrupt to say that the frame
was timestamped, then the frame will never released.
Fix this by freeing the frame in case of one-step timestamping.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 7d272e63e0979d38a6256108adbe462d621c26c5 Version: 7d272e63e0979d38a6256108adbe462d621c26c5 Version: 7d272e63e0979d38a6256108adbe462d621c26c5 Version: 7d272e63e0979d38a6256108adbe462d621c26c5 Version: 7d272e63e0979d38a6256108adbe462d621c26c5 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/phy/mscc/mscc_ptp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "db2a12ddd3a31f668137ff6a4befc1343c79cbc4", "status": "affected", "version": "7d272e63e0979d38a6256108adbe462d621c26c5", "versionType": "git" }, { "lessThan": "0b40aeaf83ca04d4c9801e235b7533400c8b5f17", "status": "affected", "version": "7d272e63e0979d38a6256108adbe462d621c26c5", "versionType": "git" }, { "lessThan": "66abe22017522dd56b820e41ca3a5b131a637001", "status": "affected", "version": "7d272e63e0979d38a6256108adbe462d621c26c5", "versionType": "git" }, { "lessThan": "cdbabd316c5a4a9b0fda6aafe491e2db17fbb95d", "status": "affected", "version": "7d272e63e0979d38a6256108adbe462d621c26c5", "versionType": "git" }, { "lessThan": "846992645b25ec4253167e3f931e4597eb84af56", "status": "affected", "version": "7d272e63e0979d38a6256108adbe462d621c26c5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/phy/mscc/mscc_ptp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.9" }, { "lessThan": "5.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: mscc: Fix memory leak when using one step timestamping\n\nFix memory leak when running one-step timestamping. When running\none-step sync timestamping, the HW is configured to insert the TX time\ninto the frame, so there is no reason to keep the skb anymore. As in\nthis case the HW will never generate an interrupt to say that the frame\nwas timestamped, then the frame will never released.\nFix this by freeing the frame in case of one-step timestamping." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:36.247Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/db2a12ddd3a31f668137ff6a4befc1343c79cbc4" }, { "url": "https://git.kernel.org/stable/c/0b40aeaf83ca04d4c9801e235b7533400c8b5f17" }, { "url": "https://git.kernel.org/stable/c/66abe22017522dd56b820e41ca3a5b131a637001" }, { "url": "https://git.kernel.org/stable/c/cdbabd316c5a4a9b0fda6aafe491e2db17fbb95d" }, { "url": "https://git.kernel.org/stable/c/846992645b25ec4253167e3f931e4597eb84af56" } ], "title": "net: phy: mscc: Fix memory leak when using one step timestamping", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38148", "datePublished": "2025-07-03T08:35:53.544Z", "dateReserved": "2025-04-16T04:51:23.988Z", "dateUpdated": "2025-07-28T04:13:36.247Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38163 (GCVE-0-2025-38163)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on sbi->total_valid_block_count
syzbot reported a f2fs bug as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/f2fs.h:2521!
RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521
Call Trace:
f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695
truncate_dnode+0x417/0x740 fs/f2fs/node.c:973
truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014
f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197
f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810
f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838
f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888
f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112
notify_change+0xbca/0xe90 fs/attr.c:552
do_truncate+0x222/0x310 fs/open.c:65
handle_truncate fs/namei.c:3466 [inline]
do_open fs/namei.c:3849 [inline]
path_openat+0x2e4f/0x35d0 fs/namei.c:4004
do_filp_open+0x284/0x4e0 fs/namei.c:4031
do_sys_openat2+0x12b/0x1d0 fs/open.c:1429
do_sys_open fs/open.c:1444 [inline]
__do_sys_creat fs/open.c:1522 [inline]
__se_sys_creat fs/open.c:1516 [inline]
__x64_sys_creat+0x124/0x170 fs/open.c:1516
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
The reason is: in fuzzed image, sbi->total_valid_block_count is
inconsistent w/ mapped blocks indexed by inode, so, we should
not trigger panic for such case, instead, let's print log and
set fsck flag.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 Version: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 Version: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 Version: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 Version: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 Version: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 Version: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 Version: 39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/f2fs/f2fs.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "49bc7bf38e42cfa642787e947f5721696ea73ac3", "status": "affected", "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5", "versionType": "git" }, { "lessThan": "f1b743c1955151bd392539b739a3ad155296be13", "status": "affected", "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5", "versionType": "git" }, { "lessThan": "6a324d77f7ea1a91d55c4b6ad970e3ac9ab6a20d", "status": "affected", "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5", "versionType": "git" }, { "lessThan": "25f3776b58c1c45ad2e50ab4b263505b4d2378ca", "status": "affected", "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5", "versionType": "git" }, { "lessThan": "a39cc43efc1bca74ed9d6cf9e60b995071f7d178", "status": "affected", "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5", "versionType": "git" }, { "lessThan": "65b3f76592aed5a43c4d79375ac097acf975972b", "status": "affected", "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5", "versionType": "git" }, { "lessThan": "ccc28c0397f75a3ec9539cceed9db014d7b73869", "status": "affected", "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5", "versionType": "git" }, { "lessThan": "05872a167c2cab80ef186ef23cc34a6776a1a30c", "status": "affected", "version": "39a53e0ce0df01b3cf4bb898c7ae2fd2189647d5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/f2fs/f2fs.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.8" }, { "lessThan": "3.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "3.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on sbi-\u003etotal_valid_block_count\n\nsyzbot reported a f2fs bug as below:\n\n------------[ cut here ]------------\nkernel BUG at fs/f2fs/f2fs.h:2521!\nRIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521\nCall Trace:\n f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695\n truncate_dnode+0x417/0x740 fs/f2fs/node.c:973\n truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014\n f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197\n f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810\n f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838\n f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888\n f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112\n notify_change+0xbca/0xe90 fs/attr.c:552\n do_truncate+0x222/0x310 fs/open.c:65\n handle_truncate fs/namei.c:3466 [inline]\n do_open fs/namei.c:3849 [inline]\n path_openat+0x2e4f/0x35d0 fs/namei.c:4004\n do_filp_open+0x284/0x4e0 fs/namei.c:4031\n do_sys_openat2+0x12b/0x1d0 fs/open.c:1429\n do_sys_open fs/open.c:1444 [inline]\n __do_sys_creat fs/open.c:1522 [inline]\n __se_sys_creat fs/open.c:1516 [inline]\n __x64_sys_creat+0x124/0x170 fs/open.c:1516\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94\n\nThe reason is: in fuzzed image, sbi-\u003etotal_valid_block_count is\ninconsistent w/ mapped blocks indexed by inode, so, we should\nnot trigger panic for such case, instead, let\u0027s print log and\nset fsck flag." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:56.526Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/49bc7bf38e42cfa642787e947f5721696ea73ac3" }, { "url": "https://git.kernel.org/stable/c/f1b743c1955151bd392539b739a3ad155296be13" }, { "url": "https://git.kernel.org/stable/c/6a324d77f7ea1a91d55c4b6ad970e3ac9ab6a20d" }, { "url": "https://git.kernel.org/stable/c/25f3776b58c1c45ad2e50ab4b263505b4d2378ca" }, { "url": "https://git.kernel.org/stable/c/a39cc43efc1bca74ed9d6cf9e60b995071f7d178" }, { "url": "https://git.kernel.org/stable/c/65b3f76592aed5a43c4d79375ac097acf975972b" }, { "url": "https://git.kernel.org/stable/c/ccc28c0397f75a3ec9539cceed9db014d7b73869" }, { "url": "https://git.kernel.org/stable/c/05872a167c2cab80ef186ef23cc34a6776a1a30c" } ], "title": "f2fs: fix to do sanity check on sbi-\u003etotal_valid_block_count", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38163", "datePublished": "2025-07-03T08:36:04.397Z", "dateReserved": "2025-04-16T04:51:23.991Z", "dateUpdated": "2025-07-28T04:13:56.526Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38167 (GCVE-0-2025-38167)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: handle hdr_first_de() return value
The hdr_first_de() function returns a pointer to a struct NTFS_DE. This
pointer may be NULL. To handle the NULL error effectively, it is important
to implement an error handler. This will help manage potential errors
consistently.
Additionally, error handling for the return value already exists at other
points where this function is called.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 Version: 82cae269cfa953032fbb8980a7d554d60fb00b17 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ntfs3/index.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5390b3d4c6d41d05bb9149d094d504cbc9ea85bf", "status": "affected", "version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "versionType": "git" }, { "lessThan": "83cd0aa74793384dbdffc140500b200e9776a302", "status": "affected", "version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "versionType": "git" }, { "lessThan": "701340a25b1ad210e6b8192195be21fd3fcc22c7", "status": "affected", "version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "versionType": "git" }, { "lessThan": "2d5879f64554181b89f44d4817b9ea86e8e913e1", "status": "affected", "version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "versionType": "git" }, { "lessThan": "4ecd0cde89feee26525ccdf1af0c1ae156ca010b", "status": "affected", "version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "versionType": "git" }, { "lessThan": "af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70", "status": "affected", "version": "82cae269cfa953032fbb8980a7d554d60fb00b17", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ntfs3/index.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: handle hdr_first_de() return value\n\nThe hdr_first_de() function returns a pointer to a struct NTFS_DE. This\npointer may be NULL. To handle the NULL error effectively, it is important\nto implement an error handler. This will help manage potential errors\nconsistently.\n\nAdditionally, error handling for the return value already exists at other\npoints where this function is called.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:14:01.630Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5390b3d4c6d41d05bb9149d094d504cbc9ea85bf" }, { "url": "https://git.kernel.org/stable/c/83cd0aa74793384dbdffc140500b200e9776a302" }, { "url": "https://git.kernel.org/stable/c/701340a25b1ad210e6b8192195be21fd3fcc22c7" }, { "url": "https://git.kernel.org/stable/c/2d5879f64554181b89f44d4817b9ea86e8e913e1" }, { "url": "https://git.kernel.org/stable/c/4ecd0cde89feee26525ccdf1af0c1ae156ca010b" }, { "url": "https://git.kernel.org/stable/c/af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70" } ], "title": "fs/ntfs3: handle hdr_first_de() return value", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38167", "datePublished": "2025-07-03T08:36:06.987Z", "dateReserved": "2025-04-16T04:51:23.991Z", "dateUpdated": "2025-07-28T04:14:01.630Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38099 (GCVE-0-2025-38099)
Vulnerability from cvelistv5
Published
2025-07-03 08:13
Modified
2025-07-03 08:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken
A SCO connection without the proper voice_setting can cause
the controller to lock up.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_event.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f48ee562c095e552a30b8d9cc0566a267b410f8a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ec1f015ec0c6fd250a6564e8452f7bb3160b9cb1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "14d17c78a4b1660c443bae9d38c814edea506f62", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/hci_event.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.31", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.31", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken\n\nA SCO connection without the proper voice_setting can cause\nthe controller to lock up." } ], "providerMetadata": { "dateUpdated": "2025-07-03T08:13:59.288Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f48ee562c095e552a30b8d9cc0566a267b410f8a" }, { "url": "https://git.kernel.org/stable/c/ec1f015ec0c6fd250a6564e8452f7bb3160b9cb1" }, { "url": "https://git.kernel.org/stable/c/14d17c78a4b1660c443bae9d38c814edea506f62" } ], "title": "Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38099", "datePublished": "2025-07-03T08:13:59.288Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-03T08:13:59.288Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38138 (GCVE-0-2025-38138)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: Add NULL check in udma_probe()
devm_kasprintf() returns NULL when memory allocation fails. Currently,
udma_probe() does not check for this case, which results in a NULL
pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 25dcb5dd7b7ce5587c1df18f584ff78f51a68a94 Version: 25dcb5dd7b7ce5587c1df18f584ff78f51a68a94 Version: 25dcb5dd7b7ce5587c1df18f584ff78f51a68a94 Version: 25dcb5dd7b7ce5587c1df18f584ff78f51a68a94 Version: 25dcb5dd7b7ce5587c1df18f584ff78f51a68a94 Version: 25dcb5dd7b7ce5587c1df18f584ff78f51a68a94 Version: 25dcb5dd7b7ce5587c1df18f584ff78f51a68a94 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/dma/ti/k3-udma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ec1ea394c40523835bbedd8fc4934b77b461b6fe", "status": "affected", "version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94", "versionType": "git" }, { "lessThan": "9f133e04c62246353b8b1f0a679535c65161ebcf", "status": "affected", "version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94", "versionType": "git" }, { "lessThan": "d61d5ba5bd5b0e39e30b34dcd92946e084bca0d0", "status": "affected", "version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94", "versionType": "git" }, { "lessThan": "b79e10050d9d1e200541d25751dd5cb8ec58483c", "status": "affected", "version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94", "versionType": "git" }, { "lessThan": "bc6ddff79835f71310a21645d8fcf08ec473e969", "status": "affected", "version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94", "versionType": "git" }, { "lessThan": "643db430f4cbd91dd2b63c49d62d0abb6debc13b", "status": "affected", "version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94", "versionType": "git" }, { "lessThan": "fd447415e74bccd7362f760d4ea727f8e1ebfe91", "status": "affected", "version": "25dcb5dd7b7ce5587c1df18f584ff78f51a68a94", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/dma/ti/k3-udma.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.6" }, { "lessThan": "5.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: Add NULL check in udma_probe()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\nudma_probe() does not check for this case, which results in a NULL\npointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:16.378Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ec1ea394c40523835bbedd8fc4934b77b461b6fe" }, { "url": "https://git.kernel.org/stable/c/9f133e04c62246353b8b1f0a679535c65161ebcf" }, { "url": "https://git.kernel.org/stable/c/d61d5ba5bd5b0e39e30b34dcd92946e084bca0d0" }, { "url": "https://git.kernel.org/stable/c/b79e10050d9d1e200541d25751dd5cb8ec58483c" }, { "url": "https://git.kernel.org/stable/c/bc6ddff79835f71310a21645d8fcf08ec473e969" }, { "url": "https://git.kernel.org/stable/c/643db430f4cbd91dd2b63c49d62d0abb6debc13b" }, { "url": "https://git.kernel.org/stable/c/fd447415e74bccd7362f760d4ea727f8e1ebfe91" } ], "title": "dmaengine: ti: Add NULL check in udma_probe()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38138", "datePublished": "2025-07-03T08:35:40.499Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:16.378Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38134 (GCVE-0-2025-38134)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink()
As demonstrated by the fix for update_port_device_state,
commit 12783c0b9e2c ("usb: core: Prevent null pointer dereference in update_port_device_state"),
usb_hub_to_struct_hub() can return NULL in certain scenarios,
such as during hub driver unbind or teardown race conditions,
even if the underlying usb_device structure exists.
Plus, all other places that call usb_hub_to_struct_hub() in the same file
do check for NULL return values.
If usb_hub_to_struct_hub() returns NULL, the subsequent access to
hub->ports[udev->portnum - 1] will cause a null pointer dereference.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/core/usb-acpi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8fa544bff8466062e42949c93f3e528f4be5624b", "status": "affected", "version": "f1bfb4a6fed64de1771b43a76631942279851744", "versionType": "git" }, { "lessThan": "e3d530173b70514d4390a94f9f979acad689b70a", "status": "affected", "version": "f1bfb4a6fed64de1771b43a76631942279851744", "versionType": "git" }, { "lessThan": "73fb0ec9436ae87bcae067ce35d6cdd72bade86c", "status": "affected", "version": "f1bfb4a6fed64de1771b43a76631942279851744", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/core/usb-acpi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.12" }, { "lessThan": "6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink()\n\nAs demonstrated by the fix for update_port_device_state,\ncommit 12783c0b9e2c (\"usb: core: Prevent null pointer dereference in update_port_device_state\"),\nusb_hub_to_struct_hub() can return NULL in certain scenarios,\nsuch as during hub driver unbind or teardown race conditions,\neven if the underlying usb_device structure exists.\n\nPlus, all other places that call usb_hub_to_struct_hub() in the same file\ndo check for NULL return values.\n\nIf usb_hub_to_struct_hub() returns NULL, the subsequent access to\nhub-\u003eports[udev-\u003eportnum - 1] will cause a null pointer dereference." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:10.210Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8fa544bff8466062e42949c93f3e528f4be5624b" }, { "url": "https://git.kernel.org/stable/c/e3d530173b70514d4390a94f9f979acad689b70a" }, { "url": "https://git.kernel.org/stable/c/73fb0ec9436ae87bcae067ce35d6cdd72bade86c" } ], "title": "usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38134", "datePublished": "2025-07-03T08:35:37.674Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:10.210Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38110 (GCVE-0-2025-38110)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mdiobus: Fix potential out-of-bounds clause 45 read/write access
When using publicly available tools like 'mdio-tools' to read/write data
from/to network interface and its PHY via C45 (clause 45) mdiobus,
there is no verification of parameters passed to the ioctl and
it accepts any mdio address.
Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,
but it is possible to pass higher value than that via ioctl.
While read/write operation should generally fail in this case,
mdiobus provides stats array, where wrong address may allow out-of-bounds
read/write.
Fix that by adding address verification before C45 read/write operation.
While this excludes this access from any statistics, it improves security of
read/write operation.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/phy/mdio_bus.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "abb0605ca00979a49572a6516f6db22c3dc57223", "status": "affected", "version": "4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a", "versionType": "git" }, { "lessThan": "31bf7b2b92563a352788cf9df3698682f659bacc", "status": "affected", "version": "4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a", "versionType": "git" }, { "lessThan": "4ded22f7f3ce9714ed72c3e9c68fea1cb9388ae7", "status": "affected", "version": "4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a", "versionType": "git" }, { "lessThan": "260388f79e94fb3026c419a208ece8358bb7b555", "status": "affected", "version": "4e4aafcddbbfcdd6eed5780e190fcbfac8b4685a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/phy/mdio_bus.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds clause 45 read/write access\n\nWhen using publicly available tools like \u0027mdio-tools\u0027 to read/write data\nfrom/to network interface and its PHY via C45 (clause 45) mdiobus,\nthere is no verification of parameters passed to the ioctl and\nit accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before C45 read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:26.552Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/abb0605ca00979a49572a6516f6db22c3dc57223" }, { "url": "https://git.kernel.org/stable/c/31bf7b2b92563a352788cf9df3698682f659bacc" }, { "url": "https://git.kernel.org/stable/c/4ded22f7f3ce9714ed72c3e9c68fea1cb9388ae7" }, { "url": "https://git.kernel.org/stable/c/260388f79e94fb3026c419a208ece8358bb7b555" } ], "title": "net/mdiobus: Fix potential out-of-bounds clause 45 read/write access", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38110", "datePublished": "2025-07-03T08:35:19.928Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:26.552Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38165 (GCVE-0-2025-38165)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-08-28 14:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix panic when calling skb_linearize
The panic can be reproduced by executing the command:
./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000
Then a kernel panic was captured:
'''
[ 657.460555] kernel BUG at net/core/skbuff.c:2178!
[ 657.462680] Tainted: [W]=WARN
[ 657.463287] Workqueue: events sk_psock_backlog
...
[ 657.469610] <TASK>
[ 657.469738] ? die+0x36/0x90
[ 657.469916] ? do_trap+0x1d0/0x270
[ 657.470118] ? pskb_expand_head+0x612/0xf40
[ 657.470376] ? pskb_expand_head+0x612/0xf40
[ 657.470620] ? do_error_trap+0xa3/0x170
[ 657.470846] ? pskb_expand_head+0x612/0xf40
[ 657.471092] ? handle_invalid_op+0x2c/0x40
[ 657.471335] ? pskb_expand_head+0x612/0xf40
[ 657.471579] ? exc_invalid_op+0x2d/0x40
[ 657.471805] ? asm_exc_invalid_op+0x1a/0x20
[ 657.472052] ? pskb_expand_head+0xd1/0xf40
[ 657.472292] ? pskb_expand_head+0x612/0xf40
[ 657.472540] ? lock_acquire+0x18f/0x4e0
[ 657.472766] ? find_held_lock+0x2d/0x110
[ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10
[ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470
[ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10
[ 657.473826] __pskb_pull_tail+0xfd/0x1d20
[ 657.474062] ? __kasan_slab_alloc+0x4e/0x90
[ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510
[ 657.475392] ? __kasan_kmalloc+0xaa/0xb0
[ 657.476010] sk_psock_backlog+0x5cf/0xd70
[ 657.476637] process_one_work+0x858/0x1a20
'''
The panic originates from the assertion BUG_ON(skb_shared(skb)) in
skb_linearize(). A previous commit(see Fixes tag) introduced skb_get()
to avoid race conditions between skb operations in the backlog and skb
release in the recvmsg path. However, this caused the panic to always
occur when skb_linearize is executed.
The "--rx-strp 100000" parameter forces the RX path to use the strparser
module which aggregates data until it reaches 100KB before calling sockmap
logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.
To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.
'''
sk_psock_backlog:
sk_psock_handle_skb
skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'
sk_psock_skb_ingress____________
↓
|
| → sk_psock_skb_ingress_self
| sk_psock_skb_ingress_enqueue
sk_psock_verdict_apply_________________↑ skb_linearize
'''
Note that for verdict_apply path, the skb_get operation is unnecessary so
we add 'take_ref' param to control it's behavior.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 65ad600b9bde68d2d28709943ab00b51ca8f0a1d Version: 923877254f002ae87d441382bb1096d9e773d56d Version: a454d84ee20baf7bd7be90721b9821f73c7d23d9 Version: a454d84ee20baf7bd7be90721b9821f73c7d23d9 Version: a454d84ee20baf7bd7be90721b9821f73c7d23d9 Version: a454d84ee20baf7bd7be90721b9821f73c7d23d9 Version: e6b5e47adb9166e732cdf7e6e034946e3f89f36d |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/core/skmsg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4dba44333a11522df54b49aa1f2edfaf6ce35fc7", "status": "affected", "version": "65ad600b9bde68d2d28709943ab00b51ca8f0a1d", "versionType": "git" }, { "lessThan": "9718ba6490732dbe70190d42c21deb1440834402", "status": "affected", "version": "923877254f002ae87d441382bb1096d9e773d56d", "versionType": "git" }, { "lessThan": "db1d15a26f21f97459508c42ae87cabe8d3afc3b", "status": "affected", "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9", "versionType": "git" }, { "lessThan": "3d25fa2d7f127348c818e1dab9e58534f7ac56cc", "status": "affected", "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9", "versionType": "git" }, { "lessThan": "e9c1299d813fc04668042690f2c3cc76d013959a", "status": "affected", "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9", "versionType": "git" }, { "lessThan": "5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e", "status": "affected", "version": "a454d84ee20baf7bd7be90721b9821f73c7d23d9", "versionType": "git" }, { "status": "affected", "version": "e6b5e47adb9166e732cdf7e6e034946e3f89f36d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/core/skmsg.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.6" }, { "lessThan": "6.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "5.15.189", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "6.1.54", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix panic when calling skb_linearize\n\nThe panic can be reproduced by executing the command:\n./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000\n\nThen a kernel panic was captured:\n\u0027\u0027\u0027\n[ 657.460555] kernel BUG at net/core/skbuff.c:2178!\n[ 657.462680] Tainted: [W]=WARN\n[ 657.463287] Workqueue: events sk_psock_backlog\n...\n[ 657.469610] \u003cTASK\u003e\n[ 657.469738] ? die+0x36/0x90\n[ 657.469916] ? do_trap+0x1d0/0x270\n[ 657.470118] ? pskb_expand_head+0x612/0xf40\n[ 657.470376] ? pskb_expand_head+0x612/0xf40\n[ 657.470620] ? do_error_trap+0xa3/0x170\n[ 657.470846] ? pskb_expand_head+0x612/0xf40\n[ 657.471092] ? handle_invalid_op+0x2c/0x40\n[ 657.471335] ? pskb_expand_head+0x612/0xf40\n[ 657.471579] ? exc_invalid_op+0x2d/0x40\n[ 657.471805] ? asm_exc_invalid_op+0x1a/0x20\n[ 657.472052] ? pskb_expand_head+0xd1/0xf40\n[ 657.472292] ? pskb_expand_head+0x612/0xf40\n[ 657.472540] ? lock_acquire+0x18f/0x4e0\n[ 657.472766] ? find_held_lock+0x2d/0x110\n[ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10\n[ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470\n[ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10\n[ 657.473826] __pskb_pull_tail+0xfd/0x1d20\n[ 657.474062] ? __kasan_slab_alloc+0x4e/0x90\n[ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510\n[ 657.475392] ? __kasan_kmalloc+0xaa/0xb0\n[ 657.476010] sk_psock_backlog+0x5cf/0xd70\n[ 657.476637] process_one_work+0x858/0x1a20\n\u0027\u0027\u0027\n\nThe panic originates from the assertion BUG_ON(skb_shared(skb)) in\nskb_linearize(). A previous commit(see Fixes tag) introduced skb_get()\nto avoid race conditions between skb operations in the backlog and skb\nrelease in the recvmsg path. However, this caused the panic to always\noccur when skb_linearize is executed.\n\nThe \"--rx-strp 100000\" parameter forces the RX path to use the strparser\nmodule which aggregates data until it reaches 100KB before calling sockmap\nlogic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.\n\nTo fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.\n\n\u0027\u0027\u0027\nsk_psock_backlog:\n sk_psock_handle_skb\n skb_get(skb) \u003c== we move it into \u0027sk_psock_skb_ingress_enqueue\u0027\n sk_psock_skb_ingress____________\n \u2193\n |\n | \u2192 sk_psock_skb_ingress_self\n | sk_psock_skb_ingress_enqueue\nsk_psock_verdict_apply_________________\u2191 skb_linearize\n\u0027\u0027\u0027\n\nNote that for verdict_apply path, the skb_get operation is unnecessary so\nwe add \u0027take_ref\u0027 param to control it\u0027s behavior." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:42:57.617Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4dba44333a11522df54b49aa1f2edfaf6ce35fc7" }, { "url": "https://git.kernel.org/stable/c/9718ba6490732dbe70190d42c21deb1440834402" }, { "url": "https://git.kernel.org/stable/c/db1d15a26f21f97459508c42ae87cabe8d3afc3b" }, { "url": "https://git.kernel.org/stable/c/3d25fa2d7f127348c818e1dab9e58534f7ac56cc" }, { "url": "https://git.kernel.org/stable/c/e9c1299d813fc04668042690f2c3cc76d013959a" }, { "url": "https://git.kernel.org/stable/c/5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e" } ], "title": "bpf, sockmap: Fix panic when calling skb_linearize", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38165", "datePublished": "2025-07-03T08:36:05.738Z", "dateReserved": "2025-04-16T04:51:23.991Z", "dateUpdated": "2025-08-28T14:42:57.617Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38115 (GCVE-0-2025-38115)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: sch_sfq: fix a potential crash on gso_skb handling
SFQ has an assumption of always being able to queue at least one packet.
However, after the blamed commit, sch->q.len can be inflated by packets
in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed
by an immediate drop.
Fix sfq_drop() to properly clear q->tail in this situation.
ip netns add lb
ip link add dev to-lb type veth peer name in-lb netns lb
ethtool -K to-lb tso off # force qdisc to requeue gso_skb
ip netns exec lb ethtool -K in-lb gro on # enable NAPI
ip link set dev to-lb up
ip -netns lb link set dev in-lb up
ip addr add dev to-lb 192.168.20.1/24
ip -netns lb addr add dev in-lb 192.168.20.2/24
tc qdisc replace dev to-lb root sfq limit 100
ip netns exec lb netserver
netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
netperf -H 192.168.20.2 -l 100 &
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: a53851e2c3218aa30b77abd6e68cf1c371f15afe Version: a53851e2c3218aa30b77abd6e68cf1c371f15afe Version: a53851e2c3218aa30b77abd6e68cf1c371f15afe Version: a53851e2c3218aa30b77abd6e68cf1c371f15afe Version: a53851e2c3218aa30b77abd6e68cf1c371f15afe Version: a53851e2c3218aa30b77abd6e68cf1c371f15afe Version: a53851e2c3218aa30b77abd6e68cf1c371f15afe Version: a53851e2c3218aa30b77abd6e68cf1c371f15afe |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sched/sch_sfq.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c337efb20d6d9f9bbb4746f6b119917af5c886dc", "status": "affected", "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe", "versionType": "git" }, { "lessThan": "b44f791f27b14c9eb6b907fbe51f2ba8bec32085", "status": "affected", "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe", "versionType": "git" }, { "lessThan": "5814a7fc3abb41f63f2d44c9d3ff9d4e62965b72", "status": "affected", "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe", "versionType": "git" }, { "lessThan": "9c19498bdd7cb9d854bd3c54260f71cf7408495e", "status": "affected", "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe", "versionType": "git" }, { "lessThan": "b4e9bab6011b9559b7c157b16b91ae46d4d8c533", "status": "affected", "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe", "versionType": "git" }, { "lessThan": "d1bc80da75c789f2f6830df89d91fb2f7a509943", "status": "affected", "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe", "versionType": "git" }, { "lessThan": "82448d4dcd8406dec688632a405fdcf7f170ec69", "status": "affected", "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe", "versionType": "git" }, { "lessThan": "82ffbe7776d0ac084031f114167712269bf3d832", "status": "affected", "version": "a53851e2c3218aa30b77abd6e68cf1c371f15afe", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sched/sch_sfq.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.16" }, { "lessThan": "4.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: fix a potential crash on gso_skb handling\n\nSFQ has an assumption of always being able to queue at least one packet.\n\nHowever, after the blamed commit, sch-\u003eq.len can be inflated by packets\nin sch-\u003egso_skb, and an enqueue() on an empty SFQ qdisc can be followed\nby an immediate drop.\n\nFix sfq_drop() to properly clear q-\u003etail in this situation.\n\n\nip netns add lb\nip link add dev to-lb type veth peer name in-lb netns lb\nethtool -K to-lb tso off # force qdisc to requeue gso_skb\nip netns exec lb ethtool -K in-lb gro on # enable NAPI\nip link set dev to-lb up\nip -netns lb link set dev in-lb up\nip addr add dev to-lb 192.168.20.1/24\nip -netns lb addr add dev in-lb 192.168.20.2/24\ntc qdisc replace dev to-lb root sfq limit 100\n\nip netns exec lb netserver\n\nnetperf -H 192.168.20.2 -l 100 \u0026\nnetperf -H 192.168.20.2 -l 100 \u0026\nnetperf -H 192.168.20.2 -l 100 \u0026\nnetperf -H 192.168.20.2 -l 100 \u0026" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:33.385Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c337efb20d6d9f9bbb4746f6b119917af5c886dc" }, { "url": "https://git.kernel.org/stable/c/b44f791f27b14c9eb6b907fbe51f2ba8bec32085" }, { "url": "https://git.kernel.org/stable/c/5814a7fc3abb41f63f2d44c9d3ff9d4e62965b72" }, { "url": "https://git.kernel.org/stable/c/9c19498bdd7cb9d854bd3c54260f71cf7408495e" }, { "url": "https://git.kernel.org/stable/c/b4e9bab6011b9559b7c157b16b91ae46d4d8c533" }, { "url": "https://git.kernel.org/stable/c/d1bc80da75c789f2f6830df89d91fb2f7a509943" }, { "url": "https://git.kernel.org/stable/c/82448d4dcd8406dec688632a405fdcf7f170ec69" }, { "url": "https://git.kernel.org/stable/c/82ffbe7776d0ac084031f114167712269bf3d832" } ], "title": "net_sched: sch_sfq: fix a potential crash on gso_skb handling", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38115", "datePublished": "2025-07-03T08:35:23.750Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:33.385Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38129 (GCVE-0-2025-38129)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
page_pool: Fix use-after-free in page_pool_recycle_in_ring
syzbot reported a uaf in page_pool_recycle_in_ring:
BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943
CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]
_raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]
page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]
page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826
page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]
page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]
napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036
skb_pp_recycle net/core/skbuff.c:1047 [inline]
skb_free_head net/core/skbuff.c:1094 [inline]
skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242
kfree_skb_reason include/linux/skbuff.h:1263 [inline]
__skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]
root cause is:
page_pool_recycle_in_ring
ptr_ring_produce
spin_lock(&r->producer_lock);
WRITE_ONCE(r->queue[r->producer++], ptr)
//recycle last page to pool
page_pool_release
page_pool_scrub
page_pool_empty_ring
ptr_ring_consume
page_pool_return_page //release all page
__page_pool_destroy
free_percpu(pool->recycle_stats);
free(pool) //free
spin_unlock(&r->producer_lock); //pool->ring uaf read
recycle_stat_inc(pool, ring);
page_pool can be free while page pool recycle the last page in ring.
Add producer-lock barrier to page_pool_release to prevent the page
pool from being free before all pages have been recycled.
recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not
enabled, which will trigger Wempty-body build warning. Add definition
for pool stat macro to fix warning.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/core/page_pool.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e869a85acc2e60dc554579b910826a4919d8cd98", "status": "affected", "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f", "versionType": "git" }, { "lessThan": "4ab8c0f8905c9c4d05e7f437e65a9a365573ff02", "status": "affected", "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f", "versionType": "git" }, { "lessThan": "271683bb2cf32e5126c592b5d5e6a756fa374fd9", "status": "affected", "version": "ff7d6b27f894f1469dc51ccb828b7363ccd9799f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/core/page_pool.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.18" }, { "lessThan": "4.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix use-after-free in page_pool_recycle_in_ring\n\nsyzbot reported a uaf in page_pool_recycle_in_ring:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\n\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\n page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\n page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\n page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\n page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\n napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\n skb_pp_recycle net/core/skbuff.c:1047 [inline]\n skb_free_head net/core/skbuff.c:1094 [inline]\n skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb net/core/skbuff.c:1204 [inline]\n sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\n kfree_skb_reason include/linux/skbuff.h:1263 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\n\nroot cause is:\n\npage_pool_recycle_in_ring\n ptr_ring_produce\n spin_lock(\u0026r-\u003eproducer_lock);\n WRITE_ONCE(r-\u003equeue[r-\u003eproducer++], ptr)\n //recycle last page to pool\n\t\t\t\tpage_pool_release\n\t\t\t\t page_pool_scrub\n\t\t\t\t page_pool_empty_ring\n\t\t\t\t ptr_ring_consume\n\t\t\t\t page_pool_return_page //release all page\n\t\t\t\t __page_pool_destroy\n\t\t\t\t free_percpu(pool-\u003erecycle_stats);\n\t\t\t\t free(pool) //free\n\n spin_unlock(\u0026r-\u003eproducer_lock); //pool-\u003ering uaf read\n recycle_stat_inc(pool, ring);\n\npage_pool can be free while page pool recycle the last page in ring.\nAdd producer-lock barrier to page_pool_release to prevent the page\npool from being free before all pages have been recycled.\n\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger Wempty-body build warning. Add definition\nfor pool stat macro to fix warning." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:58.108Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e869a85acc2e60dc554579b910826a4919d8cd98" }, { "url": "https://git.kernel.org/stable/c/4ab8c0f8905c9c4d05e7f437e65a9a365573ff02" }, { "url": "https://git.kernel.org/stable/c/271683bb2cf32e5126c592b5d5e6a756fa374fd9" } ], "title": "page_pool: Fix use-after-free in page_pool_recycle_in_ring", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38129", "datePublished": "2025-07-03T08:35:33.728Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:12:58.108Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38173 (GCVE-0-2025-38173)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: marvell/cesa - Handle zero-length skcipher requests
Do not access random memory for zero-length skcipher requests.
Just return 0.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c Version: f63601fd616ab370774fa00ea10bcaaa9e48e84c |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/crypto/marvell/cesa/cipher.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "32d3e8049a8b60f18c5c39f5931bfb1130ac11c9", "status": "affected", "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c", "versionType": "git" }, { "lessThan": "c064ae2881d839709bd72d484d5f2af157f46024", "status": "affected", "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c", "versionType": "git" }, { "lessThan": "e1cc69da619588b1488689fe3535a0ba75a2b0e7", "status": "affected", "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c", "versionType": "git" }, { "lessThan": "78ea1ff6cb413a03ff6f7af4e28e24b4461a0965", "status": "affected", "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c", "versionType": "git" }, { "lessThan": "5e9666ac8b94c978690f937d59170c5237bd2c45", "status": "affected", "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c", "versionType": "git" }, { "lessThan": "7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13", "status": "affected", "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c", "versionType": "git" }, { "lessThan": "c9610dda42bd382a96f97e68825cb5f66cd9e1dc", "status": "affected", "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c", "versionType": "git" }, { "lessThan": "8a4e047c6cc07676f637608a9dd675349b5de0a7", "status": "affected", "version": "f63601fd616ab370774fa00ea10bcaaa9e48e84c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/crypto/marvell/cesa/cipher.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.2" }, { "lessThan": "4.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: marvell/cesa - Handle zero-length skcipher requests\n\nDo not access random memory for zero-length skcipher requests.\nJust return 0." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:14:15.078Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/32d3e8049a8b60f18c5c39f5931bfb1130ac11c9" }, { "url": "https://git.kernel.org/stable/c/c064ae2881d839709bd72d484d5f2af157f46024" }, { "url": "https://git.kernel.org/stable/c/e1cc69da619588b1488689fe3535a0ba75a2b0e7" }, { "url": "https://git.kernel.org/stable/c/78ea1ff6cb413a03ff6f7af4e28e24b4461a0965" }, { "url": "https://git.kernel.org/stable/c/5e9666ac8b94c978690f937d59170c5237bd2c45" }, { "url": "https://git.kernel.org/stable/c/7894694b5d5b2ecfd7fb081d6f60b9e169ab4d13" }, { "url": "https://git.kernel.org/stable/c/c9610dda42bd382a96f97e68825cb5f66cd9e1dc" }, { "url": "https://git.kernel.org/stable/c/8a4e047c6cc07676f637608a9dd675349b5de0a7" } ], "title": "crypto: marvell/cesa - Handle zero-length skcipher requests", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38173", "datePublished": "2025-07-03T08:36:10.969Z", "dateReserved": "2025-04-16T04:51:23.991Z", "dateUpdated": "2025-07-28T04:14:15.078Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38147 (GCVE-0-2025-38147)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
calipso: Don't call calipso functions for AF_INET sk.
syzkaller reported a null-ptr-deref in txopt_get(). [0]
The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo,
so struct ipv6_pinfo was NULL there.
However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6
is always set in inet6_create(), meaning the socket was not IPv6 one.
The root cause is missing validation in netlbl_conn_setattr().
netlbl_conn_setattr() switches branches based on struct
sockaddr.sa_family, which is passed from userspace. However,
netlbl_conn_setattr() does not check if the address family matches
the socket.
The syzkaller must have called connect() for an IPv6 address on
an IPv4 socket.
We have a proper validation in tcp_v[46]_connect(), but
security_socket_connect() is called in the earlier stage.
Let's copy the validation to netlbl_conn_setattr().
[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:txopt_get include/net/ipv6.h:390 [inline]
RIP: 0010:
Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00
RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c
RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070
RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e
R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00
R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80
FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0
PKRU: 80000000
Call Trace:
<TASK>
calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557
netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177
selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569
selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]
selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615
selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931
security_socket_connect+0x50/0xa0 security/security.c:4598
__sys_connect_file+0xa4/0x190 net/socket.c:2067
__sys_connect+0x12c/0x170 net/socket.c:2088
__do_sys_connect net/socket.c:2098 [inline]
__se_sys_connect net/socket.c:2095 [inline]
__x64_sys_connect+0x73/0xb0 net/socket.c:2095
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f901b61a12d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d
RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003
RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000
</TASK>
Modules linked in:
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ceba1832b1b2da0149c51de62a847c00bca1677a Version: ceba1832b1b2da0149c51de62a847c00bca1677a Version: ceba1832b1b2da0149c51de62a847c00bca1677a Version: ceba1832b1b2da0149c51de62a847c00bca1677a Version: ceba1832b1b2da0149c51de62a847c00bca1677a Version: ceba1832b1b2da0149c51de62a847c00bca1677a Version: ceba1832b1b2da0149c51de62a847c00bca1677a Version: ceba1832b1b2da0149c51de62a847c00bca1677a |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/netlabel/netlabel_kapi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "fc2da88411470480b8b7e9177e930cedd893cf56", "status": "affected", "version": "ceba1832b1b2da0149c51de62a847c00bca1677a", "versionType": "git" }, { "lessThan": "0c813dbc851dbf418fdc6dc883fd0592d6c555cd", "status": "affected", "version": "ceba1832b1b2da0149c51de62a847c00bca1677a", "versionType": "git" }, { "lessThan": "26ce90f1ce60b0ff587de8d6aec399aa55cab28e", "status": "affected", "version": "ceba1832b1b2da0149c51de62a847c00bca1677a", "versionType": "git" }, { "lessThan": "c32ebe33626335a536dbbdd09571c06dd9bc1729", "status": "affected", "version": "ceba1832b1b2da0149c51de62a847c00bca1677a", "versionType": "git" }, { "lessThan": "946bfdfcb76ac2bac5b8526447035885ff41c598", "status": "affected", "version": "ceba1832b1b2da0149c51de62a847c00bca1677a", "versionType": "git" }, { "lessThan": "dd8928897594931d6912ef2f7a43e110b4958d3d", "status": "affected", "version": "ceba1832b1b2da0149c51de62a847c00bca1677a", "versionType": "git" }, { "lessThan": "e2ec310c7a50271843c585e27ef14e48c66ce649", "status": "affected", "version": "ceba1832b1b2da0149c51de62a847c00bca1677a", "versionType": "git" }, { "lessThan": "6e9f2df1c550ead7cecb3e450af1105735020c92", "status": "affected", "version": "ceba1832b1b2da0149c51de62a847c00bca1677a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/netlabel/netlabel_kapi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.8" }, { "lessThan": "4.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncalipso: Don\u0027t call calipso functions for AF_INET sk.\n\nsyzkaller reported a null-ptr-deref in txopt_get(). [0]\n\nThe offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo,\nso struct ipv6_pinfo was NULL there.\n\nHowever, this never happens for IPv6 sockets as inet_sk(sk)-\u003epinet6\nis always set in inet6_create(), meaning the socket was not IPv6 one.\n\nThe root cause is missing validation in netlbl_conn_setattr().\n\nnetlbl_conn_setattr() switches branches based on struct\nsockaddr.sa_family, which is passed from userspace. However,\nnetlbl_conn_setattr() does not check if the address family matches\nthe socket.\n\nThe syzkaller must have called connect() for an IPv6 address on\nan IPv4 socket.\n\nWe have a proper validation in tcp_v[46]_connect(), but\nsecurity_socket_connect() is called in the earlier stage.\n\nLet\u0027s copy the validation to netlbl_conn_setattr().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nRIP: 0010:txopt_get include/net/ipv6.h:390 [inline]\nRIP: 0010:\nCode: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00\nRSP: 0018:ffff88811b8afc48 EFLAGS: 00010212\nRAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c\nRDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070\nRBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e\nR10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00\nR13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80\nFS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0\nPKRU: 80000000\nCall Trace:\n \u003cTASK\u003e\n calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557\n netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177\n selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569\n selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]\n selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615\n selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931\n security_socket_connect+0x50/0xa0 security/security.c:4598\n __sys_connect_file+0xa4/0x190 net/socket.c:2067\n __sys_connect+0x12c/0x170 net/socket.c:2088\n __do_sys_connect net/socket.c:2098 [inline]\n __se_sys_connect net/socket.c:2095 [inline]\n __x64_sys_connect+0x73/0xb0 net/socket.c:2095\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f901b61a12d\nCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d\nRDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003\nRBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000\n \u003c/TASK\u003e\nModules linked in:" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:34.888Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/fc2da88411470480b8b7e9177e930cedd893cf56" }, { "url": "https://git.kernel.org/stable/c/0c813dbc851dbf418fdc6dc883fd0592d6c555cd" }, { "url": "https://git.kernel.org/stable/c/26ce90f1ce60b0ff587de8d6aec399aa55cab28e" }, { "url": "https://git.kernel.org/stable/c/c32ebe33626335a536dbbdd09571c06dd9bc1729" }, { "url": "https://git.kernel.org/stable/c/946bfdfcb76ac2bac5b8526447035885ff41c598" }, { "url": "https://git.kernel.org/stable/c/dd8928897594931d6912ef2f7a43e110b4958d3d" }, { "url": "https://git.kernel.org/stable/c/e2ec310c7a50271843c585e27ef14e48c66ce649" }, { "url": "https://git.kernel.org/stable/c/6e9f2df1c550ead7cecb3e450af1105735020c92" } ], "title": "calipso: Don\u0027t call calipso functions for AF_INET sk.", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38147", "datePublished": "2025-07-03T08:35:52.921Z", "dateReserved": "2025-04-16T04:51:23.988Z", "dateUpdated": "2025-07-28T04:13:34.888Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38117 (GCVE-0-2025-38117)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: Protect mgmt_pending list with its own lock
This uses a mutex to protect from concurrent access of mgmt_pending
list which can cause crashes like:
==================================================================
BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91
Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318
CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xa8/0x254 mm/kasan/report.c:408
print_report+0x68/0x84 mm/kasan/report.c:521
kasan_report+0xb0/0x110 mm/kasan/report.c:634
__asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379
hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91
mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223
pending_find net/bluetooth/mgmt.c:947 [inline]
remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445
hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712
hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
sock_write_iter+0x25c/0x378 net/socket.c:1131
new_sync_write fs/read_write.c:591 [inline]
vfs_write+0x62c/0x97c fs/read_write.c:684
ksys_write+0x120/0x210 fs/read_write.c:736
__do_sys_write fs/read_write.c:747 [inline]
__se_sys_write fs/read_write.c:744 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:744
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Allocated by task 7037:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
__kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339
kmalloc_noprof include/linux/slab.h:909 [inline]
sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198
sk_alloc+0x44/0x3ac net/core/sock.c:2254
bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148
hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202
bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132
__sock_create+0x43c/0x91c net/socket.c:1541
sock_create net/socket.c:1599 [inline]
__sys_socket_create net/socket.c:1636 [inline]
__sys_socket+0xd4/0x1c0 net/socket.c:1683
__do_sys_socket net/socket.c:1697 [inline]
__se_sys_socket net/socket.c:1695 [inline]
__arm64_sys_socket+0x7c/0x94 net/socket.c:1695
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Freed by task 6607:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline
---truncated---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/net/bluetooth/hci_core.h", "net/bluetooth/hci_core.c", "net/bluetooth/mgmt.c", "net/bluetooth/mgmt_util.c", "net/bluetooth/mgmt_util.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "bdd56875c6926d8009914f427df71797693e90d4", "status": "affected", "version": "a380b6cff1a2d2139772e88219d08330f84d0381", "versionType": "git" }, { "lessThan": "4e83f2dbb2bf677e614109df24426c4dded472d4", "status": "affected", "version": "a380b6cff1a2d2139772e88219d08330f84d0381", "versionType": "git" }, { "lessThan": "d7882db79135c829a922daf3571f33ea1e056ae3", "status": "affected", "version": "a380b6cff1a2d2139772e88219d08330f84d0381", "versionType": "git" }, { "lessThan": "6fe26f694c824b8a4dbf50c635bee1302e3f099c", "status": "affected", "version": "a380b6cff1a2d2139772e88219d08330f84d0381", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/net/bluetooth/hci_core.h", "net/bluetooth/hci_core.c", "net/bluetooth/mgmt.c", "net/bluetooth/mgmt_util.c", "net/bluetooth/mgmt_util.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.1" }, { "lessThan": "4.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "4.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Protect mgmt_pending list with its own lock\n\nThis uses a mutex to protect from concurrent access of mgmt_pending\nlist which can cause crashes like:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91\nRead of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318\n\nCPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack+0x30/0x40 lib/dump_stack.c:94\n dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120\n print_address_description+0xa8/0x254 mm/kasan/report.c:408\n print_report+0x68/0x84 mm/kasan/report.c:521\n kasan_report+0xb0/0x110 mm/kasan/report.c:634\n __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379\n hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91\n mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223\n pending_find net/bluetooth/mgmt.c:947 [inline]\n remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445\n hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712\n hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n sock_write_iter+0x25c/0x378 net/socket.c:1131\n new_sync_write fs/read_write.c:591 [inline]\n vfs_write+0x62c/0x97c fs/read_write.c:684\n ksys_write+0x120/0x210 fs/read_write.c:736\n __do_sys_write fs/read_write.c:747 [inline]\n __se_sys_write fs/read_write.c:744 [inline]\n __arm64_sys_write+0x7c/0x90 fs/read_write.c:744\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nAllocated by task 7037:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4327 [inline]\n __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198\n sk_alloc+0x44/0x3ac net/core/sock.c:2254\n bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148\n hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202\n bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132\n __sock_create+0x43c/0x91c net/socket.c:1541\n sock_create net/socket.c:1599 [inline]\n __sys_socket_create net/socket.c:1636 [inline]\n __sys_socket+0xd4/0x1c0 net/socket.c:1683\n __do_sys_socket net/socket.c:1697 [inline]\n __se_sys_socket net/socket.c:1695 [inline]\n __arm64_sys_socket+0x7c/0x94 net/socket.c:1695\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767\n el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nFreed by task 6607:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:247 [inline]\n __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264\n kasan_slab_free include/linux/kasan.h:233 [inline\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:35.763Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/bdd56875c6926d8009914f427df71797693e90d4" }, { "url": "https://git.kernel.org/stable/c/4e83f2dbb2bf677e614109df24426c4dded472d4" }, { "url": "https://git.kernel.org/stable/c/d7882db79135c829a922daf3571f33ea1e056ae3" }, { "url": "https://git.kernel.org/stable/c/6fe26f694c824b8a4dbf50c635bee1302e3f099c" } ], "title": "Bluetooth: MGMT: Protect mgmt_pending list with its own lock", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38117", "datePublished": "2025-07-03T08:35:25.060Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:35.763Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38094 (GCVE-0-2025-38094)
Vulnerability from cvelistv5
Published
2025-07-03 07:44
Modified
2025-07-03 07:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: cadence: macb: Fix a possible deadlock in macb_halt_tx.
There is a situation where after THALT is set high, TGO stays high as
well. Because jiffies are never updated, as we are in a context with
interrupts disabled, we never exit that loop and have a deadlock.
That deadlock was noticed on a sama5d4 device that stayed locked for days.
Use retries instead of jiffies so that the timeout really works and we do
not have a deadlock anymore.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e86cd53afc5907f7c221b709916e2dd354e14691 Version: e86cd53afc5907f7c221b709916e2dd354e14691 Version: e86cd53afc5907f7c221b709916e2dd354e14691 Version: e86cd53afc5907f7c221b709916e2dd354e14691 Version: e86cd53afc5907f7c221b709916e2dd354e14691 Version: e86cd53afc5907f7c221b709916e2dd354e14691 Version: e86cd53afc5907f7c221b709916e2dd354e14691 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/cadence/macb_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0772a608d799ac0d127c0a36047a2725777aba9d", "status": "affected", "version": "e86cd53afc5907f7c221b709916e2dd354e14691", "versionType": "git" }, { "lessThan": "64675a9c00443b2e8af42af08c38fc1b78b68ba2", "status": "affected", "version": "e86cd53afc5907f7c221b709916e2dd354e14691", "versionType": "git" }, { "lessThan": "aace6b63892ce8307e502a60fe2f5a4bc6e1cfe7", "status": "affected", "version": "e86cd53afc5907f7c221b709916e2dd354e14691", "versionType": "git" }, { "lessThan": "1d60c0781c1bbeaa1196b0d8aad5c435f06cb7c4", "status": "affected", "version": "e86cd53afc5907f7c221b709916e2dd354e14691", "versionType": "git" }, { "lessThan": "3e64d35475aa21d13dab71da51de51923c1a3a48", "status": "affected", "version": "e86cd53afc5907f7c221b709916e2dd354e14691", "versionType": "git" }, { "lessThan": "84f98955a9de0e0f591df85aa1a44f3ebcf1cb37", "status": "affected", "version": "e86cd53afc5907f7c221b709916e2dd354e14691", "versionType": "git" }, { "lessThan": "c92d6089d8ad7d4d815ebcedee3f3907b539ff1f", "status": "affected", "version": "e86cd53afc5907f7c221b709916e2dd354e14691", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/cadence/macb_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.8" }, { "lessThan": "3.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.238", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.184", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.140", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.92", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.30", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.238", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.184", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.140", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.92", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.30", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.8", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "3.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cadence: macb: Fix a possible deadlock in macb_halt_tx.\n\nThere is a situation where after THALT is set high, TGO stays high as\nwell. Because jiffies are never updated, as we are in a context with\ninterrupts disabled, we never exit that loop and have a deadlock.\n\nThat deadlock was noticed on a sama5d4 device that stayed locked for days.\n\nUse retries instead of jiffies so that the timeout really works and we do\nnot have a deadlock anymore." } ], "providerMetadata": { "dateUpdated": "2025-07-03T07:44:17.442Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0772a608d799ac0d127c0a36047a2725777aba9d" }, { "url": "https://git.kernel.org/stable/c/64675a9c00443b2e8af42af08c38fc1b78b68ba2" }, { "url": "https://git.kernel.org/stable/c/aace6b63892ce8307e502a60fe2f5a4bc6e1cfe7" }, { "url": "https://git.kernel.org/stable/c/1d60c0781c1bbeaa1196b0d8aad5c435f06cb7c4" }, { "url": "https://git.kernel.org/stable/c/3e64d35475aa21d13dab71da51de51923c1a3a48" }, { "url": "https://git.kernel.org/stable/c/84f98955a9de0e0f591df85aa1a44f3ebcf1cb37" }, { "url": "https://git.kernel.org/stable/c/c92d6089d8ad7d4d815ebcedee3f3907b539ff1f" } ], "title": "net: cadence: macb: Fix a possible deadlock in macb_halt_tx.", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38094", "datePublished": "2025-07-03T07:44:17.442Z", "dateReserved": "2025-04-16T04:51:23.984Z", "dateUpdated": "2025-07-03T07:44:17.442Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38137 (GCVE-0-2025-38137)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI/pwrctrl: Cancel outstanding rescan work when unregistering
It's possible to trigger use-after-free here by:
(a) forcing rescan_work_func() to take a long time and
(b) utilizing a pwrctrl driver that may be unloaded for some reason
Cancel outstanding work to ensure it is finished before we allow our data
structures to be cleaned up.
[bhelgaas: tidy commit log]
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/pci/pwrctrl/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b3ad6d23fec23fbef382ce9ea640c37446593cf5", "status": "affected", "version": "8f62819aaace77dd85037ae766eb767f8c4417ce", "versionType": "git" }, { "lessThan": "8b926f237743f020518162c62b93cb7107a2b5eb", "status": "affected", "version": "8f62819aaace77dd85037ae766eb767f8c4417ce", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/pci/pwrctrl/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/pwrctrl: Cancel outstanding rescan work when unregistering\n\nIt\u0027s possible to trigger use-after-free here by:\n\n (a) forcing rescan_work_func() to take a long time and\n (b) utilizing a pwrctrl driver that may be unloaded for some reason\n\nCancel outstanding work to ensure it is finished before we allow our data\nstructures to be cleaned up.\n\n[bhelgaas: tidy commit log]" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:14.854Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b3ad6d23fec23fbef382ce9ea640c37446593cf5" }, { "url": "https://git.kernel.org/stable/c/8b926f237743f020518162c62b93cb7107a2b5eb" } ], "title": "PCI/pwrctrl: Cancel outstanding rescan work when unregistering", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38137", "datePublished": "2025-07-03T08:35:39.849Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:14.854Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38135 (GCVE-0-2025-38135)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
serial: Fix potential null-ptr-deref in mlb_usio_probe()
devm_ioremap() can return NULL on error. Currently, mlb_usio_probe()
does not check for this case, which could result in a NULL pointer
dereference.
Add NULL check after devm_ioremap() to prevent this issue.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ba44dc04300441b47618f9933bf36e75a280e5fe Version: ba44dc04300441b47618f9933bf36e75a280e5fe Version: ba44dc04300441b47618f9933bf36e75a280e5fe Version: ba44dc04300441b47618f9933bf36e75a280e5fe Version: ba44dc04300441b47618f9933bf36e75a280e5fe Version: ba44dc04300441b47618f9933bf36e75a280e5fe Version: ba44dc04300441b47618f9933bf36e75a280e5fe Version: ba44dc04300441b47618f9933bf36e75a280e5fe |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/tty/serial/milbeaut_usio.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a05ebe384c7ca75476453f3070c67d9cf1d1a89f", "status": "affected", "version": "ba44dc04300441b47618f9933bf36e75a280e5fe", "versionType": "git" }, { "lessThan": "81159a6b064142b993f2f39828b77e199c77872a", "status": "affected", "version": "ba44dc04300441b47618f9933bf36e75a280e5fe", "versionType": "git" }, { "lessThan": "19fd9f5a69363d33079097d866eb6082d61bf31d", "status": "affected", "version": "ba44dc04300441b47618f9933bf36e75a280e5fe", "versionType": "git" }, { "lessThan": "548b0e81b9a0902a8bc8259430ed965663baadfc", "status": "affected", "version": "ba44dc04300441b47618f9933bf36e75a280e5fe", "versionType": "git" }, { "lessThan": "a6c7c365734cd0fa1c5aa225a6294fdf80cad2ea", "status": "affected", "version": "ba44dc04300441b47618f9933bf36e75a280e5fe", "versionType": "git" }, { "lessThan": "c23d87b43f7dba5eb12820f6cf21a1cd4f63eb3d", "status": "affected", "version": "ba44dc04300441b47618f9933bf36e75a280e5fe", "versionType": "git" }, { "lessThan": "e1b144aebe6fb898d96ced8c990d7aa38fda4a7a", "status": "affected", "version": "ba44dc04300441b47618f9933bf36e75a280e5fe", "versionType": "git" }, { "lessThan": "86bcae88c9209e334b2f8c252f4cc66beb261886", "status": "affected", "version": "ba44dc04300441b47618f9933bf36e75a280e5fe", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/tty/serial/milbeaut_usio.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.2" }, { "lessThan": "5.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix potential null-ptr-deref in mlb_usio_probe()\n\ndevm_ioremap() can return NULL on error. Currently, mlb_usio_probe()\ndoes not check for this case, which could result in a NULL pointer\ndereference.\n\nAdd NULL check after devm_ioremap() to prevent this issue." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:11.475Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a05ebe384c7ca75476453f3070c67d9cf1d1a89f" }, { "url": "https://git.kernel.org/stable/c/81159a6b064142b993f2f39828b77e199c77872a" }, { "url": "https://git.kernel.org/stable/c/19fd9f5a69363d33079097d866eb6082d61bf31d" }, { "url": "https://git.kernel.org/stable/c/548b0e81b9a0902a8bc8259430ed965663baadfc" }, { "url": "https://git.kernel.org/stable/c/a6c7c365734cd0fa1c5aa225a6294fdf80cad2ea" }, { "url": "https://git.kernel.org/stable/c/c23d87b43f7dba5eb12820f6cf21a1cd4f63eb3d" }, { "url": "https://git.kernel.org/stable/c/e1b144aebe6fb898d96ced8c990d7aa38fda4a7a" }, { "url": "https://git.kernel.org/stable/c/86bcae88c9209e334b2f8c252f4cc66beb261886" } ], "title": "serial: Fix potential null-ptr-deref in mlb_usio_probe()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38135", "datePublished": "2025-07-03T08:35:38.295Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:11.475Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38172 (GCVE-0-2025-38172)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: avoid using multiple devices with different type
For multiple devices, both primary and extra devices should be the
same type. `erofs_init_device` has already guaranteed that if the
primary is a file-backed device, extra devices should also be
regular files.
However, if the primary is a block device while the extra device
is a file-backed device, `erofs_init_device` will get an ENOTBLK,
which is not treated as an error in `erofs_fc_get_tree`, and that
leads to an UAF:
erofs_fc_get_tree
get_tree_bdev_flags(erofs_fc_fill_super)
erofs_read_superblock
erofs_init_device // sbi->dif0 is not inited yet,
// return -ENOTBLK
deactivate_locked_super
free(sbi)
if (err is -ENOTBLK)
sbi->dif0.file = filp_open() // sbi UAF
So if -ENOTBLK is hitted in `erofs_init_device`, it means the
primary device must be a block device, and the extra device
is not a block device. The error can be converted to -EINVAL.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/erofs/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "65115472f741ca000d7ea4a5922214f93cd1516e", "status": "affected", "version": "fb176750266a3d7f42ebdcf28e8ba40350b27847", "versionType": "git" }, { "lessThan": "cd04beb9ce2773a16057248bb4fa424068ae3807", "status": "affected", "version": "fb176750266a3d7f42ebdcf28e8ba40350b27847", "versionType": "git" }, { "lessThan": "9748f2f54f66743ac77275c34886a9f890e18409", "status": "affected", "version": "fb176750266a3d7f42ebdcf28e8ba40350b27847", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/erofs/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.12" }, { "lessThan": "6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: avoid using multiple devices with different type\n\nFor multiple devices, both primary and extra devices should be the\nsame type. `erofs_init_device` has already guaranteed that if the\nprimary is a file-backed device, extra devices should also be\nregular files.\n\nHowever, if the primary is a block device while the extra device\nis a file-backed device, `erofs_init_device` will get an ENOTBLK,\nwhich is not treated as an error in `erofs_fc_get_tree`, and that\nleads to an UAF:\n\n erofs_fc_get_tree\n get_tree_bdev_flags(erofs_fc_fill_super)\n erofs_read_superblock\n erofs_init_device // sbi-\u003edif0 is not inited yet,\n // return -ENOTBLK\n deactivate_locked_super\n free(sbi)\n if (err is -ENOTBLK)\n sbi-\u003edif0.file = filp_open() // sbi UAF\n\nSo if -ENOTBLK is hitted in `erofs_init_device`, it means the\nprimary device must be a block device, and the extra device\nis not a block device. The error can be converted to -EINVAL." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:14:13.860Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/65115472f741ca000d7ea4a5922214f93cd1516e" }, { "url": "https://git.kernel.org/stable/c/cd04beb9ce2773a16057248bb4fa424068ae3807" }, { "url": "https://git.kernel.org/stable/c/9748f2f54f66743ac77275c34886a9f890e18409" } ], "title": "erofs: avoid using multiple devices with different type", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38172", "datePublished": "2025-07-03T08:36:10.334Z", "dateReserved": "2025-04-16T04:51:23.991Z", "dateUpdated": "2025-07-28T04:14:13.860Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38140 (GCVE-0-2025-38140)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: limit swapping tables for devices with zone write plugs
dm_revalidate_zones() only allowed new or previously unzoned devices to
call blk_revalidate_disk_zones(). If the device was already zoned,
disk->nr_zones would always equal md->nr_zones, so dm_revalidate_zones()
returned without doing any work. This would make the zoned settings for
the device not match the new table. If the device had zone write plug
resources, it could run into errors like bdev_zone_is_seq() reading
invalid memory because disk->conv_zones_bitmap was the wrong size.
If the device doesn't have any zone write plug resources, calling
blk_revalidate_disk_zones() will always correctly update device. If
blk_revalidate_disk_zones() fails, it can still overwrite or clear the
current disk->nr_zones value. In this case, DM must restore the previous
value of disk->nr_zones, so that the zoned settings will continue to
match the previous value that it fell back to.
If the device already has zone write plug resources,
blk_revalidate_disk_zones() will not correctly update them, if it is
called for arbitrary zoned device changes. Since there is not much need
for this ability, the easiest solution is to disallow any table reloads
that change the zoned settings, for devices that already have zone plug
resources. Specifically, if a device already has zone plug resources
allocated, it can only switch to another zoned table that also emulates
zone append. Also, it cannot change the device size or the zone size. A
device can switch to an error target.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/dm-table.c", "drivers/md/dm-zone.c", "drivers/md/dm.c", "drivers/md/dm.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ac8acb0bfd98a1c65f3ca9a3e217a766124eebd8", "status": "affected", "version": "bb37d77239af25cde59693dbe3fac04dd17d7b29", "versionType": "git" }, { "lessThan": "121218bef4c1df165181f5cd8fc3a2246bac817e", "status": "affected", "version": "bb37d77239af25cde59693dbe3fac04dd17d7b29", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/dm-table.c", "drivers/md/dm-zone.c", "drivers/md/dm.c", "drivers/md/dm.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.14" }, { "lessThan": "5.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: limit swapping tables for devices with zone write plugs\n\ndm_revalidate_zones() only allowed new or previously unzoned devices to\ncall blk_revalidate_disk_zones(). If the device was already zoned,\ndisk-\u003enr_zones would always equal md-\u003enr_zones, so dm_revalidate_zones()\nreturned without doing any work. This would make the zoned settings for\nthe device not match the new table. If the device had zone write plug\nresources, it could run into errors like bdev_zone_is_seq() reading\ninvalid memory because disk-\u003econv_zones_bitmap was the wrong size.\n\nIf the device doesn\u0027t have any zone write plug resources, calling\nblk_revalidate_disk_zones() will always correctly update device. If\nblk_revalidate_disk_zones() fails, it can still overwrite or clear the\ncurrent disk-\u003enr_zones value. In this case, DM must restore the previous\nvalue of disk-\u003enr_zones, so that the zoned settings will continue to\nmatch the previous value that it fell back to.\n\nIf the device already has zone write plug resources,\nblk_revalidate_disk_zones() will not correctly update them, if it is\ncalled for arbitrary zoned device changes. Since there is not much need\nfor this ability, the easiest solution is to disallow any table reloads\nthat change the zoned settings, for devices that already have zone plug\nresources. Specifically, if a device already has zone plug resources\nallocated, it can only switch to another zoned table that also emulates\nzone append. Also, it cannot change the device size or the zone size. A\ndevice can switch to an error target." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:19.143Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ac8acb0bfd98a1c65f3ca9a3e217a766124eebd8" }, { "url": "https://git.kernel.org/stable/c/121218bef4c1df165181f5cd8fc3a2246bac817e" } ], "title": "dm: limit swapping tables for devices with zone write plugs", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38140", "datePublished": "2025-07-03T08:35:41.929Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:19.143Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38133 (GCVE-0-2025-38133)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: adc: ad4851: fix ad4858 chan pointer handling
The pointer returned from ad4851_parse_channels_common() is incremented
internally as each channel is populated. In ad4858_parse_channels(),
the same pointer was further incremented while setting ext_scan_type
fields for each channel. This resulted in indio_dev->channels being set
to a pointer past the end of the allocated array, potentially causing
memory corruption or undefined behavior.
Fix this by iterating over the channels using an explicit index instead
of incrementing the pointer. This preserves the original base pointer
and ensures all channel metadata is set correctly.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/iio/adc/ad4851.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6c3b9e1167d072ce2d01cafec7866647cf8d3616", "status": "affected", "version": "6250803fe2ec92be32a4df1c3a39c4a460d5bd58", "versionType": "git" }, { "lessThan": "499a8cee812588905cc940837e69918c1649a19e", "status": "affected", "version": "6250803fe2ec92be32a4df1c3a39c4a460d5bd58", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/iio/adc/ad4851.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.15" }, { "lessThan": "6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: ad4851: fix ad4858 chan pointer handling\n\nThe pointer returned from ad4851_parse_channels_common() is incremented\ninternally as each channel is populated. In ad4858_parse_channels(),\nthe same pointer was further incremented while setting ext_scan_type\nfields for each channel. This resulted in indio_dev-\u003echannels being set\nto a pointer past the end of the allocated array, potentially causing\nmemory corruption or undefined behavior.\n\nFix this by iterating over the channels using an explicit index instead\nof incrementing the pointer. This preserves the original base pointer\nand ensures all channel metadata is set correctly." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:08.930Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6c3b9e1167d072ce2d01cafec7866647cf8d3616" }, { "url": "https://git.kernel.org/stable/c/499a8cee812588905cc940837e69918c1649a19e" } ], "title": "iio: adc: ad4851: fix ad4858 chan pointer handling", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38133", "datePublished": "2025-07-03T08:35:36.802Z", "dateReserved": "2025-04-16T04:51:23.987Z", "dateUpdated": "2025-07-28T04:13:08.930Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38126 (GCVE-0-2025-38126)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping
The stmmac platform drivers that do not open-code the clk_ptp_rate value
after having retrieved the default one from the device-tree can end up
with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will
eventually propagate up to PTP initialization when bringing up the
interface, leading to a divide by 0:
Division by zero in kernel.
CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22
Hardware name: STM32 (Device Tree Support)
Call trace:
unwind_backtrace from show_stack+0x18/0x1c
show_stack from dump_stack_lvl+0x6c/0x8c
dump_stack_lvl from Ldiv0_64+0x8/0x18
Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4
stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c
stmmac_hw_setup from __stmmac_open+0x18c/0x434
__stmmac_open from stmmac_open+0x3c/0xbc
stmmac_open from __dev_open+0xf4/0x1ac
__dev_open from __dev_change_flags+0x1cc/0x224
__dev_change_flags from dev_change_flags+0x24/0x60
dev_change_flags from ip_auto_config+0x2e8/0x11a0
ip_auto_config from do_one_initcall+0x84/0x33c
do_one_initcall from kernel_init_freeable+0x1b8/0x214
kernel_init_freeable from kernel_init+0x24/0x140
kernel_init from ret_from_fork+0x14/0x28
Exception stack(0xe0815fb0 to 0xe0815ff8)
Prevent this division by 0 by adding an explicit check and error log
about the actual issue. While at it, remove the same check from
stmmac_ptp_register, which then becomes duplicate
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 19d857c9038e5c07db8f8cc02b5ad0cd0098714f Version: 19d857c9038e5c07db8f8cc02b5ad0cd0098714f Version: 19d857c9038e5c07db8f8cc02b5ad0cd0098714f Version: 19d857c9038e5c07db8f8cc02b5ad0cd0098714f Version: 19d857c9038e5c07db8f8cc02b5ad0cd0098714f |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c", "drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "32af9c289234990752281c805500dfe03c5b2b8f", "status": "affected", "version": "19d857c9038e5c07db8f8cc02b5ad0cd0098714f", "versionType": "git" }, { "lessThan": "b263088ee8ab14563817a8be3519af8e25225793", "status": "affected", "version": "19d857c9038e5c07db8f8cc02b5ad0cd0098714f", "versionType": "git" }, { "lessThan": "bb033c6781ce1b0264c3993b767b4aa9021959c2", "status": "affected", "version": "19d857c9038e5c07db8f8cc02b5ad0cd0098714f", "versionType": "git" }, { "lessThan": "379cd990dfe752b38fcf46034698a9a150626c7a", "status": "affected", "version": "19d857c9038e5c07db8f8cc02b5ad0cd0098714f", "versionType": "git" }, { "lessThan": "030ce919e114a111e83b7976ecb3597cefd33f26", "status": "affected", "version": "19d857c9038e5c07db8f8cc02b5ad0cd0098714f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c", "drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.5" }, { "lessThan": "4.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: make sure that ptp_rate is not 0 before configuring timestamping\n\nThe stmmac platform drivers that do not open-code the clk_ptp_rate value\nafter having retrieved the default one from the device-tree can end up\nwith 0 in clk_ptp_rate (as clk_get_rate can return 0). It will\neventually propagate up to PTP initialization when bringing up the\ninterface, leading to a divide by 0:\n\n Division by zero in kernel.\n CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22\n Hardware name: STM32 (Device Tree Support)\n Call trace:\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x6c/0x8c\n dump_stack_lvl from Ldiv0_64+0x8/0x18\n Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4\n stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c\n stmmac_hw_setup from __stmmac_open+0x18c/0x434\n __stmmac_open from stmmac_open+0x3c/0xbc\n stmmac_open from __dev_open+0xf4/0x1ac\n __dev_open from __dev_change_flags+0x1cc/0x224\n __dev_change_flags from dev_change_flags+0x24/0x60\n dev_change_flags from ip_auto_config+0x2e8/0x11a0\n ip_auto_config from do_one_initcall+0x84/0x33c\n do_one_initcall from kernel_init_freeable+0x1b8/0x214\n kernel_init_freeable from kernel_init+0x24/0x140\n kernel_init from ret_from_fork+0x14/0x28\n Exception stack(0xe0815fb0 to 0xe0815ff8)\n\nPrevent this division by 0 by adding an explicit check and error log\nabout the actual issue. While at it, remove the same check from\nstmmac_ptp_register, which then becomes duplicate" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:53.339Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/32af9c289234990752281c805500dfe03c5b2b8f" }, { "url": "https://git.kernel.org/stable/c/b263088ee8ab14563817a8be3519af8e25225793" }, { "url": "https://git.kernel.org/stable/c/bb033c6781ce1b0264c3993b767b4aa9021959c2" }, { "url": "https://git.kernel.org/stable/c/379cd990dfe752b38fcf46034698a9a150626c7a" }, { "url": "https://git.kernel.org/stable/c/030ce919e114a111e83b7976ecb3597cefd33f26" } ], "title": "net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38126", "datePublished": "2025-07-03T08:35:31.812Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:53.339Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38153 (GCVE-0-2025-38153)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: aqc111: fix error handling of usbnet read calls
Syzkaller, courtesy of syzbot, identified an error (see report [1]) in
aqc111 driver, caused by incomplete sanitation of usb read calls'
results. This problem is quite similar to the one fixed in commit
920a9fa27e78 ("net: asix: add proper error handling of usb read errors").
For instance, usbnet_read_cmd() may read fewer than 'size' bytes,
even if the caller expected the full amount, and aqc111_read_cmd()
will not check its result properly. As [1] shows, this may lead
to MAC address in aqc111_bind() being only partly initialized,
triggering KMSAN warnings.
Fix the issue by verifying that the number of bytes read is
as expected and not less.
[1] Partial syzbot report:
BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x4d1/0xd90 drivers/base/dd.c:658
__driver_probe_device+0x268/0x380 drivers/base/dd.c:800
...
Uninit was stored to memory at:
dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582
__dev_addr_set include/linux/netdevice.h:4874 [inline]
eth_hw_addr_set include/linux/etherdevice.h:325 [inline]
aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
...
Uninit was stored to memory at:
ether_addr_copy include/linux/etherdevice.h:305 [inline]
aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]
aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
...
Local variable buf.i created at:
aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]
aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713
usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f Version: df2d59a2ab6c9ceac2c4104272fce03493b8f62f |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/usb/aqc111.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8c97655275482ef5384ce0501640630a0fc0f6f4", "status": "affected", "version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f", "versionType": "git" }, { "lessThan": "11273279012c922f37cfb4dd95d142803fc07b98", "status": "affected", "version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f", "versionType": "git" }, { "lessThan": "f398d2dfe450ce2c031d10b585448862d74a0501", "status": "affected", "version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f", "versionType": "git" }, { "lessThan": "acb47a40b5e38be03ef659b7bacdddc592ed73b7", "status": "affected", "version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f", "versionType": "git" }, { "lessThan": "60790d287c1a1ced3554d4a87c2f27bf299a932a", "status": "affected", "version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f", "versionType": "git" }, { "lessThan": "30a9e834c74e260533b8d0885e3c89f6f32f7993", "status": "affected", "version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f", "versionType": "git" }, { "lessThan": "7c01863b1c47f040d9674171e77789a423b9b128", "status": "affected", "version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f", "versionType": "git" }, { "lessThan": "405b0d610745fb5e84fc2961d9b960abb9f3d107", "status": "affected", "version": "df2d59a2ab6c9ceac2c4104272fce03493b8f62f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/usb/aqc111.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.0" }, { "lessThan": "5.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.295", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.295", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: fix error handling of usbnet read calls\n\nSyzkaller, courtesy of syzbot, identified an error (see report [1]) in\naqc111 driver, caused by incomplete sanitation of usb read calls\u0027\nresults. This problem is quite similar to the one fixed in commit\n920a9fa27e78 (\"net: asix: add proper error handling of usb read errors\").\n\nFor instance, usbnet_read_cmd() may read fewer than \u0027size\u0027 bytes,\neven if the caller expected the full amount, and aqc111_read_cmd()\nwill not check its result properly. As [1] shows, this may lead\nto MAC address in aqc111_bind() being only partly initialized,\ntriggering KMSAN warnings.\n\nFix the issue by verifying that the number of bytes read is\nas expected and not less.\n\n[1] Partial syzbot report:\nBUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]\nBUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830\n is_valid_ether_addr include/linux/etherdevice.h:208 [inline]\n usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:-1 [inline]\n really_probe+0x4d1/0xd90 drivers/base/dd.c:658\n __driver_probe_device+0x268/0x380 drivers/base/dd.c:800\n...\n\nUninit was stored to memory at:\n dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582\n __dev_addr_set include/linux/netdevice.h:4874 [inline]\n eth_hw_addr_set include/linux/etherdevice.h:325 [inline]\n aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n...\n\nUninit was stored to memory at:\n ether_addr_copy include/linux/etherdevice.h:305 [inline]\n aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]\n aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:-1 [inline]\n...\n\nLocal variable buf.i created at:\n aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]\n aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:42.491Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8c97655275482ef5384ce0501640630a0fc0f6f4" }, { "url": "https://git.kernel.org/stable/c/11273279012c922f37cfb4dd95d142803fc07b98" }, { "url": "https://git.kernel.org/stable/c/f398d2dfe450ce2c031d10b585448862d74a0501" }, { "url": "https://git.kernel.org/stable/c/acb47a40b5e38be03ef659b7bacdddc592ed73b7" }, { "url": "https://git.kernel.org/stable/c/60790d287c1a1ced3554d4a87c2f27bf299a932a" }, { "url": "https://git.kernel.org/stable/c/30a9e834c74e260533b8d0885e3c89f6f32f7993" }, { "url": "https://git.kernel.org/stable/c/7c01863b1c47f040d9674171e77789a423b9b128" }, { "url": "https://git.kernel.org/stable/c/405b0d610745fb5e84fc2961d9b960abb9f3d107" } ], "title": "net: usb: aqc111: fix error handling of usbnet read calls", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38153", "datePublished": "2025-07-03T08:35:56.526Z", "dateReserved": "2025-04-16T04:51:23.990Z", "dateUpdated": "2025-07-28T04:13:42.491Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38150 (GCVE-0-2025-38150)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_packet: move notifier's packet_dev_mc out of rcu critical section
Syzkaller reports the following issue:
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578
__mutex_lock+0x106/0xe80 kernel/locking/mutex.c:746
team_change_rx_flags+0x38/0x220 drivers/net/team/team_core.c:1781
dev_change_rx_flags net/core/dev.c:9145 [inline]
__dev_set_promiscuity+0x3f8/0x590 net/core/dev.c:9189
netif_set_promiscuity+0x50/0xe0 net/core/dev.c:9201
dev_set_promiscuity+0x126/0x260 net/core/dev_api.c:286 packet_dev_mc net/packet/af_packet.c:3698 [inline]
packet_dev_mclist_delete net/packet/af_packet.c:3722 [inline]
packet_notifier+0x292/0xa60 net/packet/af_packet.c:4247
notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]
call_netdevice_notifiers net/core/dev.c:2228 [inline]
unregister_netdevice_many_notify+0x15d8/0x2330 net/core/dev.c:11972
rtnl_delete_link net/core/rtnetlink.c:3522 [inline]
rtnl_dellink+0x488/0x710 net/core/rtnetlink.c:3564
rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6955
netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534
Calling `PACKET_ADD_MEMBERSHIP` on an ops-locked device can trigger
the `NETDEV_UNREGISTER` notifier, which may require disabling promiscuous
and/or allmulti mode. Both of these operations require acquiring
the netdev instance lock.
Move the call to `packet_dev_mc` outside of the RCU critical section.
The `mclist` modifications (add, del, flush, unregister) are protected by
the RTNL, not the RCU. The RCU only protects the `sklist` and its
associated `sks`. The delayed operation on the `mclist` entry remains
within the RTNL.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/packet/af_packet.c", "net/packet/internal.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2dd4781c5af99415ebbd2f7cc763feb109863c05", "status": "affected", "version": "ad7c7b2172c388818a111455643491d75f535e90", "versionType": "git" }, { "lessThan": "d8d85ef0a631df9127f202e6371bb33a0b589952", "status": "affected", "version": "ad7c7b2172c388818a111455643491d75f535e90", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/packet/af_packet.c", "net/packet/internal.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.15" }, { "lessThan": "6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_packet: move notifier\u0027s packet_dev_mc out of rcu critical section\n\nSyzkaller reports the following issue:\n\n BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578\n __mutex_lock+0x106/0xe80 kernel/locking/mutex.c:746\n team_change_rx_flags+0x38/0x220 drivers/net/team/team_core.c:1781\n dev_change_rx_flags net/core/dev.c:9145 [inline]\n __dev_set_promiscuity+0x3f8/0x590 net/core/dev.c:9189\n netif_set_promiscuity+0x50/0xe0 net/core/dev.c:9201\n dev_set_promiscuity+0x126/0x260 net/core/dev_api.c:286 packet_dev_mc net/packet/af_packet.c:3698 [inline]\n packet_dev_mclist_delete net/packet/af_packet.c:3722 [inline]\n packet_notifier+0x292/0xa60 net/packet/af_packet.c:4247\n notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85\n call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]\n call_netdevice_notifiers net/core/dev.c:2228 [inline]\n unregister_netdevice_many_notify+0x15d8/0x2330 net/core/dev.c:11972\n rtnl_delete_link net/core/rtnetlink.c:3522 [inline]\n rtnl_dellink+0x488/0x710 net/core/rtnetlink.c:3564\n rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6955\n netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534\n\nCalling `PACKET_ADD_MEMBERSHIP` on an ops-locked device can trigger\nthe `NETDEV_UNREGISTER` notifier, which may require disabling promiscuous\nand/or allmulti mode. Both of these operations require acquiring\nthe netdev instance lock.\n\nMove the call to `packet_dev_mc` outside of the RCU critical section.\nThe `mclist` modifications (add, del, flush, unregister) are protected by\nthe RTNL, not the RCU. The RCU only protects the `sklist` and its\nassociated `sks`. The delayed operation on the `mclist` entry remains\nwithin the RTNL." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:39.528Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2dd4781c5af99415ebbd2f7cc763feb109863c05" }, { "url": "https://git.kernel.org/stable/c/d8d85ef0a631df9127f202e6371bb33a0b589952" } ], "title": "af_packet: move notifier\u0027s packet_dev_mc out of rcu critical section", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38150", "datePublished": "2025-07-03T08:35:55.257Z", "dateReserved": "2025-04-16T04:51:23.988Z", "dateUpdated": "2025-07-28T04:13:39.528Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38107 (GCVE-0-2025-38107)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: ets: fix a race in ets_qdisc_change()
Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 699d82e9a6db29d509a71f1f2f4316231e6232e6 Version: ce881ddbdc028fb1988b66e40e45ca0529c23b46 Version: b05972f01e7d30419987a1f221b5593668fd6448 Version: b05972f01e7d30419987a1f221b5593668fd6448 Version: b05972f01e7d30419987a1f221b5593668fd6448 Version: b05972f01e7d30419987a1f221b5593668fd6448 Version: b05972f01e7d30419987a1f221b5593668fd6448 Version: fffa19b5e58c34004a0d6f642d9c24b11d213994 Version: fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sched/sch_ets.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "eb7b74e9754e1ba2088f914ad1f57a778b11894b", "status": "affected", "version": "699d82e9a6db29d509a71f1f2f4316231e6232e6", "versionType": "git" }, { "lessThan": "0b479d0aa488cb478eb2e1d8868be946ac8afb4f", "status": "affected", "version": "ce881ddbdc028fb1988b66e40e45ca0529c23b46", "versionType": "git" }, { "lessThan": "347867cb424edae5fec1622712c8dd0a2c42918f", "status": "affected", "version": "b05972f01e7d30419987a1f221b5593668fd6448", "versionType": "git" }, { "lessThan": "0383b25488a545be168744336847549d4a2d3d6c", "status": "affected", "version": "b05972f01e7d30419987a1f221b5593668fd6448", "versionType": "git" }, { "lessThan": "073f64c03516bcfaf790f8edc772e0cfb8a84ec3", "status": "affected", "version": "b05972f01e7d30419987a1f221b5593668fd6448", "versionType": "git" }, { "lessThan": "fed94bd51d62d2e0e006aa61480e94e5cd0582b0", "status": "affected", "version": "b05972f01e7d30419987a1f221b5593668fd6448", "versionType": "git" }, { "lessThan": "d92adacdd8c2960be856e0b82acc5b7c5395fddb", "status": "affected", "version": "b05972f01e7d30419987a1f221b5593668fd6448", "versionType": "git" }, { "status": "affected", "version": "fffa19b5e58c34004a0d6f642d9c24b11d213994", "versionType": "git" }, { "status": "affected", "version": "fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sched/sch_ets.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.239", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.239", "versionStartIncluding": "5.10.142", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.15.66", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.213", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: ets: fix a race in ets_qdisc_change()\n\nGerrard Tai reported a race condition in ETS, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n | [5]: lock root\n | [6]: rehash\n | [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent\u0027s qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:22.514Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b" }, { "url": "https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f" }, { "url": "https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f" }, { "url": "https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c" }, { "url": "https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3" }, { "url": "https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0" }, { "url": "https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb" } ], "title": "net_sched: ets: fix a race in ets_qdisc_change()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38107", "datePublished": "2025-07-03T08:35:17.487Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:22.514Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38158 (GCVE-0-2025-38158)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
hisi_acc_vfio_pci: fix XQE dma address error
The dma addresses of EQE and AEQE are wrong after migration and
results in guest kernel-mode encryption services failure.
Comparing the definition of hardware registers, we found that
there was an error when the data read from the register was
combined into an address. Therefore, the address combination
sequence needs to be corrected.
Even after fixing the above problem, we still have an issue
where the Guest from an old kernel can get migrated to
new kernel and may result in wrong data.
In order to ensure that the address is correct after migration,
if an old magic number is detected, the dma address needs to be
updated.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: b0eed085903e7758532696d64397901a75bba8ba Version: b0eed085903e7758532696d64397901a75bba8ba Version: b0eed085903e7758532696d64397901a75bba8ba Version: b0eed085903e7758532696d64397901a75bba8ba Version: b0eed085903e7758532696d64397901a75bba8ba |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c", "drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "809a9c10274e1bcf6d05f1c0341459a425a4f05f", "status": "affected", "version": "b0eed085903e7758532696d64397901a75bba8ba", "versionType": "git" }, { "lessThan": "f0423873e7aeb69cb68f4e8fa3827832e7b037ba", "status": "affected", "version": "b0eed085903e7758532696d64397901a75bba8ba", "versionType": "git" }, { "lessThan": "884a76e813178778d271fea59783763d32bb7e72", "status": "affected", "version": "b0eed085903e7758532696d64397901a75bba8ba", "versionType": "git" }, { "lessThan": "7710c883eb8cb5cf510ca47ec0e26c6cb7e94a4f", "status": "affected", "version": "b0eed085903e7758532696d64397901a75bba8ba", "versionType": "git" }, { "lessThan": "8bb7170c5a055ea17c6857c256ee73c10ff872eb", "status": "affected", "version": "b0eed085903e7758532696d64397901a75bba8ba", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c", "drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhisi_acc_vfio_pci: fix XQE dma address error\n\nThe dma addresses of EQE and AEQE are wrong after migration and\nresults in guest kernel-mode encryption services failure.\nComparing the definition of hardware registers, we found that\nthere was an error when the data read from the register was\ncombined into an address. Therefore, the address combination\nsequence needs to be corrected.\n\nEven after fixing the above problem, we still have an issue\nwhere the Guest from an old kernel can get migrated to\nnew kernel and may result in wrong data.\n\nIn order to ensure that the address is correct after migration,\nif an old magic number is detected, the dma address needs to be\nupdated." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:13:49.556Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/809a9c10274e1bcf6d05f1c0341459a425a4f05f" }, { "url": "https://git.kernel.org/stable/c/f0423873e7aeb69cb68f4e8fa3827832e7b037ba" }, { "url": "https://git.kernel.org/stable/c/884a76e813178778d271fea59783763d32bb7e72" }, { "url": "https://git.kernel.org/stable/c/7710c883eb8cb5cf510ca47ec0e26c6cb7e94a4f" }, { "url": "https://git.kernel.org/stable/c/8bb7170c5a055ea17c6857c256ee73c10ff872eb" } ], "title": "hisi_acc_vfio_pci: fix XQE dma address error", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38158", "datePublished": "2025-07-03T08:36:00.776Z", "dateReserved": "2025-04-16T04:51:23.990Z", "dateUpdated": "2025-07-28T04:13:49.556Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38109 (GCVE-0-2025-38109)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix ECVF vports unload on shutdown flow
Fix shutdown flow UAF when a virtual function is created on the embedded
chip (ECVF) of a BlueField device. In such case the vport acl ingress
table is not properly destroyed.
ECVF functionality is independent of ecpf_vport_exists capability and
thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not
test it when enabling/disabling ECVF vports.
kernel log:
[] refcount_t: underflow; use-after-free.
[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28
refcount_warn_saturate+0x124/0x220
----------------
[] Call trace:
[] refcount_warn_saturate+0x124/0x220
[] tree_put_node+0x164/0x1e0 [mlx5_core]
[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]
[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]
[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]
[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]
[] esw_vport_cleanup+0x64/0x90 [mlx5_core]
[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]
[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]
[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]
[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]
[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]
[] mlx5_unload+0x40/0xc4 [mlx5_core]
[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]
[] mlx5_unload_one+0x3c/0x60 [mlx5_core]
[] shutdown+0x7c/0xa4 [mlx5_core]
[] pci_device_shutdown+0x3c/0xa0
[] device_shutdown+0x170/0x340
[] __do_sys_reboot+0x1f4/0x2a0
[] __arm64_sys_reboot+0x2c/0x40
[] invoke_syscall+0x78/0x100
[] el0_svc_common.constprop.0+0x54/0x184
[] do_el0_svc+0x30/0xac
[] el0_svc+0x48/0x160
[] el0t_64_sync_handler+0xa4/0x12c
[] el0t_64_sync+0x1a4/0x1a8
[] --[ end trace 9c4601d68c70030e ]---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/eswitch.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5953ae44dfe5dbad374318875be834c3b7b71ee6", "status": "affected", "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045", "versionType": "git" }, { "lessThan": "da15ca0553325acf68039015f2f4db750c8e2b96", "status": "affected", "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045", "versionType": "git" }, { "lessThan": "24db585d369f949f698e03d7d8017e5ae19d0497", "status": "affected", "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045", "versionType": "git" }, { "lessThan": "687560d8a9a2d654829ad0da1ec24242f1de711d", "status": "affected", "version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/eswitch.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.5" }, { "lessThan": "6.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix ECVF vports unload on shutdown flow\n\nFix shutdown flow UAF when a virtual function is created on the embedded\nchip (ECVF) of a BlueField device. In such case the vport acl ingress\ntable is not properly destroyed.\n\nECVF functionality is independent of ecpf_vport_exists capability and\nthus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not\ntest it when enabling/disabling ECVF vports.\n\nkernel log:\n[] refcount_t: underflow; use-after-free.\n[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28\n refcount_warn_saturate+0x124/0x220\n----------------\n[] Call trace:\n[] refcount_warn_saturate+0x124/0x220\n[] tree_put_node+0x164/0x1e0 [mlx5_core]\n[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]\n[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]\n[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]\n[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]\n[] esw_vport_cleanup+0x64/0x90 [mlx5_core]\n[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]\n[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]\n[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]\n[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]\n[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]\n[] mlx5_unload+0x40/0xc4 [mlx5_core]\n[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]\n[] mlx5_unload_one+0x3c/0x60 [mlx5_core]\n[] shutdown+0x7c/0xa4 [mlx5_core]\n[] pci_device_shutdown+0x3c/0xa0\n[] device_shutdown+0x170/0x340\n[] __do_sys_reboot+0x1f4/0x2a0\n[] __arm64_sys_reboot+0x2c/0x40\n[] invoke_syscall+0x78/0x100\n[] el0_svc_common.constprop.0+0x54/0x184\n[] do_el0_svc+0x30/0xac\n[] el0_svc+0x48/0x160\n[] el0t_64_sync_handler+0xa4/0x12c\n[] el0t_64_sync+0x1a4/0x1a8\n[] --[ end trace 9c4601d68c70030e ]---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:25.395Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5953ae44dfe5dbad374318875be834c3b7b71ee6" }, { "url": "https://git.kernel.org/stable/c/da15ca0553325acf68039015f2f4db750c8e2b96" }, { "url": "https://git.kernel.org/stable/c/24db585d369f949f698e03d7d8017e5ae19d0497" }, { "url": "https://git.kernel.org/stable/c/687560d8a9a2d654829ad0da1ec24242f1de711d" } ], "title": "net/mlx5: Fix ECVF vports unload on shutdown flow", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38109", "datePublished": "2025-07-03T08:35:19.240Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-28T04:12:25.395Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38098 (GCVE-0-2025-38098)
Vulnerability from cvelistv5
Published
2025-07-03 08:13
Modified
2025-07-11 17:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink
Don't try to operate on a drm_wb_connector as an amdgpu_dm_connector.
While dereferencing aconnector->base will "work" it's wrong and
might lead to unknown bad things. Just... don't.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c", "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h", "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b14e726d57f61085485f107a6203c50a09695abd", "status": "affected", "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c", "versionType": "git" }, { "lessThan": "18ca68f7c657721583a75cab01f0d0d2ec63a6c9", "status": "affected", "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c", "versionType": "git" }, { "lessThan": "cbf4890c6f28fb1ad733e14613fbd33c2004bced", "status": "affected", "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c", "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h", "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.31", "versionType": "semver" }, { "lessThanOrEqual": "6.14.*", "status": "unaffected", "version": "6.14.9", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.15", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.31", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.14.9", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15", "versionStartIncluding": "4.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Don\u0027t treat wb connector as physical in create_validate_stream_for_sink\n\nDon\u0027t try to operate on a drm_wb_connector as an amdgpu_dm_connector.\nWhile dereferencing aconnector-\u003ebase will \"work\" it\u0027s wrong and\nmight lead to unknown bad things. Just... don\u0027t." } ], "providerMetadata": { "dateUpdated": "2025-07-11T17:21:44.396Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b14e726d57f61085485f107a6203c50a09695abd" }, { "url": "https://git.kernel.org/stable/c/18ca68f7c657721583a75cab01f0d0d2ec63a6c9" }, { "url": "https://git.kernel.org/stable/c/cbf4890c6f28fb1ad733e14613fbd33c2004bced" } ], "title": "drm/amd/display: Don\u0027t treat wb connector as physical in create_validate_stream_for_sink", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38098", "datePublished": "2025-07-03T08:13:58.603Z", "dateReserved": "2025-04-16T04:51:23.985Z", "dateUpdated": "2025-07-11T17:21:44.396Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38169 (GCVE-0-2025-38169)
Vulnerability from cvelistv5
Published
2025-07-03 08:36
Modified
2025-07-28 04:14
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP
On system with SME, a thread's kernel FPSIMD state may be erroneously
clobbered during a context switch immediately after that state is
restored. Systems without SME are unaffected.
If the CPU happens to be in streaming SVE mode before a context switch
to a thread with kernel FPSIMD state, fpsimd_thread_switch() will
restore the kernel FPSIMD state using fpsimd_load_kernel_state() while
the CPU is still in streaming SVE mode. When fpsimd_thread_switch()
subsequently calls fpsimd_flush_cpu_state(), this will execute an
SMSTOP, causing an exit from streaming SVE mode. The exit from
streaming SVE mode will cause the hardware to reset a number of
FPSIMD/SVE/SME registers, clobbering the FPSIMD state.
Fix this by calling fpsimd_flush_cpu_state() before restoring the kernel
FPSIMD state.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: e92bee9f861b466c676f0200be3e46af7bc4ac6b Version: e92bee9f861b466c676f0200be3e46af7bc4ac6b Version: e92bee9f861b466c676f0200be3e46af7bc4ac6b Version: e003c485ac82a9f8de4204912ed059ac6dd4257c Version: 25b90cd122d546823da90b916f7c3289dfe83a99 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arm64/kernel/fpsimd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "55d52af498daea75aa03ba9b7e444c8ae495ac20", "status": "affected", "version": "e92bee9f861b466c676f0200be3e46af7bc4ac6b", "versionType": "git" }, { "lessThan": "a305821f597ec943849d3e53924adb88c61ed682", "status": "affected", "version": "e92bee9f861b466c676f0200be3e46af7bc4ac6b", "versionType": "git" }, { "lessThan": "01098d893fa8a6edb2b56e178b798e3e6b674f02", "status": "affected", "version": "e92bee9f861b466c676f0200be3e46af7bc4ac6b", "versionType": "git" }, { "status": "affected", "version": "e003c485ac82a9f8de4204912ed059ac6dd4257c", "versionType": "git" }, { "status": "affected", "version": "25b90cd122d546823da90b916f7c3289dfe83a99", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arm64/kernel/fpsimd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.10" }, { "lessThan": "6.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP\n\nOn system with SME, a thread\u0027s kernel FPSIMD state may be erroneously\nclobbered during a context switch immediately after that state is\nrestored. Systems without SME are unaffected.\n\nIf the CPU happens to be in streaming SVE mode before a context switch\nto a thread with kernel FPSIMD state, fpsimd_thread_switch() will\nrestore the kernel FPSIMD state using fpsimd_load_kernel_state() while\nthe CPU is still in streaming SVE mode. When fpsimd_thread_switch()\nsubsequently calls fpsimd_flush_cpu_state(), this will execute an\nSMSTOP, causing an exit from streaming SVE mode. The exit from\nstreaming SVE mode will cause the hardware to reset a number of\nFPSIMD/SVE/SME registers, clobbering the FPSIMD state.\n\nFix this by calling fpsimd_flush_cpu_state() before restoring the kernel\nFPSIMD state." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:14:09.744Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/55d52af498daea75aa03ba9b7e444c8ae495ac20" }, { "url": "https://git.kernel.org/stable/c/a305821f597ec943849d3e53924adb88c61ed682" }, { "url": "https://git.kernel.org/stable/c/01098d893fa8a6edb2b56e178b798e3e6b674f02" } ], "title": "arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38169", "datePublished": "2025-07-03T08:36:08.393Z", "dateReserved": "2025-04-16T04:51:23.991Z", "dateUpdated": "2025-07-28T04:14:09.744Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38120 (GCVE-0-2025-38120)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_set_pipapo_avx2: fix initial map fill
If the first field doesn't cover the entire start map, then we must zero
out the remainder, else we leak those bits into the next match round map.
The early fix was incomplete and did only fix up the generic C
implementation.
A followup patch adds a test case to nft_concat_range.sh.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 957a4d1c4c5849e4515c9fb4db21bf85318103dc Version: 9625c46ce6fd4f922595a4b32b1de5066d70464f Version: 69b6a67f7052905e928d75a0c5871de50e686986 Version: 791a615b7ad2258c560f91852be54b0480837c93 Version: 791a615b7ad2258c560f91852be54b0480837c93 Version: 791a615b7ad2258c560f91852be54b0480837c93 Version: 8058c88ac0df21239daee54b5934d5c80ca9685f |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/netfilter/nft_set_pipapo_avx2.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b5ad58285f9217d68cd5ea2ad86ce254a3fe7c4d", "status": "affected", "version": "957a4d1c4c5849e4515c9fb4db21bf85318103dc", "versionType": "git" }, { "lessThan": "90bc7f5a244aadee4292b28098b7c98aadd4b3aa", "status": "affected", "version": "9625c46ce6fd4f922595a4b32b1de5066d70464f", "versionType": "git" }, { "lessThan": "39bab2d3517b5b50c609b4f8c66129bf619fffa0", "status": "affected", "version": "69b6a67f7052905e928d75a0c5871de50e686986", "versionType": "git" }, { "lessThan": "251496ce1728c9fd47bd2b20a7b21b20b9a020ca", "status": "affected", "version": "791a615b7ad2258c560f91852be54b0480837c93", "versionType": "git" }, { "lessThan": "8068e1e42b46518ce680dc6470bcd710efc3fa0a", "status": "affected", "version": "791a615b7ad2258c560f91852be54b0480837c93", "versionType": "git" }, { "lessThan": "ea77c397bff8b6d59f6d83dae1425b08f465e8b5", "status": "affected", "version": "791a615b7ad2258c560f91852be54b0480837c93", "versionType": "git" }, { "status": "affected", "version": "8058c88ac0df21239daee54b5934d5c80ca9685f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/netfilter/nft_set_pipapo_avx2.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.186", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.186", "versionStartIncluding": "5.15.165", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "6.1.103", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.6.44", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_set_pipapo_avx2: fix initial map fill\n\nIf the first field doesn\u0027t cover the entire start map, then we must zero\nout the remainder, else we leak those bits into the next match round map.\n\nThe early fix was incomplete and did only fix up the generic C\nimplementation.\n\nA followup patch adds a test case to nft_concat_range.sh." } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:39.824Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b5ad58285f9217d68cd5ea2ad86ce254a3fe7c4d" }, { "url": "https://git.kernel.org/stable/c/90bc7f5a244aadee4292b28098b7c98aadd4b3aa" }, { "url": "https://git.kernel.org/stable/c/39bab2d3517b5b50c609b4f8c66129bf619fffa0" }, { "url": "https://git.kernel.org/stable/c/251496ce1728c9fd47bd2b20a7b21b20b9a020ca" }, { "url": "https://git.kernel.org/stable/c/8068e1e42b46518ce680dc6470bcd710efc3fa0a" }, { "url": "https://git.kernel.org/stable/c/ea77c397bff8b6d59f6d83dae1425b08f465e8b5" } ], "title": "netfilter: nf_set_pipapo_avx2: fix initial map fill", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38120", "datePublished": "2025-07-03T08:35:27.233Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:39.824Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38124 (GCVE-0-2025-38124)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix udp gso skb_segment after pull from frag_list
Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after
pull from frag_list") detected invalid geometry in frag_list skbs and
redirects them from skb_segment_list to more robust skb_segment. But some
packets with modified geometry can also hit bugs in that code. We don't
know how many such cases exist. Addressing each one by one also requires
touching the complex skb_segment code, which risks introducing bugs for
other types of skbs. Instead, linearize all these packets that fail the
basic invariants on gso fraglist skbs. That is more robust.
If only part of the fraglist payload is pulled into head_skb, it will
always cause exception when splitting skbs by skb_segment. For detailed
call stack information, see below.
Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size
Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify fraglist skbs, breaking these invariants.
In extreme cases they pull one part of data into skb linear. For UDP,
this causes three payloads with lengths of (11,11,10) bytes were
pulled tail to become (12,10,10) bytes.
The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because
payload was pulled into head_skb, it needs to be linearized before pass
to regular skb_segment.
skb_segment+0xcd0/0xd14
__udp_gso_segment+0x334/0x5f4
udp4_ufo_fragment+0x118/0x15c
inet_gso_segment+0x164/0x338
skb_mac_gso_segment+0xc4/0x13c
__skb_gso_segment+0xc4/0x124
validate_xmit_skb+0x9c/0x2c0
validate_xmit_skb_list+0x4c/0x80
sch_direct_xmit+0x70/0x404
__dev_queue_xmit+0x64c/0xe5c
neigh_resolve_output+0x178/0x1c4
ip_finish_output2+0x37c/0x47c
__ip_finish_output+0x194/0x240
ip_finish_output+0x20/0xf4
ip_output+0x100/0x1a0
NF_HOOK+0xc4/0x16c
ip_forward+0x314/0x32c
ip_rcv+0x90/0x118
__netif_receive_skb+0x74/0x124
process_backlog+0xe8/0x1a4
__napi_poll+0x5c/0x1f8
net_rx_action+0x154/0x314
handle_softirqs+0x154/0x4b8
[118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!
[118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
[118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000
[118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000
[118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)
[118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14
[118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14
[118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 080e6c9a3908de193a48f646c5ce1bfb15676ffc Version: af3122f5fdc0d00581d6e598a668df6bf54c9daa Version: a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab Version: a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab Version: a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab Version: 33e28acf42ee863f332a958bfc2f1a284a3659df Version: 3cd00d2e3655fad3bda96dc1ebf17b6495f86fea |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/ipv4/udp_offload.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0e65f38bd1aa14ea86e221b7bb814d38278d86c3", "status": "affected", "version": "080e6c9a3908de193a48f646c5ce1bfb15676ffc", "versionType": "git" }, { "lessThan": "85eef1748c024da1a191aed56b30a3a65958c50c", "status": "affected", "version": "af3122f5fdc0d00581d6e598a668df6bf54c9daa", "versionType": "git" }, { "lessThan": "4399f59a9467a324ed46657555f0e1f209a14acb", "status": "affected", "version": "a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab", "versionType": "git" }, { "lessThan": "a04302867094bdc6efac1b598370fc47cf3f2388", "status": "affected", "version": "a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab", "versionType": "git" }, { "lessThan": "3382a1ed7f778db841063f5d7e317ac55f9e7f72", "status": "affected", "version": "a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab", "versionType": "git" }, { "status": "affected", "version": "33e28acf42ee863f332a958bfc2f1a284a3659df", "versionType": "git" }, { "status": "affected", "version": "3cd00d2e3655fad3bda96dc1ebf17b6495f86fea", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/ipv4/udp_offload.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.12" }, { "lessThan": "6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.142", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.94", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.34", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.142", "versionStartIncluding": "6.1.113", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.94", "versionStartIncluding": "6.6.55", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.34", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.3", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix udp gso skb_segment after pull from frag_list\n\nCommit a1e40ac5b5e9 (\"net: gso: fix udp gso fraglist segmentation after\npull from frag_list\") detected invalid geometry in frag_list skbs and\nredirects them from skb_segment_list to more robust skb_segment. But some\npackets with modified geometry can also hit bugs in that code. We don\u0027t\nknow how many such cases exist. Addressing each one by one also requires\ntouching the complex skb_segment code, which risks introducing bugs for\nother types of skbs. Instead, linearize all these packets that fail the\nbasic invariants on gso fraglist skbs. That is more robust.\n\nIf only part of the fraglist payload is pulled into head_skb, it will\nalways cause exception when splitting skbs by skb_segment. For detailed\ncall stack information, see below.\n\nValid SKB_GSO_FRAGLIST skbs\n- consist of two or more segments\n- the head_skb holds the protocol headers plus first gso_size\n- one or more frag_list skbs hold exactly one segment\n- all but the last must be gso_size\n\nOptional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can\nmodify fraglist skbs, breaking these invariants.\n\nIn extreme cases they pull one part of data into skb linear. For UDP,\nthis causes three payloads with lengths of (11,11,10) bytes were\npulled tail to become (12,10,10) bytes.\n\nThe skbs no longer meets the above SKB_GSO_FRAGLIST conditions because\npayload was pulled into head_skb, it needs to be linearized before pass\nto regular skb_segment.\n\n skb_segment+0xcd0/0xd14\n __udp_gso_segment+0x334/0x5f4\n udp4_ufo_fragment+0x118/0x15c\n inet_gso_segment+0x164/0x338\n skb_mac_gso_segment+0xc4/0x13c\n __skb_gso_segment+0xc4/0x124\n validate_xmit_skb+0x9c/0x2c0\n validate_xmit_skb_list+0x4c/0x80\n sch_direct_xmit+0x70/0x404\n __dev_queue_xmit+0x64c/0xe5c\n neigh_resolve_output+0x178/0x1c4\n ip_finish_output2+0x37c/0x47c\n __ip_finish_output+0x194/0x240\n ip_finish_output+0x20/0xf4\n ip_output+0x100/0x1a0\n NF_HOOK+0xc4/0x16c\n ip_forward+0x314/0x32c\n ip_rcv+0x90/0x118\n __netif_receive_skb+0x74/0x124\n process_backlog+0xe8/0x1a4\n __napi_poll+0x5c/0x1f8\n net_rx_action+0x154/0x314\n handle_softirqs+0x154/0x4b8\n\n [118.376811] [C201134] rxq0_pus: [name:bug\u0026]kernel BUG at net/core/skbuff.c:4278!\n [118.376829] [C201134] rxq0_pus: [name:traps\u0026]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n [118.470774] [C201134] rxq0_pus: [name:mrdump\u0026]Kernel Offset: 0x178cc00000 from 0xffffffc008000000\n [118.470810] [C201134] rxq0_pus: [name:mrdump\u0026]PHYS_OFFSET: 0x40000000\n [118.470827] [C201134] rxq0_pus: [name:mrdump\u0026]pstate: 60400005 (nZCv daif +PAN -UAO)\n [118.470848] [C201134] rxq0_pus: [name:mrdump\u0026]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14\n [118.470900] [C201134] rxq0_pus: [name:mrdump\u0026]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14\n [118.470928] [C201134] rxq0_pus: [name:mrdump\u0026]sp : ffffffc008013770" } ], "providerMetadata": { "dateUpdated": "2025-07-28T04:12:50.274Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0e65f38bd1aa14ea86e221b7bb814d38278d86c3" }, { "url": "https://git.kernel.org/stable/c/85eef1748c024da1a191aed56b30a3a65958c50c" }, { "url": "https://git.kernel.org/stable/c/4399f59a9467a324ed46657555f0e1f209a14acb" }, { "url": "https://git.kernel.org/stable/c/a04302867094bdc6efac1b598370fc47cf3f2388" }, { "url": "https://git.kernel.org/stable/c/3382a1ed7f778db841063f5d7e317ac55f9e7f72" } ], "title": "net: fix udp gso skb_segment after pull from frag_list", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38124", "datePublished": "2025-07-03T08:35:30.499Z", "dateReserved": "2025-04-16T04:51:23.986Z", "dateUpdated": "2025-07-28T04:12:50.274Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…