Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2025-1665
Vulnerability from csaf_certbund
Published
2025-07-28 22:00
Modified
2025-08-31 22:00
Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder andere nicht spezifizierte Angriffe durchzuführen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder andere nicht spezifizierte Angriffe durchzuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2025-1665 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1665.json" }, { "category": "self", "summary": "WID-SEC-2025-1665 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1665" }, { "category": "external", "summary": "Kernel CVE Announce Mailingliste", "url": "https://lore.kernel.org/linux-cve-announce/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38468", "url": "https://lore.kernel.org/linux-cve-announce/2025072834-CVE-2025-38468-4110@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38469", "url": "https://lore.kernel.org/linux-cve-announce/2025072811-CVE-2025-38469-4e11@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38470", "url": "https://lore.kernel.org/linux-cve-announce/2025072811-CVE-2025-38470-a4d4@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38471", "url": "https://lore.kernel.org/linux-cve-announce/2025072812-CVE-2025-38471-ca92@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38472", "url": "https://lore.kernel.org/linux-cve-announce/2025072812-CVE-2025-38472-fa6d@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38473", "url": "https://lore.kernel.org/linux-cve-announce/2025072812-CVE-2025-38473-e8bb@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38474", "url": "https://lore.kernel.org/linux-cve-announce/2025072812-CVE-2025-38474-0663@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38475", "url": "https://lore.kernel.org/linux-cve-announce/2025072813-CVE-2025-38475-deb5@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38476", "url": "https://lore.kernel.org/linux-cve-announce/2025072813-CVE-2025-38476-ab35@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38477", "url": "https://lore.kernel.org/linux-cve-announce/2025072813-CVE-2025-38477-8b42@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38478", "url": "https://lore.kernel.org/linux-cve-announce/2025072814-CVE-2025-38478-298f@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38480", "url": "https://lore.kernel.org/linux-cve-announce/2025072814-CVE-2025-38480-d8ab@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38481", "url": "https://lore.kernel.org/linux-cve-announce/2025072814-CVE-2025-38481-1476@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38482", "url": "https://lore.kernel.org/linux-cve-announce/2025072814-CVE-2025-38482-f4ed@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38483", "url": "https://lore.kernel.org/linux-cve-announce/2025072815-CVE-2025-38483-ab88@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38484", "url": "https://lore.kernel.org/linux-cve-announce/2025072815-CVE-2025-38484-4faf@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38485", "url": "https://lore.kernel.org/linux-cve-announce/2025072815-CVE-2025-38485-3cec@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38486", "url": "https://lore.kernel.org/linux-cve-announce/2025072815-CVE-2025-38486-e3f6@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38487", "url": "https://lore.kernel.org/linux-cve-announce/2025072816-CVE-2025-38487-1ffa@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38488", "url": "https://lore.kernel.org/linux-cve-announce/2025072816-CVE-2025-38488-7f36@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38489", "url": "https://lore.kernel.org/linux-cve-announce/2025072816-CVE-2025-38489-0fd7@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38490", "url": "https://lore.kernel.org/linux-cve-announce/2025072816-CVE-2025-38490-7528@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38491", "url": "https://lore.kernel.org/linux-cve-announce/2025072817-CVE-2025-38491-859c@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38492", "url": "https://lore.kernel.org/linux-cve-announce/2025072817-CVE-2025-38492-d59e@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38493", "url": "https://lore.kernel.org/linux-cve-announce/2025072817-CVE-2025-38493-32f7@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38494", "url": "https://lore.kernel.org/linux-cve-announce/2025072818-CVE-2025-38494-63e4@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38495", "url": "https://lore.kernel.org/linux-cve-announce/2025072818-CVE-2025-38495-3b28@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38496", "url": "https://lore.kernel.org/linux-cve-announce/2025072818-CVE-2025-38496-4301@gregkh/" }, { "category": "external", "summary": "Linux Kernel CVE Announcement CVE-2025-38497", "url": "https://lore.kernel.org/linux-cve-announce/2025072818-CVE-2025-38497-b5c7@gregkh/" }, { "category": "external", "summary": "Ubuntu Security Notice USN-7686-1 vom 2025-08-05", "url": "https://ubuntu.com/security/notices/USN-7686-1" }, { "category": "external", "summary": "Debian Security Advisory DSA-5973 vom 2025-08-12", "url": "https://lists.debian.org/debian-security-announce/2025/msg00137.html" }, { "category": "external", "summary": "Debian Security Advisory DSA-5975 vom 2025-08-13", "url": "https://lists.debian.org/debian-security-announce/2025/msg00139.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:13962 vom 2025-08-18", "url": "https://access.redhat.com/errata/RHSA-2025:13962" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02823-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022188.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02830-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022186.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02834-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022183.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02827-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022187.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02833-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022184.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02832-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022185.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02820-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022190.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02821-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022189.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02852-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022201.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02846-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022192.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02849-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022204.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14009 vom 2025-08-18", "url": "https://access.redhat.com/errata/RHSA-2025:14009" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14005 vom 2025-08-18", "url": "https://access.redhat.com/errata/RHSA-2025:14005" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02850-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022203.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02851-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022202.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02848-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022193.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02853-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022200.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02854-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022199.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14003 vom 2025-08-18", "url": "https://access.redhat.com/errata/RHSA-2025:14003" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02857-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022198.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02858-1 vom 2025-08-18", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022197.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02859-1 vom 2025-08-19", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LD4YB6F7MNGQGQU73AT5B2DURSYKBLRI/" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02878-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022207.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02860-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022212.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02884-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022205.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02875-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022211.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02871-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022210.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02876-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022208.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02873-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022209.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02883-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022206.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14082 vom 2025-08-19", "url": "https://access.redhat.com/errata/RHSA-2025:14082" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02897-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022217.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02909-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022224.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02911-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022223.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02922-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022235.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02917-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022222.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02918-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022221.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02894-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022219.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02908-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022218.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02902-1 vom 2025-08-19", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022216.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02923-1 vom 2025-08-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022237.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-13962 vom 2025-08-20", "url": "https://linux.oracle.com/errata/ELSA-2025-13962.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02930-1 vom 2025-08-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022240.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02926-1 vom 2025-08-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022238.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02932-1 vom 2025-08-20", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022241.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02933-1 vom 2025-08-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022243.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02934-1 vom 2025-08-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022242.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02942-1 vom 2025-08-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022247.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02936-1 vom 2025-08-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022250.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02944-1 vom 2025-08-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022245.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02945-1 vom 2025-08-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022244.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02937-1 vom 2025-08-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022249.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02955-1 vom 2025-08-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022252.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02938-1 vom 2025-08-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022248.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02943-1 vom 2025-08-21", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022246.html" }, { "category": "external", "summary": "Oracle Linux Security Advisory ELSA-2025-14009 vom 2025-08-22", "url": "https://linux.oracle.com/errata/ELSA-2025-14009.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02969-1 vom 2025-08-25", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022259.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14497 vom 2025-08-25", "url": "https://access.redhat.com/errata/RHSA-2025:14497" }, { "category": "external", "summary": "Google Cloud Platform Security Bulletin GCP-2025-046 vom 2025-08-25", "url": "https://cloud.google.com/support/bulletins#gcp-2025-046" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14599 vom 2025-08-26", "url": "https://access.redhat.com/errata/RHSA-2025:14599" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2025:14811 vom 2025-08-28", "url": "https://access.redhat.com/errata/RHSA-2025:14811" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02997-1 vom 2025-08-27", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022283.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:02996-1 vom 2025-08-27", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022291.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20586-1 vom 2025-08-28", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022295.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20577-1 vom 2025-08-28", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022304.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:03011-1 vom 2025-08-28", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022327.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20602-1 vom 2025-08-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022362.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:20601-1 vom 2025-08-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022363.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2025:03023-1 vom 2025-08-29", "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022329.html" } ], "source_lang": "en-US", "title": "Linux Kernel: Mehrere Schwachstellen", "tracking": { "current_release_date": "2025-08-31T22:00:00.000+00:00", "generator": { "date": "2025-09-01T07:11:11.220+00:00", "engine": { "name": "BSI-WID", "version": "1.4.0" } }, "id": "WID-SEC-W-2025-1665", "initial_release_date": "2025-07-28T22:00:00.000+00:00", "revision_history": [ { "date": "2025-07-28T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2025-08-05T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Ubuntu aufgenommen" }, { "date": "2025-08-12T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2025-08-13T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2025-08-17T22:00:00.000+00:00", "number": "5", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2025-08-18T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von SUSE und Red Hat aufgenommen" }, { "date": "2025-08-19T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-08-20T22:00:00.000+00:00", "number": "8", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-08-21T22:00:00.000+00:00", "number": "9", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-08-24T22:00:00.000+00:00", "number": "10", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-08-25T22:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Red Hat und Google aufgenommen" }, { "date": "2025-08-27T22:00:00.000+00:00", "number": "12", "summary": "Neue Updates von Red Hat und SUSE aufgenommen" }, { "date": "2025-08-28T22:00:00.000+00:00", "number": "13", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2025-08-31T22:00:00.000+00:00", "number": "14", "summary": "Neue Updates von SUSE aufgenommen" } ], "status": "final", "version": "14" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "category": "product_name", "name": "Google Container-Optimized OS", "product": { "name": "Google Container-Optimized OS", "product_id": "1607324", "product_identification_helper": { "cpe": "cpe:/o:google:container-optimized_os:-" } } } ], "category": "vendor", "name": "Google" }, { "branches": [ { "category": "product_name", "name": "Open Source Linux Kernel", "product": { "name": "Open Source Linux Kernel", "product_id": "T008144", "product_identification_helper": { "cpe": "cpe:/a:linux:linux_kernel:-" } } } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Oracle Linux", "product": { "name": "Oracle Linux", "product_id": "T004914", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" }, { "branches": [ { "category": "product_name", "name": "Ubuntu Linux", "product": { "name": "Ubuntu Linux", "product_id": "T000126", "product_identification_helper": { "cpe": "cpe:/o:canonical:ubuntu_linux:-" } } } ], "category": "vendor", "name": "Ubuntu" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-50047", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2024-50047" }, { "cve": "CVE-2025-38468", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38468" }, { "cve": "CVE-2025-38469", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38469" }, { "cve": "CVE-2025-38470", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38470" }, { "cve": "CVE-2025-38471", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38471" }, { "cve": "CVE-2025-38472", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38472" }, { "cve": "CVE-2025-38473", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38473" }, { "cve": "CVE-2025-38474", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38474" }, { "cve": "CVE-2025-38475", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38475" }, { "cve": "CVE-2025-38476", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38476" }, { "cve": "CVE-2025-38477", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38477" }, { "cve": "CVE-2025-38478", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38478" }, { "cve": "CVE-2025-38480", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38480" }, { "cve": "CVE-2025-38481", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38481" }, { "cve": "CVE-2025-38482", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38482" }, { "cve": "CVE-2025-38483", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38483" }, { "cve": "CVE-2025-38484", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38484" }, { "cve": "CVE-2025-38485", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38485" }, { "cve": "CVE-2025-38486", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38486" }, { "cve": "CVE-2025-38487", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38487" }, { "cve": "CVE-2025-38488", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38488" }, { "cve": "CVE-2025-38489", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38489" }, { "cve": "CVE-2025-38490", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38490" }, { "cve": "CVE-2025-38491", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38491" }, { "cve": "CVE-2025-38492", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38492" }, { "cve": "CVE-2025-38493", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38493" }, { "cve": "CVE-2025-38494", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38494" }, { "cve": "CVE-2025-38495", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38495" }, { "cve": "CVE-2025-38496", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38496" }, { "cve": "CVE-2025-38497", "product_status": { "known_affected": [ "2951", "T002207", "67646", "T000126", "T004914", "1607324", "T008144" ] }, "release_date": "2025-07-28T22:00:00.000+00:00", "title": "CVE-2025-38497" } ] }
CVE-2025-38475 (GCVE-0-2025-38475)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smc: Fix various oops due to inet_sock type confusion.
syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() while
freeing inet_sk(sk)->inet_opt.
The address was freed multiple times even though it was read-only memory.
cipso_v4_sock_setattr() did nothing wrong, and the root cause was type
confusion.
The cited commit made it possible to create smc_sock as an INET socket.
The issue is that struct smc_sock does not have struct inet_sock as the
first member but hijacks AF_INET and AF_INET6 sk_family, which confuses
various places.
In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),
which is an address of a function in the text segment.
$ pahole -C inet_sock vmlinux
struct inet_sock {
...
struct ip_options_rcu * inet_opt; /* 784 8 */
$ pahole -C smc_sock vmlinux
struct smc_sock {
...
void (*clcsk_data_ready)(struct sock *); /* 784 8 */
The same issue for another field was reported before. [2][3]
At that time, an ugly hack was suggested [4], but it makes both INET
and SMC code error-prone and hard to change.
Also, yet another variant was fixed by a hacky commit 98d4435efcbf3
("net/smc: prevent NULL pointer dereference in txopt_get").
Instead of papering over the root cause by such hacks, we should not
allow non-INET socket to reuse the INET infra.
Let's add inet_sock as the first member of smc_sock.
[0]:
kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73
WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955
Modules linked in:
CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955
lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955
sp : ffff8000a03a7730
x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3
x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00
x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0
x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffff
x17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14c
x14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffff
x11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000
x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360
x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000
Call trace:
kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P)
cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914
netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000
smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581
smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912
security_inode_setsecurity+0x118/0x3c0 security/security.c:2706
__vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251
__vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295
vfs_setxattr+0x158/0x2ac fs/xattr.c:321
do_setxattr fs/xattr.c:636 [inline]
file_setxattr+0x1b8/0x294 fs/xattr.c:646
path_setxattrat+0x2ac/0x320 fs/xattr.c:711
__do_sys_fsetxattr fs/xattr.c:761 [inline]
__se_sys_fsetxattr fs/xattr.c:758 [inline]
__arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
[
---truncated---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/smc/af_smc.c", "net/smc/smc.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5b02e397929e5b13b969ef1f8e43c7951e2864f5", "status": "affected", "version": "d25a92ccae6bed02327b63d138e12e7806830f78", "versionType": "git" }, { "lessThan": "67a167a6b8b45607bc34aa541d1c75097d18d460", "status": "affected", "version": "d25a92ccae6bed02327b63d138e12e7806830f78", "versionType": "git" }, { "lessThan": "60ada4fe644edaa6c2da97364184b0425e8aeaf5", "status": "affected", "version": "d25a92ccae6bed02327b63d138e12e7806830f78", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/smc/af_smc.c", "net/smc/smc.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix various oops due to inet_sock type confusion.\n\nsyzbot reported weird splats [0][1] in cipso_v4_sock_setattr() while\nfreeing inet_sk(sk)-\u003einet_opt.\n\nThe address was freed multiple times even though it was read-only memory.\n\ncipso_v4_sock_setattr() did nothing wrong, and the root cause was type\nconfusion.\n\nThe cited commit made it possible to create smc_sock as an INET socket.\n\nThe issue is that struct smc_sock does not have struct inet_sock as the\nfirst member but hijacks AF_INET and AF_INET6 sk_family, which confuses\nvarious places.\n\nIn this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),\nwhich is an address of a function in the text segment.\n\n $ pahole -C inet_sock vmlinux\n struct inet_sock {\n ...\n struct ip_options_rcu * inet_opt; /* 784 8 */\n\n $ pahole -C smc_sock vmlinux\n struct smc_sock {\n ...\n void (*clcsk_data_ready)(struct sock *); /* 784 8 */\n\nThe same issue for another field was reported before. [2][3]\n\nAt that time, an ugly hack was suggested [4], but it makes both INET\nand SMC code error-prone and hard to change.\n\nAlso, yet another variant was fixed by a hacky commit 98d4435efcbf3\n(\"net/smc: prevent NULL pointer dereference in txopt_get\").\n\nInstead of papering over the root cause by such hacks, we should not\nallow non-INET socket to reuse the INET infra.\n\nLet\u0027s add inet_sock as the first member of smc_sock.\n\n[0]:\nkvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73\nWARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955\nModules linked in:\nCPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT\nTainted: [W]=WARN\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955\nlr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955\nsp : ffff8000a03a7730\nx29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3\nx26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00\nx23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0\nx20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffff\nx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14c\nx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffff\nx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000\nx8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001\nx5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360\nx2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000\nCall trace:\n kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P)\n cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914\n netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000\n smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581\n smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912\n security_inode_setsecurity+0x118/0x3c0 security/security.c:2706\n __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251\n __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295\n vfs_setxattr+0x158/0x2ac fs/xattr.c:321\n do_setxattr fs/xattr.c:636 [inline]\n file_setxattr+0x1b8/0x294 fs/xattr.c:646\n path_setxattrat+0x2ac/0x320 fs/xattr.c:711\n __do_sys_fsetxattr fs/xattr.c:761 [inline]\n __se_sys_fsetxattr fs/xattr.c:758 [inline]\n __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879\n el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\n[\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:21:36.293Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5b02e397929e5b13b969ef1f8e43c7951e2864f5" }, { "url": "https://git.kernel.org/stable/c/67a167a6b8b45607bc34aa541d1c75097d18d460" }, { "url": "https://git.kernel.org/stable/c/60ada4fe644edaa6c2da97364184b0425e8aeaf5" } ], "title": "smc: Fix various oops due to inet_sock type confusion.", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38475", "datePublished": "2025-07-28T11:21:36.293Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-07-28T11:21:36.293Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38486 (GCVE-0-2025-38486)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soundwire: Revert "soundwire: qcom: Add set_channel_map api support"
This reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5.
This patch broke Dragonboard 845c (sdm845). I see:
Unexpected kernel BRK exception at EL1
Internal error: BRK handler: 00000000f20003e8 [#1] SMP
pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom]
lr : snd_soc_dai_set_channel_map+0x34/0x78
Call trace:
qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P)
sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845]
snd_soc_link_init+0x28/0x6c
snd_soc_bind_card+0x5f4/0xb0c
snd_soc_register_card+0x148/0x1a4
devm_snd_soc_register_card+0x50/0xb0
sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845]
platform_probe+0x6c/0xd0
really_probe+0xc0/0x2a4
__driver_probe_device+0x7c/0x130
driver_probe_device+0x40/0x118
__device_attach_driver+0xc4/0x108
bus_for_each_drv+0x8c/0xf0
__device_attach+0xa4/0x198
device_initial_probe+0x18/0x28
bus_probe_device+0xb8/0xbc
deferred_probe_work_func+0xac/0xfc
process_one_work+0x244/0x658
worker_thread+0x1b4/0x360
kthread+0x148/0x228
ret_from_fork+0x10/0x20
Kernel panic - not syncing: BRK handler: Fatal exception
Dan has also reported following issues with the original patch
https://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/
Bug #1:
The zeroeth element of ctrl->pconfig[] is supposed to be unused. We
start counting at 1. However this code sets ctrl->pconfig[0].ch_mask = 128.
Bug #2:
There are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only
QCOM_SDW_MAX_PORTS + 1 (15) in the ctrl->pconfig[] array so it corrupts
memory like Yongqin Liu pointed out.
Bug 3:
Like Jie Gan pointed out, it erases all the tx information with the rx
information.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/soundwire/qcom.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "207cea8b72fcbdf4e6db178e54186ed4f1514b3c", "status": "affected", "version": "7796c97df6b1b2206681a07f3c80f6023a6593d5", "versionType": "git" }, { "lessThan": "834bce6a715ae9a9c4dce7892454a19adf22b013", "status": "affected", "version": "7796c97df6b1b2206681a07f3c80f6023a6593d5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/soundwire/qcom.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.15" }, { "lessThan": "6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoundwire: Revert \"soundwire: qcom: Add set_channel_map api support\"\n\nThis reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5.\n\nThis patch broke Dragonboard 845c (sdm845). I see:\n\n Unexpected kernel BRK exception at EL1\n Internal error: BRK handler: 00000000f20003e8 [#1] SMP\n pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom]\n lr : snd_soc_dai_set_channel_map+0x34/0x78\n Call trace:\n qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P)\n sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845]\n snd_soc_link_init+0x28/0x6c\n snd_soc_bind_card+0x5f4/0xb0c\n snd_soc_register_card+0x148/0x1a4\n devm_snd_soc_register_card+0x50/0xb0\n sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845]\n platform_probe+0x6c/0xd0\n really_probe+0xc0/0x2a4\n __driver_probe_device+0x7c/0x130\n driver_probe_device+0x40/0x118\n __device_attach_driver+0xc4/0x108\n bus_for_each_drv+0x8c/0xf0\n __device_attach+0xa4/0x198\n device_initial_probe+0x18/0x28\n bus_probe_device+0xb8/0xbc\n deferred_probe_work_func+0xac/0xfc\n process_one_work+0x244/0x658\n worker_thread+0x1b4/0x360\n kthread+0x148/0x228\n ret_from_fork+0x10/0x20\n Kernel panic - not syncing: BRK handler: Fatal exception\n\nDan has also reported following issues with the original patch\nhttps://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/\n\nBug #1:\nThe zeroeth element of ctrl-\u003epconfig[] is supposed to be unused. We\nstart counting at 1. However this code sets ctrl-\u003epconfig[0].ch_mask = 128.\n\nBug #2:\nThere are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only\nQCOM_SDW_MAX_PORTS + 1 (15) in the ctrl-\u003epconfig[] array so it corrupts\nmemory like Yongqin Liu pointed out.\n\nBug 3:\nLike Jie Gan pointed out, it erases all the tx information with the rx\ninformation." } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:21:50.349Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/207cea8b72fcbdf4e6db178e54186ed4f1514b3c" }, { "url": "https://git.kernel.org/stable/c/834bce6a715ae9a9c4dce7892454a19adf22b013" } ], "title": "soundwire: Revert \"soundwire: qcom: Add set_channel_map api support\"", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38486", "datePublished": "2025-07-28T11:21:50.349Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-07-28T11:21:50.349Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38488 (GCVE-0-2025-38488)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix use-after-free in crypt_message when using async crypto
The CVE-2024-50047 fix removed asynchronous crypto handling from
crypt_message(), assuming all crypto operations are synchronous.
However, when hardware crypto accelerators are used, this can cause
use-after-free crashes:
crypt_message()
// Allocate the creq buffer containing the req
creq = smb2_get_aead_req(..., &req);
// Async encryption returns -EINPROGRESS immediately
rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
// Free creq while async operation is still in progress
kvfree_sensitive(creq, ...);
Hardware crypto modules often implement async AEAD operations for
performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,
the operation completes asynchronously. Without crypto_wait_req(),
the function immediately frees the request buffer, leading to crashes
when the driver later accesses the freed memory.
This results in a use-after-free condition when the hardware crypto
driver later accesses the freed request structure, leading to kernel
crashes with NULL pointer dereferences.
The issue occurs because crypto_alloc_aead() with mask=0 doesn't
guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in
the mask, async implementations can be selected.
Fix by restoring the async crypto handling:
- DECLARE_CRYPTO_WAIT(wait) for completion tracking
- aead_request_set_callback() for async completion notification
- crypto_wait_req() to wait for operation completion
This ensures the request buffer isn't freed until the crypto operation
completes, whether synchronous or asynchronous, while preserving the
CVE-2024-50047 fix.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 8f14a476abba13144df5434871a7225fd29af633 Version: ef51c0d544b1518b35364480317ab6d3468f205d Version: bce966530fd5542bbb422cb45ecb775f7a1a6bc3 Version: 0809fb86ad13b29e1d6d491364fc7ea4fb545995 Version: b0abcd65ec545701b8793e12bc27dc98042b151a Version: b0abcd65ec545701b8793e12bc27dc98042b151a Version: b0abcd65ec545701b8793e12bc27dc98042b151a Version: 538c26d9bf70c90edc460d18c81008a4e555925a |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/client/smb2ops.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5d047b12f86cc3b9fde1171c02d9bccf4dba0632", "status": "affected", "version": "8f14a476abba13144df5434871a7225fd29af633", "versionType": "git" }, { "lessThan": "6550b2bef095d0dd2d2c8390d2ea4c3837028833", "status": "affected", "version": "ef51c0d544b1518b35364480317ab6d3468f205d", "versionType": "git" }, { "lessThan": "9a1d3e8d40f151c2d5a5f40c410e6e433f62f438", "status": "affected", "version": "bce966530fd5542bbb422cb45ecb775f7a1a6bc3", "versionType": "git" }, { "lessThan": "15a0a5de49507062bc3be4014a403d8cea5533de", "status": "affected", "version": "0809fb86ad13b29e1d6d491364fc7ea4fb545995", "versionType": "git" }, { "lessThan": "2a76bc2b24ed889a689fb1c9015307bf16aafb5b", "status": "affected", "version": "b0abcd65ec545701b8793e12bc27dc98042b151a", "versionType": "git" }, { "lessThan": "8ac90f6824fc44d2e55a82503ddfc95defb19ae0", "status": "affected", "version": "b0abcd65ec545701b8793e12bc27dc98042b151a", "versionType": "git" }, { "lessThan": "b220bed63330c0e1733dc06ea8e75d5b9962b6b6", "status": "affected", "version": "b0abcd65ec545701b8793e12bc27dc98042b151a", "versionType": "git" }, { "status": "affected", "version": "538c26d9bf70c90edc460d18c81008a4e555925a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/client/smb2ops.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.12" }, { "lessThan": "6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "5.10.237", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "5.15.181", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "6.1.128", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "6.6.57", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in crypt_message when using async crypto\n\nThe CVE-2024-50047 fix removed asynchronous crypto handling from\ncrypt_message(), assuming all crypto operations are synchronous.\nHowever, when hardware crypto accelerators are used, this can cause\nuse-after-free crashes:\n\n crypt_message()\n // Allocate the creq buffer containing the req\n creq = smb2_get_aead_req(..., \u0026req);\n\n // Async encryption returns -EINPROGRESS immediately\n rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);\n\n // Free creq while async operation is still in progress\n kvfree_sensitive(creq, ...);\n\nHardware crypto modules often implement async AEAD operations for\nperformance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,\nthe operation completes asynchronously. Without crypto_wait_req(),\nthe function immediately frees the request buffer, leading to crashes\nwhen the driver later accesses the freed memory.\n\nThis results in a use-after-free condition when the hardware crypto\ndriver later accesses the freed request structure, leading to kernel\ncrashes with NULL pointer dereferences.\n\nThe issue occurs because crypto_alloc_aead() with mask=0 doesn\u0027t\nguarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in\nthe mask, async implementations can be selected.\n\nFix by restoring the async crypto handling:\n- DECLARE_CRYPTO_WAIT(wait) for completion tracking\n- aead_request_set_callback() for async completion notification\n- crypto_wait_req() to wait for operation completion\n\nThis ensures the request buffer isn\u0027t freed until the crypto operation\ncompletes, whether synchronous or asynchronous, while preserving the\nCVE-2024-50047 fix." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:26.223Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5d047b12f86cc3b9fde1171c02d9bccf4dba0632" }, { "url": "https://git.kernel.org/stable/c/6550b2bef095d0dd2d2c8390d2ea4c3837028833" }, { "url": "https://git.kernel.org/stable/c/9a1d3e8d40f151c2d5a5f40c410e6e433f62f438" }, { "url": "https://git.kernel.org/stable/c/15a0a5de49507062bc3be4014a403d8cea5533de" }, { "url": "https://git.kernel.org/stable/c/2a76bc2b24ed889a689fb1c9015307bf16aafb5b" }, { "url": "https://git.kernel.org/stable/c/8ac90f6824fc44d2e55a82503ddfc95defb19ae0" }, { "url": "https://git.kernel.org/stable/c/b220bed63330c0e1733dc06ea8e75d5b9962b6b6" } ], "title": "smb: client: fix use-after-free in crypt_message when using async crypto", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38488", "datePublished": "2025-07-28T11:21:52.085Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:26.223Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38495 (GCVE-0-2025-38495)
Vulnerability from cvelistv5
Published
2025-07-28 11:22
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: ensure the allocated report buffer can contain the reserved report ID
When the report ID is not used, the low level transport drivers expect
the first byte to be 0. However, currently the allocated buffer not
account for that extra byte, meaning that instead of having 8 guaranteed
bytes for implement to be working, we only have 7.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/hid-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7228e36c7875e4b035374cf68ca5e44dffa596b2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9f2892f7233a8f1320fe671d0f95f122191bfbcd", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7fa83d0043370003e9a0b46ab7ae8f53b00fab06", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d3ed1d84a84538a39b3eb2055d6a97a936c108f2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fcda39a9c5b834346088c14b1374336b079466c1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a262370f385e53ff7470efdcdaf40468e5756717", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a47d9d9895bad9ce0e840a39836f19ca0b2a343a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4f15ee98304b96e164ff2340e1dfd6181c3f42aa", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/hid-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: ensure the allocated report buffer can contain the reserved report ID\n\nWhen the report ID is not used, the low level transport drivers expect\nthe first byte to be 0. However, currently the allocated buffer not\naccount for that extra byte, meaning that instead of having 8 guaranteed\nbytes for implement to be working, we only have 7." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:29.931Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7228e36c7875e4b035374cf68ca5e44dffa596b2" }, { "url": "https://git.kernel.org/stable/c/9f2892f7233a8f1320fe671d0f95f122191bfbcd" }, { "url": "https://git.kernel.org/stable/c/7fa83d0043370003e9a0b46ab7ae8f53b00fab06" }, { "url": "https://git.kernel.org/stable/c/d3ed1d84a84538a39b3eb2055d6a97a936c108f2" }, { "url": "https://git.kernel.org/stable/c/fcda39a9c5b834346088c14b1374336b079466c1" }, { "url": "https://git.kernel.org/stable/c/a262370f385e53ff7470efdcdaf40468e5756717" }, { "url": "https://git.kernel.org/stable/c/a47d9d9895bad9ce0e840a39836f19ca0b2a343a" }, { "url": "https://git.kernel.org/stable/c/4f15ee98304b96e164ff2340e1dfd6181c3f42aa" } ], "title": "HID: core: ensure the allocated report buffer can contain the reserved report ID", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38495", "datePublished": "2025-07-28T11:22:04.169Z", "dateReserved": "2025-04-16T04:51:24.022Z", "dateUpdated": "2025-08-28T14:43:29.931Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38481 (GCVE-0-2025-38481)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to
hold the array of `struct comedi_insn`, getting the length from the
`n_insns` member of the `struct comedi_insnlist` supplied by the user.
The allocation will fail with a WARNING and a stack dump if it is too
large.
Avoid that by failing with an `-EINVAL` error if the supplied `n_insns`
value is unreasonable.
Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set
this to the same value as `MAX_SAMPLES` (65536), which is the maximum
allowed sum of the values of the member `n` in the array of `struct
comedi_insn`, and sensible comedi instructions will have an `n` of at
least 1.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/comedi/comedi_fops.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "454d732dfd0aef7d7aa950c409215ca06d717e93", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "c68257588e87f45530235701a42496b7e9e56adb", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "69dc06b9514522de532e997a21d035cd29b0db44", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "d4c73ce13f5b5a0fe0319f1f352ff602f0ace8e3", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "c9d3d9667443caafa804cd07940aeaef8e53aa90", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "992d600f284e719242a434166e86c1999649b71c", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "e3b8322cc8081d142ee4c1a43e1d702bdba1ed76", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "08ae4b20f5e82101d77326ecab9089e110f224cc", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/comedi/comedi_fops.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.29" }, { "lessThan": "2.6.29", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "2.6.29", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large\n\nThe handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to\nhold the array of `struct comedi_insn`, getting the length from the\n`n_insns` member of the `struct comedi_insnlist` supplied by the user.\nThe allocation will fail with a WARNING and a stack dump if it is too\nlarge.\n\nAvoid that by failing with an `-EINVAL` error if the supplied `n_insns`\nvalue is unreasonable.\n\nDefine the limit on the `n_insns` value in the `MAX_INSNS` macro. Set\nthis to the same value as `MAX_SAMPLES` (65536), which is the maximum\nallowed sum of the values of the member `n` in the array of `struct\ncomedi_insn`, and sensible comedi instructions will have an `n` of at\nleast 1." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:20.991Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/454d732dfd0aef7d7aa950c409215ca06d717e93" }, { "url": "https://git.kernel.org/stable/c/c68257588e87f45530235701a42496b7e9e56adb" }, { "url": "https://git.kernel.org/stable/c/69dc06b9514522de532e997a21d035cd29b0db44" }, { "url": "https://git.kernel.org/stable/c/d4c73ce13f5b5a0fe0319f1f352ff602f0ace8e3" }, { "url": "https://git.kernel.org/stable/c/c9d3d9667443caafa804cd07940aeaef8e53aa90" }, { "url": "https://git.kernel.org/stable/c/992d600f284e719242a434166e86c1999649b71c" }, { "url": "https://git.kernel.org/stable/c/e3b8322cc8081d142ee4c1a43e1d702bdba1ed76" }, { "url": "https://git.kernel.org/stable/c/08ae4b20f5e82101d77326ecab9089e110f224cc" } ], "title": "comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38481", "datePublished": "2025-07-28T11:21:46.147Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:20.991Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38471 (GCVE-0-2025-38471)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: always refresh the queue when reading sock
After recent changes in net-next TCP compacts skbs much more
aggressively. This unearthed a bug in TLS where we may try
to operate on an old skb when checking if all skbs in the
queue have matching decrypt state and geometry.
BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]
(net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)
Read of size 4 at addr ffff888013085750 by task tls/13529
CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme
Call Trace:
kasan_report+0xca/0x100
tls_strp_check_rcv+0x898/0x9a0 [tls]
tls_rx_rec_wait+0x2c9/0x8d0 [tls]
tls_sw_recvmsg+0x40f/0x1aa0 [tls]
inet_recvmsg+0x1c3/0x1f0
Always reload the queue, fast path is to have the record in the queue
when we wake, anyway (IOW the path going down "if !strp->stm.full_len").
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 0d87bbd39d7fd1135ab9eca672d760470f6508e8 Version: 0d87bbd39d7fd1135ab9eca672d760470f6508e8 Version: 0d87bbd39d7fd1135ab9eca672d760470f6508e8 Version: 0d87bbd39d7fd1135ab9eca672d760470f6508e8 Version: 0d87bbd39d7fd1135ab9eca672d760470f6508e8 Version: 2277d7cbdf47531b2c3cd01ba15255fa955aab35 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/tls/tls_strp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "730fed2ff5e259495712518e18d9f521f61972bb", "status": "affected", "version": "0d87bbd39d7fd1135ab9eca672d760470f6508e8", "versionType": "git" }, { "lessThan": "1f3a429c21e0e43e8b8c55d30701e91411a4df02", "status": "affected", "version": "0d87bbd39d7fd1135ab9eca672d760470f6508e8", "versionType": "git" }, { "lessThan": "cdb767915fc9a15d88d19d52a1455f1dc3e5ddc8", "status": "affected", "version": "0d87bbd39d7fd1135ab9eca672d760470f6508e8", "versionType": "git" }, { "lessThan": "c76f6f437c46b2390888e0e1dc7aafafa9f4e0c6", "status": "affected", "version": "0d87bbd39d7fd1135ab9eca672d760470f6508e8", "versionType": "git" }, { "lessThan": "4ab26bce3969f8fd925fe6f6f551e4d1a508c68b", "status": "affected", "version": "0d87bbd39d7fd1135ab9eca672d760470f6508e8", "versionType": "git" }, { "status": "affected", "version": "2277d7cbdf47531b2c3cd01ba15255fa955aab35", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/tls/tls_strp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: always refresh the queue when reading sock\n\nAfter recent changes in net-next TCP compacts skbs much more\naggressively. This unearthed a bug in TLS where we may try\nto operate on an old skb when checking if all skbs in the\nqueue have matching decrypt state and geometry.\n\n BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]\n (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)\n Read of size 4 at addr ffff888013085750 by task tls/13529\n\n CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme\n Call Trace:\n kasan_report+0xca/0x100\n tls_strp_check_rcv+0x898/0x9a0 [tls]\n tls_rx_rec_wait+0x2c9/0x8d0 [tls]\n tls_sw_recvmsg+0x40f/0x1aa0 [tls]\n inet_recvmsg+0x1c3/0x1f0\n\nAlways reload the queue, fast path is to have the record in the queue\nwhen we wake, anyway (IOW the path going down \"if !strp-\u003estm.full_len\")." } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:21:32.927Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/730fed2ff5e259495712518e18d9f521f61972bb" }, { "url": "https://git.kernel.org/stable/c/1f3a429c21e0e43e8b8c55d30701e91411a4df02" }, { "url": "https://git.kernel.org/stable/c/cdb767915fc9a15d88d19d52a1455f1dc3e5ddc8" }, { "url": "https://git.kernel.org/stable/c/c76f6f437c46b2390888e0e1dc7aafafa9f4e0c6" }, { "url": "https://git.kernel.org/stable/c/4ab26bce3969f8fd925fe6f6f551e4d1a508c68b" } ], "title": "tls: always refresh the queue when reading sock", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38471", "datePublished": "2025-07-28T11:21:32.927Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-07-28T11:21:32.927Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38484 (GCVE-0-2025-38484)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: backend: fix out-of-bound write
The buffer is set to 80 character. If a caller write more characters,
count is truncated to the max available space in "simple_write_to_buffer".
But afterwards a string terminator is written to the buffer at offset count
without boundary check. The zero termination is written OUT-OF-BOUND.
Add a check that the given buffer is smaller then the buffer to prevent.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: df3892e5e861c43d5612728ed259634675b8a71f Version: 035b4989211dc1c8626e186d655ae8ca5141bb73 Version: 035b4989211dc1c8626e186d655ae8ca5141bb73 Version: 04271a4d2740f98bbe36f82cd3d74677a839d1eb Version: fd791c81f410ab1c554686a6f486dc7a176dfe35 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/iio/industrialio-backend.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6eea9f7648ddb9e4903735a1f77cf196c957aa38", "status": "affected", "version": "df3892e5e861c43d5612728ed259634675b8a71f", "versionType": "git" }, { "lessThan": "01e941aa7f5175125df4ac5d3aab099961525602", "status": "affected", "version": "035b4989211dc1c8626e186d655ae8ca5141bb73", "versionType": "git" }, { "lessThan": "da9374819eb3885636934c1006d450c3cb1a02ed", "status": "affected", "version": "035b4989211dc1c8626e186d655ae8ca5141bb73", "versionType": "git" }, { "status": "affected", "version": "04271a4d2740f98bbe36f82cd3d74677a839d1eb", "versionType": "git" }, { "status": "affected", "version": "fd791c81f410ab1c554686a6f486dc7a176dfe35", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/iio/industrialio-backend.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.15" }, { "lessThan": "6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "6.12.23", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: backend: fix out-of-bound write\n\nThe buffer is set to 80 character. If a caller write more characters,\ncount is truncated to the max available space in \"simple_write_to_buffer\".\nBut afterwards a string terminator is written to the buffer at offset count\nwithout boundary check. The zero termination is written OUT-OF-BOUND.\n\nAdd a check that the given buffer is smaller then the buffer to prevent." } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:21:48.690Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6eea9f7648ddb9e4903735a1f77cf196c957aa38" }, { "url": "https://git.kernel.org/stable/c/01e941aa7f5175125df4ac5d3aab099961525602" }, { "url": "https://git.kernel.org/stable/c/da9374819eb3885636934c1006d450c3cb1a02ed" } ], "title": "iio: backend: fix out-of-bound write", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38484", "datePublished": "2025-07-28T11:21:48.690Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-07-28T11:21:48.690Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38483 (GCVE-0-2025-38483)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: das16m1: Fix bit shift out of bounds
When checking for a supported IRQ number, the following test is used:
/* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */
if ((1 << it->options[1]) & 0xdcfc) {
However, `it->options[i]` is an unchecked `int` value from userspace, so
the shift amount could be negative or out of bounds. Fix the test by
requiring `it->options[1]` to be within bounds before proceeding with
the original test.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 729988507680b2ce934bce61d9ce0ea7b235914c Version: 729988507680b2ce934bce61d9ce0ea7b235914c Version: 729988507680b2ce934bce61d9ce0ea7b235914c Version: 729988507680b2ce934bce61d9ce0ea7b235914c Version: 729988507680b2ce934bce61d9ce0ea7b235914c Version: 729988507680b2ce934bce61d9ce0ea7b235914c Version: 729988507680b2ce934bce61d9ce0ea7b235914c Version: 729988507680b2ce934bce61d9ce0ea7b235914c |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/comedi/drivers/das16m1.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "539bdff832adac9ea653859fa0b6bc62e743329c", "status": "affected", "version": "729988507680b2ce934bce61d9ce0ea7b235914c", "versionType": "git" }, { "lessThan": "d1291c69f46d6572b2cf75960dd8975d7ab2176b", "status": "affected", "version": "729988507680b2ce934bce61d9ce0ea7b235914c", "versionType": "git" }, { "lessThan": "b3c95fa508e5dc3da60520eea92a5241095ceef1", "status": "affected", "version": "729988507680b2ce934bce61d9ce0ea7b235914c", "versionType": "git" }, { "lessThan": "65c03e6fc524eb2868abedffd8a4613d78abc288", "status": "affected", "version": "729988507680b2ce934bce61d9ce0ea7b235914c", "versionType": "git" }, { "lessThan": "adb7df8a8f9d788423e161b779764527dd3ec2d0", "status": "affected", "version": "729988507680b2ce934bce61d9ce0ea7b235914c", "versionType": "git" }, { "lessThan": "076b13ee60eb01ed0d140ef261f95534562a3077", "status": "affected", "version": "729988507680b2ce934bce61d9ce0ea7b235914c", "versionType": "git" }, { "lessThan": "f211572818ed5bec2b3f5d4e0719ef8699b3c269", "status": "affected", "version": "729988507680b2ce934bce61d9ce0ea7b235914c", "versionType": "git" }, { "lessThan": "ed93c6f68a3be06e4e0c331c6e751f462dee3932", "status": "affected", "version": "729988507680b2ce934bce61d9ce0ea7b235914c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/comedi/drivers/das16m1.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.14" }, { "lessThan": "3.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "versionStartIncluding": "3.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "3.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "3.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "3.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "3.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "3.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "3.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "3.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: das16m1: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\t/* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */\n\tif ((1 \u003c\u003c it-\u003eoptions[1]) \u0026 0xdcfc) {\n\nHowever, `it-\u003eoptions[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds. Fix the test by\nrequiring `it-\u003eoptions[1]` to be within bounds before proceeding with\nthe original test." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:23.600Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/539bdff832adac9ea653859fa0b6bc62e743329c" }, { "url": "https://git.kernel.org/stable/c/d1291c69f46d6572b2cf75960dd8975d7ab2176b" }, { "url": "https://git.kernel.org/stable/c/b3c95fa508e5dc3da60520eea92a5241095ceef1" }, { "url": "https://git.kernel.org/stable/c/65c03e6fc524eb2868abedffd8a4613d78abc288" }, { "url": "https://git.kernel.org/stable/c/adb7df8a8f9d788423e161b779764527dd3ec2d0" }, { "url": "https://git.kernel.org/stable/c/076b13ee60eb01ed0d140ef261f95534562a3077" }, { "url": "https://git.kernel.org/stable/c/f211572818ed5bec2b3f5d4e0719ef8699b3c269" }, { "url": "https://git.kernel.org/stable/c/ed93c6f68a3be06e4e0c331c6e751f462dee3932" } ], "title": "comedi: das16m1: Fix bit shift out of bounds", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38483", "datePublished": "2025-07-28T11:21:47.895Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:23.600Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38496 (GCVE-0-2025-38496)
Vulnerability from cvelistv5
Published
2025-07-28 11:22
Modified
2025-07-28 11:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm-bufio: fix sched in atomic context
If "try_verify_in_tasklet" is set for dm-verity, DM_BUFIO_CLIENT_NO_SLEEP
is enabled for dm-bufio. However, when bufio tries to evict buffers, there
is a chance to trigger scheduling in spin_lock_bh, the following warning
is hit:
BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 123, name: kworker/2:2
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
4 locks held by kworker/2:2/123:
#0: ffff88800a2d1548 ((wq_completion)dm_bufio_cache){....}-{0:0}, at: process_one_work+0xe46/0x1970
#1: ffffc90000d97d20 ((work_completion)(&dm_bufio_replacement_work)){....}-{0:0}, at: process_one_work+0x763/0x1970
#2: ffffffff8555b528 (dm_bufio_clients_lock){....}-{3:3}, at: do_global_cleanup+0x1ce/0x710
#3: ffff88801d5820b8 (&c->spinlock){....}-{2:2}, at: do_global_cleanup+0x2a5/0x710
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 2 UID: 0 PID: 123 Comm: kworker/2:2 Not tainted 6.16.0-rc3-g90548c634bd0 #305 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: dm_bufio_cache do_global_cleanup
Call Trace:
<TASK>
dump_stack_lvl+0x53/0x70
__might_resched+0x360/0x4e0
do_global_cleanup+0x2f5/0x710
process_one_work+0x7db/0x1970
worker_thread+0x518/0xea0
kthread+0x359/0x690
ret_from_fork+0xf3/0x1b0
ret_from_fork_asm+0x1a/0x30
</TASK>
That can be reproduced by:
veritysetup format --data-block-size=4096 --hash-block-size=4096 /dev/vda /dev/vdb
SIZE=$(blockdev --getsz /dev/vda)
dmsetup create myverity -r --table "0 $SIZE verity 1 /dev/vda /dev/vdb 4096 4096 <data_blocks> 1 sha256 <root_hash> <salt> 1 try_verify_in_tasklet"
mount /dev/dm-0 /mnt -o ro
echo 102400 > /sys/module/dm_bufio/parameters/max_cache_size_bytes
[read files in /mnt]
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/md/dm-bufio.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "469a39a33a9934af157299bf11c58f6e6cb53f85", "status": "affected", "version": "450e8dee51aa6fa1dd0f64073e88235f1a77b035", "versionType": "git" }, { "lessThan": "68860d1ade385eef9fcdbf6552f061283091fdb8", "status": "affected", "version": "450e8dee51aa6fa1dd0f64073e88235f1a77b035", "versionType": "git" }, { "lessThan": "3edfdb1d4ef81320dae0caa40bc24baf8c1bbb86", "status": "affected", "version": "450e8dee51aa6fa1dd0f64073e88235f1a77b035", "versionType": "git" }, { "lessThan": "b1bf1a782fdf5c482215c0c661b5da98b8e75773", "status": "affected", "version": "450e8dee51aa6fa1dd0f64073e88235f1a77b035", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/md/dm-bufio.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "6.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "6.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-bufio: fix sched in atomic context\n\nIf \"try_verify_in_tasklet\" is set for dm-verity, DM_BUFIO_CLIENT_NO_SLEEP\nis enabled for dm-bufio. However, when bufio tries to evict buffers, there\nis a chance to trigger scheduling in spin_lock_bh, the following warning\nis hit:\n\nBUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 123, name: kworker/2:2\npreempt_count: 201, expected: 0\nRCU nest depth: 0, expected: 0\n4 locks held by kworker/2:2/123:\n #0: ffff88800a2d1548 ((wq_completion)dm_bufio_cache){....}-{0:0}, at: process_one_work+0xe46/0x1970\n #1: ffffc90000d97d20 ((work_completion)(\u0026dm_bufio_replacement_work)){....}-{0:0}, at: process_one_work+0x763/0x1970\n #2: ffffffff8555b528 (dm_bufio_clients_lock){....}-{3:3}, at: do_global_cleanup+0x1ce/0x710\n #3: ffff88801d5820b8 (\u0026c-\u003espinlock){....}-{2:2}, at: do_global_cleanup+0x2a5/0x710\nPreemption disabled at:\n[\u003c0000000000000000\u003e] 0x0\nCPU: 2 UID: 0 PID: 123 Comm: kworker/2:2 Not tainted 6.16.0-rc3-g90548c634bd0 #305 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nWorkqueue: dm_bufio_cache do_global_cleanup\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x53/0x70\n __might_resched+0x360/0x4e0\n do_global_cleanup+0x2f5/0x710\n process_one_work+0x7db/0x1970\n worker_thread+0x518/0xea0\n kthread+0x359/0x690\n ret_from_fork+0xf3/0x1b0\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nThat can be reproduced by:\n\n veritysetup format --data-block-size=4096 --hash-block-size=4096 /dev/vda /dev/vdb\n SIZE=$(blockdev --getsz /dev/vda)\n dmsetup create myverity -r --table \"0 $SIZE verity 1 /dev/vda /dev/vdb 4096 4096 \u003cdata_blocks\u003e 1 sha256 \u003croot_hash\u003e \u003csalt\u003e 1 try_verify_in_tasklet\"\n mount /dev/dm-0 /mnt -o ro\n echo 102400 \u003e /sys/module/dm_bufio/parameters/max_cache_size_bytes\n [read files in /mnt]" } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:22:05.091Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/469a39a33a9934af157299bf11c58f6e6cb53f85" }, { "url": "https://git.kernel.org/stable/c/68860d1ade385eef9fcdbf6552f061283091fdb8" }, { "url": "https://git.kernel.org/stable/c/3edfdb1d4ef81320dae0caa40bc24baf8c1bbb86" }, { "url": "https://git.kernel.org/stable/c/b1bf1a782fdf5c482215c0c661b5da98b8e75773" } ], "title": "dm-bufio: fix sched in atomic context", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38496", "datePublished": "2025-07-28T11:22:05.091Z", "dateReserved": "2025-04-16T04:51:24.022Z", "dateUpdated": "2025-07-28T11:22:05.091Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38477 (GCVE-0-2025-38477)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix race condition on qfq_aggregate
A race condition can occur when 'agg' is modified in qfq_change_agg
(called during qfq_enqueue) while other threads access it
concurrently. For example, qfq_dump_class may trigger a NULL
dereference, and qfq_delete_class may cause a use-after-free.
This patch addresses the issue by:
1. Moved qfq_destroy_class into the critical section.
2. Added sch_tree_lock protection to qfq_dump_class and
qfq_dump_class_stats.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd Version: 462dbc9101acd38e92eda93c0726857517a24bbd |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sched/sch_qfq.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "aa7a22c4d678bf649fd3a1d27debec583563414d", "status": "affected", "version": "462dbc9101acd38e92eda93c0726857517a24bbd", "versionType": "git" }, { "lessThan": "d841aa5518508ab195b6781ad0d73ee378d713dd", "status": "affected", "version": "462dbc9101acd38e92eda93c0726857517a24bbd", "versionType": "git" }, { "lessThan": "c6df794000147a3a02f79984aada4ce83f8d0a1e", "status": "affected", "version": "462dbc9101acd38e92eda93c0726857517a24bbd", "versionType": "git" }, { "lessThan": "466e10194ab81caa2ee6a332d33ba16bcceeeba6", "status": "affected", "version": "462dbc9101acd38e92eda93c0726857517a24bbd", "versionType": "git" }, { "lessThan": "fbe48f06e64134dfeafa89ad23387f66ebca3527", "status": "affected", "version": "462dbc9101acd38e92eda93c0726857517a24bbd", "versionType": "git" }, { "lessThan": "a6d735100f602c830c16d69fb6d780eebd8c9ae1", "status": "affected", "version": "462dbc9101acd38e92eda93c0726857517a24bbd", "versionType": "git" }, { "lessThan": "c000a3a330d97f6c073ace5aa5faf94b9adb4b79", "status": "affected", "version": "462dbc9101acd38e92eda93c0726857517a24bbd", "versionType": "git" }, { "lessThan": "5e28d5a3f774f118896aec17a3a20a9c5c9dfc64", "status": "affected", "version": "462dbc9101acd38e92eda93c0726857517a24bbd", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sched/sch_qfq.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.8" }, { "lessThan": "3.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "3.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "3.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix race condition on qfq_aggregate\n\nA race condition can occur when \u0027agg\u0027 is modified in qfq_change_agg\n(called during qfq_enqueue) while other threads access it\nconcurrently. For example, qfq_dump_class may trigger a NULL\ndereference, and qfq_delete_class may cause a use-after-free.\n\nThis patch addresses the issue by:\n\n1. Moved qfq_destroy_class into the critical section.\n\n2. Added sch_tree_lock protection to qfq_dump_class and\nqfq_dump_class_stats." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:15.237Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d" }, { "url": "https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd" }, { "url": "https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e" }, { "url": "https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6" }, { "url": "https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527" }, { "url": "https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1" }, { "url": "https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79" }, { "url": "https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64" } ], "title": "net/sched: sch_qfq: Fix race condition on qfq_aggregate", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38477", "datePublished": "2025-07-28T11:21:38.319Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:15.237Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38492 (GCVE-0-2025-38492)
Vulnerability from cvelistv5
Published
2025-07-28 11:22
Modified
2025-07-28 11:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix race between cache write completion and ALL_QUEUED being set
When netfslib is issuing subrequests, the subrequests start processing
immediately and may complete before we reach the end of the issuing
function. At the end of the issuing function we set NETFS_RREQ_ALL_QUEUED
to indicate to the collector that we aren't going to issue any more subreqs
and that it can do the final notifications and cleanup.
Now, this isn't a problem if the request is synchronous
(NETFS_RREQ_OFFLOAD_COLLECTION is unset) as the result collection will be
done in-thread and we're guaranteed an opportunity to run the collector.
However, if the request is asynchronous, collection is primarily triggered
by the termination of subrequests queuing it on a workqueue. Now, a race
can occur here if the app thread sets ALL_QUEUED after the last subrequest
terminates.
This can happen most easily with the copy2cache code (as used by Ceph)
where, in the collection routine of a read request, an asynchronous write
request is spawned to copy data to the cache. Folios are added to the
write request as they're unlocked, but there may be a delay before
ALL_QUEUED is set as the write subrequests may complete before we get
there.
If all the write subreqs have finished by the ALL_QUEUED point, no further
events happen and the collection never happens, leaving the request
hanging.
Fix this by queuing the collector after setting ALL_QUEUED. This is a bit
heavy-handed and it may be sufficient to do it only if there are no extant
subreqs.
Also add a tracepoint to cross-reference both requests in a copy-to-request
operation and add a trace to the netfs_rreq tracepoint to indicate the
setting of ALL_QUEUED.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/netfs/read_pgpriv2.c", "include/trace/events/netfs.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "110188a13c4853bd4c342e600ced4dfd26c3feb5", "status": "affected", "version": "e2d46f2ec332533816417b60933954173f602121", "versionType": "git" }, { "lessThan": "89635eae076cd8eaa5cb752f66538c9dc6c9fdc3", "status": "affected", "version": "e2d46f2ec332533816417b60933954173f602121", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/netfs/read_pgpriv2.c", "include/trace/events/netfs.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.14" }, { "lessThan": "6.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix race between cache write completion and ALL_QUEUED being set\n\nWhen netfslib is issuing subrequests, the subrequests start processing\nimmediately and may complete before we reach the end of the issuing\nfunction. At the end of the issuing function we set NETFS_RREQ_ALL_QUEUED\nto indicate to the collector that we aren\u0027t going to issue any more subreqs\nand that it can do the final notifications and cleanup.\n\nNow, this isn\u0027t a problem if the request is synchronous\n(NETFS_RREQ_OFFLOAD_COLLECTION is unset) as the result collection will be\ndone in-thread and we\u0027re guaranteed an opportunity to run the collector.\n\nHowever, if the request is asynchronous, collection is primarily triggered\nby the termination of subrequests queuing it on a workqueue. Now, a race\ncan occur here if the app thread sets ALL_QUEUED after the last subrequest\nterminates.\n\nThis can happen most easily with the copy2cache code (as used by Ceph)\nwhere, in the collection routine of a read request, an asynchronous write\nrequest is spawned to copy data to the cache. Folios are added to the\nwrite request as they\u0027re unlocked, but there may be a delay before\nALL_QUEUED is set as the write subrequests may complete before we get\nthere.\n\nIf all the write subreqs have finished by the ALL_QUEUED point, no further\nevents happen and the collection never happens, leaving the request\nhanging.\n\nFix this by queuing the collector after setting ALL_QUEUED. This is a bit\nheavy-handed and it may be sufficient to do it only if there are no extant\nsubreqs.\n\nAlso add a tracepoint to cross-reference both requests in a copy-to-request\noperation and add a trace to the netfs_rreq tracepoint to indicate the\nsetting of ALL_QUEUED." } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:22:01.017Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/110188a13c4853bd4c342e600ced4dfd26c3feb5" }, { "url": "https://git.kernel.org/stable/c/89635eae076cd8eaa5cb752f66538c9dc6c9fdc3" } ], "title": "netfs: Fix race between cache write completion and ALL_QUEUED being set", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38492", "datePublished": "2025-07-28T11:22:01.017Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-07-28T11:22:01.017Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38478 (GCVE-0-2025-38478)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix initialization of data for instructions that write to subdevice
Some Comedi subdevice instruction handlers are known to access
instruction data elements beyond the first `insn->n` elements in some
cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions
allocate at least `MIN_SAMPLES` (16) data elements to deal with this,
but they do not initialize all of that. For Comedi instruction codes
that write to the subdevice, the first `insn->n` data elements are
copied from user-space, but the remaining elements are left
uninitialized. That could be a problem if the subdevice instruction
handler reads the uninitialized data. Ensure that the first
`MIN_SAMPLES` elements are initialized before calling these instruction
handlers, filling the uncopied elements with 0. For
`do_insnlist_ioctl()`, the same data buffer elements are used for
handling a list of instructions, so ensure the first `MIN_SAMPLES`
elements are initialized for each instruction that writes to the
subdevice.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/comedi/comedi_fops.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6f38c6380c3b38a05032b8881e41137385a6ce02", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "13e4d9038a1e869445a996a3f604a84ef52fe8f4", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "020eed5681d0f9bced73970368078a92d6cfaa9c", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "d3436638738ace8f101af7bdee2eae1bc38e9b29", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "673ee92bd2d31055bca98a1d96b653f5284289c4", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "c42116dc70af6664526f7aa82cf937824ab42649", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "fe8713fb4e4e82a4f91910d9a41bf0613e69a0b9", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "46d8c744136ce2454aa4c35c138cc06817f92b8e", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/comedi/comedi_fops.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.29" }, { "lessThan": "2.6.29", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "2.6.29", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix initialization of data for instructions that write to subdevice\n\nSome Comedi subdevice instruction handlers are known to access\ninstruction data elements beyond the first `insn-\u003en` elements in some\ncases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions\nallocate at least `MIN_SAMPLES` (16) data elements to deal with this,\nbut they do not initialize all of that. For Comedi instruction codes\nthat write to the subdevice, the first `insn-\u003en` data elements are\ncopied from user-space, but the remaining elements are left\nuninitialized. That could be a problem if the subdevice instruction\nhandler reads the uninitialized data. Ensure that the first\n`MIN_SAMPLES` elements are initialized before calling these instruction\nhandlers, filling the uncopied elements with 0. For\n`do_insnlist_ioctl()`, the same data buffer elements are used for\nhandling a list of instructions, so ensure the first `MIN_SAMPLES`\nelements are initialized for each instruction that writes to the\nsubdevice." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:17.668Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6f38c6380c3b38a05032b8881e41137385a6ce02" }, { "url": "https://git.kernel.org/stable/c/13e4d9038a1e869445a996a3f604a84ef52fe8f4" }, { "url": "https://git.kernel.org/stable/c/020eed5681d0f9bced73970368078a92d6cfaa9c" }, { "url": "https://git.kernel.org/stable/c/d3436638738ace8f101af7bdee2eae1bc38e9b29" }, { "url": "https://git.kernel.org/stable/c/673ee92bd2d31055bca98a1d96b653f5284289c4" }, { "url": "https://git.kernel.org/stable/c/c42116dc70af6664526f7aa82cf937824ab42649" }, { "url": "https://git.kernel.org/stable/c/fe8713fb4e4e82a4f91910d9a41bf0613e69a0b9" }, { "url": "https://git.kernel.org/stable/c/46d8c744136ce2454aa4c35c138cc06817f92b8e" } ], "title": "comedi: Fix initialization of data for instructions that write to subdevice", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38478", "datePublished": "2025-07-28T11:21:44.210Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:17.668Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38487 (GCVE-0-2025-38487)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled
Mitigate e.g. the following:
# echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind
...
[ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write
[ 120.373866] [00000004] *pgd=00000000
[ 120.377910] Internal error: Oops: 805 [#1] SMP ARM
[ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE
...
[ 120.679543] Call trace:
[ 120.679559] misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac
[ 120.692462] aspeed_lpc_snoop_remove from platform_remove+0x28/0x38
[ 120.700996] platform_remove from device_release_driver_internal+0x188/0x200
...
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1 Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1 Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1 Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1 Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1 Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1 Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1 Version: 9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/soc/aspeed/aspeed-lpc-snoop.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "62e51f51d97477ea4e78c82e7076a171dac86c75", "status": "affected", "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1", "versionType": "git" }, { "lessThan": "9e1d2b97f5e2a36a2fd30a8bd30ead9dac5e3a51", "status": "affected", "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1", "versionType": "git" }, { "lessThan": "166afe964e8433d52c641f5d1c09102bacee9a92", "status": "affected", "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1", "versionType": "git" }, { "lessThan": "dc5598482e2d3b234f6d72d6f5568e24f603e51a", "status": "affected", "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1", "versionType": "git" }, { "lessThan": "329a80adc0e5f815d0514a6d403aaaf0995cd9be", "status": "affected", "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1", "versionType": "git" }, { "lessThan": "b361598b7352f02456619a6105c7da952ef69f8f", "status": "affected", "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1", "versionType": "git" }, { "lessThan": "ac10ed9862104936a412f8b475c869e99f048448", "status": "affected", "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1", "versionType": "git" }, { "lessThan": "56448e78a6bb4e1a8528a0e2efe94eff0400c247", "status": "affected", "version": "9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/soc/aspeed/aspeed-lpc-snoop.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.13" }, { "lessThan": "4.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "versionStartIncluding": "4.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "4.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "4.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "4.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "4.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "4.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "4.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "4.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: aspeed: lpc-snoop: Don\u0027t disable channels that aren\u0027t enabled\n\nMitigate e.g. the following:\n\n # echo 1e789080.lpc-snoop \u003e /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind\n ...\n [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write\n [ 120.373866] [00000004] *pgd=00000000\n [ 120.377910] Internal error: Oops: 805 [#1] SMP ARM\n [ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE\n ...\n [ 120.679543] Call trace:\n [ 120.679559] misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac\n [ 120.692462] aspeed_lpc_snoop_remove from platform_remove+0x28/0x38\n [ 120.700996] platform_remove from device_release_driver_internal+0x188/0x200\n ..." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:24.856Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/62e51f51d97477ea4e78c82e7076a171dac86c75" }, { "url": "https://git.kernel.org/stable/c/9e1d2b97f5e2a36a2fd30a8bd30ead9dac5e3a51" }, { "url": "https://git.kernel.org/stable/c/166afe964e8433d52c641f5d1c09102bacee9a92" }, { "url": "https://git.kernel.org/stable/c/dc5598482e2d3b234f6d72d6f5568e24f603e51a" }, { "url": "https://git.kernel.org/stable/c/329a80adc0e5f815d0514a6d403aaaf0995cd9be" }, { "url": "https://git.kernel.org/stable/c/b361598b7352f02456619a6105c7da952ef69f8f" }, { "url": "https://git.kernel.org/stable/c/ac10ed9862104936a412f8b475c869e99f048448" }, { "url": "https://git.kernel.org/stable/c/56448e78a6bb4e1a8528a0e2efe94eff0400c247" } ], "title": "soc: aspeed: lpc-snoop: Don\u0027t disable channels that aren\u0027t enabled", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38487", "datePublished": "2025-07-28T11:21:51.249Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:24.856Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38491 (GCVE-0-2025-38491)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: make fallback action and fallback decision atomic
Syzkaller reported the following splat:
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Modules linked in:
CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]
RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 <0f> 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00
RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45
RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001
RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000
FS: 00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0
Call Trace:
<IRQ>
tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432
tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975
tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166
tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925
tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363
ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:317 [inline]
NF_HOOK include/linux/netfilter.h:311 [inline]
ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:469 [inline]
ip_rcv_finish net/ipv4/ip_input.c:447 [inline]
NF_HOOK include/linux/netfilter.h:317 [inline]
NF_HOOK include/linux/netfilter.h:311 [inline]
ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567
__netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975
__netif_receive_skb+0x1f/0x120 net/core/dev.c:6088
process_backlog+0x301/0x1360 net/core/dev.c:6440
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453
napi_poll net/core/dev.c:7517 [inline]
net_rx_action+0xb44/0x1010 net/core/dev.c:7644
handle_softirqs+0x1d0/0x770 kernel/softirq.c:579
do_softirq+0x3f/0x90 kernel/softirq.c:480
</IRQ>
<TASK>
__local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407
local_bh_enable include/linux/bottom_half.h:33 [inline]
inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524
mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985
mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]
__mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000
mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066
inet_release+0xed/0x200 net/ipv4/af_inet.c:435
inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487
__sock_release+0xb3/0x270 net/socket.c:649
sock_close+0x1c/0x30 net/socket.c:1439
__fput+0x402/0xb70 fs/file_table.c:465
task_work_run+0x150/0x240 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xd4
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 0530020a7c8f2204e784f0dbdc882bbd961fdbde Version: 0530020a7c8f2204e784f0dbdc882bbd961fdbde Version: 0530020a7c8f2204e784f0dbdc882bbd961fdbde Version: 0530020a7c8f2204e784f0dbdc882bbd961fdbde Version: 0530020a7c8f2204e784f0dbdc882bbd961fdbde Version: 609937aa962a62e93acfc04dd370b665e6152dfb Version: 6654efe264b014d8ea9fc38f79efb568b1b79069 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/mptcp/options.c", "net/mptcp/protocol.c", "net/mptcp/protocol.h", "net/mptcp/subflow.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "5586518bec27666c747cd52aabb62d485686d0bf", "status": "affected", "version": "0530020a7c8f2204e784f0dbdc882bbd961fdbde", "versionType": "git" }, { "lessThan": "75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2", "status": "affected", "version": "0530020a7c8f2204e784f0dbdc882bbd961fdbde", "versionType": "git" }, { "lessThan": "54999dea879fecb761225e28f274b40662918c30", "status": "affected", "version": "0530020a7c8f2204e784f0dbdc882bbd961fdbde", "versionType": "git" }, { "lessThan": "1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5", "status": "affected", "version": "0530020a7c8f2204e784f0dbdc882bbd961fdbde", "versionType": "git" }, { "lessThan": "f8a1d9b18c5efc76784f5a326e905f641f839894", "status": "affected", "version": "0530020a7c8f2204e784f0dbdc882bbd961fdbde", "versionType": "git" }, { "status": "affected", "version": "609937aa962a62e93acfc04dd370b665e6152dfb", "versionType": "git" }, { "status": "affected", "version": "6654efe264b014d8ea9fc38f79efb568b1b79069", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/mptcp/options.c", "net/mptcp/protocol.c", "net/mptcp/protocol.h", "net/mptcp/subflow.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.149", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.101", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.149", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.101", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.228", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.169", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: make fallback action and fallback decision atomic\n\nSyzkaller reported the following splat:\n\n WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]\n WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\n WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]\n WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\n Modules linked in:\n CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)\n Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]\n RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]\n RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]\n RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153\n Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 \u003c0f\u003e 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00\n RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45\n RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001\n RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000\n FS: 00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0\n Call Trace:\n \u003cIRQ\u003e\n tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432\n tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975\n tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166\n tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925\n tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363\n ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233\n NF_HOOK include/linux/netfilter.h:317 [inline]\n NF_HOOK include/linux/netfilter.h:311 [inline]\n ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254\n dst_input include/net/dst.h:469 [inline]\n ip_rcv_finish net/ipv4/ip_input.c:447 [inline]\n NF_HOOK include/linux/netfilter.h:317 [inline]\n NF_HOOK include/linux/netfilter.h:311 [inline]\n ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567\n __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975\n __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088\n process_backlog+0x301/0x1360 net/core/dev.c:6440\n __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453\n napi_poll net/core/dev.c:7517 [inline]\n net_rx_action+0xb44/0x1010 net/core/dev.c:7644\n handle_softirqs+0x1d0/0x770 kernel/softirq.c:579\n do_softirq+0x3f/0x90 kernel/softirq.c:480\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524\n mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985\n mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]\n __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000\n mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066\n inet_release+0xed/0x200 net/ipv4/af_inet.c:435\n inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487\n __sock_release+0xb3/0x270 net/socket.c:649\n sock_close+0x1c/0x30 net/socket.c:1439\n __fput+0x402/0xb70 fs/file_table.c:465\n task_work_run+0x150/0x240 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xd4\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:27.453Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/5586518bec27666c747cd52aabb62d485686d0bf" }, { "url": "https://git.kernel.org/stable/c/75a4c9ab8a7af0d76b31ccd1188ed178c38b35d2" }, { "url": "https://git.kernel.org/stable/c/54999dea879fecb761225e28f274b40662918c30" }, { "url": "https://git.kernel.org/stable/c/1d82a8fe6ee4afdc92f4e8808c9dad2a6095bbc5" }, { "url": "https://git.kernel.org/stable/c/f8a1d9b18c5efc76784f5a326e905f641f839894" } ], "title": "mptcp: make fallback action and fallback decision atomic", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38491", "datePublished": "2025-07-28T11:21:59.852Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:27.453Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38494 (GCVE-0-2025-38494)
Vulnerability from cvelistv5
Published
2025-07-28 11:22
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: do not bypass hid_hw_raw_request
hid_hw_raw_request() is actually useful to ensure the provided buffer
and length are valid. Directly calling in the low level transport driver
function bypassed those checks and allowed invalid paramto be used.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/hid-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "dd8e8314f2ce225dade5248dcfb9e2ac0edda624", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "40e25aa7e4e0f2440c73a683ee448e41c7c344ed", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f10923b8d32a473b229477b63f23bbd72b1e9910", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a62a895edb2bfebffa865b5129a66e3b4287f34f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0e5017d84d650ca0eeaf4a3fe9264c5dbc886b81", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d18f63e848840100dbc351a82e7042eac5a28cf5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "19d1314d46c0d8a5c08ab53ddeb62280c77698c0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "c2ca42f190b6714d6c481dfd3d9b62ea091c946b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/hid-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: do not bypass hid_hw_raw_request\n\nhid_hw_raw_request() is actually useful to ensure the provided buffer\nand length are valid. Directly calling in the low level transport driver\nfunction bypassed those checks and allowed invalid paramto be used." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:28.710Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/dd8e8314f2ce225dade5248dcfb9e2ac0edda624" }, { "url": "https://git.kernel.org/stable/c/40e25aa7e4e0f2440c73a683ee448e41c7c344ed" }, { "url": "https://git.kernel.org/stable/c/f10923b8d32a473b229477b63f23bbd72b1e9910" }, { "url": "https://git.kernel.org/stable/c/a62a895edb2bfebffa865b5129a66e3b4287f34f" }, { "url": "https://git.kernel.org/stable/c/0e5017d84d650ca0eeaf4a3fe9264c5dbc886b81" }, { "url": "https://git.kernel.org/stable/c/d18f63e848840100dbc351a82e7042eac5a28cf5" }, { "url": "https://git.kernel.org/stable/c/19d1314d46c0d8a5c08ab53ddeb62280c77698c0" }, { "url": "https://git.kernel.org/stable/c/c2ca42f190b6714d6c481dfd3d9b62ea091c946b" } ], "title": "HID: core: do not bypass hid_hw_raw_request", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38494", "datePublished": "2025-07-28T11:22:03.180Z", "dateReserved": "2025-04-16T04:51:24.022Z", "dateUpdated": "2025-08-28T14:43:28.710Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38473 (GCVE-0-2025-38473)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]
l2cap_sock_resume_cb() has a similar problem that was fixed by commit
1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()").
Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed
under l2cap_sock_resume_cb(), we can avoid the issue simply by checking
if chan->data is NULL.
Let's not access to the killed socket in l2cap_sock_resume_cb().
[0]:
BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline]
BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711
Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52
CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: hci0 hci_rx_work
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_report+0x58/0x84 mm/kasan/report.c:524
kasan_report+0xb0/0x110 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
__kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37
instrument_atomic_write include/linux/instrumented.h:82 [inline]
clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711
l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357
hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline]
hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514
hci_event_func net/bluetooth/hci_event.c:7511 [inline]
hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565
hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070
process_one_work+0x7e8/0x155c kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3321 [inline]
worker_thread+0x958/0xed8 kernel/workqueue.c:3402
kthread+0x5fc/0x75c kernel/kthread.c:464
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 Version: d97c899bde330cd1c76c3a162558177563a74362 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/l2cap_sock.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "262cd18f5f7ede6a586580cadc5d0799e52e2e7c", "status": "affected", "version": "d97c899bde330cd1c76c3a162558177563a74362", "versionType": "git" }, { "lessThan": "2b27b389006623673e8cfff4ce1e119cce640b05", "status": "affected", "version": "d97c899bde330cd1c76c3a162558177563a74362", "versionType": "git" }, { "lessThan": "3a4eca2a1859955c65f07a570156bd2d9048ce33", "status": "affected", "version": "d97c899bde330cd1c76c3a162558177563a74362", "versionType": "git" }, { "lessThan": "ac3a8147bb24314fb3e84986590148e79f9872ec", "status": "affected", "version": "d97c899bde330cd1c76c3a162558177563a74362", "versionType": "git" }, { "lessThan": "c4f16f6b071a74ac7eefe5c28985285cbbe2cd96", "status": "affected", "version": "d97c899bde330cd1c76c3a162558177563a74362", "versionType": "git" }, { "lessThan": "b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08", "status": "affected", "version": "d97c899bde330cd1c76c3a162558177563a74362", "versionType": "git" }, { "lessThan": "6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0", "status": "affected", "version": "d97c899bde330cd1c76c3a162558177563a74362", "versionType": "git" }, { "lessThan": "a0075accbf0d76c2dad1ad3993d2e944505d99a0", "status": "affected", "version": "d97c899bde330cd1c76c3a162558177563a74362", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/l2cap_sock.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.13" }, { "lessThan": "3.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "versionStartIncluding": "3.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "3.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "3.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "3.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "3.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "3.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "3.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "3.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()\n\nsyzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]\n\nl2cap_sock_resume_cb() has a similar problem that was fixed by commit\n1bff51ea59a9 (\"Bluetooth: fix use-after-free error in lock_sock_nested()\").\n\nSince both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed\nunder l2cap_sock_resume_cb(), we can avoid the issue simply by checking\nif chan-\u003edata is NULL.\n\nLet\u0027s not access to the killed socket in l2cap_sock_resume_cb().\n\n[0]:\nBUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline]\nBUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\nBUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\nWrite of size 8 at addr 0000000000000570 by task kworker/u9:0/52\n\nCPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025\nWorkqueue: hci0 hci_rx_work\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)\n __dump_stack+0x30/0x40 lib/dump_stack.c:94\n dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120\n print_report+0x58/0x84 mm/kasan/report.c:524\n kasan_report+0xb0/0x110 mm/kasan/report.c:634\n check_region_inline mm/kasan/generic.c:-1 [inline]\n kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189\n __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37\n instrument_atomic_write include/linux/instrumented.h:82 [inline]\n clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]\n l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711\n l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357\n hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline]\n hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514\n hci_event_func net/bluetooth/hci_event.c:7511 [inline]\n hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565\n hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070\n process_one_work+0x7e8/0x155c kernel/workqueue.c:3238\n process_scheduled_works kernel/workqueue.c:3321 [inline]\n worker_thread+0x958/0xed8 kernel/workqueue.c:3402\n kthread+0x5fc/0x75c kernel/kthread.c:464\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847" } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:10.331Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/262cd18f5f7ede6a586580cadc5d0799e52e2e7c" }, { "url": "https://git.kernel.org/stable/c/2b27b389006623673e8cfff4ce1e119cce640b05" }, { "url": "https://git.kernel.org/stable/c/3a4eca2a1859955c65f07a570156bd2d9048ce33" }, { "url": "https://git.kernel.org/stable/c/ac3a8147bb24314fb3e84986590148e79f9872ec" }, { "url": "https://git.kernel.org/stable/c/c4f16f6b071a74ac7eefe5c28985285cbbe2cd96" }, { "url": "https://git.kernel.org/stable/c/b97be7ee8a1cd96b89817cbd64a9f5cc16c17d08" }, { "url": "https://git.kernel.org/stable/c/6d63901dcd592a1e3f71d7c6d78f9be5e8d7eef0" }, { "url": "https://git.kernel.org/stable/c/a0075accbf0d76c2dad1ad3993d2e944505d99a0" } ], "title": "Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38473", "datePublished": "2025-07-28T11:21:34.880Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:10.331Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38493 (GCVE-0-2025-38493)
Vulnerability from cvelistv5
Published
2025-07-28 11:22
Modified
2025-07-28 11:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/osnoise: Fix crash in timerlat_dump_stack()
We have observed kernel panics when using timerlat with stack saving,
with the following dmesg output:
memcpy: detected buffer overflow: 88 byte write of buffer size 0
WARNING: CPU: 2 PID: 8153 at lib/string_helpers.c:1032 __fortify_report+0x55/0xa0
CPU: 2 UID: 0 PID: 8153 Comm: timerlatu/2 Kdump: loaded Not tainted 6.15.3-200.fc42.x86_64 #1 PREEMPT(lazy)
Call Trace:
<TASK>
? trace_buffer_lock_reserve+0x2a/0x60
__fortify_panic+0xd/0xf
__timerlat_dump_stack.cold+0xd/0xd
timerlat_dump_stack.part.0+0x47/0x80
timerlat_fd_read+0x36d/0x390
vfs_read+0xe2/0x390
? syscall_exit_to_user_mode+0x1d5/0x210
ksys_read+0x73/0xe0
do_syscall_64+0x7b/0x160
? exc_page_fault+0x7e/0x1a0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
__timerlat_dump_stack() constructs the ftrace stack entry like this:
struct stack_entry *entry;
...
memcpy(&entry->caller, fstack->calls, size);
entry->size = fstack->nr_entries;
Since commit e7186af7fb26 ("tracing: Add back FORTIFY_SOURCE logic to
kernel_stack event structure"), struct stack_entry marks its caller
field with __counted_by(size). At the time of the memcpy, entry->size
contains garbage from the ringbuffer, which under some circumstances is
zero, triggering a kernel panic by buffer overflow.
Populate the size field before the memcpy so that the out-of-bounds
check knows the correct size. This is analogous to
__ftrace_trace_stack().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/trace/trace_osnoise.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "823d798900481875ba6c68217af028c5ffd2976b", "status": "affected", "version": "e7186af7fb2609584a8bfb3da3c6ae09da5a5224", "versionType": "git" }, { "lessThan": "7bb9ea515cda027c9e717e27fefcf34f092e7c41", "status": "affected", "version": "e7186af7fb2609584a8bfb3da3c6ae09da5a5224", "versionType": "git" }, { "lessThan": "fbf90f5aa7ac7cddc69148a71d58f12c8709ce2b", "status": "affected", "version": "e7186af7fb2609584a8bfb3da3c6ae09da5a5224", "versionType": "git" }, { "lessThan": "85a3bce695b361d85fc528e6fbb33e4c8089c806", "status": "affected", "version": "e7186af7fb2609584a8bfb3da3c6ae09da5a5224", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/trace/trace_osnoise.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.6" }, { "lessThan": "6.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "6.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "6.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Fix crash in timerlat_dump_stack()\n\nWe have observed kernel panics when using timerlat with stack saving,\nwith the following dmesg output:\n\nmemcpy: detected buffer overflow: 88 byte write of buffer size 0\nWARNING: CPU: 2 PID: 8153 at lib/string_helpers.c:1032 __fortify_report+0x55/0xa0\nCPU: 2 UID: 0 PID: 8153 Comm: timerlatu/2 Kdump: loaded Not tainted 6.15.3-200.fc42.x86_64 #1 PREEMPT(lazy)\nCall Trace:\n \u003cTASK\u003e\n ? trace_buffer_lock_reserve+0x2a/0x60\n __fortify_panic+0xd/0xf\n __timerlat_dump_stack.cold+0xd/0xd\n timerlat_dump_stack.part.0+0x47/0x80\n timerlat_fd_read+0x36d/0x390\n vfs_read+0xe2/0x390\n ? syscall_exit_to_user_mode+0x1d5/0x210\n ksys_read+0x73/0xe0\n do_syscall_64+0x7b/0x160\n ? exc_page_fault+0x7e/0x1a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n__timerlat_dump_stack() constructs the ftrace stack entry like this:\n\nstruct stack_entry *entry;\n...\nmemcpy(\u0026entry-\u003ecaller, fstack-\u003ecalls, size);\nentry-\u003esize = fstack-\u003enr_entries;\n\nSince commit e7186af7fb26 (\"tracing: Add back FORTIFY_SOURCE logic to\nkernel_stack event structure\"), struct stack_entry marks its caller\nfield with __counted_by(size). At the time of the memcpy, entry-\u003esize\ncontains garbage from the ringbuffer, which under some circumstances is\nzero, triggering a kernel panic by buffer overflow.\n\nPopulate the size field before the memcpy so that the out-of-bounds\ncheck knows the correct size. This is analogous to\n__ftrace_trace_stack()." } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:22:02.000Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/823d798900481875ba6c68217af028c5ffd2976b" }, { "url": "https://git.kernel.org/stable/c/7bb9ea515cda027c9e717e27fefcf34f092e7c41" }, { "url": "https://git.kernel.org/stable/c/fbf90f5aa7ac7cddc69148a71d58f12c8709ce2b" }, { "url": "https://git.kernel.org/stable/c/85a3bce695b361d85fc528e6fbb33e4c8089c806" } ], "title": "tracing/osnoise: Fix crash in timerlat_dump_stack()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38493", "datePublished": "2025-07-28T11:22:02.000Z", "dateReserved": "2025-04-16T04:51:24.022Z", "dateUpdated": "2025-07-28T11:22:02.000Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38474 (GCVE-0-2025-38474)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: net: sierra: check for no status endpoint
The driver checks for having three endpoints and
having bulk in and out endpoints, but not that
the third endpoint is interrupt input.
Rectify the omission.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d Version: eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/usb/sierra_net.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0a263ccb905b4ae2af381cd4280bd8d2477b98b8", "status": "affected", "version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d", "versionType": "git" }, { "lessThan": "5408cc668e596c81cdd29e137225432aa40d1785", "status": "affected", "version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d", "versionType": "git" }, { "lessThan": "a6a238c4126eb3ddb495d3f960193ca5bb778d92", "status": "affected", "version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d", "versionType": "git" }, { "lessThan": "5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9", "status": "affected", "version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d", "versionType": "git" }, { "lessThan": "5dd6a441748dad2f02e27b256984ca0b2d4546b6", "status": "affected", "version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d", "versionType": "git" }, { "lessThan": "65c666aff44eb7f9079c55331abd9687fb77ba2d", "status": "affected", "version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d", "versionType": "git" }, { "lessThan": "bfe8ef373986e8f185d3d6613eb1801a8749837a", "status": "affected", "version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d", "versionType": "git" }, { "lessThan": "4c4ca3c46167518f8534ed70f6e3b4bf86c4d158", "status": "affected", "version": "eb4fd8cd355c8ec425a12ec6cbdac614e8a4819d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/usb/sierra_net.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.34" }, { "lessThan": "2.6.34", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "versionStartIncluding": "2.6.34", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "2.6.34", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "2.6.34", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "2.6.34", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "2.6.34", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "2.6.34", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "2.6.34", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "2.6.34", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: net: sierra: check for no status endpoint\n\nThe driver checks for having three endpoints and\nhaving bulk in and out endpoints, but not that\nthe third endpoint is interrupt input.\nRectify the omission." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:11.557Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0a263ccb905b4ae2af381cd4280bd8d2477b98b8" }, { "url": "https://git.kernel.org/stable/c/5408cc668e596c81cdd29e137225432aa40d1785" }, { "url": "https://git.kernel.org/stable/c/a6a238c4126eb3ddb495d3f960193ca5bb778d92" }, { "url": "https://git.kernel.org/stable/c/5849980faea1c792d1d5e54fdbf1e69ac0a9bfb9" }, { "url": "https://git.kernel.org/stable/c/5dd6a441748dad2f02e27b256984ca0b2d4546b6" }, { "url": "https://git.kernel.org/stable/c/65c666aff44eb7f9079c55331abd9687fb77ba2d" }, { "url": "https://git.kernel.org/stable/c/bfe8ef373986e8f185d3d6613eb1801a8749837a" }, { "url": "https://git.kernel.org/stable/c/4c4ca3c46167518f8534ed70f6e3b4bf86c4d158" } ], "title": "usb: net: sierra: check for no status endpoint", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38474", "datePublished": "2025-07-28T11:21:35.570Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:11.557Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-50047 (GCVE-0-2024-50047)
Vulnerability from cvelistv5
Published
2024-10-21 19:39
Modified
2025-05-04 09:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix UAF in async decryption
Doing an async decryption (large read) crashes with a
slab-use-after-free way down in the crypto API.
Reproducer:
# mount.cifs -o ...,seal,esize=1 //srv/share /mnt
# dd if=/mnt/largefile of=/dev/null
...
[ 194.196391] ==================================================================
[ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110
[ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899
[ 194.197707]
[ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43
[ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
[ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
[ 194.200032] Call Trace:
[ 194.200191] <TASK>
[ 194.200327] dump_stack_lvl+0x4e/0x70
[ 194.200558] ? gf128mul_4k_lle+0xc1/0x110
[ 194.200809] print_report+0x174/0x505
[ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 194.201352] ? srso_return_thunk+0x5/0x5f
[ 194.201604] ? __virt_addr_valid+0xdf/0x1c0
[ 194.201868] ? gf128mul_4k_lle+0xc1/0x110
[ 194.202128] kasan_report+0xc8/0x150
[ 194.202361] ? gf128mul_4k_lle+0xc1/0x110
[ 194.202616] gf128mul_4k_lle+0xc1/0x110
[ 194.202863] ghash_update+0x184/0x210
[ 194.203103] shash_ahash_update+0x184/0x2a0
[ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10
[ 194.203651] ? srso_return_thunk+0x5/0x5f
[ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340
[ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140
[ 194.204434] crypt_message+0xec1/0x10a0 [cifs]
[ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs]
[ 194.208507] ? srso_return_thunk+0x5/0x5f
[ 194.209205] ? srso_return_thunk+0x5/0x5f
[ 194.209925] ? srso_return_thunk+0x5/0x5f
[ 194.210443] ? srso_return_thunk+0x5/0x5f
[ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs]
[ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
[ 194.214670] ? srso_return_thunk+0x5/0x5f
[ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs]
This is because TFM is being used in parallel.
Fix this by allocating a new AEAD TFM for async decryption, but keep
the existing one for synchronous READ cases (similar to what is done
in smb3_calc_signature()).
Also remove the calls to aead_request_set_callback() and
crypto_wait_req() since it's always going to be a synchronous operation.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-50047", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-22T13:23:59.456851Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-22T13:28:43.459Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/client/smb2ops.c", "fs/smb/client/smb2pdu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8f14a476abba13144df5434871a7225fd29af633", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ef51c0d544b1518b35364480317ab6d3468f205d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "bce966530fd5542bbb422cb45ecb775f7a1a6bc3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0809fb86ad13b29e1d6d491364fc7ea4fb545995", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "538c26d9bf70c90edc460d18c81008a4e555925a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "b0abcd65ec545701b8793e12bc27dc98042b151a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/client/smb2ops.c", "fs/smb/client/smb2pdu.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.237", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.181", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.128", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.57", "versionType": "semver" }, { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.237", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.181", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.128", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.57", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.11.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in async decryption\n\nDoing an async decryption (large read) crashes with a\nslab-use-after-free way down in the crypto API.\n\nReproducer:\n # mount.cifs -o ...,seal,esize=1 //srv/share /mnt\n # dd if=/mnt/largefile of=/dev/null\n ...\n [ 194.196391] ==================================================================\n [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110\n [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899\n [ 194.197707]\n [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43\n [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014\n [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]\n [ 194.200032] Call Trace:\n [ 194.200191] \u003cTASK\u003e\n [ 194.200327] dump_stack_lvl+0x4e/0x70\n [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110\n [ 194.200809] print_report+0x174/0x505\n [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n [ 194.201352] ? srso_return_thunk+0x5/0x5f\n [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0\n [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110\n [ 194.202128] kasan_report+0xc8/0x150\n [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110\n [ 194.202616] gf128mul_4k_lle+0xc1/0x110\n [ 194.202863] ghash_update+0x184/0x210\n [ 194.203103] shash_ahash_update+0x184/0x2a0\n [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10\n [ 194.203651] ? srso_return_thunk+0x5/0x5f\n [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340\n [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140\n [ 194.204434] crypt_message+0xec1/0x10a0 [cifs]\n [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs]\n [ 194.208507] ? srso_return_thunk+0x5/0x5f\n [ 194.209205] ? srso_return_thunk+0x5/0x5f\n [ 194.209925] ? srso_return_thunk+0x5/0x5f\n [ 194.210443] ? srso_return_thunk+0x5/0x5f\n [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs]\n [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]\n [ 194.214670] ? srso_return_thunk+0x5/0x5f\n [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs]\n\nThis is because TFM is being used in parallel.\n\nFix this by allocating a new AEAD TFM for async decryption, but keep\nthe existing one for synchronous READ cases (similar to what is done\nin smb3_calc_signature()).\n\nAlso remove the calls to aead_request_set_callback() and\ncrypto_wait_req() since it\u0027s always going to be a synchronous operation." } ], "providerMetadata": { "dateUpdated": "2025-05-04T09:44:44.662Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8f14a476abba13144df5434871a7225fd29af633" }, { "url": "https://git.kernel.org/stable/c/ef51c0d544b1518b35364480317ab6d3468f205d" }, { "url": "https://git.kernel.org/stable/c/bce966530fd5542bbb422cb45ecb775f7a1a6bc3" }, { "url": "https://git.kernel.org/stable/c/0809fb86ad13b29e1d6d491364fc7ea4fb545995" }, { "url": "https://git.kernel.org/stable/c/538c26d9bf70c90edc460d18c81008a4e555925a" }, { "url": "https://git.kernel.org/stable/c/b0abcd65ec545701b8793e12bc27dc98042b151a" } ], "title": "smb: client: fix UAF in async decryption", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-50047", "datePublished": "2024-10-21T19:39:44.430Z", "dateReserved": "2024-10-21T12:17:06.071Z", "dateUpdated": "2025-05-04T09:44:44.662Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38485 (GCVE-0-2025-38485)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush
fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with
iio_for_each_active_channel()) without making sure the indio_dev
stays in buffer mode.
There is a race if indio_dev exits buffer mode in the middle of the
interrupt that flushes the fifo. Fix this by calling
synchronize_irq() to ensure that no interrupt is currently running when
disabling buffer mode.
Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read
[...]
_find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290
fxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178
fxls8962af_interrupt from irq_thread_fn+0x1c/0x7c
irq_thread_fn from irq_thread+0x110/0x1f4
irq_thread from kthread+0xe0/0xfc
kthread from ret_from_fork+0x14/0x2c
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 79e3a5bdd9efbdf4e1069793d7735b432d641e7c Version: 79e3a5bdd9efbdf4e1069793d7735b432d641e7c Version: 79e3a5bdd9efbdf4e1069793d7735b432d641e7c Version: 79e3a5bdd9efbdf4e1069793d7735b432d641e7c Version: 79e3a5bdd9efbdf4e1069793d7735b432d641e7c |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/iio/accel/fxls8962af-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "6ecd61c201b27ad2760b3975437ad2b97d725b98", "status": "affected", "version": "79e3a5bdd9efbdf4e1069793d7735b432d641e7c", "versionType": "git" }, { "lessThan": "dda42f23a8f5439eaac9521ce0531547d880cc54", "status": "affected", "version": "79e3a5bdd9efbdf4e1069793d7735b432d641e7c", "versionType": "git" }, { "lessThan": "bfcda3e1015791b3a63fb4d3aad408da9cf76e8f", "status": "affected", "version": "79e3a5bdd9efbdf4e1069793d7735b432d641e7c", "versionType": "git" }, { "lessThan": "1803d372460aaa9ae0188a30c9421d3f157f2f04", "status": "affected", "version": "79e3a5bdd9efbdf4e1069793d7735b432d641e7c", "versionType": "git" }, { "lessThan": "1fe16dc1a2f5057772e5391ec042ed7442966c9a", "status": "affected", "version": "79e3a5bdd9efbdf4e1069793d7735b432d641e7c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/iio/accel/fxls8962af-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.14" }, { "lessThan": "5.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "5.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "5.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "5.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "5.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush\n\nfxls8962af_fifo_flush() uses indio_dev-\u003eactive_scan_mask (with\niio_for_each_active_channel()) without making sure the indio_dev\nstays in buffer mode.\nThere is a race if indio_dev exits buffer mode in the middle of the\ninterrupt that flushes the fifo. Fix this by calling\nsynchronize_irq() to ensure that no interrupt is currently running when\ndisabling buffer mode.\n\nUnable to handle kernel NULL pointer dereference at virtual address 00000000 when read\n[...]\n_find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290\nfxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178\nfxls8962af_interrupt from irq_thread_fn+0x1c/0x7c\nirq_thread_fn from irq_thread+0x110/0x1f4\nirq_thread from kthread+0xe0/0xfc\nkthread from ret_from_fork+0x14/0x2c" } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:21:49.624Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/6ecd61c201b27ad2760b3975437ad2b97d725b98" }, { "url": "https://git.kernel.org/stable/c/dda42f23a8f5439eaac9521ce0531547d880cc54" }, { "url": "https://git.kernel.org/stable/c/bfcda3e1015791b3a63fb4d3aad408da9cf76e8f" }, { "url": "https://git.kernel.org/stable/c/1803d372460aaa9ae0188a30c9421d3f157f2f04" }, { "url": "https://git.kernel.org/stable/c/1fe16dc1a2f5057772e5391ec042ed7442966c9a" } ], "title": "iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38485", "datePublished": "2025-07-28T11:21:49.624Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-07-28T11:21:49.624Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38490 (GCVE-0-2025-38490)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: libwx: remove duplicate page_pool_put_full_page()
page_pool_put_full_page() should only be invoked when freeing Rx buffers
or building a skb if the size is too short. At other times, the pages
need to be reused. So remove the redundant page put. In the original
code, double free pages cause kernel panic:
[ 876.949834] __irq_exit_rcu+0xc7/0x130
[ 876.949836] common_interrupt+0xb8/0xd0
[ 876.949838] </IRQ>
[ 876.949838] <TASK>
[ 876.949840] asm_common_interrupt+0x22/0x40
[ 876.949841] RIP: 0010:cpuidle_enter_state+0xc2/0x420
[ 876.949843] Code: 00 00 e8 d1 1d 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 cd fc 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d
[ 876.949844] RSP: 0018:ffffaa7340267e78 EFLAGS: 00000246
[ 876.949845] RAX: ffff9e3f135be000 RBX: 0000000000000002 RCX: 0000000000000000
[ 876.949846] RDX: 000000cc2dc4cb7c RSI: ffffffff89ee49ae RDI: ffffffff89ef9f9e
[ 876.949847] RBP: ffff9e378f940800 R08: 0000000000000002 R09: 00000000000000ed
[ 876.949848] R10: 000000000000afc8 R11: ffff9e3e9e5a9b6c R12: ffffffff8a6d8580
[ 876.949849] R13: 000000cc2dc4cb7c R14: 0000000000000002 R15: 0000000000000000
[ 876.949852] ? cpuidle_enter_state+0xb3/0x420
[ 876.949855] cpuidle_enter+0x29/0x40
[ 876.949857] cpuidle_idle_call+0xfd/0x170
[ 876.949859] do_idle+0x7a/0xc0
[ 876.949861] cpu_startup_entry+0x25/0x30
[ 876.949862] start_secondary+0x117/0x140
[ 876.949864] common_startup_64+0x13e/0x148
[ 876.949867] </TASK>
[ 876.949868] ---[ end trace 0000000000000000 ]---
[ 876.949869] ------------[ cut here ]------------
[ 876.949870] list_del corruption, ffffead40445a348->next is NULL
[ 876.949873] WARNING: CPU: 14 PID: 0 at lib/list_debug.c:52 __list_del_entry_valid_or_report+0x67/0x120
[ 876.949875] Modules linked in: snd_hrtimer(E) bnep(E) binfmt_misc(E) amdgpu(E) squashfs(E) vfat(E) loop(E) fat(E) amd_atl(E) snd_hda_codec_realtek(E) intel_rapl_msr(E) snd_hda_codec_generic(E) intel_rapl_common(E) snd_hda_scodec_component(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) edac_mce_amd(E) snd_intel_dspcfg(E) snd_hda_codec(E) snd_hda_core(E) amdxcp(E) kvm_amd(E) snd_hwdep(E) gpu_sched(E) drm_panel_backlight_quirks(E) cec(E) snd_pcm(E) drm_buddy(E) snd_seq_dummy(E) drm_ttm_helper(E) btusb(E) kvm(E) snd_seq_oss(E) btrtl(E) ttm(E) btintel(E) snd_seq_midi(E) btbcm(E) drm_exec(E) snd_seq_midi_event(E) i2c_algo_bit(E) snd_rawmidi(E) bluetooth(E) drm_suballoc_helper(E) irqbypass(E) snd_seq(E) ghash_clmulni_intel(E) sha512_ssse3(E) drm_display_helper(E) aesni_intel(E) snd_seq_device(E) rfkill(E) snd_timer(E) gf128mul(E) drm_client_lib(E) drm_kms_helper(E) snd(E) i2c_piix4(E) joydev(E) soundcore(E) wmi_bmof(E) ccp(E) k10temp(E) i2c_smbus(E) gpio_amdpt(E) i2c_designware_platform(E) gpio_generic(E) sg(E)
[ 876.949914] i2c_designware_core(E) sch_fq_codel(E) parport_pc(E) drm(E) ppdev(E) lp(E) parport(E) fuse(E) nfnetlink(E) ip_tables(E) ext4 crc16 mbcache jbd2 sd_mod sfp mdio_i2c i2c_core txgbe ahci ngbe pcs_xpcs libahci libwx r8169 phylink libata realtek ptp pps_core video wmi
[ 876.949933] CPU: 14 UID: 0 PID: 0 Comm: swapper/14 Kdump: loaded Tainted: G W E 6.16.0-rc2+ #20 PREEMPT(voluntary)
[ 876.949935] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE
[ 876.949936] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024
[ 876.949936] RIP: 0010:__list_del_entry_valid_or_report+0x67/0x120
[ 876.949938] Code: 00 00 00 48 39 7d 08 0f 85 a6 00 00 00 5b b8 01 00 00 00 5d 41 5c e9 73 0d 93 ff 48 89 fe 48 c7 c7 a0 31 e8 89 e8 59 7c b3 ff <0f> 0b 31 c0 5b 5d 41 5c e9 57 0d 93 ff 48 89 fe 48 c7 c7 c8 31 e8
[ 876.949940] RSP: 0018:ffffaa73405d0c60 EFLAGS: 00010282
[ 876.949941] RAX: 0000000000000000 RBX: ffffead40445a348 RCX: 0000000000000000
[ 876.949942] RDX: 0000000000000105 RSI: 00000
---truncated---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/wangxun/libwx/wx_lib.c", "drivers/net/ethernet/wangxun/libwx/wx_type.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3c91a56762b1f0d1e4af2d86c2cba83b61ed9eaa", "status": "affected", "version": "3c47e8ae113a68da47987750d9896e325d0aeedd", "versionType": "git" }, { "lessThan": "08d18bda0d03f5ec376929a8c6c4495f9594593a", "status": "affected", "version": "3c47e8ae113a68da47987750d9896e325d0aeedd", "versionType": "git" }, { "lessThan": "003e4765d8661be97e650a833868c53d35574130", "status": "affected", "version": "3c47e8ae113a68da47987750d9896e325d0aeedd", "versionType": "git" }, { "lessThan": "1b7e585c04cd5f0731dd25ffd396277e55fae0e6", "status": "affected", "version": "3c47e8ae113a68da47987750d9896e325d0aeedd", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/wangxun/libwx/wx_lib.c", "drivers/net/ethernet/wangxun/libwx/wx_type.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.3" }, { "lessThan": "6.3", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: libwx: remove duplicate page_pool_put_full_page()\n\npage_pool_put_full_page() should only be invoked when freeing Rx buffers\nor building a skb if the size is too short. At other times, the pages\nneed to be reused. So remove the redundant page put. In the original\ncode, double free pages cause kernel panic:\n\n[ 876.949834] __irq_exit_rcu+0xc7/0x130\n[ 876.949836] common_interrupt+0xb8/0xd0\n[ 876.949838] \u003c/IRQ\u003e\n[ 876.949838] \u003cTASK\u003e\n[ 876.949840] asm_common_interrupt+0x22/0x40\n[ 876.949841] RIP: 0010:cpuidle_enter_state+0xc2/0x420\n[ 876.949843] Code: 00 00 e8 d1 1d 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 cd fc 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 \u003c45\u003e 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d\n[ 876.949844] RSP: 0018:ffffaa7340267e78 EFLAGS: 00000246\n[ 876.949845] RAX: ffff9e3f135be000 RBX: 0000000000000002 RCX: 0000000000000000\n[ 876.949846] RDX: 000000cc2dc4cb7c RSI: ffffffff89ee49ae RDI: ffffffff89ef9f9e\n[ 876.949847] RBP: ffff9e378f940800 R08: 0000000000000002 R09: 00000000000000ed\n[ 876.949848] R10: 000000000000afc8 R11: ffff9e3e9e5a9b6c R12: ffffffff8a6d8580\n[ 876.949849] R13: 000000cc2dc4cb7c R14: 0000000000000002 R15: 0000000000000000\n[ 876.949852] ? cpuidle_enter_state+0xb3/0x420\n[ 876.949855] cpuidle_enter+0x29/0x40\n[ 876.949857] cpuidle_idle_call+0xfd/0x170\n[ 876.949859] do_idle+0x7a/0xc0\n[ 876.949861] cpu_startup_entry+0x25/0x30\n[ 876.949862] start_secondary+0x117/0x140\n[ 876.949864] common_startup_64+0x13e/0x148\n[ 876.949867] \u003c/TASK\u003e\n[ 876.949868] ---[ end trace 0000000000000000 ]---\n[ 876.949869] ------------[ cut here ]------------\n[ 876.949870] list_del corruption, ffffead40445a348-\u003enext is NULL\n[ 876.949873] WARNING: CPU: 14 PID: 0 at lib/list_debug.c:52 __list_del_entry_valid_or_report+0x67/0x120\n[ 876.949875] Modules linked in: snd_hrtimer(E) bnep(E) binfmt_misc(E) amdgpu(E) squashfs(E) vfat(E) loop(E) fat(E) amd_atl(E) snd_hda_codec_realtek(E) intel_rapl_msr(E) snd_hda_codec_generic(E) intel_rapl_common(E) snd_hda_scodec_component(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) edac_mce_amd(E) snd_intel_dspcfg(E) snd_hda_codec(E) snd_hda_core(E) amdxcp(E) kvm_amd(E) snd_hwdep(E) gpu_sched(E) drm_panel_backlight_quirks(E) cec(E) snd_pcm(E) drm_buddy(E) snd_seq_dummy(E) drm_ttm_helper(E) btusb(E) kvm(E) snd_seq_oss(E) btrtl(E) ttm(E) btintel(E) snd_seq_midi(E) btbcm(E) drm_exec(E) snd_seq_midi_event(E) i2c_algo_bit(E) snd_rawmidi(E) bluetooth(E) drm_suballoc_helper(E) irqbypass(E) snd_seq(E) ghash_clmulni_intel(E) sha512_ssse3(E) drm_display_helper(E) aesni_intel(E) snd_seq_device(E) rfkill(E) snd_timer(E) gf128mul(E) drm_client_lib(E) drm_kms_helper(E) snd(E) i2c_piix4(E) joydev(E) soundcore(E) wmi_bmof(E) ccp(E) k10temp(E) i2c_smbus(E) gpio_amdpt(E) i2c_designware_platform(E) gpio_generic(E) sg(E)\n[ 876.949914] i2c_designware_core(E) sch_fq_codel(E) parport_pc(E) drm(E) ppdev(E) lp(E) parport(E) fuse(E) nfnetlink(E) ip_tables(E) ext4 crc16 mbcache jbd2 sd_mod sfp mdio_i2c i2c_core txgbe ahci ngbe pcs_xpcs libahci libwx r8169 phylink libata realtek ptp pps_core video wmi\n[ 876.949933] CPU: 14 UID: 0 PID: 0 Comm: swapper/14 Kdump: loaded Tainted: G W E 6.16.0-rc2+ #20 PREEMPT(voluntary)\n[ 876.949935] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE\n[ 876.949936] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024\n[ 876.949936] RIP: 0010:__list_del_entry_valid_or_report+0x67/0x120\n[ 876.949938] Code: 00 00 00 48 39 7d 08 0f 85 a6 00 00 00 5b b8 01 00 00 00 5d 41 5c e9 73 0d 93 ff 48 89 fe 48 c7 c7 a0 31 e8 89 e8 59 7c b3 ff \u003c0f\u003e 0b 31 c0 5b 5d 41 5c e9 57 0d 93 ff 48 89 fe 48 c7 c7 c8 31 e8\n[ 876.949940] RSP: 0018:ffffaa73405d0c60 EFLAGS: 00010282\n[ 876.949941] RAX: 0000000000000000 RBX: ffffead40445a348 RCX: 0000000000000000\n[ 876.949942] RDX: 0000000000000105 RSI: 00000\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:21:54.009Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3c91a56762b1f0d1e4af2d86c2cba83b61ed9eaa" }, { "url": "https://git.kernel.org/stable/c/08d18bda0d03f5ec376929a8c6c4495f9594593a" }, { "url": "https://git.kernel.org/stable/c/003e4765d8661be97e650a833868c53d35574130" }, { "url": "https://git.kernel.org/stable/c/1b7e585c04cd5f0731dd25ffd396277e55fae0e6" } ], "title": "net: libwx: remove duplicate page_pool_put_full_page()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38490", "datePublished": "2025-07-28T11:21:54.009Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-07-28T11:21:54.009Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38497 (GCVE-0-2025-38497)
Vulnerability from cvelistv5
Published
2025-07-28 11:22
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: configfs: Fix OOB read on empty string write
When writing an empty string to either 'qw_sign' or 'landingPage'
sysfs attributes, the store functions attempt to access page[l - 1]
before validating that the length 'l' is greater than zero.
This patch fixes the vulnerability by adding a check at the beginning
of os_desc_qw_sign_store() and webusb_landingPage_store() to handle
the zero-length input case gracefully by returning immediately.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/gadget/configfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "78b41148cfea2a3f04d87adf3a71b21735820a37", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d68b7c8fefbaeae8f065b84e40cf64baf4cc0c76", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "15a87206879951712915c03c8952a73d6a74721e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2798111f8e504ac747cce911226135d50b8de468", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "58bdd5160184645771553ea732da5c2887fc9bd1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "783ea37b237a9b524f1e5ca018ea17d772ee0ea0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "22b7897c289cc25d99c603f5144096142a30d897", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3014168731b7930300aab656085af784edc861f6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/gadget/configfs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: configfs: Fix OOB read on empty string write\n\nWhen writing an empty string to either \u0027qw_sign\u0027 or \u0027landingPage\u0027\nsysfs attributes, the store functions attempt to access page[l - 1]\nbefore validating that the length \u0027l\u0027 is greater than zero.\n\nThis patch fixes the vulnerability by adding a check at the beginning\nof os_desc_qw_sign_store() and webusb_landingPage_store() to handle\nthe zero-length input case gracefully by returning immediately." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:31.159Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/78b41148cfea2a3f04d87adf3a71b21735820a37" }, { "url": "https://git.kernel.org/stable/c/d68b7c8fefbaeae8f065b84e40cf64baf4cc0c76" }, { "url": "https://git.kernel.org/stable/c/15a87206879951712915c03c8952a73d6a74721e" }, { "url": "https://git.kernel.org/stable/c/2798111f8e504ac747cce911226135d50b8de468" }, { "url": "https://git.kernel.org/stable/c/58bdd5160184645771553ea732da5c2887fc9bd1" }, { "url": "https://git.kernel.org/stable/c/783ea37b237a9b524f1e5ca018ea17d772ee0ea0" }, { "url": "https://git.kernel.org/stable/c/22b7897c289cc25d99c603f5144096142a30d897" }, { "url": "https://git.kernel.org/stable/c/3014168731b7930300aab656085af784edc861f6" } ], "title": "usb: gadget: configfs: Fix OOB read on empty string write", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38497", "datePublished": "2025-07-28T11:22:05.855Z", "dateReserved": "2025-04-16T04:51:24.022Z", "dateUpdated": "2025-08-28T14:43:31.159Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38480 (GCVE-0-2025-38480)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital"
subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and
`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have
`insn_read` and `insn_write` handler functions, but to have an
`insn_bits` handler function for handling Comedi `INSN_BITS`
instructions. In that case, the subdevice's `insn_read` and/or
`insn_write` function handler pointers are set to point to the
`insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`.
For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the
supplied `data[0]` value is a valid copy from user memory. It will at
least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in
"comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are
allocated. However, if `insn->n` is 0 (which is allowable for
`INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain
uninitialized data, and certainly contains invalid data, possibly from a
different instruction in the array of instructions handled by
`do_insnlist_ioctl()`. This will result in an incorrect value being
written to the digital output channel (or to the digital input/output
channel if configured as an output), and may be reflected in the
internal saved state of the channel.
Fix it by returning 0 early if `insn->n` is 0, before reaching the code
that accesses `data[0]`. Previously, the function always returned 1 on
success, but it is supposed to be the number of data samples actually
read or written up to `insn->n`, which is 0 in this case.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 Version: ed9eccbe8970f6eedc1b978c157caf1251a896d4 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/comedi/drivers.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4c2981bf30401adfcdbfece4ab6f411f7c5875a1", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "16256d7efcf7acc9f39abe21522c4c6b77f67c00", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "c53570e62b5b28bdb56bb563190227f8307817a5", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "3050d197d6bc9ef128944a70210f42d2430b3000", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "10f9024a8c824a41827fff1fefefb314c98e2c88", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "2af1e7d389c2619219171d23f5b96dbcbb7f9656", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" }, { "lessThan": "e9cb26291d009243a4478a7ffb37b3a9175bfce9", "status": "affected", "version": "ed9eccbe8970f6eedc1b978c157caf1251a896d4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/comedi/drivers.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.29" }, { "lessThan": "2.6.29", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "2.6.29", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: Fix use of uninitialized data in insn_rw_emulate_bits()\n\nFor Comedi `INSN_READ` and `INSN_WRITE` instructions on \"digital\"\nsubdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and\n`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have\n`insn_read` and `insn_write` handler functions, but to have an\n`insn_bits` handler function for handling Comedi `INSN_BITS`\ninstructions. In that case, the subdevice\u0027s `insn_read` and/or\n`insn_write` function handler pointers are set to point to the\n`insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`.\n\nFor `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the\nsupplied `data[0]` value is a valid copy from user memory. It will at\nleast exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in\n\"comedi_fops.c\" ensure at lease `MIN_SAMPLES` (16) elements are\nallocated. However, if `insn-\u003en` is 0 (which is allowable for\n`INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain\nuninitialized data, and certainly contains invalid data, possibly from a\ndifferent instruction in the array of instructions handled by\n`do_insnlist_ioctl()`. This will result in an incorrect value being\nwritten to the digital output channel (or to the digital input/output\nchannel if configured as an output), and may be reflected in the\ninternal saved state of the channel.\n\nFix it by returning 0 early if `insn-\u003en` is 0, before reaching the code\nthat accesses `data[0]`. Previously, the function always returned 1 on\nsuccess, but it is supposed to be the number of data samples actually\nread or written up to `insn-\u003en`, which is 0 in this case." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:19.703Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4c2981bf30401adfcdbfece4ab6f411f7c5875a1" }, { "url": "https://git.kernel.org/stable/c/16256d7efcf7acc9f39abe21522c4c6b77f67c00" }, { "url": "https://git.kernel.org/stable/c/c53570e62b5b28bdb56bb563190227f8307817a5" }, { "url": "https://git.kernel.org/stable/c/3050d197d6bc9ef128944a70210f42d2430b3000" }, { "url": "https://git.kernel.org/stable/c/10f9024a8c824a41827fff1fefefb314c98e2c88" }, { "url": "https://git.kernel.org/stable/c/2af1e7d389c2619219171d23f5b96dbcbb7f9656" }, { "url": "https://git.kernel.org/stable/c/3ab55ffaaf75d0c7b68e332c1cdcc1b0e0044870" }, { "url": "https://git.kernel.org/stable/c/e9cb26291d009243a4478a7ffb37b3a9175bfce9" } ], "title": "comedi: Fix use of uninitialized data in insn_rw_emulate_bits()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38480", "datePublished": "2025-07-28T11:21:45.142Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:19.703Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38468 (GCVE-0-2025-38468)
Vulnerability from cvelistv5
Published
2025-07-28 11:12
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
htb_lookup_leaf has a BUG_ON that can trigger with the following:
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 htb rate 64bit
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2:1 handle 3: blackhole
ping -I lo -c1 -W0.001 127.0.0.1
The root cause is the following:
1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on
the selected leaf qdisc
2. netem_dequeue calls enqueue on the child qdisc
3. blackhole_enqueue drops the packet and returns a value that is not
just NET_XMIT_SUCCESS
4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and
since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate ->
htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase
5. As this is the only class in the selected hprio rbtree,
__rb_change_child in __rb_erase_augmented sets the rb_root pointer to
NULL
6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,
which causes htb_dequeue_tree to call htb_lookup_leaf with the same
hprio rbtree, and fail the BUG_ON
The function graph for this scenario is shown here:
0) | htb_enqueue() {
0) + 13.635 us | netem_enqueue();
0) 4.719 us | htb_activate_prios();
0) # 2249.199 us | }
0) | htb_dequeue() {
0) 2.355 us | htb_lookup_leaf();
0) | netem_dequeue() {
0) + 11.061 us | blackhole_enqueue();
0) | qdisc_tree_reduce_backlog() {
0) | qdisc_lookup_rcu() {
0) 1.873 us | qdisc_match_from_root();
0) 6.292 us | }
0) 1.894 us | htb_search();
0) | htb_qlen_notify() {
0) 2.655 us | htb_deactivate_prios();
0) 6.933 us | }
0) + 25.227 us | }
0) 1.983 us | blackhole_dequeue();
0) + 86.553 us | }
0) # 2932.761 us | qdisc_warn_nonwc();
0) | htb_lookup_leaf() {
0) | BUG_ON();
------------------------------------------
The full original bug report can be seen here [1].
We can fix this just by returning NULL instead of the BUG_ON,
as htb_dequeue_tree returns NULL when htb_lookup_leaf returns
NULL.
[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 Version: 512bb43eb5422ee69a1be05ea0d89dc074fac9a2 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sched/sch_htb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d", "status": "affected", "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2", "versionType": "git" }, { "lessThan": "5c0506cd1b1a3b145bda2612bbf7fe78d186c355", "status": "affected", "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2", "versionType": "git" }, { "lessThan": "850226aef8d28a00cf966ef26d2f8f2bff344535", "status": "affected", "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2", "versionType": "git" }, { "lessThan": "890a5d423ef0a7bd13447ceaffad21189f557301", "status": "affected", "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2", "versionType": "git" }, { "lessThan": "7ff2d83ecf2619060f30ecf9fad4f2a700fca344", "status": "affected", "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2", "versionType": "git" }, { "lessThan": "e5c480dc62a3025b8428d4818e722da30ad6804f", "status": "affected", "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2", "versionType": "git" }, { "lessThan": "3691f84269a23f7edd263e9b6edbc27b7ae332f4", "status": "affected", "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2", "versionType": "git" }, { "lessThan": "0e1d5d9b5c5966e2e42e298670808590db5ed628", "status": "affected", "version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sched/sch_htb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.29" }, { "lessThan": "2.6.29", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "2.6.29", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree\n\nhtb_lookup_leaf has a BUG_ON that can trigger with the following:\n\ntc qdisc del dev lo root\ntc qdisc add dev lo root handle 1: htb default 1\ntc class add dev lo parent 1: classid 1:1 htb rate 64bit\ntc qdisc add dev lo parent 1:1 handle 2: netem\ntc qdisc add dev lo parent 2:1 handle 3: blackhole\nping -I lo -c1 -W0.001 127.0.0.1\n\nThe root cause is the following:\n\n1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on\n the selected leaf qdisc\n2. netem_dequeue calls enqueue on the child qdisc\n3. blackhole_enqueue drops the packet and returns a value that is not\n just NET_XMIT_SUCCESS\n4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and\n since qlen is now 0, it calls htb_qlen_notify -\u003e htb_deactivate -\u003e\n htb_deactiviate_prios -\u003e htb_remove_class_from_row -\u003e htb_safe_rb_erase\n5. As this is the only class in the selected hprio rbtree,\n __rb_change_child in __rb_erase_augmented sets the rb_root pointer to\n NULL\n6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,\n which causes htb_dequeue_tree to call htb_lookup_leaf with the same\n hprio rbtree, and fail the BUG_ON\n\nThe function graph for this scenario is shown here:\n 0) | htb_enqueue() {\n 0) + 13.635 us | netem_enqueue();\n 0) 4.719 us | htb_activate_prios();\n 0) # 2249.199 us | }\n 0) | htb_dequeue() {\n 0) 2.355 us | htb_lookup_leaf();\n 0) | netem_dequeue() {\n 0) + 11.061 us | blackhole_enqueue();\n 0) | qdisc_tree_reduce_backlog() {\n 0) | qdisc_lookup_rcu() {\n 0) 1.873 us | qdisc_match_from_root();\n 0) 6.292 us | }\n 0) 1.894 us | htb_search();\n 0) | htb_qlen_notify() {\n 0) 2.655 us | htb_deactivate_prios();\n 0) 6.933 us | }\n 0) + 25.227 us | }\n 0) 1.983 us | blackhole_dequeue();\n 0) + 86.553 us | }\n 0) # 2932.761 us | qdisc_warn_nonwc();\n 0) | htb_lookup_leaf() {\n 0) | BUG_ON();\n ------------------------------------------\n\nThe full original bug report can be seen here [1].\n\nWe can fix this just by returning NULL instead of the BUG_ON,\nas htb_dequeue_tree returns NULL when htb_lookup_leaf returns\nNULL.\n\n[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/" } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:07.848Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d" }, { "url": "https://git.kernel.org/stable/c/5c0506cd1b1a3b145bda2612bbf7fe78d186c355" }, { "url": "https://git.kernel.org/stable/c/850226aef8d28a00cf966ef26d2f8f2bff344535" }, { "url": "https://git.kernel.org/stable/c/890a5d423ef0a7bd13447ceaffad21189f557301" }, { "url": "https://git.kernel.org/stable/c/7ff2d83ecf2619060f30ecf9fad4f2a700fca344" }, { "url": "https://git.kernel.org/stable/c/e5c480dc62a3025b8428d4818e722da30ad6804f" }, { "url": "https://git.kernel.org/stable/c/3691f84269a23f7edd263e9b6edbc27b7ae332f4" }, { "url": "https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e42e298670808590db5ed628" } ], "title": "net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38468", "datePublished": "2025-07-28T11:12:20.188Z", "dateReserved": "2025-04-16T04:51:24.020Z", "dateUpdated": "2025-08-28T14:43:07.848Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38472 (GCVE-0-2025-38472)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack: fix crash due to removal of uninitialised entry
A crash in conntrack was reported while trying to unlink the conntrack
entry from the hash bucket list:
[exception RIP: __nf_ct_delete_from_lists+172]
[..]
#7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack]
#8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack]
#9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack]
[..]
The nf_conn struct is marked as allocated from slab but appears to be in
a partially initialised state:
ct hlist pointer is garbage; looks like the ct hash value
(hence crash).
ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected
ct->timeout is 30000 (=30s), which is unexpected.
Everything else looks like normal udp conntrack entry. If we ignore
ct->status and pretend its 0, the entry matches those that are newly
allocated but not yet inserted into the hash:
- ct hlist pointers are overloaded and store/cache the raw tuple hash
- ct->timeout matches the relative time expected for a new udp flow
rather than the absolute 'jiffies' value.
If it were not for the presence of IPS_CONFIRMED,
__nf_conntrack_find_get() would have skipped the entry.
Theory is that we did hit following race:
cpu x cpu y cpu z
found entry E found entry E
E is expired <preemption>
nf_ct_delete()
return E to rcu slab
init_conntrack
E is re-inited,
ct->status set to 0
reply tuplehash hnnode.pprev
stores hash value.
cpu y found E right before it was deleted on cpu x.
E is now re-inited on cpu z. cpu y was preempted before
checking for expiry and/or confirm bit.
->refcnt set to 1
E now owned by skb
->timeout set to 30000
If cpu y were to resume now, it would observe E as
expired but would skip E due to missing CONFIRMED bit.
nf_conntrack_confirm gets called
sets: ct->status |= CONFIRMED
This is wrong: E is not yet added
to hashtable.
cpu y resumes, it observes E as expired but CONFIRMED:
<resumes>
nf_ct_expired()
-> yes (ct->timeout is 30s)
confirmed bit set.
cpu y will try to delete E from the hashtable:
nf_ct_delete() -> set DYING bit
__nf_ct_delete_from_lists
Even this scenario doesn't guarantee a crash:
cpu z still holds the table bucket lock(s) so y blocks:
wait for spinlock held by z
CONFIRMED is set but there is no
guarantee ct will be added to hash:
"chaintoolong" or "clash resolution"
logic both skip the insert step.
reply hnnode.pprev still stores the
hash value.
unlocks spinlock
return NF_DROP
<unblocks, then
crashes on hlist_nulls_del_rcu pprev>
In case CPU z does insert the entry into the hashtable, cpu y will unlink
E again right away but no crash occurs.
Without 'cpu y' race, 'garbage' hlist is of no consequence:
ct refcnt remains at 1, eventually skb will be free'd and E gets
destroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy.
To resolve this, move the IPS_CONFIRMED assignment after the table
insertion but before the unlock.
Pablo points out that the confirm-bit-store could be reordered to happen
before hlist add resp. the timeout fixup, so switch to set_bit and
before_atomic memory barrier to prevent this.
It doesn't matter if other CPUs can observe a newly inserted entry right
before the CONFIRMED bit was set:
Such event cannot be distinguished from above "E is the old incarnation"
case: the entry will be skipped.
Also change nf_ct_should_gc() to first check the confirmed bit.
The gc sequence is:
1. Check if entry has expired, if not skip to next entry
2. Obtain a reference to the expired entry.
3. Call nf_ct_should_gc() to double-check step 1.
nf_ct_should_gc() is thus called only for entries that already failed an
expiry check. After this patch, once the confirmed bit check pas
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 Version: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 Version: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 Version: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 Version: 1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912 Version: 594cea2c09f7cd440d1ee1c4547d5bc6a646b0e4 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/net/netfilter/nf_conntrack.h", "net/netfilter/nf_conntrack_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a47ef874189d47f934d0809ae738886307c0ea22", "status": "affected", "version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912", "versionType": "git" }, { "lessThan": "76179961c423cd698080b5e4d5583cf7f4fcdde9", "status": "affected", "version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912", "versionType": "git" }, { "lessThan": "fc38c249c622ff5e3011b8845fd49dbfd9289afc", "status": "affected", "version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912", "versionType": "git" }, { "lessThan": "938ce0e8422d3793fe30df2ed0e37f6bc0598379", "status": "affected", "version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912", "versionType": "git" }, { "lessThan": "2d72afb340657f03f7261e9243b44457a9228ac7", "status": "affected", "version": "1397af5bfd7d32b0cf2adb70a78c9a9e8f11d912", "versionType": "git" }, { "status": "affected", "version": "594cea2c09f7cd440d1ee1c4547d5bc6a646b0e4", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/net/netfilter/nf_conntrack.h", "net/netfilter/nf_conntrack_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack: fix crash due to removal of uninitialised entry\n\nA crash in conntrack was reported while trying to unlink the conntrack\nentry from the hash bucket list:\n [exception RIP: __nf_ct_delete_from_lists+172]\n [..]\n #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack]\n #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack]\n #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack]\n [..]\n\nThe nf_conn struct is marked as allocated from slab but appears to be in\na partially initialised state:\n\n ct hlist pointer is garbage; looks like the ct hash value\n (hence crash).\n ct-\u003estatus is equal to IPS_CONFIRMED|IPS_DYING, which is expected\n ct-\u003etimeout is 30000 (=30s), which is unexpected.\n\nEverything else looks like normal udp conntrack entry. If we ignore\nct-\u003estatus and pretend its 0, the entry matches those that are newly\nallocated but not yet inserted into the hash:\n - ct hlist pointers are overloaded and store/cache the raw tuple hash\n - ct-\u003etimeout matches the relative time expected for a new udp flow\n rather than the absolute \u0027jiffies\u0027 value.\n\nIf it were not for the presence of IPS_CONFIRMED,\n__nf_conntrack_find_get() would have skipped the entry.\n\nTheory is that we did hit following race:\n\ncpu x \t\t\tcpu y\t\t\tcpu z\n found entry E\t\tfound entry E\n E is expired\t\t\u003cpreemption\u003e\n nf_ct_delete()\n return E to rcu slab\n\t\t\t\t\tinit_conntrack\n\t\t\t\t\tE is re-inited,\n\t\t\t\t\tct-\u003estatus set to 0\n\t\t\t\t\treply tuplehash hnnode.pprev\n\t\t\t\t\tstores hash value.\n\ncpu y found E right before it was deleted on cpu x.\nE is now re-inited on cpu z. cpu y was preempted before\nchecking for expiry and/or confirm bit.\n\n\t\t\t\t\t-\u003erefcnt set to 1\n\t\t\t\t\tE now owned by skb\n\t\t\t\t\t-\u003etimeout set to 30000\n\nIf cpu y were to resume now, it would observe E as\nexpired but would skip E due to missing CONFIRMED bit.\n\n\t\t\t\t\tnf_conntrack_confirm gets called\n\t\t\t\t\tsets: ct-\u003estatus |= CONFIRMED\n\t\t\t\t\tThis is wrong: E is not yet added\n\t\t\t\t\tto hashtable.\n\ncpu y resumes, it observes E as expired but CONFIRMED:\n\t\t\t\u003cresumes\u003e\n\t\t\tnf_ct_expired()\n\t\t\t -\u003e yes (ct-\u003etimeout is 30s)\n\t\t\tconfirmed bit set.\n\ncpu y will try to delete E from the hashtable:\n\t\t\tnf_ct_delete() -\u003e set DYING bit\n\t\t\t__nf_ct_delete_from_lists\n\nEven this scenario doesn\u0027t guarantee a crash:\ncpu z still holds the table bucket lock(s) so y blocks:\n\n\t\t\twait for spinlock held by z\n\n\t\t\t\t\tCONFIRMED is set but there is no\n\t\t\t\t\tguarantee ct will be added to hash:\n\t\t\t\t\t\"chaintoolong\" or \"clash resolution\"\n\t\t\t\t\tlogic both skip the insert step.\n\t\t\t\t\treply hnnode.pprev still stores the\n\t\t\t\t\thash value.\n\n\t\t\t\t\tunlocks spinlock\n\t\t\t\t\treturn NF_DROP\n\t\t\t\u003cunblocks, then\n\t\t\t crashes on hlist_nulls_del_rcu pprev\u003e\n\nIn case CPU z does insert the entry into the hashtable, cpu y will unlink\nE again right away but no crash occurs.\n\nWithout \u0027cpu y\u0027 race, \u0027garbage\u0027 hlist is of no consequence:\nct refcnt remains at 1, eventually skb will be free\u0027d and E gets\ndestroyed via: nf_conntrack_put -\u003e nf_conntrack_destroy -\u003e nf_ct_destroy.\n\nTo resolve this, move the IPS_CONFIRMED assignment after the table\ninsertion but before the unlock.\n\nPablo points out that the confirm-bit-store could be reordered to happen\nbefore hlist add resp. the timeout fixup, so switch to set_bit and\nbefore_atomic memory barrier to prevent this.\n\nIt doesn\u0027t matter if other CPUs can observe a newly inserted entry right\nbefore the CONFIRMED bit was set:\n\nSuch event cannot be distinguished from above \"E is the old incarnation\"\ncase: the entry will be skipped.\n\nAlso change nf_ct_should_gc() to first check the confirmed bit.\n\nThe gc sequence is:\n 1. Check if entry has expired, if not skip to next entry\n 2. Obtain a reference to the expired entry.\n 3. Call nf_ct_should_gc() to double-check step 1.\n\nnf_ct_should_gc() is thus called only for entries that already failed an\nexpiry check. After this patch, once the confirmed bit check pas\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:21:33.977Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a47ef874189d47f934d0809ae738886307c0ea22" }, { "url": "https://git.kernel.org/stable/c/76179961c423cd698080b5e4d5583cf7f4fcdde9" }, { "url": "https://git.kernel.org/stable/c/fc38c249c622ff5e3011b8845fd49dbfd9289afc" }, { "url": "https://git.kernel.org/stable/c/938ce0e8422d3793fe30df2ed0e37f6bc0598379" }, { "url": "https://git.kernel.org/stable/c/2d72afb340657f03f7261e9243b44457a9228ac7" } ], "title": "netfilter: nf_conntrack: fix crash due to removal of uninitialised entry", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38472", "datePublished": "2025-07-28T11:21:33.977Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-07-28T11:21:33.977Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38469 (GCVE-0-2025-38469)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls
kvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host
for more than one event channel potr (nr_ports > 1).
After the kmalloc_array(), the error paths need to go through the
"out" label, but the call to kvm_read_guest_virt() does not.
[Adjusted commit message. - Paolo]
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/x86/kvm/xen.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3ee59c38ae7369ad1f7b846e05633ccf0d159fab", "status": "affected", "version": "92c58965e9656dc6e682a8ffe520fac0fb256d13", "versionType": "git" }, { "lessThan": "fd627ac8a5cff4d45269f164b13ddddc0726f2cc", "status": "affected", "version": "92c58965e9656dc6e682a8ffe520fac0fb256d13", "versionType": "git" }, { "lessThan": "061c553c66bc1638c280739999224c8000fd4602", "status": "affected", "version": "92c58965e9656dc6e682a8ffe520fac0fb256d13", "versionType": "git" }, { "lessThan": "5a53249d149f48b558368c5338b9921b76a12f8c", "status": "affected", "version": "92c58965e9656dc6e682a8ffe520fac0fb256d13", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/x86/kvm/xen.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls\n\nkvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host\nfor more than one event channel potr (nr_ports \u003e 1).\n\nAfter the kmalloc_array(), the error paths need to go through the\n\"out\" label, but the call to kvm_read_guest_virt() does not.\n\n[Adjusted commit message. - Paolo]" } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:21:30.992Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3ee59c38ae7369ad1f7b846e05633ccf0d159fab" }, { "url": "https://git.kernel.org/stable/c/fd627ac8a5cff4d45269f164b13ddddc0726f2cc" }, { "url": "https://git.kernel.org/stable/c/061c553c66bc1638c280739999224c8000fd4602" }, { "url": "https://git.kernel.org/stable/c/5a53249d149f48b558368c5338b9921b76a12f8c" } ], "title": "KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38469", "datePublished": "2025-07-28T11:21:30.992Z", "dateReserved": "2025-04-16T04:51:24.020Z", "dateUpdated": "2025-07-28T11:21:30.992Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38482 (GCVE-0-2025-38482)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
comedi: das6402: Fix bit shift out of bounds
When checking for a supported IRQ number, the following test is used:
/* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */
if ((1 << it->options[1]) & 0x8cec) {
However, `it->options[i]` is an unchecked `int` value from userspace, so
the shift amount could be negative or out of bounds. Fix the test by
requiring `it->options[1]` to be within bounds before proceeding with
the original test. Valid `it->options[1]` values that select the IRQ
will be in the range [1,15]. The value 0 explicitly disables the use of
interrupts.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: 79e5e6addbb18bf56075f0ff552094a28636dd03 Version: 79e5e6addbb18bf56075f0ff552094a28636dd03 Version: 79e5e6addbb18bf56075f0ff552094a28636dd03 Version: 79e5e6addbb18bf56075f0ff552094a28636dd03 Version: 79e5e6addbb18bf56075f0ff552094a28636dd03 Version: 79e5e6addbb18bf56075f0ff552094a28636dd03 Version: 79e5e6addbb18bf56075f0ff552094a28636dd03 Version: 79e5e6addbb18bf56075f0ff552094a28636dd03 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/comedi/drivers/das6402.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a15e9c175f783298c4ee48146be6841335400406", "status": "affected", "version": "79e5e6addbb18bf56075f0ff552094a28636dd03", "versionType": "git" }, { "lessThan": "de8da1063cce9234d55c8270d9bdf4cf84411c80", "status": "affected", "version": "79e5e6addbb18bf56075f0ff552094a28636dd03", "versionType": "git" }, { "lessThan": "73f34d609397805c20d6b2ef5c07a4cbf7c4d63a", "status": "affected", "version": "79e5e6addbb18bf56075f0ff552094a28636dd03", "versionType": "git" }, { "lessThan": "a18a42e77545afcacd6a2b8d9fc16191b87454df", "status": "affected", "version": "79e5e6addbb18bf56075f0ff552094a28636dd03", "versionType": "git" }, { "lessThan": "8a3637027ceeba4ca5e500b23cb7d24c25592513", "status": "affected", "version": "79e5e6addbb18bf56075f0ff552094a28636dd03", "versionType": "git" }, { "lessThan": "3eab654f5d199ecd45403c6588cda63e491fcfca", "status": "affected", "version": "79e5e6addbb18bf56075f0ff552094a28636dd03", "versionType": "git" }, { "lessThan": "4a3c18cde02e35aba87e0ad5672b3e1c72dda5a4", "status": "affected", "version": "79e5e6addbb18bf56075f0ff552094a28636dd03", "versionType": "git" }, { "lessThan": "70f2b28b5243df557f51c054c20058ae207baaac", "status": "affected", "version": "79e5e6addbb18bf56075f0ff552094a28636dd03", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/comedi/drivers/das6402.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.15" }, { "lessThan": "3.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "versionStartIncluding": "3.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "3.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "3.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "3.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "3.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "3.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "3.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "3.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: das6402: Fix bit shift out of bounds\n\nWhen checking for a supported IRQ number, the following test is used:\n\n\t/* IRQs 2,3,5,6,7, 10,11,15 are valid for \"enhanced\" mode */\n\tif ((1 \u003c\u003c it-\u003eoptions[1]) \u0026 0x8cec) {\n\nHowever, `it-\u003eoptions[i]` is an unchecked `int` value from userspace, so\nthe shift amount could be negative or out of bounds. Fix the test by\nrequiring `it-\u003eoptions[1]` to be within bounds before proceeding with\nthe original test. Valid `it-\u003eoptions[1]` values that select the IRQ\nwill be in the range [1,15]. The value 0 explicitly disables the use of\ninterrupts." } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:22.306Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a15e9c175f783298c4ee48146be6841335400406" }, { "url": "https://git.kernel.org/stable/c/de8da1063cce9234d55c8270d9bdf4cf84411c80" }, { "url": "https://git.kernel.org/stable/c/73f34d609397805c20d6b2ef5c07a4cbf7c4d63a" }, { "url": "https://git.kernel.org/stable/c/a18a42e77545afcacd6a2b8d9fc16191b87454df" }, { "url": "https://git.kernel.org/stable/c/8a3637027ceeba4ca5e500b23cb7d24c25592513" }, { "url": "https://git.kernel.org/stable/c/3eab654f5d199ecd45403c6588cda63e491fcfca" }, { "url": "https://git.kernel.org/stable/c/4a3c18cde02e35aba87e0ad5672b3e1c72dda5a4" }, { "url": "https://git.kernel.org/stable/c/70f2b28b5243df557f51c054c20058ae207baaac" } ], "title": "comedi: das6402: Fix bit shift out of bounds", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38482", "datePublished": "2025-07-28T11:21:47.026Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:22.306Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38470 (GCVE-0-2025-38470)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
Assuming the "rx-vlan-filter" feature is enabled on a net device, the
8021q module will automatically add or remove VLAN 0 when the net device
is put administratively up or down, respectively. There are a couple of
problems with the above scheme.
The first problem is a memory leak that can happen if the "rx-vlan-filter"
feature is disabled while the device is running:
# ip link add bond1 up type bond mode 0
# ethtool -K bond1 rx-vlan-filter off
# ip link del dev bond1
When the device is put administratively down the "rx-vlan-filter"
feature is disabled, so the 8021q module will not remove VLAN 0 and the
memory will be leaked [1].
Another problem that can happen is that the kernel can automatically
delete VLAN 0 when the device is put administratively down despite not
adding it when the device was put administratively up since during that
time the "rx-vlan-filter" feature was disabled. null-ptr-unref or
bug_on[2] will be triggered by unregister_vlan_dev() for refcount
imbalance if toggling filtering during runtime:
$ ip link add bond0 type bond mode 0
$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q
$ ethtool -K bond0 rx-vlan-filter off
$ ifconfig bond0 up
$ ethtool -K bond0 rx-vlan-filter on
$ ifconfig bond0 down
$ ip link del vlan0
Root cause is as below:
step1: add vlan0 for real_dev, such as bond, team.
register_vlan_dev
vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1
step2: disable vlan filter feature and enable real_dev
step3: change filter from 0 to 1
vlan_device_event
vlan_filter_push_vids
ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0
step4: real_dev down
vlan_device_event
vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0
vlan_info_rcu_free //free vlan0
step5: delete vlan0
unregister_vlan_dev
BUG_ON(!vlan_info); //vlan_info is null
Fix both problems by noting in the VLAN info whether VLAN 0 was
automatically added upon NETDEV_UP and based on that decide whether it
should be deleted upon NETDEV_DOWN, regardless of the state of the
"rx-vlan-filter" feature.
[1]
unreferenced object 0xffff8880068e3100 (size 256):
comm "ip", pid 384, jiffies 4296130254
hex dump (first 32 bytes):
00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 81ce31fa):
__kmalloc_cache_noprof+0x2b5/0x340
vlan_vid_add+0x434/0x940
vlan_device_event.cold+0x75/0xa8
notifier_call_chain+0xca/0x150
__dev_notify_flags+0xe3/0x250
rtnl_configure_link+0x193/0x260
rtnl_newlink_create+0x383/0x8e0
__rtnl_newlink+0x22c/0xa40
rtnl_newlink+0x627/0xb00
rtnetlink_rcv_msg+0x6fb/0xb70
netlink_rcv_skb+0x11f/0x350
netlink_unicast+0x426/0x710
netlink_sendmsg+0x75a/0xc20
__sock_sendmsg+0xc1/0x150
____sys_sendmsg+0x5aa/0x7b0
___sys_sendmsg+0xfc/0x180
[2]
kernel BUG at net/8021q/vlan.c:99!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1))
RSP: 0018:ffff88810badf310 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8
RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80
R10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000
R13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e
FS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0
Call Trace:
<TASK
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f Version: ad1afb00393915a51c21b1ae8704562bf036855f |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/8021q/vlan.c", "net/8021q/vlan.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ba48d3993af23753e1f1f01c8d592de9c7785f24", "status": "affected", "version": "ad1afb00393915a51c21b1ae8704562bf036855f", "versionType": "git" }, { "lessThan": "35142b3816832889e50164d993018ea5810955ae", "status": "affected", "version": "ad1afb00393915a51c21b1ae8704562bf036855f", "versionType": "git" }, { "lessThan": "047b61a24d7c866c502aeeea482892969a68f216", "status": "affected", "version": "ad1afb00393915a51c21b1ae8704562bf036855f", "versionType": "git" }, { "lessThan": "d43ef15bf4856c8c4c6c3572922331a5f06deb77", "status": "affected", "version": "ad1afb00393915a51c21b1ae8704562bf036855f", "versionType": "git" }, { "lessThan": "bb515c41306454937464da055609b5fb0a27821b", "status": "affected", "version": "ad1afb00393915a51c21b1ae8704562bf036855f", "versionType": "git" }, { "lessThan": "8984bcbd1edf5bee5be06ad771d157333b790c33", "status": "affected", "version": "ad1afb00393915a51c21b1ae8704562bf036855f", "versionType": "git" }, { "lessThan": "93715aa2d80e6c5cea1bb486321fc4585076928b", "status": "affected", "version": "ad1afb00393915a51c21b1ae8704562bf036855f", "versionType": "git" }, { "lessThan": "579d4f9ca9a9a605184a9b162355f6ba131f678d", "status": "affected", "version": "ad1afb00393915a51c21b1ae8704562bf036855f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/8021q/vlan.c", "net/8021q/vlan.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.36" }, { "lessThan": "2.6.36", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.297", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.297", "versionStartIncluding": "2.6.36", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "2.6.36", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "2.6.36", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "2.6.36", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "2.6.36", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "2.6.36", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "2.6.36", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "2.6.36", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime\n\nAssuming the \"rx-vlan-filter\" feature is enabled on a net device, the\n8021q module will automatically add or remove VLAN 0 when the net device\nis put administratively up or down, respectively. There are a couple of\nproblems with the above scheme.\n\nThe first problem is a memory leak that can happen if the \"rx-vlan-filter\"\nfeature is disabled while the device is running:\n\n # ip link add bond1 up type bond mode 0\n # ethtool -K bond1 rx-vlan-filter off\n # ip link del dev bond1\n\nWhen the device is put administratively down the \"rx-vlan-filter\"\nfeature is disabled, so the 8021q module will not remove VLAN 0 and the\nmemory will be leaked [1].\n\nAnother problem that can happen is that the kernel can automatically\ndelete VLAN 0 when the device is put administratively down despite not\nadding it when the device was put administratively up since during that\ntime the \"rx-vlan-filter\" feature was disabled. null-ptr-unref or\nbug_on[2] will be triggered by unregister_vlan_dev() for refcount\nimbalance if toggling filtering during runtime:\n\n$ ip link add bond0 type bond mode 0\n$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q\n$ ethtool -K bond0 rx-vlan-filter off\n$ ifconfig bond0 up\n$ ethtool -K bond0 rx-vlan-filter on\n$ ifconfig bond0 down\n$ ip link del vlan0\n\nRoot cause is as below:\nstep1: add vlan0 for real_dev, such as bond, team.\nregister_vlan_dev\n vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1\nstep2: disable vlan filter feature and enable real_dev\nstep3: change filter from 0 to 1\nvlan_device_event\n vlan_filter_push_vids\n ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0\nstep4: real_dev down\nvlan_device_event\n vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0\n vlan_info_rcu_free //free vlan0\nstep5: delete vlan0\nunregister_vlan_dev\n BUG_ON(!vlan_info); //vlan_info is null\n\nFix both problems by noting in the VLAN info whether VLAN 0 was\nautomatically added upon NETDEV_UP and based on that decide whether it\nshould be deleted upon NETDEV_DOWN, regardless of the state of the\n\"rx-vlan-filter\" feature.\n\n[1]\nunreferenced object 0xffff8880068e3100 (size 256):\n comm \"ip\", pid 384, jiffies 4296130254\n hex dump (first 32 bytes):\n 00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0.............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 81ce31fa):\n __kmalloc_cache_noprof+0x2b5/0x340\n vlan_vid_add+0x434/0x940\n vlan_device_event.cold+0x75/0xa8\n notifier_call_chain+0xca/0x150\n __dev_notify_flags+0xe3/0x250\n rtnl_configure_link+0x193/0x260\n rtnl_newlink_create+0x383/0x8e0\n __rtnl_newlink+0x22c/0xa40\n rtnl_newlink+0x627/0xb00\n rtnetlink_rcv_msg+0x6fb/0xb70\n netlink_rcv_skb+0x11f/0x350\n netlink_unicast+0x426/0x710\n netlink_sendmsg+0x75a/0xc20\n __sock_sendmsg+0xc1/0x150\n ____sys_sendmsg+0x5aa/0x7b0\n ___sys_sendmsg+0xfc/0x180\n\n[2]\nkernel BUG at net/8021q/vlan.c:99!\nOops: invalid opcode: 0000 [#1] SMP KASAN PTI\nCPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nBIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1))\nRSP: 0018:ffff88810badf310 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a\nRDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8\nRBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80\nR10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000\nR13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e\nFS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0\nCall Trace:\n \u003cTASK\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:09.081Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ba48d3993af23753e1f1f01c8d592de9c7785f24" }, { "url": "https://git.kernel.org/stable/c/35142b3816832889e50164d993018ea5810955ae" }, { "url": "https://git.kernel.org/stable/c/047b61a24d7c866c502aeeea482892969a68f216" }, { "url": "https://git.kernel.org/stable/c/d43ef15bf4856c8c4c6c3572922331a5f06deb77" }, { "url": "https://git.kernel.org/stable/c/bb515c41306454937464da055609b5fb0a27821b" }, { "url": "https://git.kernel.org/stable/c/8984bcbd1edf5bee5be06ad771d157333b790c33" }, { "url": "https://git.kernel.org/stable/c/93715aa2d80e6c5cea1bb486321fc4585076928b" }, { "url": "https://git.kernel.org/stable/c/579d4f9ca9a9a605184a9b162355f6ba131f678d" } ], "title": "net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38470", "datePublished": "2025-07-28T11:21:32.002Z", "dateReserved": "2025-04-16T04:51:24.020Z", "dateUpdated": "2025-08-28T14:43:09.081Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38476 (GCVE-0-2025-38476)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-08-28 14:43
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
rpl: Fix use-after-free in rpl_do_srh_inline().
Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers
the splat below [0].
rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after
skb_cow_head(), which is illegal as the header could be freed then.
Let's fix it by making oldhdr to a local struct instead of a pointer.
[0]:
[root@fedora net]# ./lwt_dst_cache_ref_loop.sh
...
TEST: rpl (input)
[ 57.631529] ==================================================================
BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)
Read of size 40 at addr ffff888122bf96d8 by task ping6/1543
CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)
kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)
kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))
__asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))
rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)
rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)
lwtunnel_input (net/core/lwtunnel.c:459)
ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))
__netif_receive_skb_one_core (net/core/dev.c:5967)
process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)
__napi_poll.constprop.0 (net/core/dev.c:7452)
net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)
handle_softirqs (kernel/softirq.c:579)
do_softirq (kernel/softirq.c:480 (discriminator 20))
</IRQ>
<TASK>
__local_bh_enable_ip (kernel/softirq.c:407)
__dev_queue_xmit (net/core/dev.c:4740)
ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)
ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)
ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)
ip6_send_skb (net/ipv6/ip6_output.c:1983)
rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)
__sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))
__x64_sys_sendto (net/socket.c:2231)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f68cffb2a06
Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08
RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06
RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003
RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4
R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0
</TASK>
Allocated by task 1543:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)
kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)
kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))
__alloc_skb (net/core/skbuff.c:669)
__ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))
ip6_
---truncated---
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 Version: a7a29f9c361f8542604ef959ae6627f423b7a412 |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/ipv6/rpl_iptunnel.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c09e21dfc08d8afb92d9ea3bee3457adbe3ef297", "status": "affected", "version": "a7a29f9c361f8542604ef959ae6627f423b7a412", "versionType": "git" }, { "lessThan": "8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc", "status": "affected", "version": "a7a29f9c361f8542604ef959ae6627f423b7a412", "versionType": "git" }, { "lessThan": "e8101506ab86dd78f823b7028f2036a380f3a12a", "status": "affected", "version": "a7a29f9c361f8542604ef959ae6627f423b7a412", "versionType": "git" }, { "lessThan": "62dcd9d6e61c39122d2f251a26829e2e55b0a11d", "status": "affected", "version": "a7a29f9c361f8542604ef959ae6627f423b7a412", "versionType": "git" }, { "lessThan": "06ec83b6c792fde1f710c1de3e836da6e257c4c4", "status": "affected", "version": "a7a29f9c361f8542604ef959ae6627f423b7a412", "versionType": "git" }, { "lessThan": "034b428aa3583373a5a20b1c5931bb2b3cae1f36", "status": "affected", "version": "a7a29f9c361f8542604ef959ae6627f423b7a412", "versionType": "git" }, { "lessThan": "b640daa2822a39ff76e70200cb2b7b892b896dce", "status": "affected", "version": "a7a29f9c361f8542604ef959ae6627f423b7a412", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/ipv6/rpl_iptunnel.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.7" }, { "lessThan": "5.7", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.241", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.190", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.147", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.241", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.190", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.147", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "5.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "5.7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpl: Fix use-after-free in rpl_do_srh_inline().\n\nRunning lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers\nthe splat below [0].\n\nrpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after\nskb_cow_head(), which is illegal as the header could be freed then.\n\nLet\u0027s fix it by making oldhdr to a local struct instead of a pointer.\n\n[0]:\n[root@fedora net]# ./lwt_dst_cache_ref_loop.sh\n...\nTEST: rpl (input)\n[ 57.631529] ==================================================================\nBUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\nRead of size 40 at addr ffff888122bf96d8 by task ping6/1543\n\nCPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))\n __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))\n rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\n rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)\n lwtunnel_input (net/core/lwtunnel.c:459)\n ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))\n __netif_receive_skb_one_core (net/core/dev.c:5967)\n process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)\n __napi_poll.constprop.0 (net/core/dev.c:7452)\n net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480 (discriminator 20))\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip (kernel/softirq.c:407)\n __dev_queue_xmit (net/core/dev.c:4740)\n ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)\n ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)\n ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)\n ip6_send_skb (net/ipv6/ip6_output.c:1983)\n rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)\n __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2231)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f68cffb2a06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 \u003c48\u003e 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06\nRDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003\nRBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4\nR13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0\n \u003c/TASK\u003e\n\nAllocated by task 1543:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\n kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)\n kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))\n __alloc_skb (net/core/skbuff.c:669)\n __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))\n ip6_\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-08-28T14:43:12.901Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c09e21dfc08d8afb92d9ea3bee3457adbe3ef297" }, { "url": "https://git.kernel.org/stable/c/8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc" }, { "url": "https://git.kernel.org/stable/c/e8101506ab86dd78f823b7028f2036a380f3a12a" }, { "url": "https://git.kernel.org/stable/c/62dcd9d6e61c39122d2f251a26829e2e55b0a11d" }, { "url": "https://git.kernel.org/stable/c/06ec83b6c792fde1f710c1de3e836da6e257c4c4" }, { "url": "https://git.kernel.org/stable/c/034b428aa3583373a5a20b1c5931bb2b3cae1f36" }, { "url": "https://git.kernel.org/stable/c/b640daa2822a39ff76e70200cb2b7b892b896dce" } ], "title": "rpl: Fix use-after-free in rpl_do_srh_inline().", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38476", "datePublished": "2025-07-28T11:21:37.175Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-08-28T14:43:12.901Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-38489 (GCVE-0-2025-38489)
Vulnerability from cvelistv5
Published
2025-07-28 11:21
Modified
2025-07-28 11:21
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again
Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has
accidentally removed the critical piece of commit c730fce7c70c
("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing
intermittent kernel panics in e.g. perf's on_switch() prog to reappear.
Restore the fix and add a comment.
References
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: c3062bdb859b6e2567e7f5c8cde20c0250bb130f Version: 7ded842b356d151ece8ac4985940438e6d3998bb Version: 7ded842b356d151ece8ac4985940438e6d3998bb Version: 7ded842b356d151ece8ac4985940438e6d3998bb Version: d3d74e45a060d218fe4b0c9174f0a77517509d8e |
||||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/s390/net/bpf_jit_comp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0c7b20f7785cfdd59403333612c90b458b12307c", "status": "affected", "version": "c3062bdb859b6e2567e7f5c8cde20c0250bb130f", "versionType": "git" }, { "lessThan": "d5629d1af0600f8cc7c9245e8d832a66358ef889", "status": "affected", "version": "7ded842b356d151ece8ac4985940438e6d3998bb", "versionType": "git" }, { "lessThan": "a4f9c7846b1ac428921ce9676b1b8c80ed60093c", "status": "affected", "version": "7ded842b356d151ece8ac4985940438e6d3998bb", "versionType": "git" }, { "lessThan": "6a5abf8cf182f577c7ae6c62f14debc9754ec986", "status": "affected", "version": "7ded842b356d151ece8ac4985940438e6d3998bb", "versionType": "git" }, { "status": "affected", "version": "d3d74e45a060d218fe4b0c9174f0a77517509d8e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/s390/net/bpf_jit_comp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.9" }, { "lessThan": "6.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.100", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.40", "versionType": "semver" }, { "lessThanOrEqual": "6.15.*", "status": "unaffected", "version": "6.15.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.16", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.100", "versionStartIncluding": "6.6.26", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.40", "versionStartIncluding": "6.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.15.8", "versionStartIncluding": "6.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16", "versionStartIncluding": "6.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again\n\nCommit 7ded842b356d (\"s390/bpf: Fix bpf_plt pointer arithmetic\") has\naccidentally removed the critical piece of commit c730fce7c70c\n(\"s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL\"), causing\nintermittent kernel panics in e.g. perf\u0027s on_switch() prog to reappear.\n\nRestore the fix and add a comment." } ], "providerMetadata": { "dateUpdated": "2025-07-28T11:21:53.024Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0c7b20f7785cfdd59403333612c90b458b12307c" }, { "url": "https://git.kernel.org/stable/c/d5629d1af0600f8cc7c9245e8d832a66358ef889" }, { "url": "https://git.kernel.org/stable/c/a4f9c7846b1ac428921ce9676b1b8c80ed60093c" }, { "url": "https://git.kernel.org/stable/c/6a5abf8cf182f577c7ae6c62f14debc9754ec986" } ], "title": "s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-38489", "datePublished": "2025-07-28T11:21:53.024Z", "dateReserved": "2025-04-16T04:51:24.021Z", "dateUpdated": "2025-07-28T11:21:53.024Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…