wid-sec-w-2025-2077
Vulnerability from csaf_certbund
Published
2025-09-16 22:00
Modified
2025-09-22 22:00
Summary
Linux Kernel: Multiple vulnerabilities
Notes
The BSI, as the provider, is responsible under general law for its own content made available for use. However, users are responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with the content.
Product description
The kernel is the core of the Linux operating system.
Attack
An attacker can exploit multiple vulnerabilities in the Linux kernel to carry out a denial-of-service attack or to achieve unspecified effects.
Affected operating systems
- Linux
CVE-2023-53327 (GCVE-0-2023-53327)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-16 16:12
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommufd/selftest: Catch overflow of uptr and length
syzkaller hits a WARN_ON when trying to have a uptr close to UINTPTR_MAX:
WARNING: CPU: 1 PID: 393 at drivers/iommu/iommufd/selftest.c:403 iommufd_test+0xb19/0x16f0
Modules linked in:
CPU: 1 PID: 393 Comm: repro Not tainted 6.2.0-c9c3395d5e3d #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:iommufd_test+0xb19/0x16f0
Code: 94 c4 31 ff 44 89 e6 e8 a5 54 17 ff 45 84 e4 0f 85 bb 0b 00 00 41 be fb ff ff ff e8 31 53 17 ff e9 a0 f7 ff ff e8 27 53 17 ff <0f> 0b 41 be 8
RSP: 0018:ffffc90000eabdc0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8214c487
RDX: 0000000000000000 RSI: ffff88800f5c8000 RDI: 0000000000000002
RBP: ffffc90000eabe48 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: 00000000cd2b0000
R13: 00000000cd2af000 R14: 0000000000000000 R15: ffffc90000eabe68
FS: 00007f94d76d5740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000043 CR3: 0000000006880006 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
<TASK>
? write_comp_data+0x2f/0x90
iommufd_fops_ioctl+0x1ef/0x310
__x64_sys_ioctl+0x10e/0x160
? __pfx_iommufd_fops_ioctl+0x10/0x10
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
Check that the user memory range doesn't overflow.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/iommu/iommufd/selftest.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "adac6508c235a092b91ed9c0110ecf140e9e9441", "status": "affected", "version": "f4b20bb34c83dceade5470288f48f94ce3598ada", "versionType": "git" }, { "lessThan": "3fb3505636d033bbf7a0851dac63d01732c51d62", "status": "affected", "version": "f4b20bb34c83dceade5470288f48f94ce3598ada", "versionType": "git" }, { "lessThan": "fd8c1a4aee973e87d890a5861e106625a33b2c4e", "status": "affected", "version": "f4b20bb34c83dceade5470288f48f94ce3598ada", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/iommu/iommufd/selftest.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.15", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.15", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.2", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the 
Linux kernel, the following vulnerability has been resolved:\n\niommufd/selftest: Catch overflow of uptr and length\n\nsyzkaller hits a WARN_ON when trying to have a uptr close to UINTPTR_MAX:\n\n WARNING: CPU: 1 PID: 393 at drivers/iommu/iommufd/selftest.c:403 iommufd_test+0xb19/0x16f0\n Modules linked in:\n CPU: 1 PID: 393 Comm: repro Not tainted 6.2.0-c9c3395d5e3d #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:iommufd_test+0xb19/0x16f0\n Code: 94 c4 31 ff 44 89 e6 e8 a5 54 17 ff 45 84 e4 0f 85 bb 0b 00 00 41 be fb ff ff ff e8 31 53 17 ff e9 a0 f7 ff ff e8 27 53 17 ff \u003c0f\u003e 0b 41 be 8\n RSP: 0018:ffffc90000eabdc0 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8214c487\n RDX: 0000000000000000 RSI: ffff88800f5c8000 RDI: 0000000000000002\n RBP: ffffc90000eabe48 R08: 0000000000000000 R09: 0000000000000001\n R10: 0000000000000001 R11: 0000000000000000 R12: 00000000cd2b0000\n R13: 00000000cd2af000 R14: 0000000000000000 R15: ffffc90000eabe68\n FS: 00007f94d76d5740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020000043 CR3: 0000000006880006 CR4: 0000000000770ee0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n ? write_comp_data+0x2f/0x90\n iommufd_fops_ioctl+0x1ef/0x310\n __x64_sys_ioctl+0x10e/0x160\n ? __pfx_iommufd_fops_ioctl+0x10/0x10\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nCheck that the user memory range doesn\u0027t overflow." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:12:03.417Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/adac6508c235a092b91ed9c0110ecf140e9e9441" }, { "url": "https://git.kernel.org/stable/c/3fb3505636d033bbf7a0851dac63d01732c51d62" }, { "url": "https://git.kernel.org/stable/c/fd8c1a4aee973e87d890a5861e106625a33b2c4e" } ], "title": "iommufd/selftest: Catch overflow of uptr and length", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53327", "datePublished": "2025-09-16T16:12:03.417Z", "dateReserved": "2025-09-16T16:08:59.564Z", "dateUpdated": "2025-09-16T16:12:03.417Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39830 (GCVE-0-2025-39830)
Vulnerability from cvelistv5
Published
2025-09-16 13:08
Modified
2025-09-16 13:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: HWS, Fix memory leak in hws_pool_buddy_init error path
In the error path of hws_pool_buddy_init(), the buddy allocator cleanup
doesn't free the allocator structure itself, causing a memory leak.
Add the missing kfree() to properly release all allocated memory.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/steering/hws/pool.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "86d13a6f49cb68aa91bd718b1b627e72e77285c1", "status": "affected", "version": "c61afff94373641695cc81999e9bb10408ea84d5", "versionType": "git" }, { "lessThan": "2c0a959bebdc1ada13cf9a8242f177c5400299e6", "status": "affected", "version": "c61afff94373641695cc81999e9bb10408ea84d5", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/steering/hws/pool.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.12" }, { "lessThan": "6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: HWS, Fix memory leak in hws_pool_buddy_init error path\n\nIn the error path of hws_pool_buddy_init(), the buddy allocator cleanup\ndoesn\u0027t free the allocator structure itself, causing a memory leak.\n\nAdd the missing kfree() to properly release all allocated 
memory." } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:08:48.110Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/86d13a6f49cb68aa91bd718b1b627e72e77285c1" }, { "url": "https://git.kernel.org/stable/c/2c0a959bebdc1ada13cf9a8242f177c5400299e6" } ], "title": "net/mlx5: HWS, Fix memory leak in hws_pool_buddy_init error path", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39830", "datePublished": "2025-09-16T13:08:48.110Z", "dateReserved": "2025-04-16T07:20:57.140Z", "dateUpdated": "2025-09-16T13:08:48.110Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39832 (GCVE-0-2025-39832)
Vulnerability from cvelistv5
Published
2025-09-16 13:08
Modified
2025-09-16 13:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix lockdep assertion on sync reset unload event
Fix lockdep assertion triggered during sync reset unload event. When the
sync reset flow is initiated using the devlink reload fw_activate
option, the PF already holds the devlink lock while handling unload
event. In this case, delegate sync reset unload event handling back to
the devlink callback process to avoid double-locking and resolve the
lockdep warning.
Kernel log:
WARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40
[...]
Call Trace:
<TASK>
mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core]
mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core]
process_one_work+0x222/0x640
worker_thread+0x199/0x350
kthread+0x10b/0x230
? __pfx_worker_thread+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x8e/0x100
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/devlink.c", "drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c", "drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ddac9d0fe2493dd550cbfc75eeaf31e9b6dac959", "status": "affected", "version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d", "versionType": "git" }, { "lessThan": "0c87dba9ccd3801d3b503f0b4fd41be343af4f06", "status": "affected", "version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d", "versionType": "git" }, { "lessThan": "06d897148e79638651800d851a69547b56b4be2e", "status": "affected", "version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d", "versionType": "git" }, { "lessThan": "902a8bc23a24882200f57cadc270e15a2cfaf2bb", "status": "affected", "version": "7a9770f1bfeaeddf5afabd3244e2c4c4966be37d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/devlink.c", "drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c", "drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.5" }, { "lessThan": "6.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "versionStartIncluding": "6.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "6.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix lockdep assertion on sync reset unload event\n\nFix lockdep assertion triggered during sync reset unload event. When the\nsync reset flow is initiated using the devlink reload fw_activate\noption, the PF already holds the devlink lock while handling unload\nevent. In this case, delegate sync reset unload event handling back to\nthe devlink callback process to avoid double-locking and resolve the\nlockdep warning.\n\nKernel log:\nWARNING: CPU: 9 PID: 1578 at devl_assert_locked+0x31/0x40\n[...]\nCall Trace:\n\u003cTASK\u003e\n mlx5_unload_one_devl_locked+0x2c/0xc0 [mlx5_core]\n mlx5_sync_reset_unload_event+0xaf/0x2f0 [mlx5_core]\n process_one_work+0x222/0x640\n worker_thread+0x199/0x350\n kthread+0x10b/0x230\n ? __pfx_worker_thread+0x10/0x10\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x8e/0x100\n ? 
__pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n\u003c/TASK\u003e" } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:08:49.513Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ddac9d0fe2493dd550cbfc75eeaf31e9b6dac959" }, { "url": "https://git.kernel.org/stable/c/0c87dba9ccd3801d3b503f0b4fd41be343af4f06" }, { "url": "https://git.kernel.org/stable/c/06d897148e79638651800d851a69547b56b4be2e" }, { "url": "https://git.kernel.org/stable/c/902a8bc23a24882200f57cadc270e15a2cfaf2bb" } ], "title": "net/mlx5: Fix lockdep assertion on sync reset unload event", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39832", "datePublished": "2025-09-16T13:08:49.513Z", "dateReserved": "2025-04-16T07:20:57.140Z", "dateUpdated": "2025-09-16T13:08:49.513Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39833 (GCVE-0-2025-39833)
Vulnerability from cvelistv5
Published
2025-09-16 13:08
Modified
2025-09-16 13:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
mISDN: hfcpci: Fix warning when deleting uninitialized timer
With CONFIG_DEBUG_OBJECTS_TIMERS unloading hfcpci module leads
to the following splat:
[ 250.215892] ODEBUG: assert_init not available (active state 0) object: ffffffffc01a3dc0 object type: timer_list hint: 0x0
[ 250.217520] WARNING: CPU: 0 PID: 233 at lib/debugobjects.c:612 debug_print_object+0x1b6/0x2c0
[ 250.218775] Modules linked in: hfcpci(-) mISDN_core
[ 250.219537] CPU: 0 UID: 0 PID: 233 Comm: rmmod Not tainted 6.17.0-rc2-g6f713187ac98 #2 PREEMPT(voluntary)
[ 250.220940] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 250.222377] RIP: 0010:debug_print_object+0x1b6/0x2c0
[ 250.223131] Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 41 56 48 8b 14 dd a0 4e 01 9f 48 89 ee 48 c7 c7 20 46 01 9f e8 cb 84d
[ 250.225805] RSP: 0018:ffff888015ea7c08 EFLAGS: 00010286
[ 250.226608] RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff9be93a95
[ 250.227708] RDX: 1ffff1100d945138 RSI: 0000000000000008 RDI: ffff88806ca289c0
[ 250.228993] RBP: ffffffff9f014a00 R08: 0000000000000001 R09: ffffed1002bd4f39
[ 250.230043] R10: ffff888015ea79cf R11: 0000000000000001 R12: 0000000000000001
[ 250.231185] R13: ffffffff9eea0520 R14: 0000000000000000 R15: ffff888015ea7cc8
[ 250.232454] FS: 00007f3208f01540(0000) GS:ffff8880caf5a000(0000) knlGS:0000000000000000
[ 250.233851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 250.234856] CR2: 00007f32090a7421 CR3: 0000000004d63000 CR4: 00000000000006f0
[ 250.236117] Call Trace:
[ 250.236599] <TASK>
[ 250.236967] ? trace_irq_enable.constprop.0+0xd4/0x130
[ 250.237920] debug_object_assert_init+0x1f6/0x310
[ 250.238762] ? __pfx_debug_object_assert_init+0x10/0x10
[ 250.239658] ? __lock_acquire+0xdea/0x1c70
[ 250.240369] __try_to_del_timer_sync+0x69/0x140
[ 250.241172] ? __pfx___try_to_del_timer_sync+0x10/0x10
[ 250.242058] ? __timer_delete_sync+0xc6/0x120
[ 250.242842] ? lock_acquire+0x30/0x80
[ 250.243474] ? __timer_delete_sync+0xc6/0x120
[ 250.244262] __timer_delete_sync+0x98/0x120
[ 250.245015] HFC_cleanup+0x10/0x20 [hfcpci]
[ 250.245704] __do_sys_delete_module+0x348/0x510
[ 250.246461] ? __pfx___do_sys_delete_module+0x10/0x10
[ 250.247338] do_syscall_64+0xc1/0x360
[ 250.247924] entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fix this by initializing hfc_tl timer with DEFINE_TIMER macro.
Also, use mod_timer instead of manual timeout update.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/isdn/hardware/mISDN/hfcpci.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "43fc5da8133badf17f5df250ba03b9d882254845", "status": "affected", "version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6", "versionType": "git" }, { "lessThan": "97766512a9951b9fd6fc97f1b93211642bb0b220", "status": "affected", "version": "87c5fa1bb42624254a2013cbbc3b170d6017f5d6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/isdn/hardware/mISDN/hfcpci.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.29" }, { "lessThan": "2.6.29", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "2.6.29", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "2.6.29", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: hfcpci: Fix warning when deleting uninitialized timer\n\nWith CONFIG_DEBUG_OBJECTS_TIMERS unloading hfcpci module leads\nto the following splat:\n\n[ 250.215892] ODEBUG: assert_init not available (active state 0) object: ffffffffc01a3dc0 object type: timer_list hint: 0x0\n[ 250.217520] WARNING: CPU: 0 
PID: 233 at lib/debugobjects.c:612 debug_print_object+0x1b6/0x2c0\n[ 250.218775] Modules linked in: hfcpci(-) mISDN_core\n[ 250.219537] CPU: 0 UID: 0 PID: 233 Comm: rmmod Not tainted 6.17.0-rc2-g6f713187ac98 #2 PREEMPT(voluntary)\n[ 250.220940] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 250.222377] RIP: 0010:debug_print_object+0x1b6/0x2c0\n[ 250.223131] Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 41 56 48 8b 14 dd a0 4e 01 9f 48 89 ee 48 c7 c7 20 46 01 9f e8 cb 84d\n[ 250.225805] RSP: 0018:ffff888015ea7c08 EFLAGS: 00010286\n[ 250.226608] RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff9be93a95\n[ 250.227708] RDX: 1ffff1100d945138 RSI: 0000000000000008 RDI: ffff88806ca289c0\n[ 250.228993] RBP: ffffffff9f014a00 R08: 0000000000000001 R09: ffffed1002bd4f39\n[ 250.230043] R10: ffff888015ea79cf R11: 0000000000000001 R12: 0000000000000001\n[ 250.231185] R13: ffffffff9eea0520 R14: 0000000000000000 R15: ffff888015ea7cc8\n[ 250.232454] FS: 00007f3208f01540(0000) GS:ffff8880caf5a000(0000) knlGS:0000000000000000\n[ 250.233851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 250.234856] CR2: 00007f32090a7421 CR3: 0000000004d63000 CR4: 00000000000006f0\n[ 250.236117] Call Trace:\n[ 250.236599] \u003cTASK\u003e\n[ 250.236967] ? trace_irq_enable.constprop.0+0xd4/0x130\n[ 250.237920] debug_object_assert_init+0x1f6/0x310\n[ 250.238762] ? __pfx_debug_object_assert_init+0x10/0x10\n[ 250.239658] ? __lock_acquire+0xdea/0x1c70\n[ 250.240369] __try_to_del_timer_sync+0x69/0x140\n[ 250.241172] ? __pfx___try_to_del_timer_sync+0x10/0x10\n[ 250.242058] ? __timer_delete_sync+0xc6/0x120\n[ 250.242842] ? lock_acquire+0x30/0x80\n[ 250.243474] ? __timer_delete_sync+0xc6/0x120\n[ 250.244262] __timer_delete_sync+0x98/0x120\n[ 250.245015] HFC_cleanup+0x10/0x20 [hfcpci]\n[ 250.245704] __do_sys_delete_module+0x348/0x510\n[ 250.246461] ? 
__pfx___do_sys_delete_module+0x10/0x10\n[ 250.247338] do_syscall_64+0xc1/0x360\n[ 250.247924] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFix this by initializing hfc_tl timer with DEFINE_TIMER macro.\nAlso, use mod_timer instead of manual timeout update." } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:08:50.192Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/43fc5da8133badf17f5df250ba03b9d882254845" }, { "url": "https://git.kernel.org/stable/c/97766512a9951b9fd6fc97f1b93211642bb0b220" } ], "title": "mISDN: hfcpci: Fix warning when deleting uninitialized timer", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39833", "datePublished": "2025-09-16T13:08:50.192Z", "dateReserved": "2025-04-16T07:20:57.140Z", "dateUpdated": "2025-09-16T13:08:50.192Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50352 (GCVE-0-2022-50352)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: hns: fix possible memory leak in hnae_ae_register()
Inject fault while probing module, if device_register() fails,
but the refcount of kobject is not decreased to 0, the name
allocated in dev_set_name() is leaked. Fix this by calling
put_device(), so that name can be freed in callback function
kobject_cleanup().
unreferenced object 0xffff00c01aba2100 (size 128):
comm "systemd-udevd", pid 1259, jiffies 4294903284 (age 294.152s)
hex dump (first 32 bytes):
68 6e 61 65 30 00 00 00 18 21 ba 1a c0 00 ff ff hnae0....!......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000034783f26>] slab_post_alloc_hook+0xa0/0x3e0
[<00000000748188f2>] __kmem_cache_alloc_node+0x164/0x2b0
[<00000000ab0743e8>] __kmalloc_node_track_caller+0x6c/0x390
[<000000006c0ffb13>] kvasprintf+0x8c/0x118
[<00000000fa27bfe1>] kvasprintf_const+0x60/0xc8
[<0000000083e10ed7>] kobject_set_name_vargs+0x3c/0xc0
[<000000000b87affc>] dev_set_name+0x7c/0xa0
[<000000003fd8fe26>] hnae_ae_register+0xcc/0x190 [hnae]
[<00000000fe97edc9>] hns_dsaf_ae_init+0x9c/0x108 [hns_dsaf]
[<00000000c36ff1eb>] hns_dsaf_probe+0x548/0x748 [hns_dsaf]
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 6fe6611ff275522a4e4c0359e2f46cdd07780d2f
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/hisilicon/hns/hnae.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "a3c148955c22fe1d94d7a2096005679c1f22eddf", "status": "affected", "version": "6fe6611ff275522a4e4c0359e2f46cdd07780d2f", "versionType": "git" }, { "lessThan": "3b78453cca046d3b03853f0d077ad3ad130db886", "status": "affected", "version": "6fe6611ff275522a4e4c0359e2f46cdd07780d2f", "versionType": "git" }, { "lessThan": "7ae1345f6ad715acbcdc9e1ac28153684fd498bb", "status": "affected", "version": "6fe6611ff275522a4e4c0359e2f46cdd07780d2f", "versionType": "git" }, { "lessThan": "dfc0337c6dceb6449403b33ecb141f4a1458a1e9", "status": "affected", "version": "6fe6611ff275522a4e4c0359e2f46cdd07780d2f", "versionType": "git" }, { "lessThan": "2974f3b330ef25f5d34a4948d04290c2cd7802cf", "status": "affected", "version": "6fe6611ff275522a4e4c0359e2f46cdd07780d2f", "versionType": "git" }, { "lessThan": "91f8f5342bee726ed5692583d58f69e7cc9ae60e", "status": "affected", "version": "6fe6611ff275522a4e4c0359e2f46cdd07780d2f", "versionType": "git" }, { "lessThan": "02dc0db19d944b4a90941db505ecf1aaec714be4", "status": "affected", "version": "6fe6611ff275522a4e4c0359e2f46cdd07780d2f", "versionType": "git" }, { "lessThan": "ff2f5ec5d009844ec28f171123f9e58750cef4bf", "status": "affected", "version": "6fe6611ff275522a4e4c0359e2f46cdd07780d2f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/hisilicon/hns/hnae.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.4" }, { "lessThan": "4.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.332", "versionType": 
"semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.298", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.264", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.221", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.152", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.76", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.332", "versionStartIncluding": "4.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.298", "versionStartIncluding": "4.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.264", "versionStartIncluding": "4.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.221", "versionStartIncluding": "4.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.152", "versionStartIncluding": "4.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.76", "versionStartIncluding": "4.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.6", "versionStartIncluding": "4.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "4.4", "vulnerable": true } 
], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns: fix possible memory leak in hnae_ae_register()\n\nInject fault while probing module, if device_register() fails,\nbut the refcount of kobject is not decreased to 0, the name\nallocated in dev_set_name() is leaked. Fix this by calling\nput_device(), so that name can be freed in callback function\nkobject_cleanup().\n\nunreferenced object 0xffff00c01aba2100 (size 128):\n comm \"systemd-udevd\", pid 1259, jiffies 4294903284 (age 294.152s)\n hex dump (first 32 bytes):\n 68 6e 61 65 30 00 00 00 18 21 ba 1a c0 00 ff ff hnae0....!......\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003c0000000034783f26\u003e] slab_post_alloc_hook+0xa0/0x3e0\n [\u003c00000000748188f2\u003e] __kmem_cache_alloc_node+0x164/0x2b0\n [\u003c00000000ab0743e8\u003e] __kmalloc_node_track_caller+0x6c/0x390\n [\u003c000000006c0ffb13\u003e] kvasprintf+0x8c/0x118\n [\u003c00000000fa27bfe1\u003e] kvasprintf_const+0x60/0xc8\n [\u003c0000000083e10ed7\u003e] kobject_set_name_vargs+0x3c/0xc0\n [\u003c000000000b87affc\u003e] dev_set_name+0x7c/0xa0\n [\u003c000000003fd8fe26\u003e] hnae_ae_register+0xcc/0x190 [hnae]\n [\u003c00000000fe97edc9\u003e] hns_dsaf_ae_init+0x9c/0x108 [hns_dsaf]\n [\u003c00000000c36ff1eb\u003e] hns_dsaf_probe+0x548/0x748 [hns_dsaf]" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:43.458Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/a3c148955c22fe1d94d7a2096005679c1f22eddf" }, { "url": "https://git.kernel.org/stable/c/3b78453cca046d3b03853f0d077ad3ad130db886" }, { "url": "https://git.kernel.org/stable/c/7ae1345f6ad715acbcdc9e1ac28153684fd498bb" }, { "url": "https://git.kernel.org/stable/c/dfc0337c6dceb6449403b33ecb141f4a1458a1e9" }, { "url": 
"https://git.kernel.org/stable/c/2974f3b330ef25f5d34a4948d04290c2cd7802cf" }, { "url": "https://git.kernel.org/stable/c/91f8f5342bee726ed5692583d58f69e7cc9ae60e" }, { "url": "https://git.kernel.org/stable/c/02dc0db19d944b4a90941db505ecf1aaec714be4" }, { "url": "https://git.kernel.org/stable/c/ff2f5ec5d009844ec28f171123f9e58750cef4bf" } ], "title": "net: hns: fix possible memory leak in hnae_ae_register()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50352", "datePublished": "2025-09-16T16:11:43.458Z", "dateReserved": "2025-09-16T16:03:27.882Z", "dateUpdated": "2025-09-16T16:11:43.458Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39820 (GCVE-0-2025-39820)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dpu: Add a null ptr check for dpu_encoder_needs_modeset
The drm_atomic_get_new_connector_state() can return NULL if the
connector is not part of the atomic state. Add a check to prevent
a NULL pointer dereference.
This follows the same pattern used in dpu_encoder_update_topology()
within the same file, which checks for NULL before using conn_state.
Patchwork: https://patchwork.freedesktop.org/patch/665188/
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "aaec54254b02f5959c3670177037464d828b2140", "status": "affected", "version": "1ce69c265a53c61c5c29f97f542ff89af3f3d7e7", "versionType": "git" }, { "lessThan": "abebfed208515726760d79cf4f9f1a76b9a10a84", "status": "affected", "version": "1ce69c265a53c61c5c29f97f542ff89af3f3d7e7", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.15" }, { "lessThan": "6.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add a null ptr check for dpu_encoder_needs_modeset\n\nThe drm_atomic_get_new_connector_state() can return NULL if the\nconnector is not part of the atomic state. 
Add a check to prevent\na NULL pointer dereference.\n\nThis follows the same pattern used in dpu_encoder_update_topology()\nwithin the same file, which checks for NULL before using conn_state.\n\nPatchwork: https://patchwork.freedesktop.org/patch/665188/" } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:20.059Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/aaec54254b02f5959c3670177037464d828b2140" }, { "url": "https://git.kernel.org/stable/c/abebfed208515726760d79cf4f9f1a76b9a10a84" } ], "title": "drm/msm/dpu: Add a null ptr check for dpu_encoder_needs_modeset", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39820", "datePublished": "2025-09-16T13:00:20.059Z", "dateReserved": "2025-04-16T07:20:57.139Z", "dateUpdated": "2025-09-16T13:00:20.059Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39829 (GCVE-0-2025-39829)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:

trace/fgraph: Fix the warning caused by missing unregister notifier

This warning was triggered during testing on v6.16:

notifier callback ftrace_suspend_notifier_call already registered
WARNING: CPU: 2 PID: 86 at kernel/notifier.c:23 notifier_chain_register+0x44/0xb0
...
Call Trace:
 <TASK>
 blocking_notifier_chain_register+0x34/0x60
 register_ftrace_graph+0x330/0x410
 ftrace_profile_write+0x1e9/0x340
 vfs_write+0xf8/0x420
 ? filp_flush+0x8a/0xa0
 ? filp_close+0x1f/0x30
 ? do_dup2+0xaf/0x160
 ksys_write+0x65/0xe0
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

When writing to the function_profile_enabled interface, the notifier was
not unregistered after start_graph_tracing failed, causing a warning the
next time function_profile_enabled was written.

Fixed by adding unregister_pm_notifier in the exception path.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/trace/fgraph.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2a2deb9f8df70480050351ac27041f19bb9e718b", "status": "affected", "version": "4a2b8dda3f8705880ec7408135645602d5590f51", "versionType": "git" }, { "lessThan": "000aa47a51233fd38a629b029478e0278e1e9fbe", "status": "affected", "version": "4a2b8dda3f8705880ec7408135645602d5590f51", "versionType": "git" }, { "lessThan": "edede7a6dcd7435395cf757d053974aaab6ab1c2", "status": "affected", "version": "4a2b8dda3f8705880ec7408135645602d5590f51", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/trace/fgraph.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.30" }, { "lessThan": "2.6.30", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc3", "versionStartIncluding": "2.6.30", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": 
"In the Linux kernel, the following vulnerability has been resolved:\n\ntrace/fgraph: Fix the warning caused by missing unregister notifier\n\nThis warning was triggered during testing on v6.16:\n\nnotifier callback ftrace_suspend_notifier_call already registered\nWARNING: CPU: 2 PID: 86 at kernel/notifier.c:23 notifier_chain_register+0x44/0xb0\n...\nCall Trace:\n \u003cTASK\u003e\n blocking_notifier_chain_register+0x34/0x60\n register_ftrace_graph+0x330/0x410\n ftrace_profile_write+0x1e9/0x340\n vfs_write+0xf8/0x420\n ? filp_flush+0x8a/0xa0\n ? filp_close+0x1f/0x30\n ? do_dup2+0xaf/0x160\n ksys_write+0x65/0xe0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWhen writing to the function_profile_enabled interface, the notifier was\nnot unregistered after start_graph_tracing failed, causing a warning the\nnext time function_profile_enabled was written.\n\nFixed by adding unregister_pm_notifier in the exception path." } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:27.154Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2a2deb9f8df70480050351ac27041f19bb9e718b" }, { "url": "https://git.kernel.org/stable/c/000aa47a51233fd38a629b029478e0278e1e9fbe" }, { "url": "https://git.kernel.org/stable/c/edede7a6dcd7435395cf757d053974aaab6ab1c2" } ], "title": "trace/fgraph: Fix the warning caused by missing unregister notifier", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39829", "datePublished": "2025-09-16T13:00:27.154Z", "dateReserved": "2025-04-16T07:20:57.140Z", "dateUpdated": "2025-09-16T13:00:27.154Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50345 (GCVE-0-2022-50345)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Protect against send buffer overflow in NFSv3 READ

Since before the git era, NFSD has conserved the number of pages
held by each nfsd thread by combining the RPC receive and send
buffers into a single array of pages. This works because there are
no cases where an operation needs a large RPC Call message and a
large RPC Reply at the same time.

Once an RPC Call has been received, svc_process() updates
svc_rqst::rq_res to describe the part of rq_pages that can be
used for constructing the Reply. This means that the send buffer
(rq_res) shrinks when the received RPC record containing the RPC
Call is large.

A client can force this shrinkage on TCP by sending a correctly-
formed RPC Call header contained in an RPC record that is
excessively large. The full maximum payload size cannot be
constructed in that case.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/nfsd/nfs3proc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c23687911f82a63fa2977ce9c992b395e90f8ba0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "75d9de25a6f833dd0701ca546ac926cabff2b5af", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "bc6c0ed253cd4763dba7541d558e4b704f33176f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "309f29361b6bfae96936317376f1114568c5de19", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fa6be9cc6e80ec79892ddf08a8c10cabab9baf38", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/nfsd/nfs3proc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.220", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.75", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.220", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.75", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Protect against send buffer overflow in NFSv3 READ\n\nSince before the git era, NFSD has conserved the number of pages\nheld by each nfsd thread by combining the RPC receive and send\nbuffers into a single array of pages. This works because there are\nno cases where an operation needs a large RPC Call message and a\nlarge RPC Reply at the same time.\n\nOnce an RPC Call has been received, svc_process() updates\nsvc_rqst::rq_res to describe the part of rq_pages that can be\nused for constructing the Reply. This means that the send buffer\n(rq_res) shrinks when the received RPC record containing the RPC\nCall is large.\n\nA client can force this shrinkage on TCP by sending a correctly-\nformed RPC Call header contained in an RPC record that is\nexcessively large. The full maximum payload size cannot be\nconstructed in that case." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:38.348Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c23687911f82a63fa2977ce9c992b395e90f8ba0" }, { "url": "https://git.kernel.org/stable/c/75d9de25a6f833dd0701ca546ac926cabff2b5af" }, { "url": "https://git.kernel.org/stable/c/bc6c0ed253cd4763dba7541d558e4b704f33176f" }, { "url": "https://git.kernel.org/stable/c/309f29361b6bfae96936317376f1114568c5de19" }, { "url": "https://git.kernel.org/stable/c/fa6be9cc6e80ec79892ddf08a8c10cabab9baf38" } ], "title": "NFSD: Protect against send buffer overflow in NFSv3 READ", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50345", "datePublished": "2025-09-16T16:11:24.171Z", "dateReserved": "2025-09-16T16:03:27.881Z", "dateUpdated": "2025-09-16T16:11:38.348Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50348 (GCVE-0-2022-50348)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:

nfsd: Fix a memory leak in an error handling path

If this memdup_user() call fails, the memory allocated in a previous call
a few lines above should be freed. Otherwise it leaks.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 6ee95d1c899186c0798cafd25998d436bcdb9618 Version: 6ee95d1c899186c0798cafd25998d436bcdb9618 Version: 6ee95d1c899186c0798cafd25998d436bcdb9618 Version: 6ee95d1c899186c0798cafd25998d436bcdb9618 Version: 6ee95d1c899186c0798cafd25998d436bcdb9618 Version: 6ee95d1c899186c0798cafd25998d436bcdb9618
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/nfsd/nfs4recover.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "acc393aecda05bf64ed13b732931462e07a1bf08", "status": "affected", "version": "6ee95d1c899186c0798cafd25998d436bcdb9618", "versionType": "git" }, { "lessThan": "e060c4b9f33c1fca74df26d57a98e784295327e6", "status": "affected", "version": "6ee95d1c899186c0798cafd25998d436bcdb9618", "versionType": "git" }, { "lessThan": "aed8816305575b38dcc77feb6f1bc1d0ed32f5b8", "status": "affected", "version": "6ee95d1c899186c0798cafd25998d436bcdb9618", "versionType": "git" }, { "lessThan": "733dd17158f96aaa25408dc39bbb2738fda9300e", "status": "affected", "version": "6ee95d1c899186c0798cafd25998d436bcdb9618", "versionType": "git" }, { "lessThan": "cc3bca2110ac85cd964da997ef83d84cab0d49fb", "status": "affected", "version": "6ee95d1c899186c0798cafd25998d436bcdb9618", "versionType": "git" }, { "lessThan": "fd1ef88049de09bc70d60b549992524cfc0e66ff", "status": "affected", "version": "6ee95d1c899186c0798cafd25998d436bcdb9618", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/nfsd/nfs4recover.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.220", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.150", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.75", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": 
"unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.220", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.150", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.75", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "5.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: Fix a memory leak in an error handling path\n\nIf this memdup_user() call fails, the memory allocated in a previous call\na few lines above should be freed. Otherwise it leaks." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:40.617Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/acc393aecda05bf64ed13b732931462e07a1bf08" }, { "url": "https://git.kernel.org/stable/c/e060c4b9f33c1fca74df26d57a98e784295327e6" }, { "url": "https://git.kernel.org/stable/c/aed8816305575b38dcc77feb6f1bc1d0ed32f5b8" }, { "url": "https://git.kernel.org/stable/c/733dd17158f96aaa25408dc39bbb2738fda9300e" }, { "url": "https://git.kernel.org/stable/c/cc3bca2110ac85cd964da997ef83d84cab0d49fb" }, { "url": "https://git.kernel.org/stable/c/fd1ef88049de09bc70d60b549992524cfc0e66ff" } ], "title": "nfsd: Fix a memory leak in an error handling path", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50348", "datePublished": "2025-09-16T16:11:40.617Z", "dateReserved": "2025-09-16T16:03:27.882Z", "dateUpdated": "2025-09-16T16:11:40.617Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53315 (GCVE-0-2023-53315)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-19 15:21
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: Fix SKB corruption in REO destination ring

While running traffics for a long time, randomly an RX descriptor
filled with value "0" from REO destination ring is received.
This descriptor which is invalid causes the wrong SKB (SKB stored in
the IDR lookup with buffer id "0") to be fetched which in turn
causes SKB memory corruption issue and the same leads to crash
after some time.

Changed the start id for idr allocation to "1" and the buffer id "0"
is reserved for error validation. Introduced Sanity check to validate
the descriptor, before processing the SKB.

Crash Signature :

Unable to handle kernel paging request at virtual address 3f004900
PC points to "b15_dma_inv_range+0x30/0x50"
LR points to "dma_cache_maint_page+0x8c/0x128".
The Backtrace obtained is as follows:
[<8031716c>] (b15_dma_inv_range) from [<80313a4c>] (dma_cache_maint_page+0x8c/0x128)
[<80313a4c>] (dma_cache_maint_page) from [<80313b90>] (__dma_page_dev_to_cpu+0x28/0xcc)
[<80313b90>] (__dma_page_dev_to_cpu) from [<7fb5dd68>] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k])
[<7fb5dd68>] (ath11k_dp_process_rx [ath11k]) from [<7fb53c20>] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k])
[<7fb53c20>] (ath11k_dp_service_srng [ath11k]) from [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci])
[<7f67bba4>] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [<807d5cf4>] (__napi_poll+0x28/0xb8)
[<807d5cf4>] (__napi_poll) from [<807d5f28>] (net_rx_action+0xf0/0x280)
[<807d5f28>] (net_rx_action) from [<80302148>] (__do_softirq+0xd0/0x280)
[<80302148>] (__do_softirq) from [<80320408>] (irq_exit+0x74/0xd4)
[<80320408>] (irq_exit) from [<803638a4>] (__handle_domain_irq+0x90/0xb4)
[<803638a4>] (__handle_domain_irq) from [<805bedec>] (gic_handle_irq+0x58/0x90)
[<805bedec>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: d5c65159f2895379e11ca13f62feabe93278985d Version: d5c65159f2895379e11ca13f62feabe93278985d Version: d5c65159f2895379e11ca13f62feabe93278985d Version: d5c65159f2895379e11ca13f62feabe93278985d Version: d5c65159f2895379e11ca13f62feabe93278985d
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/ath/ath11k/dp_rx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "866921dc06b94df91acfcf9359b57da943ed99b3", "status": "affected", "version": "d5c65159f2895379e11ca13f62feabe93278985d", "versionType": "git" }, { "lessThan": "3d3f8fe01a01d94a17fe1ae0d2e894049a972717", "status": "affected", "version": "d5c65159f2895379e11ca13f62feabe93278985d", "versionType": "git" }, { "lessThan": "068fd06148fbf0af95bb08dc77cff34ee679fdbc", "status": "affected", "version": "d5c65159f2895379e11ca13f62feabe93278985d", "versionType": "git" }, { "lessThan": "67459491f78146bcf7d93596e5b709d063dff5d8", "status": "affected", "version": "d5c65159f2895379e11ca13f62feabe93278985d", "versionType": "git" }, { "lessThan": "f9fff67d2d7ca6fa8066132003a3deef654c55b1", "status": "affected", "version": "d5c65159f2895379e11ca13f62feabe93278985d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/ath/ath11k/dp_rx.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.6" }, { "lessThan": "5.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.181", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.113", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.30", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": 
[ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.181", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.113", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.30", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4", "versionStartIncluding": "5.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "5.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Fix SKB corruption in REO destination ring\n\nWhile running traffics for a long time, randomly an RX descriptor\nfilled with value \"0\" from REO destination ring is received.\nThis descriptor which is invalid causes the wrong SKB (SKB stored in\nthe IDR lookup with buffer id \"0\") to be fetched which in turn\ncauses SKB memory corruption issue and the same leads to crash\nafter some time.\n\nChanged the start id for idr allocation to \"1\" and the buffer id \"0\"\nis reserved for error validation. 
Introduced Sanity check to validate\nthe descriptor, before processing the SKB.\n\nCrash Signature :\n\nUnable to handle kernel paging request at virtual address 3f004900\nPC points to \"b15_dma_inv_range+0x30/0x50\"\nLR points to \"dma_cache_maint_page+0x8c/0x128\".\nThe Backtrace obtained is as follows:\n[\u003c8031716c\u003e] (b15_dma_inv_range) from [\u003c80313a4c\u003e] (dma_cache_maint_page+0x8c/0x128)\n[\u003c80313a4c\u003e] (dma_cache_maint_page) from [\u003c80313b90\u003e] (__dma_page_dev_to_cpu+0x28/0xcc)\n[\u003c80313b90\u003e] (__dma_page_dev_to_cpu) from [\u003c7fb5dd68\u003e] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k])\n[\u003c7fb5dd68\u003e] (ath11k_dp_process_rx [ath11k]) from [\u003c7fb53c20\u003e] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k])\n[\u003c7fb53c20\u003e] (ath11k_dp_service_srng [ath11k]) from [\u003c7f67bba4\u003e] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci])\n[\u003c7f67bba4\u003e] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [\u003c807d5cf4\u003e] (__napi_poll+0x28/0xb8)\n[\u003c807d5cf4\u003e] (__napi_poll) from [\u003c807d5f28\u003e] (net_rx_action+0xf0/0x280)\n[\u003c807d5f28\u003e] (net_rx_action) from [\u003c80302148\u003e] (__do_softirq+0xd0/0x280)\n[\u003c80302148\u003e] (__do_softirq) from [\u003c80320408\u003e] (irq_exit+0x74/0xd4)\n[\u003c80320408\u003e] (irq_exit) from [\u003c803638a4\u003e] (__handle_domain_irq+0x90/0xb4)\n[\u003c803638a4\u003e] (__handle_domain_irq) from [\u003c805bedec\u003e] (gic_handle_irq+0x58/0x90)\n[\u003c805bedec\u003e] (gic_handle_irq) from [\u003c80301a78\u003e] (__irq_svc+0x58/0x8c)\n\nTested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1" } ], "providerMetadata": { "dateUpdated": "2025-09-19T15:21:32.519Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/866921dc06b94df91acfcf9359b57da943ed99b3" }, { "url": "https://git.kernel.org/stable/c/3d3f8fe01a01d94a17fe1ae0d2e894049a972717" 
}, { "url": "https://git.kernel.org/stable/c/068fd06148fbf0af95bb08dc77cff34ee679fdbc" }, { "url": "https://git.kernel.org/stable/c/67459491f78146bcf7d93596e5b709d063dff5d8" }, { "url": "https://git.kernel.org/stable/c/f9fff67d2d7ca6fa8066132003a3deef654c55b1" } ], "title": "wifi: ath11k: Fix SKB corruption in REO destination ring", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53315", "datePublished": "2025-09-16T16:11:52.242Z", "dateReserved": "2025-09-16T16:08:59.562Z", "dateUpdated": "2025-09-19T15:21:32.519Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53322 (GCVE-0-2023-53322)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Wait for io return on terminate rport

System crash due to use after free.
Current code allows terminate_rport_io to exit before making
sure all IOs has returned. For FCP-2 device, IO's can hang
on in HW because driver has not tear down the session in FW at
first sign of cable pull. When dev_loss_tmo timer pops,
terminate_rport_io is called and upper layer is about to
free various resources. Terminate_rport_io trigger qla to do
the final cleanup, but the cleanup might not be fast enough where it
leave qla still holding on to the same resource.

Wait for IO's to return to upper layer before resources are freed.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/qla2xxx/qla_attr.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8a55556cd7e0220486163b1285ce11a8be2ce5fa", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4647d2e88918a078359d1532d90c417a38542c9e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d25fded78d88e1515439b3ba581684d683e0b6ab", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a9fe97fb7b4ee21bffb76f2acb05769bad27ae70", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "079c8264ed9fea8cbcac01ad29040f901cbc3692", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "90770dad1eb30967ebd8d37d82830bcf270b3293", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "5bcdaafd92be6035ddc77fa76650cf9dd5b864c4", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fc0cba0c7be8261a1625098bd1d695077ec621c9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/qla2xxx/qla_attr.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.322", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.291", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": 
"unaffected", "version": "5.4.251", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.188", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.121", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.40", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.322", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.291", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.251", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.188", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.121", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.40", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Wait for io return on terminate rport\n\nSystem crash due to use after free.\nCurrent code allows terminate_rport_io to exit before making\nsure all IOs has returned. 
For FCP-2 device, IO\u0027s can hang\non in HW because driver has not tear down the session in FW at\nfirst sign of cable pull. When dev_loss_tmo timer pops,\nterminate_rport_io is called and upper layer is about to\nfree various resources. Terminate_rport_io trigger qla to do\nthe final cleanup, but the cleanup might not be fast enough where it\nleave qla still holding on to the same resource.\n\nWait for IO\u0027s to return to upper layer before resources are freed." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:58.062Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8a55556cd7e0220486163b1285ce11a8be2ce5fa" }, { "url": "https://git.kernel.org/stable/c/4647d2e88918a078359d1532d90c417a38542c9e" }, { "url": "https://git.kernel.org/stable/c/d25fded78d88e1515439b3ba581684d683e0b6ab" }, { "url": "https://git.kernel.org/stable/c/a9fe97fb7b4ee21bffb76f2acb05769bad27ae70" }, { "url": "https://git.kernel.org/stable/c/079c8264ed9fea8cbcac01ad29040f901cbc3692" }, { "url": "https://git.kernel.org/stable/c/90770dad1eb30967ebd8d37d82830bcf270b3293" }, { "url": "https://git.kernel.org/stable/c/5bcdaafd92be6035ddc77fa76650cf9dd5b864c4" }, { "url": "https://git.kernel.org/stable/c/fc0cba0c7be8261a1625098bd1d695077ec621c9" } ], "title": "scsi: qla2xxx: Wait for io return on terminate rport", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53322", "datePublished": "2025-09-16T16:11:58.062Z", "dateReserved": "2025-09-16T16:08:59.563Z", "dateUpdated": "2025-09-16T16:11:58.062Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53332 (GCVE-0-2023-53332)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-16 16:12
Summary
In the Linux kernel, the following vulnerability has been resolved:
genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()
If ipi_send_{mask|single}() is called with an invalid interrupt number, all
the local variables there will be NULL. ipi_send_verify() which is invoked
from these functions does verify its 'data' parameter, resulting in a
kernel oops in irq_data_get_affinity_mask() as the passed NULL pointer gets
dereferenced.
Add a missing NULL pointer check in ipi_send_verify()...
Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/irq/ipi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "926aef60ea64cd9becf2829f7388f48dbe8bcb11", "status": "affected", "version": "3b8e29a82dd16c1f2061e0b955a71cd36eeb061b", "versionType": "git" }, { "lessThan": "7448c73d64075051f50caed2c62f46553b69ab8a", "status": "affected", "version": "3b8e29a82dd16c1f2061e0b955a71cd36eeb061b", "versionType": "git" }, { "lessThan": "feabecaff5902f896531dde90646ca5dfa9d4f7d", "status": "affected", "version": "3b8e29a82dd16c1f2061e0b955a71cd36eeb061b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/irq/ipi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.6" }, { "lessThan": "4.6", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.18", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.18", "versionStartIncluding": "4.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.5", "versionStartIncluding": "4.6", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "4.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following 
vulnerability has been resolved:\n\ngenirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()\n\nIf ipi_send_{mask|single}() is called with an invalid interrupt number, all\nthe local variables there will be NULL. ipi_send_verify() which is invoked\nfrom these functions does verify its \u0027data\u0027 parameter, resulting in a\nkernel oops in irq_data_get_affinity_mask() as the passed NULL pointer gets\ndereferenced.\n\nAdd a missing NULL pointer check in ipi_send_verify()...\n\nFound by Linux Verification Center (linuxtesting.org) with the SVACE static\nanalysis tool." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:12:07.573Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/926aef60ea64cd9becf2829f7388f48dbe8bcb11" }, { "url": "https://git.kernel.org/stable/c/7448c73d64075051f50caed2c62f46553b69ab8a" }, { "url": "https://git.kernel.org/stable/c/feabecaff5902f896531dde90646ca5dfa9d4f7d" } ], "title": "genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53332", "datePublished": "2025-09-16T16:12:07.573Z", "dateReserved": "2025-09-16T16:08:59.564Z", "dateUpdated": "2025-09-16T16:12:07.573Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53306 (GCVE-0-2023-53306)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
fsdax: force clear dirty mark if CoW
XFS allows CoW on non-shared extents to combat fragmentation[1]. The old
non-shared extent could have been mwrited before; its dax entry is marked dirty.
This results in a WARNing:
[ 28.512349] ------------[ cut here ]------------
[ 28.512622] WARNING: CPU: 2 PID: 5255 at fs/dax.c:390 dax_insert_entry+0x342/0x390
[ 28.513050] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace fscache netfs nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables
[ 28.515462] CPU: 2 PID: 5255 Comm: fsstress Kdump: loaded Not tainted 6.3.0-rc1-00001-g85e1481e19c1-dirty #117
[ 28.515902] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.1-1-1 04/01/2014
[ 28.516307] RIP: 0010:dax_insert_entry+0x342/0x390
[ 28.516536] Code: 30 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 8b 45 20 48 83 c0 01 e9 e2 fe ff ff 48 8b 45 20 48 83 c0 01 e9 cd fe ff ff <0f> 0b e9 53 ff ff ff 48 8b 7c 24 08 31 f6 e8 1b 61 a1 00 eb 8c 48
[ 28.517417] RSP: 0000:ffffc9000845fb18 EFLAGS: 00010086
[ 28.517721] RAX: 0000000000000053 RBX: 0000000000000155 RCX: 000000000018824b
[ 28.518113] RDX: 0000000000000000 RSI: ffffffff827525a6 RDI: 00000000ffffffff
[ 28.518515] RBP: ffffea00062092c0 R08: 0000000000000000 R09: ffffc9000845f9c8
[ 28.518905] R10: 0000000000000003 R11: ffffffff82ddb7e8 R12: 0000000000000155
[ 28.519301] R13: 0000000000000000 R14: 000000000018824b R15: ffff88810cfa76b8
[ 28.519703] FS: 00007f14a0c94740(0000) GS:ffff88817bd00000(0000) knlGS:0000000000000000
[ 28.520148] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 28.520472] CR2: 00007f14a0c8d000 CR3: 000000010321c004 CR4: 0000000000770ee0
[ 28.520863] PKRU: 55555554
[ 28.521043] Call Trace:
[ 28.521219] <TASK>
[ 28.521368] dax_fault_iter+0x196/0x390
[ 28.521595] dax_iomap_pte_fault+0x19b/0x3d0
[ 28.521852] __xfs_filemap_fault+0x234/0x2b0
[ 28.522116] __do_fault+0x30/0x130
[ 28.522334] do_fault+0x193/0x340
[ 28.522586] __handle_mm_fault+0x2d3/0x690
[ 28.522975] handle_mm_fault+0xe6/0x2c0
[ 28.523259] do_user_addr_fault+0x1bc/0x6f0
[ 28.523521] exc_page_fault+0x60/0x140
[ 28.523763] asm_exc_page_fault+0x22/0x30
[ 28.524001] RIP: 0033:0x7f14a0b589ca
[ 28.524225] Code: c5 fe 7f 07 c5 fe 7f 47 20 c5 fe 7f 47 40 c5 fe 7f 47 60 c5 f8 77 c3 66 0f 1f 84 00 00 00 00 00 40 0f b6 c6 48 89 d1 48 89 fa <f3> aa 48 89 d0 c5 f8 77 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90
[ 28.525198] RSP: 002b:00007fff1dea1c98 EFLAGS: 00010202
[ 28.525505] RAX: 000000000000001e RBX: 000000000014a000 RCX: 0000000000006046
[ 28.525895] RDX: 00007f14a0c82000 RSI: 000000000000001e RDI: 00007f14a0c8d000
[ 28.526290] RBP: 000000000000006f R08: 0000000000000004 R09: 000000000014a000
[ 28.526681] R10: 0000000000000008 R11: 0000000000000246 R12: 028f5c28f5c28f5c
[ 28.527067] R13: 8f5c28f5c28f5c29 R14: 0000000000011046 R15: 00007f14a0c946c0
[ 28.527449] </TASK>
[ 28.527600] ---[ end trace 0000000000000000 ]---
To be able to delete this entry, clear its dirty mark before
invalidate_inode_pages2_range().
[1] https://lore.kernel.org/linux-xfs/20230321151339.GA11376@frogsfrogsfrogs/
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/dax.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "fac05f800abb63dc4d7cc48fe7edf16e0520dc1f", "status": "affected", "version": "f80e1668888f34c0764822e74953c997daf2ccdb", "versionType": "git" }, { "lessThan": "f76b3a32879de215ced3f8c754c4077b0c2f79e3", "status": "affected", "version": "f80e1668888f34c0764822e74953c997daf2ccdb", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/dax.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.11", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.11", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsdax: force clear dirty mark if CoW\n\nXFS allows CoW on non-shared extents to combat fragmentation[1]. The old\nnon-shared extent could be mwrited before, its dax entry is marked dirty. 
\n\nThis results in a WARNing:\n\n[ 28.512349] ------------[ cut here ]------------\n[ 28.512622] WARNING: CPU: 2 PID: 5255 at fs/dax.c:390 dax_insert_entry+0x342/0x390\n[ 28.513050] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace fscache netfs nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables\n[ 28.515462] CPU: 2 PID: 5255 Comm: fsstress Kdump: loaded Not tainted 6.3.0-rc1-00001-g85e1481e19c1-dirty #117\n[ 28.515902] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.1-1-1 04/01/2014\n[ 28.516307] RIP: 0010:dax_insert_entry+0x342/0x390\n[ 28.516536] Code: 30 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 8b 45 20 48 83 c0 01 e9 e2 fe ff ff 48 8b 45 20 48 83 c0 01 e9 cd fe ff ff \u003c0f\u003e 0b e9 53 ff ff ff 48 8b 7c 24 08 31 f6 e8 1b 61 a1 00 eb 8c 48\n[ 28.517417] RSP: 0000:ffffc9000845fb18 EFLAGS: 00010086\n[ 28.517721] RAX: 0000000000000053 RBX: 0000000000000155 RCX: 000000000018824b\n[ 28.518113] RDX: 0000000000000000 RSI: ffffffff827525a6 RDI: 00000000ffffffff\n[ 28.518515] RBP: ffffea00062092c0 R08: 0000000000000000 R09: ffffc9000845f9c8\n[ 28.518905] R10: 0000000000000003 R11: ffffffff82ddb7e8 R12: 0000000000000155\n[ 28.519301] R13: 0000000000000000 R14: 000000000018824b R15: ffff88810cfa76b8\n[ 28.519703] FS: 00007f14a0c94740(0000) GS:ffff88817bd00000(0000) knlGS:0000000000000000\n[ 28.520148] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 28.520472] CR2: 00007f14a0c8d000 CR3: 000000010321c004 CR4: 0000000000770ee0\n[ 28.520863] PKRU: 55555554\n[ 28.521043] Call Trace:\n[ 28.521219] \u003cTASK\u003e\n[ 28.521368] dax_fault_iter+0x196/0x390\n[ 28.521595] dax_iomap_pte_fault+0x19b/0x3d0\n[ 28.521852] __xfs_filemap_fault+0x234/0x2b0\n[ 28.522116] __do_fault+0x30/0x130\n[ 28.522334] do_fault+0x193/0x340\n[ 28.522586] __handle_mm_fault+0x2d3/0x690\n[ 28.522975] handle_mm_fault+0xe6/0x2c0\n[ 
28.523259] do_user_addr_fault+0x1bc/0x6f0\n[ 28.523521] exc_page_fault+0x60/0x140\n[ 28.523763] asm_exc_page_fault+0x22/0x30\n[ 28.524001] RIP: 0033:0x7f14a0b589ca\n[ 28.524225] Code: c5 fe 7f 07 c5 fe 7f 47 20 c5 fe 7f 47 40 c5 fe 7f 47 60 c5 f8 77 c3 66 0f 1f 84 00 00 00 00 00 40 0f b6 c6 48 89 d1 48 89 fa \u003cf3\u003e aa 48 89 d0 c5 f8 77 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90\n[ 28.525198] RSP: 002b:00007fff1dea1c98 EFLAGS: 00010202\n[ 28.525505] RAX: 000000000000001e RBX: 000000000014a000 RCX: 0000000000006046\n[ 28.525895] RDX: 00007f14a0c82000 RSI: 000000000000001e RDI: 00007f14a0c8d000\n[ 28.526290] RBP: 000000000000006f R08: 0000000000000004 R09: 000000000014a000\n[ 28.526681] R10: 0000000000000008 R11: 0000000000000246 R12: 028f5c28f5c28f5c\n[ 28.527067] R13: 8f5c28f5c28f5c29 R14: 0000000000011046 R15: 00007f14a0c946c0\n[ 28.527449] \u003c/TASK\u003e\n[ 28.527600] ---[ end trace 0000000000000000 ]---\n\n\nTo be able to delete this entry, clear its dirty mark before\ninvalidate_inode_pages2_range().\n\n[1] https://lore.kernel.org/linux-xfs/20230321151339.GA11376@frogsfrogsfrogs/" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:45.592Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/fac05f800abb63dc4d7cc48fe7edf16e0520dc1f" }, { "url": "https://git.kernel.org/stable/c/f76b3a32879de215ced3f8c754c4077b0c2f79e3" } ], "title": "fsdax: force clear dirty mark if CoW", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53306", "datePublished": "2025-09-16T16:11:45.592Z", "dateReserved": "2025-09-16T08:09:37.994Z", "dateUpdated": "2025-09-16T16:11:45.592Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39827 (GCVE-0-2025-39827)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: rose: include node references in rose_neigh refcount
The current implementation maintains two separate reference counting
mechanisms: the 'count' field in struct rose_neigh tracks references from
rose_node structures, while the 'use' field (now refcount_t) tracks
references from rose_sock.
This patch merges these two reference counting systems using the 'use' field
for proper reference management. Specifically, this patch adds incrementing
and decrementing of rose_neigh->use when rose_neigh->count is incremented
or decremented.
This patch also modifies rose_rt_free(), rose_rt_device_down() and
rose_clear_route() to properly release references to rose_neigh objects
before freeing a rose_node through rose_remove_node().
These changes ensure rose_neigh structures are properly freed only when
all references, including those from rose_node structures, are released.
As a result, this resolves a slab-use-after-free issue reported by Syzbot.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/rose/rose_route.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4cce478c3e82a5fc788d72adb2f4c4e983997639", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9c547c8eee9d1cf6e744611d688b9f725cf9a115", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d7563b456ed44151e1a82091d96f60166daea89b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "384210cceb1873a4c8218b27ba0745444436b728", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "da9c9c877597170b929a6121a68dcd3dd9a80f45", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/rose/rose_route.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.12" }, { "lessThan": "2.6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "2.6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: include node references in rose_neigh refcount\n\nCurrent implementation maintains two separate reference counting\nmechanisms: the \u0027count\u0027 field in struct rose_neigh tracks references from\nrose_node structures, while the \u0027use\u0027 field (now refcount_t) tracks\nreferences from rose_sock.\n\nThis patch merges these two reference counting systems using \u0027use\u0027 field\nfor proper reference management. Specifically, this patch adds incrementing\nand decrementing of rose_neigh-\u003euse when rose_neigh-\u003ecount is incremented\nor decremented.\n\nThis patch also modifies rose_rt_free(), rose_rt_device_down() and\nrose_clear_route() to properly release references to rose_neigh objects\nbefore freeing a rose_node through rose_remove_node().\n\nThese changes ensure rose_neigh structures are properly freed only when\nall references, including those from rose_node structures, are released.\nAs a result, this resolves a slab-use-after-free issue reported by Syzbot." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:25.555Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4cce478c3e82a5fc788d72adb2f4c4e983997639" }, { "url": "https://git.kernel.org/stable/c/9c547c8eee9d1cf6e744611d688b9f725cf9a115" }, { "url": "https://git.kernel.org/stable/c/d7563b456ed44151e1a82091d96f60166daea89b" }, { "url": "https://git.kernel.org/stable/c/384210cceb1873a4c8218b27ba0745444436b728" }, { "url": "https://git.kernel.org/stable/c/da9c9c877597170b929a6121a68dcd3dd9a80f45" } ], "title": "net: rose: include node references in rose_neigh refcount", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39827", "datePublished": "2025-09-16T13:00:25.555Z", "dateReserved": "2025-04-16T07:20:57.140Z", "dateUpdated": "2025-09-16T13:00:25.555Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50344 (GCVE-0-2022-50344)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix null-ptr-deref in ext4_write_info
I caught a null-ptr-deref bug as follows:
==================================================================
KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
CPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339
RIP: 0010:ext4_write_info+0x53/0x1b0
[...]
Call Trace:
dquot_writeback_dquots+0x341/0x9a0
ext4_sync_fs+0x19e/0x800
__sync_filesystem+0x83/0x100
sync_filesystem+0x89/0xf0
generic_shutdown_super+0x79/0x3e0
kill_block_super+0xa1/0x110
deactivate_locked_super+0xac/0x130
deactivate_super+0xb6/0xd0
cleanup_mnt+0x289/0x400
__cleanup_mnt+0x16/0x20
task_work_run+0x11c/0x1c0
exit_to_user_mode_prepare+0x203/0x210
syscall_exit_to_user_mode+0x5b/0x3a0
do_syscall_64+0x59/0x70
entry_SYSCALL_64_after_hwframe+0x44/0xa9
==================================================================
The above issue may happen as follows:
-------------------------------------
exit_to_user_mode_prepare
task_work_run
__cleanup_mnt
cleanup_mnt
deactivate_super
deactivate_locked_super
kill_block_super
generic_shutdown_super
shrink_dcache_for_umount
dentry = sb->s_root
sb->s_root = NULL <--- Here set NULL
sync_filesystem
__sync_filesystem
sb->s_op->sync_fs > ext4_sync_fs
dquot_writeback_dquots
sb->dq_op->write_info > ext4_write_info
ext4_journal_start(d_inode(sb->s_root), EXT4_HT_QUOTA, 2)
d_inode(sb->s_root)
s_root->d_inode <--- Null pointer dereference
To solve this problem, we use ext4_journal_start_sb directly
to avoid s_root being used.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "dc451578446afd03c0c21913993c08898a691435", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f4b5ff0b794aa94afac7269c494550ca2f66511b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "947264e00c46de19a016fd81218118c708fed2f3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3638aa1c7d87c0ca0aef23cf58cae2c48e7daca4", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f34ab95162763cd7352f46df169296eec28b688d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "533c60a0b97cee5daab376933f486207e6680fb7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4a657319cfabd6199fd0b7b65bbebf6ded7a11c1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "bb420e8afc854d2a1caaa23a0c129839acfb7888", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f9c1f248607d5546075d3f731e7607d5571f2b60", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.331", "versionType": "semver" }, { "lessThanOrEqual": 
"4.14.*", "status": "unaffected", "version": "4.14.296", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.262", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.220", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.150", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.75", "versionType": "semver" }, { "lessThanOrEqual": "5.19.*", "status": "unaffected", "version": "5.19.17", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.331", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.296", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.262", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.220", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.150", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.75", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.19.17", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { 
"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix null-ptr-deref in ext4_write_info\n\nI caught a null-ptr-deref bug as follows:\n==================================================================\nKASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]\nCPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339\nRIP: 0010:ext4_write_info+0x53/0x1b0\n[...]\nCall Trace:\n dquot_writeback_dquots+0x341/0x9a0\n ext4_sync_fs+0x19e/0x800\n __sync_filesystem+0x83/0x100\n sync_filesystem+0x89/0xf0\n generic_shutdown_super+0x79/0x3e0\n kill_block_super+0xa1/0x110\n deactivate_locked_super+0xac/0x130\n deactivate_super+0xb6/0xd0\n cleanup_mnt+0x289/0x400\n __cleanup_mnt+0x16/0x20\n task_work_run+0x11c/0x1c0\n exit_to_user_mode_prepare+0x203/0x210\n syscall_exit_to_user_mode+0x5b/0x3a0\n do_syscall_64+0x59/0x70\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n ==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\nexit_to_user_mode_prepare\n task_work_run\n __cleanup_mnt\n cleanup_mnt\n deactivate_super\n deactivate_locked_super\n kill_block_super\n generic_shutdown_super\n shrink_dcache_for_umount\n dentry = sb-\u003es_root\n sb-\u003es_root = NULL \u003c--- Here set NULL\n sync_filesystem\n __sync_filesystem\n sb-\u003es_op-\u003esync_fs \u003e ext4_sync_fs\n dquot_writeback_dquots\n sb-\u003edq_op-\u003ewrite_info \u003e ext4_write_info\n ext4_journal_start(d_inode(sb-\u003es_root), EXT4_HT_QUOTA, 2)\n d_inode(sb-\u003es_root)\n s_root-\u003ed_inode \u003c--- Null pointer dereference\n\nTo solve this problem, we use ext4_journal_start_sb directly\nto avoid s_root being used." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:36.950Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/dc451578446afd03c0c21913993c08898a691435" }, { "url": "https://git.kernel.org/stable/c/f4b5ff0b794aa94afac7269c494550ca2f66511b" }, { "url": "https://git.kernel.org/stable/c/947264e00c46de19a016fd81218118c708fed2f3" }, { "url": "https://git.kernel.org/stable/c/3638aa1c7d87c0ca0aef23cf58cae2c48e7daca4" }, { "url": "https://git.kernel.org/stable/c/f34ab95162763cd7352f46df169296eec28b688d" }, { "url": "https://git.kernel.org/stable/c/533c60a0b97cee5daab376933f486207e6680fb7" }, { "url": "https://git.kernel.org/stable/c/4a657319cfabd6199fd0b7b65bbebf6ded7a11c1" }, { "url": "https://git.kernel.org/stable/c/bb420e8afc854d2a1caaa23a0c129839acfb7888" }, { "url": "https://git.kernel.org/stable/c/f9c1f248607d5546075d3f731e7607d5571f2b60" } ], "title": "ext4: fix null-ptr-deref in ext4_write_info", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50344", "datePublished": "2025-09-16T16:11:23.345Z", "dateReserved": "2025-09-16T16:03:27.881Z", "dateUpdated": "2025-09-16T16:11:36.950Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50347 (GCVE-0-2022-50347)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
mmc_add_host() may return an error. If we ignore its return value, the memory
allocated in mmc_alloc_host() will be leaked and it will lead to a kernel
crash because of deleting a device that was not added in the remove path.
So fix this by checking the return value and calling mmc_free_host() in the
error path; besides, led_classdev_unregister() and pm_runtime_disable() also
need to be called.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | c7f6558d84afe60016b8103c0737df6e376a1c2d
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/mmc/host/rtsx_usb_sdmmc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d7ad7278be401b09c9f9a9f522cf4c449c7fd489", "status": "affected", "version": "c7f6558d84afe60016b8103c0737df6e376a1c2d", "versionType": "git" }, { "lessThan": "e598c9683fe1cf97c2b11b800cc3cee072108220", "status": "affected", "version": "c7f6558d84afe60016b8103c0737df6e376a1c2d", "versionType": "git" }, { "lessThan": "89303ddbb502c3bc8edbf864f9f85500c8fe07e9", "status": "affected", "version": "c7f6558d84afe60016b8103c0737df6e376a1c2d", "versionType": "git" }, { "lessThan": "937112e991ed25d1727d878734adcbef3b900274", "status": "affected", "version": "c7f6558d84afe60016b8103c0737df6e376a1c2d", "versionType": "git" }, { "lessThan": "7fa922c7a3dd623fd59f1af50e8896fd9ca7f654", "status": "affected", "version": "c7f6558d84afe60016b8103c0737df6e376a1c2d", "versionType": "git" }, { "lessThan": "df683201c7ffbd21a806a7cad657b661c5ebfb6f", "status": "affected", "version": "c7f6558d84afe60016b8103c0737df6e376a1c2d", "versionType": "git" }, { "lessThan": "1491667d5450778a265eddddd294219acfd648cb", "status": "affected", "version": "c7f6558d84afe60016b8103c0737df6e376a1c2d", "versionType": "git" }, { "lessThan": "a522e26a20a43dcfbef9ee9f71ed803290e852b0", "status": "affected", "version": "c7f6558d84afe60016b8103c0737df6e376a1c2d", "versionType": "git" }, { "lessThan": "fc38a5a10e9e5a75eb9189854abeb8405b214cc9", "status": "affected", "version": "c7f6558d84afe60016b8103c0737df6e376a1c2d", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/mmc/host/rtsx_usb_sdmmc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.16" }, { "lessThan": "3.16", "status": 
"unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.337", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.303", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.270", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.337", "versionStartIncluding": "3.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.303", "versionStartIncluding": "3.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.270", "versionStartIncluding": "3.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "versionStartIncluding": "3.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "3.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "3.16", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "3.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "3.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "3.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()\n\nmmc_add_host() may return error, if we ignore its return value, the memory\nthat allocated in mmc_alloc_host() will be leaked and it will lead a kernel\ncrash because of deleting not added device in the remove path.\n\nSo fix this by checking the return value and calling mmc_free_host() in the\nerror path, besides, led_classdev_unregister() and pm_runtime_disable() also\nneed be called." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:39.891Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d7ad7278be401b09c9f9a9f522cf4c449c7fd489" }, { "url": "https://git.kernel.org/stable/c/e598c9683fe1cf97c2b11b800cc3cee072108220" }, { "url": "https://git.kernel.org/stable/c/89303ddbb502c3bc8edbf864f9f85500c8fe07e9" }, { "url": "https://git.kernel.org/stable/c/937112e991ed25d1727d878734adcbef3b900274" }, { "url": "https://git.kernel.org/stable/c/7fa922c7a3dd623fd59f1af50e8896fd9ca7f654" }, { "url": "https://git.kernel.org/stable/c/df683201c7ffbd21a806a7cad657b661c5ebfb6f" }, { "url": "https://git.kernel.org/stable/c/1491667d5450778a265eddddd294219acfd648cb" }, { "url": "https://git.kernel.org/stable/c/a522e26a20a43dcfbef9ee9f71ed803290e852b0" }, { "url": "https://git.kernel.org/stable/c/fc38a5a10e9e5a75eb9189854abeb8405b214cc9" } ], "title": "mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50347", "datePublished": "2025-09-16T16:11:39.891Z", "dateReserved": "2025-09-16T16:03:27.882Z", "dateUpdated": "2025-09-16T16:11:39.891Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53331 (GCVE-0-2023-53331)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-16 16:12
Summary
In the Linux kernel, the following vulnerability has been resolved:

pstore/ram: Check start of empty przs during init

After commit 30696378f68a ("pstore/ram: Do not treat empty buffers as
valid"), initialization would assume a prz was valid after seeing that
the buffer_size is zero (regardless of the buffer start position). This
unchecked start value means it could be outside the bounds of the buffer,
leading to future access panics when written to:

  sysdump_panic_event+0x3b4/0x5b8
  atomic_notifier_call_chain+0x54/0x90
  panic+0x1c8/0x42c
  die+0x29c/0x2a8
  die_kernel_fault+0x68/0x78
  __do_kernel_fault+0x1c4/0x1e0
  do_bad_area+0x40/0x100
  do_translation_fault+0x68/0x80
  do_mem_abort+0x68/0xf8
  el1_da+0x1c/0xc0
  __raw_writeb+0x38/0x174
  __memcpy_toio+0x40/0xac
  persistent_ram_update+0x44/0x12c
  persistent_ram_write+0x1a8/0x1b8
  ramoops_pstore_write+0x198/0x1e8
  pstore_console_write+0x94/0xe0
  ...

To avoid this, also check if the prz start is 0 during the initialization
phase. If not, the next prz sanity check case will discover it (start >
size) and zap the buffer back to a sane state.

[kees: update commit log with backtrace and clarifications]
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/pstore/ram_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "89312657337e6e03ad6e9ea1a462bd9c158c85c8", "status": "affected", "version": "e1e3a46706bd4037e8b7407dc660ae6e05b8ac56", "versionType": "git" }, { "lessThan": "c807ccdd812d18985860504b503899f3140a9549", "status": "affected", "version": "265242d82a3c6a8bd9120d06b4801f8d7ae9a346", "versionType": "git" }, { "lessThan": "e972231db29b5d1dccc13bf9d5ba55b6979a69ed", "status": "affected", "version": "30696378f68a9e3dad6bfe55938b112e72af00c2", "versionType": "git" }, { "lessThan": "dc2f60de9a7d3efd982440117dab5579898d808c", "status": "affected", "version": "30696378f68a9e3dad6bfe55938b112e72af00c2", "versionType": "git" }, { "lessThan": "fedecaeef88899d940b69368c996e8b3b0b8650d", "status": "affected", "version": "30696378f68a9e3dad6bfe55938b112e72af00c2", "versionType": "git" }, { "lessThan": "e95d7a8a6edd14f8fab44c777dd7281db91f6ae2", "status": "affected", "version": "30696378f68a9e3dad6bfe55938b112e72af00c2", "versionType": "git" }, { "lessThan": "f77990358628b01bdc03752126ff5f716ea37615", "status": "affected", "version": "30696378f68a9e3dad6bfe55938b112e72af00c2", "versionType": "git" }, { "lessThan": "25fb4e3402d46f425ec135ef6f09792a4c1b3003", "status": "affected", "version": "30696378f68a9e3dad6bfe55938b112e72af00c2", "versionType": "git" }, { "lessThan": "fe8c3623ab06603eb760444a032d426542212021", "status": "affected", "version": "30696378f68a9e3dad6bfe55938b112e72af00c2", "versionType": "git" }, { "status": "affected", "version": "ec7f99261da9a20d63cbd273511a11a2efe698f2", "versionType": "git" }, { "status": "affected", "version": "f250e4c562a3bd106575032666e9ef46f31231f8", "versionType": "git" }, { "status": "affected", "version": "fffdbf586866e9500b53c9d4b061d3983720375a", "versionType": "git" }, { "status": 
"affected", "version": "9e969ba431b46b1891c88cea36f722f3bfe8a180", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/pstore/ram_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.0" }, { "lessThan": "5.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.326", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.295", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.257", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.195", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.132", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.53", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.16", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.326", "versionStartIncluding": "4.14.96", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.295", "versionStartIncluding": "4.19.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.257", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.195", 
"versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.132", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.53", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.16", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.3", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "5.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.18.133", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.172", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.153", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: Check start of empty przs during init\n\nAfter commit 30696378f68a (\"pstore/ram: Do not treat empty buffers as\nvalid\"), initialization would assume a prz was valid after seeing that\nthe buffer_size is zero (regardless of the buffer start position). 
This\nunchecked start value means it could be outside the bounds of the buffer,\nleading to future access panics when written to:\n\n sysdump_panic_event+0x3b4/0x5b8\n atomic_notifier_call_chain+0x54/0x90\n panic+0x1c8/0x42c\n die+0x29c/0x2a8\n die_kernel_fault+0x68/0x78\n __do_kernel_fault+0x1c4/0x1e0\n do_bad_area+0x40/0x100\n do_translation_fault+0x68/0x80\n do_mem_abort+0x68/0xf8\n el1_da+0x1c/0xc0\n __raw_writeb+0x38/0x174\n __memcpy_toio+0x40/0xac\n persistent_ram_update+0x44/0x12c\n persistent_ram_write+0x1a8/0x1b8\n ramoops_pstore_write+0x198/0x1e8\n pstore_console_write+0x94/0xe0\n ...\n\nTo avoid this, also check if the prz start is 0 during the initialization\nphase. If not, the next prz sanity check case will discover it (start \u003e\nsize) and zap the buffer back to a sane state.\n\n[kees: update commit log with backtrace and clarifications]" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:12:06.788Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/89312657337e6e03ad6e9ea1a462bd9c158c85c8" }, { "url": "https://git.kernel.org/stable/c/c807ccdd812d18985860504b503899f3140a9549" }, { "url": "https://git.kernel.org/stable/c/e972231db29b5d1dccc13bf9d5ba55b6979a69ed" }, { "url": "https://git.kernel.org/stable/c/dc2f60de9a7d3efd982440117dab5579898d808c" }, { "url": "https://git.kernel.org/stable/c/fedecaeef88899d940b69368c996e8b3b0b8650d" }, { "url": "https://git.kernel.org/stable/c/e95d7a8a6edd14f8fab44c777dd7281db91f6ae2" }, { "url": "https://git.kernel.org/stable/c/f77990358628b01bdc03752126ff5f716ea37615" }, { "url": "https://git.kernel.org/stable/c/25fb4e3402d46f425ec135ef6f09792a4c1b3003" }, { "url": "https://git.kernel.org/stable/c/fe8c3623ab06603eb760444a032d426542212021" } ], "title": "pstore/ram: Check start of empty przs during init", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", 
"assignerShortName": "Linux", "cveId": "CVE-2023-53331", "datePublished": "2025-09-16T16:12:06.788Z", "dateReserved": "2025-09-16T16:08:59.564Z", "dateUpdated": "2025-09-16T16:12:06.788Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39834 (GCVE-0-2025-39834)
Vulnerability from cvelistv5
Published
2025-09-16 13:08
Modified
2025-09-16 13:08
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: HWS, Fix memory leak in hws_action_get_shared_stc_nic error flow

When an invalid stc_type is provided, the function allocates memory for
shared_stc but jumps to unlock_and_out without freeing it, causing a
memory leak.

Fix by jumping to free_shared_stc label instead to ensure proper cleanup.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/steering/hws/action.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "051fd8576a2e4e95d5870c5c9f8679c5b16882e4", "status": "affected", "version": "504e536d90104c850731840d3fbc95acf251f11b", "versionType": "git" }, { "lessThan": "a630f83592cdad1253523a1b760cfe78fef6cd9c", "status": "affected", "version": "504e536d90104c850731840d3fbc95acf251f11b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/mellanox/mlx5/core/steering/hws/action.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.12" }, { "lessThan": "6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: HWS, Fix memory leak in hws_action_get_shared_stc_nic error flow\n\nWhen an invalid stc_type is provided, the function allocates memory for\nshared_stc but jumps to unlock_and_out without freeing it, causing a\nmemory leak.\n\nFix by jumping to free_shared_stc 
label instead to ensure proper cleanup." } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:08:50.896Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/051fd8576a2e4e95d5870c5c9f8679c5b16882e4" }, { "url": "https://git.kernel.org/stable/c/a630f83592cdad1253523a1b760cfe78fef6cd9c" } ], "title": "net/mlx5: HWS, Fix memory leak in hws_action_get_shared_stc_nic error flow", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39834", "datePublished": "2025-09-16T13:08:50.896Z", "dateReserved": "2025-04-16T07:20:57.140Z", "dateUpdated": "2025-09-16T13:08:50.896Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53321 (GCVE-0-2023-53321)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211_hwsim: drop short frames

While technically some control frames like ACK are shorter and
end after Address 1, such frames shouldn't be forwarded through
wmediumd or similar userspace, so require the full 3-address
header to avoid accessing invalid memory if shorter frames are
passed in.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/wireless/virtual/mac80211_hwsim.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3beb97bed860d95b14ad23578ce8ddaea62023db", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "672205c6f2d11978fcd7f0f336bb2c708e28874b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "c64ee9dd335832d5e2ab0a8fc83a34ad4c729799", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "b9a175e3b250b0dc6e152988040aa5014e98e61e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "89a41ed7f21476301659ebd25ccb48a60791c1a7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fba360a047d5eeeb9d4b7c3a9b1c8308980ce9a6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/wireless/virtual/mac80211_hwsim.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.257", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.197", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.133", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.55", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.5", "versionType": "semver" }, { "lessThanOrEqual": 
"*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.257", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.197", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.133", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.55", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211_hwsim: drop short frames\n\nWhile technically some control frames like ACK are shorter and\nend after Address 1, such frames shouldn\u0027t be forwarded through\nwmediumd or similar userspace, so require the full 3-address\nheader to avoid accessing invalid memory if shorter frames are\npassed in." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:57.206Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3beb97bed860d95b14ad23578ce8ddaea62023db" }, { "url": "https://git.kernel.org/stable/c/672205c6f2d11978fcd7f0f336bb2c708e28874b" }, { "url": "https://git.kernel.org/stable/c/c64ee9dd335832d5e2ab0a8fc83a34ad4c729799" }, { "url": "https://git.kernel.org/stable/c/b9a175e3b250b0dc6e152988040aa5014e98e61e" }, { "url": "https://git.kernel.org/stable/c/89a41ed7f21476301659ebd25ccb48a60791c1a7" }, { "url": "https://git.kernel.org/stable/c/fba360a047d5eeeb9d4b7c3a9b1c8308980ce9a6" } ], "title": "wifi: mac80211_hwsim: drop short frames", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53321", "datePublished": "2025-09-16T16:11:57.206Z", "dateReserved": "2025-09-16T16:08:59.563Z", "dateUpdated": "2025-09-16T16:11:57.206Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39818 (GCVE-0-2025-39818)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:

HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save

Improper use of secondary pointer (&dev->i2c_subip_regs) caused
kernel crash and out-of-bounds error:

  BUG: KASAN: slab-out-of-bounds in _regmap_bulk_read+0x449/0x510
  Write of size 4 at addr ffff888136005dc0 by task kworker/u33:5/5107

  CPU: 3 UID: 0 PID: 5107 Comm: kworker/u33:5 Not tainted 6.16.0+ #3 PREEMPT(voluntary)
  Workqueue: async async_run_entry_fn
  Call Trace:
  <TASK>
  dump_stack_lvl+0x76/0xa0
  print_report+0xd1/0x660
  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
  ? kasan_complete_mode_report_info+0x26/0x200
  kasan_report+0xe1/0x120
  ? _regmap_bulk_read+0x449/0x510
  ? _regmap_bulk_read+0x449/0x510
  __asan_report_store4_noabort+0x17/0x30
  _regmap_bulk_read+0x449/0x510
  ? __pfx__regmap_bulk_read+0x10/0x10
  regmap_bulk_read+0x270/0x3d0
  pio_complete+0x1ee/0x2c0 [intel_thc]
  ? __pfx_pio_complete+0x10/0x10 [intel_thc]
  ? __pfx_pio_wait+0x10/0x10 [intel_thc]
  ? regmap_update_bits_base+0x13b/0x1f0
  thc_i2c_subip_pio_read+0x117/0x270 [intel_thc]
  thc_i2c_subip_regs_save+0xc2/0x140 [intel_thc]
  ? __pfx_thc_i2c_subip_regs_save+0x10/0x10 [intel_thc]
[...]
  The buggy address belongs to the object at ffff888136005d00
  which belongs to the cache kmalloc-rnd-12-192 of size 192
  The buggy address is located 0 bytes to the right of
  allocated 192-byte region [ffff888136005d00, ffff888136005dc0)

Replaced with direct array indexing (&dev->i2c_subip_regs[i]) to ensure
safe memory access.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "78d4cf0466c79452e47aa6f720afbde63e709ccc", "status": "affected", "version": "4228966def884c6e34b85cdc7118c5d013e1718f", "versionType": "git" }, { "lessThan": "a7fc15ed629be89e51e09b743277c53e0a0168f5", "status": "affected", "version": "4228966def884c6e34b85cdc7118c5d013e1718f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.14" }, { "lessThan": "6.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save\n\nImproper use of secondary pointer (\u0026dev-\u003ei2c_subip_regs) caused\nkernel crash and out-of-bounds error:\n\n BUG: KASAN: slab-out-of-bounds in _regmap_bulk_read+0x449/0x510\n Write of size 4 at addr 
ffff888136005dc0 by task kworker/u33:5/5107\n\n CPU: 3 UID: 0 PID: 5107 Comm: kworker/u33:5 Not tainted 6.16.0+ #3 PREEMPT(voluntary)\n Workqueue: async async_run_entry_fn\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x76/0xa0\n print_report+0xd1/0x660\n ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n ? kasan_complete_mode_report_info+0x26/0x200\n kasan_report+0xe1/0x120\n ? _regmap_bulk_read+0x449/0x510\n ? _regmap_bulk_read+0x449/0x510\n __asan_report_store4_noabort+0x17/0x30\n _regmap_bulk_read+0x449/0x510\n ? __pfx__regmap_bulk_read+0x10/0x10\n regmap_bulk_read+0x270/0x3d0\n pio_complete+0x1ee/0x2c0 [intel_thc]\n ? __pfx_pio_complete+0x10/0x10 [intel_thc]\n ? __pfx_pio_wait+0x10/0x10 [intel_thc]\n ? regmap_update_bits_base+0x13b/0x1f0\n thc_i2c_subip_pio_read+0x117/0x270 [intel_thc]\n thc_i2c_subip_regs_save+0xc2/0x140 [intel_thc]\n ? __pfx_thc_i2c_subip_regs_save+0x10/0x10 [intel_thc]\n[...]\n The buggy address belongs to the object at ffff888136005d00\n which belongs to the cache kmalloc-rnd-12-192 of size 192\n The buggy address is located 0 bytes to the right of\n allocated 192-byte region [ffff888136005d00, ffff888136005dc0)\n\nReplaced with direct array indexing (\u0026dev-\u003ei2c_subip_regs[i]) to ensure\nsafe memory access." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:18.490Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/78d4cf0466c79452e47aa6f720afbde63e709ccc" }, { "url": "https://git.kernel.org/stable/c/a7fc15ed629be89e51e09b743277c53e0a0168f5" } ], "title": "HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39818", "datePublished": "2025-09-16T13:00:18.490Z", "dateReserved": "2025-04-16T07:20:57.138Z", "dateUpdated": "2025-09-16T13:00:18.490Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39812 (GCVE-0-2025-39812)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:

sctp: initialize more fields in sctp_v6_from_sk()

syzbot found that sin6_scope_id was not properly initialized,
leading to undefined behavior.

Clear sin6_scope_id and sin6_flowinfo.

BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649
  __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649
  sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983
  sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390
  sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452
  sctp_get_port net/sctp/socket.c:8523 [inline]
  sctp_listen_start net/sctp/socket.c:8567 [inline]
  sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636
  __sys_listen_socket net/socket.c:1912 [inline]
  __sys_listen net/socket.c:1927 [inline]
  __do_sys_listen net/socket.c:1932 [inline]
  __se_sys_listen net/socket.c:1930 [inline]
  __x64_sys_listen+0x343/0x4c0 net/socket.c:1930
  x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51
  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable addr.i.i created at:
  sctp_get_port net/sctp/socket.c:8515 [inline]
  sctp_listen_start net/sctp/socket.c:8567 [inline]
  sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636
  __sys_listen_socket net/socket.c:1912 [inline]
  __sys_listen net/socket.c:1927 [inline]
  __do_sys_listen net/socket.c:1932 [inline]
  __se_sys_listen net/socket.c:1930 [inline]
  __x64_sys_listen+0x343/0x4c0 net/socket.c:1930
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/sctp/ipv6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "45e4b36593edffb7bbee5828ae820bc10a9fa0f3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "9546934c2054bba1bd605c44e936619159a34027", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "17d6c7747045e9b802c2f5dfaba260d309d831ae", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "65b4693d8bab5370cfcb44a275b4d8dcb06e56bf", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "463aa96fca6209bb205f49f7deea3817d7ddaa3a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "1bbc0c02aea1f1c405bd1271466889c25a1fe01b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f6c2cc99fc2387ba6499facd6108f6543382792d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2e8750469242cad8f01f320131fd5a6f540dbb99", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/sctp/ipv6.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.12" }, { "lessThan": "2.6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.298", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": 
"unaffected", "version": "5.10.242", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.191", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.298", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.242", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.191", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "2.6.12", "vulnerable": true } ], "negate": 
false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: initialize more fields in sctp_v6_from_sk()\n\nsyzbot found that sin6_scope_id was not properly initialized,\nleading to undefined behavior.\n\nClear sin6_scope_id and sin6_flowinfo.\n\nBUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649\n sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983\n sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390\n sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452\n sctp_get_port net/sctp/socket.c:8523 [inline]\n sctp_listen_start net/sctp/socket.c:8567 [inline]\n sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636\n __sys_listen_socket net/socket.c:1912 [inline]\n __sys_listen net/socket.c:1927 [inline]\n __do_sys_listen net/socket.c:1932 [inline]\n __se_sys_listen net/socket.c:1930 [inline]\n __x64_sys_listen+0x343/0x4c0 net/socket.c:1930\n x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nLocal variable addr.i.i created at:\n sctp_get_port net/sctp/socket.c:8515 [inline]\n sctp_listen_start net/sctp/socket.c:8567 [inline]\n sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636\n __sys_listen_socket net/socket.c:1912 [inline]\n __sys_listen net/socket.c:1927 [inline]\n __do_sys_listen net/socket.c:1932 [inline]\n __se_sys_listen net/socket.c:1930 [inline]\n __x64_sys_listen+0x343/0x4c0 net/socket.c:1930" } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:14.103Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/45e4b36593edffb7bbee5828ae820bc10a9fa0f3" }, { "url": 
"https://git.kernel.org/stable/c/9546934c2054bba1bd605c44e936619159a34027" }, { "url": "https://git.kernel.org/stable/c/17d6c7747045e9b802c2f5dfaba260d309d831ae" }, { "url": "https://git.kernel.org/stable/c/65b4693d8bab5370cfcb44a275b4d8dcb06e56bf" }, { "url": "https://git.kernel.org/stable/c/463aa96fca6209bb205f49f7deea3817d7ddaa3a" }, { "url": "https://git.kernel.org/stable/c/1bbc0c02aea1f1c405bd1271466889c25a1fe01b" }, { "url": "https://git.kernel.org/stable/c/f6c2cc99fc2387ba6499facd6108f6543382792d" }, { "url": "https://git.kernel.org/stable/c/2e8750469242cad8f01f320131fd5a6f540dbb99" } ], "title": "sctp: initialize more fields in sctp_v6_from_sk()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39812", "datePublished": "2025-09-16T13:00:14.103Z", "dateReserved": "2025-04-16T07:20:57.137Z", "dateUpdated": "2025-09-16T13:00:14.103Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39813 (GCVE-0-2025-39813)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix potential warning in trace_printk_seq during ftrace_dump

When calling ftrace_dump_one() concurrently with reading trace_pipe,
a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race
condition.

The issue occurs because:

    CPU0 (ftrace_dump)                              CPU1 (reader)
    echo z > /proc/sysrq-trigger

    !trace_empty(&iter)
    trace_iterator_reset(&iter) <- len = size = 0
                                                    cat /sys/kernel/tracing/trace_pipe
    trace_find_next_entry_inc(&iter)
      __find_next_entry
        ring_buffer_empty_cpu <- all empty
      return NULL

    trace_printk_seq(&iter.seq)
      WARN_ON_ONCE(s->seq.len >= s->seq.size)

In the context between trace_empty() and trace_find_next_entry_inc()
during ftrace_dump, the ring buffer data was consumed by other readers.
This caused trace_find_next_entry_inc to return NULL, failing to populate
`iter.seq`. At this point, due to the prior trace_iterator_reset, both
`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,
the WARN_ON_ONCE condition is triggered.

Move the trace_printk_seq() into the if block that checks to make sure the
return value of trace_find_next_entry_inc() is non-NULL in
ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before
subsequent operations.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | d769041f865330034131525ee6a7f72eb4af2a24
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/trace/trace.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f299353e7ccbcc5c2ed8993c48fbe7609cbe729a", "status": "affected", "version": "d769041f865330034131525ee6a7f72eb4af2a24", "versionType": "git" }, { "lessThan": "5ab0ec206deb99eb3baf8f1d7602aeaa91dbcc85", "status": "affected", "version": "d769041f865330034131525ee6a7f72eb4af2a24", "versionType": "git" }, { "lessThan": "a6f0f8873cc30fd4543b09adf03f7f51d293f0e6", "status": "affected", "version": "d769041f865330034131525ee6a7f72eb4af2a24", "versionType": "git" }, { "lessThan": "e80ff23ba8bdb0f41a1afe2657078e4097d13a9a", "status": "affected", "version": "d769041f865330034131525ee6a7f72eb4af2a24", "versionType": "git" }, { "lessThan": "28c8fb7ae2ad27d81c8de3c4fe608c509f6a18aa", "status": "affected", "version": "d769041f865330034131525ee6a7f72eb4af2a24", "versionType": "git" }, { "lessThan": "ced94e137e6cd5e79c65564841d3b7695d0f5fa3", "status": "affected", "version": "d769041f865330034131525ee6a7f72eb4af2a24", "versionType": "git" }, { "lessThan": "fbd4cf7ee4db65ef36796769fe978e9eba6f0de4", "status": "affected", "version": "d769041f865330034131525ee6a7f72eb4af2a24", "versionType": "git" }, { "lessThan": "4013aef2ced9b756a410f50d12df9ebe6a883e4a", "status": "affected", "version": "d769041f865330034131525ee6a7f72eb4af2a24", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/trace/trace.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.28" }, { "lessThan": "2.6.28", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.298", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", 
"status": "unaffected", "version": "5.10.242", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.191", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.298", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.242", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.191", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "2.6.28", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc3", "versionStartIncluding": "2.6.28", "vulnerable": true } ], 
"negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Fix potential warning in trace_printk_seq during ftrace_dump\n\nWhen calling ftrace_dump_one() concurrently with reading trace_pipe,\na WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race\ncondition.\n\nThe issue occurs because:\n\nCPU0 (ftrace_dump) CPU1 (reader)\necho z \u003e /proc/sysrq-trigger\n\n!trace_empty(\u0026iter)\ntrace_iterator_reset(\u0026iter) \u003c- len = size = 0\n cat /sys/kernel/tracing/trace_pipe\ntrace_find_next_entry_inc(\u0026iter)\n __find_next_entry\n ring_buffer_empty_cpu \u003c- all empty\n return NULL\n\ntrace_printk_seq(\u0026iter.seq)\n WARN_ON_ONCE(s-\u003eseq.len \u003e= s-\u003eseq.size)\n\nIn the context between trace_empty() and trace_find_next_entry_inc()\nduring ftrace_dump, the ring buffer data was consumed by other readers.\nThis caused trace_find_next_entry_inc to return NULL, failing to populate\n`iter.seq`. At this point, due to the prior trace_iterator_reset, both\n`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,\nthe WARN_ON_ONCE condition is triggered.\n\nMove the trace_printk_seq() into the if block that checks to make sure the\nreturn value of trace_find_next_entry_inc() is non-NULL in\nftrace_dump_one(), ensuring the \u0027iter.seq\u0027 is properly populated before\nsubsequent operations." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:14.846Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f299353e7ccbcc5c2ed8993c48fbe7609cbe729a" }, { "url": "https://git.kernel.org/stable/c/5ab0ec206deb99eb3baf8f1d7602aeaa91dbcc85" }, { "url": "https://git.kernel.org/stable/c/a6f0f8873cc30fd4543b09adf03f7f51d293f0e6" }, { "url": "https://git.kernel.org/stable/c/e80ff23ba8bdb0f41a1afe2657078e4097d13a9a" }, { "url": "https://git.kernel.org/stable/c/28c8fb7ae2ad27d81c8de3c4fe608c509f6a18aa" }, { "url": "https://git.kernel.org/stable/c/ced94e137e6cd5e79c65564841d3b7695d0f5fa3" }, { "url": "https://git.kernel.org/stable/c/fbd4cf7ee4db65ef36796769fe978e9eba6f0de4" }, { "url": "https://git.kernel.org/stable/c/4013aef2ced9b756a410f50d12df9ebe6a883e4a" } ], "title": "ftrace: Fix potential warning in trace_printk_seq during ftrace_dump", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39813", "datePublished": "2025-09-16T13:00:14.846Z", "dateReserved": "2025-04-16T07:20:57.137Z", "dateUpdated": "2025-09-16T13:00:14.846Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39826 (GCVE-0-2025-39826)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: rose: convert 'use' field to refcount_t

The 'use' field in struct rose_neigh is used as a reference counter but
lacks atomicity. This can lead to race conditions where a rose_neigh
structure is freed while still being referenced by other code paths.

For example, when rose_neigh->use becomes zero during an ioctl operation
via rose_rt_ioctl(), the structure may be removed while its timer is
still active, potentially causing use-after-free issues.

This patch changes the type of 'use' from unsigned short to refcount_t and
updates all code paths to use rose_neigh_hold() and rose_neigh_put() which
operate reference counts atomically.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/net/rose.h", "net/rose/af_rose.c", "net/rose/rose_in.c", "net/rose/rose_route.c", "net/rose/rose_timer.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "fb07156cc0742ba4e93dfcc84280c011d05b301f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f8c29fc437d03a98fb075c31c5be761cc8326284", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0085b250fcc79f900c82a69980ec2f3e1871823b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "203e4f42596ede31498744018716a3db6dbb7f51", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d860d1faa6b2ce3becfdb8b0c2b048ad31800061", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/net/rose.h", "net/rose/af_rose.c", "net/rose/rose_in.c", "net/rose/rose_route.c", "net/rose/rose_timer.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.12" }, { "lessThan": "2.6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { 
"lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "2.6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: convert \u0027use\u0027 field to refcount_t\n\nThe \u0027use\u0027 field in struct rose_neigh is used as a reference counter but\nlacks atomicity. This can lead to race conditions where a rose_neigh\nstructure is freed while still being referenced by other code paths.\n\nFor example, when rose_neigh-\u003euse becomes zero during an ioctl operation\nvia rose_rt_ioctl(), the structure may be removed while its timer is\nstill active, potentially causing use-after-free issues.\n\nThis patch changes the type of \u0027use\u0027 from unsigned short to refcount_t and\nupdates all code paths to use rose_neigh_hold() and rose_neigh_put() which\noperate reference counts atomically." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:24.618Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/fb07156cc0742ba4e93dfcc84280c011d05b301f" }, { "url": "https://git.kernel.org/stable/c/f8c29fc437d03a98fb075c31c5be761cc8326284" }, { "url": "https://git.kernel.org/stable/c/0085b250fcc79f900c82a69980ec2f3e1871823b" }, { "url": "https://git.kernel.org/stable/c/203e4f42596ede31498744018716a3db6dbb7f51" }, { "url": "https://git.kernel.org/stable/c/d860d1faa6b2ce3becfdb8b0c2b048ad31800061" } ], "title": "net: rose: convert \u0027use\u0027 field to refcount_t", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39826", "datePublished": "2025-09-16T13:00:24.618Z", "dateReserved": "2025-04-16T07:20:57.140Z", "dateUpdated": "2025-09-16T13:00:24.618Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50341 (GCVE-0-2022-50341)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:

cifs: fix oops during encryption

When running xfstests against Azure the following oops occurred on an
arm64 system

    Unable to handle kernel write to read-only memory at virtual address
    ffff0001221cf000
    Mem abort info:
      ESR = 0x9600004f
      EC = 0x25: DABT (current EL), IL = 32 bits
      SET = 0, FnV = 0
      EA = 0, S1PTW = 0
      FSC = 0x0f: level 3 permission fault
    Data abort info:
      ISV = 0, ISS = 0x0000004f
      CM = 0, WnR = 1
    swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000
    [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,
    pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787
    Internal error: Oops: 9600004f [#1] PREEMPT SMP
    ...
    pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)
    pc : __memcpy+0x40/0x230
    lr : scatterwalk_copychunks+0xe0/0x200
    sp : ffff800014e92de0
    x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008
    x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008
    x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000
    x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014
    x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058
    x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590
    x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580
    x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005
    x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001
    x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000
    Call trace:
      __memcpy+0x40/0x230
      scatterwalk_map_and_copy+0x98/0x100
      crypto_ccm_encrypt+0x150/0x180
      crypto_aead_encrypt+0x2c/0x40
      crypt_message+0x750/0x880
      smb3_init_transform_rq+0x298/0x340
      smb_send_rqst.part.11+0xd8/0x180
      smb_send_rqst+0x3c/0x100
      compound_send_recv+0x534/0xbc0
      smb2_query_info_compound+0x32c/0x440
      smb2_set_ea+0x438/0x4c0
      cifs_xattr_set+0x5d4/0x7c0

This is because in scatterwalk_copychunks(), we attempted to write to
a buffer (@sign) that was allocated in the stack (vmalloc area) by
crypt_message() and thus accessing its remaining 8 (x2) bytes ended up
crossing a page boundary.

To simply fix it, we could just pass @sign kmalloc'd from
crypt_message() and then we're done. Luckily, we don't seem to pass
any other vmalloc'd buffers in smb_rqst::rq_iov...

Instead, let's map the correct pages and offsets from vmalloc buffers
as well in cifs_sg_set_buf() and then avoiding such oopses.
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/cifs/cifsglob.h", "fs/cifs/cifsproto.h", "fs/cifs/misc.c", "fs/cifs/smb2ops.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e8e2861cc3258dbe407d01ea8c59bb5a53132301", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fe6ea044c4f05706cb71040055b1c70c6c8275e0", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "bf0543b93740916ee91956f9a63da6fc0d79daaa", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "a13e51760703f71c25d5fc1f4a62dfa4b0cc80e9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e8d16a54842d609fd4a3ed2d81d4333d6329aa94", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f7f291e14dde32a07b1f0aa06921d28f875a7b54", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/cifs/cifsglob.h", "fs/cifs/cifsproto.h", "fs/cifs/misc.c", "fs/cifs/smb2ops.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.87", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", 
"version": "6.1.1", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.87", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix oops during encryption\n\nWhen running xfstests against Azure the following oops occurred on an\narm64 system\n\n Unable to handle kernel write to read-only memory at virtual address\n ffff0001221cf000\n Mem abort info:\n ESR = 0x9600004f\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x0f: level 3 permission fault\n Data abort info:\n ISV = 0, ISS = 0x0000004f\n CM = 0, WnR = 1\n swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000\n [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,\n pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787\n Internal error: Oops: 9600004f [#1] PREEMPT SMP\n ...\n pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)\n pc : __memcpy+0x40/0x230\n lr : scatterwalk_copychunks+0xe0/0x200\n sp : ffff800014e92de0\n x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008\n x26: 
0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008\n x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000\n x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014\n x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058\n x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590\n x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580\n x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005\n x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001\n x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000\n Call trace:\n __memcpy+0x40/0x230\n scatterwalk_map_and_copy+0x98/0x100\n crypto_ccm_encrypt+0x150/0x180\n crypto_aead_encrypt+0x2c/0x40\n crypt_message+0x750/0x880\n smb3_init_transform_rq+0x298/0x340\n smb_send_rqst.part.11+0xd8/0x180\n smb_send_rqst+0x3c/0x100\n compound_send_recv+0x534/0xbc0\n smb2_query_info_compound+0x32c/0x440\n smb2_set_ea+0x438/0x4c0\n cifs_xattr_set+0x5d4/0x7c0\n\nThis is because in scatterwalk_copychunks(), we attempted to write to\na buffer (@sign) that was allocated in the stack (vmalloc area) by\ncrypt_message() and thus accessing its remaining 8 (x2) bytes ended up\ncrossing a page boundary.\n\nTo simply fix it, we could just pass @sign kmalloc\u0027d from\ncrypt_message() and then we\u0027re done. Luckily, we don\u0027t seem to pass\nany other vmalloc\u0027d buffers in smb_rqst::rq_iov...\n\nInstead, let\u0027s map the correct pages and offsets from vmalloc buffers\nas well in cifs_sg_set_buf() and then avoiding such oopses." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:32.923Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e8e2861cc3258dbe407d01ea8c59bb5a53132301" }, { "url": "https://git.kernel.org/stable/c/fe6ea044c4f05706cb71040055b1c70c6c8275e0" }, { "url": "https://git.kernel.org/stable/c/bf0543b93740916ee91956f9a63da6fc0d79daaa" }, { "url": "https://git.kernel.org/stable/c/a13e51760703f71c25d5fc1f4a62dfa4b0cc80e9" }, { "url": "https://git.kernel.org/stable/c/e8d16a54842d609fd4a3ed2d81d4333d6329aa94" }, { "url": "https://git.kernel.org/stable/c/f7f291e14dde32a07b1f0aa06921d28f875a7b54" } ], "title": "cifs: fix oops during encryption", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50341", "datePublished": "2025-09-16T16:11:20.838Z", "dateReserved": "2025-09-16T16:03:27.881Z", "dateUpdated": "2025-09-16T16:11:32.923Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39805 (GCVE-0-2025-39805)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: macb: fix unregister_netdev call order in macb_remove()

When removing a macb device, the driver calls phy_exit() before
unregister_netdev(). This leads to a WARN from kernfs:

    ------------[ cut here ]------------
    kernfs: can not remove 'attached_dev', no directory
    WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683
    Call trace:
      kernfs_remove_by_name_ns+0xd8/0xf0
      sysfs_remove_link+0x24/0x58
      phy_detach+0x5c/0x168
      phy_disconnect+0x4c/0x70
      phylink_disconnect_phy+0x6c/0xc0 [phylink]
      macb_close+0x6c/0x170 [macb]
      ...
      macb_remove+0x60/0x168 [macb]
      platform_remove+0x5c/0x80
      ...

The warning happens because the PHY is being exited while the netdev
is still registered. The correct order is to unregister the netdev
before shutting down the PHY and cleaning up the MDIO bus.

Fix this by moving unregister_netdev() ahead of phy_exit() in
macb_remove().
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/cadence/macb_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ff0d3bad32108b57265e5b48f15327549af771d3", "status": "affected", "version": "8b73fa3ae02b2401960de41b0454c0321377b203", "versionType": "git" }, { "lessThan": "775fe690fd4a3337ad2115de2adb41b227d4dae7", "status": "affected", "version": "8b73fa3ae02b2401960de41b0454c0321377b203", "versionType": "git" }, { "lessThan": "01b9128c5db1b470575d07b05b67ffa3cb02ebf1", "status": "affected", "version": "8b73fa3ae02b2401960de41b0454c0321377b203", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/cadence/macb_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "5.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], 
"descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: fix unregister_netdev call order in macb_remove()\n\nWhen removing a macb device, the driver calls phy_exit() before\nunregister_netdev(). This leads to a WARN from kernfs:\n\n ------------[ cut here ]------------\n kernfs: can not remove \u0027attached_dev\u0027, no directory\n WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683\n Call trace:\n kernfs_remove_by_name_ns+0xd8/0xf0\n sysfs_remove_link+0x24/0x58\n phy_detach+0x5c/0x168\n phy_disconnect+0x4c/0x70\n phylink_disconnect_phy+0x6c/0xc0 [phylink]\n macb_close+0x6c/0x170 [macb]\n ...\n macb_remove+0x60/0x168 [macb]\n platform_remove+0x5c/0x80\n ...\n\nThe warning happens because the PHY is being exited while the netdev\nis still registered. The correct order is to unregister the netdev\nbefore shutting down the PHY and cleaning up the MDIO bus.\n\nFix this by moving unregister_netdev() ahead of phy_exit() in\nmacb_remove()." } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:06.731Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ff0d3bad32108b57265e5b48f15327549af771d3" }, { "url": "https://git.kernel.org/stable/c/775fe690fd4a3337ad2115de2adb41b227d4dae7" }, { "url": "https://git.kernel.org/stable/c/01b9128c5db1b470575d07b05b67ffa3cb02ebf1" } ], "title": "net: macb: fix unregister_netdev call order in macb_remove()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39805", "datePublished": "2025-09-16T13:00:06.731Z", "dateReserved": "2025-04-16T07:20:57.136Z", "dateUpdated": "2025-09-16T13:00:06.731Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53318 (GCVE-0-2023-53318)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
recordmcount: Fix memory leaks in the uwrite function
Common realloc mistake: 'file_append' nulled but not freed upon failure
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "scripts/recordmcount.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "bd39f68a309a947670379bf9a39b16c584f86ddb", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "444ec005404cead222ebce2561a9451c9ee5ad89", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3ed95a6f6c646e8bb15c354536e0ab10e8f39c08", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2d9ca5f62f2ba160ff9c9be4adf401c46c04edef", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ff70ad9159fbb566b2c15724f44207e8deccd527", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "895130e63c93926f07caf5db286b97bd27b81de9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "25c9b185f121812cbc215fdaa1192c6b9025b428", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fa359d068574d29e7d2f0fdd0ebe4c6a12b5cfb9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "scripts/recordmcount.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.316", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.284", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", 
"version": "5.4.244", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.181", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.113", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.30", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.316", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.284", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.244", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.181", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.113", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrecordmcount: Fix memory leaks in the uwrite function\n\nCommon realloc mistake: \u0027file_append\u0027 nulled but not freed upon failure" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:54.677Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", 
"shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/bd39f68a309a947670379bf9a39b16c584f86ddb" }, { "url": "https://git.kernel.org/stable/c/444ec005404cead222ebce2561a9451c9ee5ad89" }, { "url": "https://git.kernel.org/stable/c/3ed95a6f6c646e8bb15c354536e0ab10e8f39c08" }, { "url": "https://git.kernel.org/stable/c/2d9ca5f62f2ba160ff9c9be4adf401c46c04edef" }, { "url": "https://git.kernel.org/stable/c/ff70ad9159fbb566b2c15724f44207e8deccd527" }, { "url": "https://git.kernel.org/stable/c/895130e63c93926f07caf5db286b97bd27b81de9" }, { "url": "https://git.kernel.org/stable/c/25c9b185f121812cbc215fdaa1192c6b9025b428" }, { "url": "https://git.kernel.org/stable/c/fa359d068574d29e7d2f0fdd0ebe4c6a12b5cfb9" } ], "title": "recordmcount: Fix memory leaks in the uwrite function", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53318", "datePublished": "2025-09-16T16:11:54.677Z", "dateReserved": "2025-09-16T16:08:59.563Z", "dateUpdated": "2025-09-16T16:11:54.677Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53323 (GCVE-0-2023-53323)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext2/dax: Fix ext2_setsize when len is page aligned
PAGE_ALIGN(x) macro gives the next highest value which is multiple of
pagesize. But if x is already page aligned then it simply returns x.
So, if x passed is 0 in dax_zero_range() function, that means the
length gets passed as 0 to ->iomap_begin().
In ext2 it then calls ext2_get_blocks -> max_blocks as 0 and hits bug_on
here in ext2_get_blocks().
BUG_ON(maxblocks == 0);
Instead we should be calling dax_truncate_page() here which takes
care of it. i.e. it only calls dax_zero_range if the offset is not
page/block aligned.
This can be easily triggered with following on fsdax mounted pmem
device.
dd if=/dev/zero of=file count=1 bs=512
truncate -s 0 file
[79.525838] EXT2-fs (pmem0): DAX enabled. Warning: EXPERIMENTAL, use at your own risk
[79.529376] ext2 filesystem being mounted at /mnt1/test supports timestamps until 2038 (0x7fffffff)
[93.793207] ------------[ cut here ]------------
[93.795102] kernel BUG at fs/ext2/inode.c:637!
[93.796904] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[93.798659] CPU: 0 PID: 1192 Comm: truncate Not tainted 6.3.0-rc2-xfstests-00056-g131086faa369 #139
[93.806459] RIP: 0010:ext2_get_blocks.constprop.0+0x524/0x610
<...>
[93.835298] Call Trace:
[93.836253] <TASK>
[93.837103] ? lock_acquire+0xf8/0x110
[93.838479] ? d_lookup+0x69/0xd0
[93.839779] ext2_iomap_begin+0xa7/0x1c0
[93.841154] iomap_iter+0xc7/0x150
[93.842425] dax_zero_range+0x6e/0xa0
[93.843813] ext2_setsize+0x176/0x1b0
[93.845164] ext2_setattr+0x151/0x200
[93.846467] notify_change+0x341/0x4e0
[93.847805] ? lock_acquire+0xf8/0x110
[93.849143] ? do_truncate+0x74/0xe0
[93.850452] ? do_truncate+0x84/0xe0
[93.851739] do_truncate+0x84/0xe0
[93.852974] do_sys_ftruncate+0x2b4/0x2f0
[93.854404] do_syscall_64+0x3f/0x90
[93.855789] entry_SYSCALL_64_after_hwframe+0x72/0xdc
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext2/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9e54fd14bd143c261e52fde74355e85e9526c58c", "status": "affected", "version": "2aa3048e03d38d5358be2553d4b638c1a018498c", "versionType": "git" }, { "lessThan": "5cee8bfb8cbd99c97aff85d2bf066b6a496e13ab", "status": "affected", "version": "2aa3048e03d38d5358be2553d4b638c1a018498c", "versionType": "git" }, { "lessThan": "fcced95b6ba2a507a83b8b3e0358a8ac16b13e35", "status": "affected", "version": "2aa3048e03d38d5358be2553d4b638c1a018498c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext2/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.15" }, { "lessThan": "5.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.40", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.40", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.5", "versionStartIncluding": "5.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "5.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following 
vulnerability has been resolved:\n\next2/dax: Fix ext2_setsize when len is page aligned\n\nPAGE_ALIGN(x) macro gives the next highest value which is multiple of\npagesize. But if x is already page aligned then it simply returns x.\nSo, if x passed is 0 in dax_zero_range() function, that means the\nlength gets passed as 0 to -\u003eiomap_begin().\n\nIn ext2 it then calls ext2_get_blocks -\u003e max_blocks as 0 and hits bug_on\nhere in ext2_get_blocks().\n\tBUG_ON(maxblocks == 0);\n\nInstead we should be calling dax_truncate_page() here which takes\ncare of it. i.e. it only calls dax_zero_range if the offset is not\npage/block aligned.\n\nThis can be easily triggered with following on fsdax mounted pmem\ndevice.\n\ndd if=/dev/zero of=file count=1 bs=512\ntruncate -s 0 file\n\n[79.525838] EXT2-fs (pmem0): DAX enabled. Warning: EXPERIMENTAL, use at your own risk\n[79.529376] ext2 filesystem being mounted at /mnt1/test supports timestamps until 2038 (0x7fffffff)\n[93.793207] ------------[ cut here ]------------\n[93.795102] kernel BUG at fs/ext2/inode.c:637!\n[93.796904] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[93.798659] CPU: 0 PID: 1192 Comm: truncate Not tainted 6.3.0-rc2-xfstests-00056-g131086faa369 #139\n[93.806459] RIP: 0010:ext2_get_blocks.constprop.0+0x524/0x610\n\u003c...\u003e\n[93.835298] Call Trace:\n[93.836253] \u003cTASK\u003e\n[93.837103] ? lock_acquire+0xf8/0x110\n[93.838479] ? d_lookup+0x69/0xd0\n[93.839779] ext2_iomap_begin+0xa7/0x1c0\n[93.841154] iomap_iter+0xc7/0x150\n[93.842425] dax_zero_range+0x6e/0xa0\n[93.843813] ext2_setsize+0x176/0x1b0\n[93.845164] ext2_setattr+0x151/0x200\n[93.846467] notify_change+0x341/0x4e0\n[93.847805] ? lock_acquire+0xf8/0x110\n[93.849143] ? do_truncate+0x74/0xe0\n[93.850452] ? 
do_truncate+0x84/0xe0\n[93.851739] do_truncate+0x84/0xe0\n[93.852974] do_sys_ftruncate+0x2b4/0x2f0\n[93.854404] do_syscall_64+0x3f/0x90\n[93.855789] entry_SYSCALL_64_after_hwframe+0x72/0xdc" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:58.877Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9e54fd14bd143c261e52fde74355e85e9526c58c" }, { "url": "https://git.kernel.org/stable/c/5cee8bfb8cbd99c97aff85d2bf066b6a496e13ab" }, { "url": "https://git.kernel.org/stable/c/fcced95b6ba2a507a83b8b3e0358a8ac16b13e35" } ], "title": "ext2/dax: Fix ext2_setsize when len is page aligned", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53323", "datePublished": "2025-09-16T16:11:58.877Z", "dateReserved": "2025-09-16T16:08:59.563Z", "dateUpdated": "2025-09-16T16:11:58.877Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39816 (GCVE-0-2025-39816)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths
Since the buffers are mapped from userspace, it is prudent to use
READ_ONCE() to read the value into a local variable, and use that for
any other actions taken. Having a stable read of the buffer length
avoids worrying about it changing after checking, or being read multiple
times.
Similarly, the buffer may well change in between it being picked and
being committed. Ensure the looping for incremental ring buffer commit
stops if it hits a zero sized buffer, as no further progress can be made
at that point.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "io_uring/kbuf.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "390a61d284e1ced088d43928dfcf6f86fffdd780", "status": "affected", "version": "ae98dbf43d755b4e111fcd086e53939bef3e9a1a", "versionType": "git" }, { "lessThan": "98b6fa62c84f2e129161e976a5b9b3cb4ccd117b", "status": "affected", "version": "ae98dbf43d755b4e111fcd086e53939bef3e9a1a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "io_uring/kbuf.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.12" }, { "lessThan": "6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths\n\nSince the buffers are mapped from userspace, it is prudent to use\nREAD_ONCE() to read the value into a local variable, and use that for\nany other actions taken. 
Having a stable read of the buffer length\navoids worrying about it changing after checking, or being read multiple\ntimes.\n\nSimilarly, the buffer may well change in between it being picked and\nbeing committed. Ensure the looping for incremental ring buffer commit\nstops if it hits a zero sized buffer, as no further progress can be made\nat that point." } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:17.026Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/390a61d284e1ced088d43928dfcf6f86fffdd780" }, { "url": "https://git.kernel.org/stable/c/98b6fa62c84f2e129161e976a5b9b3cb4ccd117b" } ], "title": "io_uring/kbuf: always use READ_ONCE() to read ring provided buffer lengths", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39816", "datePublished": "2025-09-16T13:00:17.026Z", "dateReserved": "2025-04-16T07:20:57.138Z", "dateUpdated": "2025-09-16T13:00:17.026Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39822 (GCVE-0-2025-39822)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/kbuf: fix signedness in this_len calculation
When importing and using buffers, buf->len is considered unsigned.
However, buf->len is converted to signed int when committing. This can
lead to unexpected behavior if the buffer is large enough to be
interpreted as a negative value. Make min_t calculation unsigned.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "io_uring/kbuf.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f4f411c068402c370c4f9a9d4950a97af97bbbb1", "status": "affected", "version": "ae98dbf43d755b4e111fcd086e53939bef3e9a1a", "versionType": "git" }, { "lessThan": "c64eff368ac676e8540344d27a3de47e0ad90d21", "status": "affected", "version": "ae98dbf43d755b4e111fcd086e53939bef3e9a1a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "io_uring/kbuf.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.12" }, { "lessThan": "6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: fix signedness in this_len calculation\n\nWhen importing and using buffers, buf-\u003elen is considered unsigned.\nHowever, buf-\u003elen is converted to signed int when committing. This can\nlead to unexpected behavior if the buffer is large enough to be\ninterpreted as a negative value. Make min_t calculation unsigned." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:21.533Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f4f411c068402c370c4f9a9d4950a97af97bbbb1" }, { "url": "https://git.kernel.org/stable/c/c64eff368ac676e8540344d27a3de47e0ad90d21" } ], "title": "io_uring/kbuf: fix signedness in this_len calculation", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39822", "datePublished": "2025-09-16T13:00:21.533Z", "dateReserved": "2025-04-16T07:20:57.139Z", "dateUpdated": "2025-09-16T13:00:21.533Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39831 (GCVE-0-2025-39831)
Vulnerability from cvelistv5
Published
2025-09-16 13:08
Modified
2025-09-16 13:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbnic: Move phylink resume out of service_task and into open/close
The fbnic driver was presenting with the following locking assert coming
out of a PM resume:
[ 42.208116][ T164] RTNL: assertion failed at drivers/net/phy/phylink.c (2611)
[ 42.208492][ T164] WARNING: CPU: 1 PID: 164 at drivers/net/phy/phylink.c:2611 phylink_resume+0x190/0x1e0
[ 42.208872][ T164] Modules linked in:
[ 42.209140][ T164] CPU: 1 UID: 0 PID: 164 Comm: bash Not tainted 6.17.0-rc2-virtme #134 PREEMPT(full)
[ 42.209496][ T164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014
[ 42.209861][ T164] RIP: 0010:phylink_resume+0x190/0x1e0
[ 42.210057][ T164] Code: 83 e5 01 0f 85 b0 fe ff ff c6 05 1c cd 3e 02 01 90 ba 33 0a 00 00 48 c7 c6 20 3a 1d a5 48 c7 c7 e0 3e 1d a5 e8 21 b8 90 fe 90 <0f> 0b 90 90 e9 86 fe ff ff e8 42 ea 1f ff e9 e2 fe ff ff 48 89 ef
[ 42.210708][ T164] RSP: 0018:ffffc90000affbd8 EFLAGS: 00010296
[ 42.210983][ T164] RAX: 0000000000000000 RBX: ffff8880078d8400 RCX: 0000000000000000
[ 42.211235][ T164] RDX: 0000000000000000 RSI: 1ffffffff4f10938 RDI: 0000000000000001
[ 42.211466][ T164] RBP: 0000000000000000 R08: ffffffffa2ae79ea R09: fffffbfff4b3eb84
[ 42.211707][ T164] R10: 0000000000000003 R11: 0000000000000000 R12: ffff888007ad8000
[ 42.211997][ T164] R13: 0000000000000002 R14: ffff888006a18800 R15: ffffffffa34c59e0
[ 42.212234][ T164] FS: 00007f0dc8e39740(0000) GS:ffff88808f51f000(0000) knlGS:0000000000000000
[ 42.212505][ T164] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 42.212704][ T164] CR2: 00007f0dc8e9fe10 CR3: 000000000b56d003 CR4: 0000000000772ef0
[ 42.213227][ T164] PKRU: 55555554
[ 42.213366][ T164] Call Trace:
[ 42.213483][ T164] <TASK>
[ 42.213565][ T164] __fbnic_pm_attach.isra.0+0x8e/0xa0
[ 42.213725][ T164] pci_reset_function+0x116/0x1d0
[ 42.213895][ T164] reset_store+0xa0/0x100
[ 42.214025][ T164] ? pci_dev_reset_attr_is_visible+0x50/0x50
[ 42.214221][ T164] ? sysfs_file_kobj+0xc1/0x1e0
[ 42.214374][ T164] ? sysfs_kf_write+0x65/0x160
[ 42.214526][ T164] kernfs_fop_write_iter+0x2f8/0x4c0
[ 42.214677][ T164] ? kernfs_vma_page_mkwrite+0x1f0/0x1f0
[ 42.214836][ T164] new_sync_write+0x308/0x6f0
[ 42.214987][ T164] ? __lock_acquire+0x34c/0x740
[ 42.215135][ T164] ? new_sync_read+0x6f0/0x6f0
[ 42.215288][ T164] ? lock_acquire.part.0+0xbc/0x260
[ 42.215440][ T164] ? ksys_write+0xff/0x200
[ 42.215590][ T164] ? perf_trace_sched_switch+0x6d0/0x6d0
[ 42.215742][ T164] vfs_write+0x65e/0xbb0
[ 42.215876][ T164] ksys_write+0xff/0x200
[ 42.215994][ T164] ? __ia32_sys_read+0xc0/0xc0
[ 42.216141][ T164] ? do_user_addr_fault+0x269/0x9f0
[ 42.216292][ T164] ? rcu_is_watching+0x15/0xd0
[ 42.216442][ T164] do_syscall_64+0xbb/0x360
[ 42.216591][ T164] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 42.216784][ T164] RIP: 0033:0x7f0dc8ea9986
A bit of digging showed that we were invoking the phylink_resume as a part
of the fbnic_up path when we were enabling the service task while not
holding the RTNL lock. We should be enabling this sooner as a part of the
ndo_open path and then just letting the service task come online later.
This will help to enforce the correct locking and brings the phylink
interface online at the same time as the network interface, instead of at a
later time.
I tested this on QEMU to verify this was working by putting the system to
sleep using "echo mem > /sys/power/state" to put the system to sleep in the
guest and then using the command "system_wakeup" in the QEMU monitor.
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/meta/fbnic/fbnic_netdev.c", "drivers/net/ethernet/meta/fbnic/fbnic_pci.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7aab65c62a8a8b48c02e600fe9367b2af662fcb6", "status": "affected", "version": "69684376eed517817251ea6a768cfc315350d5c1", "versionType": "git" }, { "lessThan": "3ac5f54e47eb348a4bc26e600c63b4d778a22e23", "status": "affected", "version": "69684376eed517817251ea6a768cfc315350d5c1", "versionType": "git" }, { "lessThan": "6ede14a2c6365e7e5d855643c7c8390b5268c467", "status": "affected", "version": "69684376eed517817251ea6a768cfc315350d5c1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/meta/fbnic/fbnic_netdev.c", "drivers/net/ethernet/meta/fbnic/fbnic_pci.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", 
"versionStartIncluding": "6.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbnic: Move phylink resume out of service_task and into open/close\n\nThe fbnic driver was presenting with the following locking assert coming\nout of a PM resume:\n[ 42.208116][ T164] RTNL: assertion failed at drivers/net/phy/phylink.c (2611)\n[ 42.208492][ T164] WARNING: CPU: 1 PID: 164 at drivers/net/phy/phylink.c:2611 phylink_resume+0x190/0x1e0\n[ 42.208872][ T164] Modules linked in:\n[ 42.209140][ T164] CPU: 1 UID: 0 PID: 164 Comm: bash Not tainted 6.17.0-rc2-virtme #134 PREEMPT(full)\n[ 42.209496][ T164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-5.fc42 04/01/2014\n[ 42.209861][ T164] RIP: 0010:phylink_resume+0x190/0x1e0\n[ 42.210057][ T164] Code: 83 e5 01 0f 85 b0 fe ff ff c6 05 1c cd 3e 02 01 90 ba 33 0a 00 00 48 c7 c6 20 3a 1d a5 48 c7 c7 e0 3e 1d a5 e8 21 b8 90 fe 90 \u003c0f\u003e 0b 90 90 e9 86 fe ff ff e8 42 ea 1f ff e9 e2 fe ff ff 48 89 ef\n[ 42.210708][ T164] RSP: 0018:ffffc90000affbd8 EFLAGS: 00010296\n[ 42.210983][ T164] RAX: 0000000000000000 RBX: ffff8880078d8400 RCX: 0000000000000000\n[ 42.211235][ T164] RDX: 0000000000000000 RSI: 1ffffffff4f10938 RDI: 0000000000000001\n[ 42.211466][ T164] RBP: 0000000000000000 R08: ffffffffa2ae79ea R09: fffffbfff4b3eb84\n[ 42.211707][ T164] R10: 0000000000000003 R11: 0000000000000000 R12: ffff888007ad8000\n[ 42.211997][ T164] R13: 0000000000000002 R14: ffff888006a18800 R15: ffffffffa34c59e0\n[ 42.212234][ T164] FS: 00007f0dc8e39740(0000) GS:ffff88808f51f000(0000) knlGS:0000000000000000\n[ 42.212505][ T164] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 42.212704][ T164] CR2: 00007f0dc8e9fe10 CR3: 000000000b56d003 CR4: 0000000000772ef0\n[ 42.213227][ T164] PKRU: 55555554\n[ 42.213366][ T164] Call Trace:\n[ 42.213483][ T164] \u003cTASK\u003e\n[ 42.213565][ T164] 
__fbnic_pm_attach.isra.0+0x8e/0xa0\n[ 42.213725][ T164] pci_reset_function+0x116/0x1d0\n[ 42.213895][ T164] reset_store+0xa0/0x100\n[ 42.214025][ T164] ? pci_dev_reset_attr_is_visible+0x50/0x50\n[ 42.214221][ T164] ? sysfs_file_kobj+0xc1/0x1e0\n[ 42.214374][ T164] ? sysfs_kf_write+0x65/0x160\n[ 42.214526][ T164] kernfs_fop_write_iter+0x2f8/0x4c0\n[ 42.214677][ T164] ? kernfs_vma_page_mkwrite+0x1f0/0x1f0\n[ 42.214836][ T164] new_sync_write+0x308/0x6f0\n[ 42.214987][ T164] ? __lock_acquire+0x34c/0x740\n[ 42.215135][ T164] ? new_sync_read+0x6f0/0x6f0\n[ 42.215288][ T164] ? lock_acquire.part.0+0xbc/0x260\n[ 42.215440][ T164] ? ksys_write+0xff/0x200\n[ 42.215590][ T164] ? perf_trace_sched_switch+0x6d0/0x6d0\n[ 42.215742][ T164] vfs_write+0x65e/0xbb0\n[ 42.215876][ T164] ksys_write+0xff/0x200\n[ 42.215994][ T164] ? __ia32_sys_read+0xc0/0xc0\n[ 42.216141][ T164] ? do_user_addr_fault+0x269/0x9f0\n[ 42.216292][ T164] ? rcu_is_watching+0x15/0xd0\n[ 42.216442][ T164] do_syscall_64+0xbb/0x360\n[ 42.216591][ T164] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n[ 42.216784][ T164] RIP: 0033:0x7f0dc8ea9986\n\nA bit of digging showed that we were invoking the phylink_resume as a part\nof the fbnic_up path when we were enabling the service task while not\nholding the RTNL lock. We should be enabling this sooner as a part of the\nndo_open path and then just letting the service task come online later.\nThis will help to enforce the correct locking and brings the phylink\ninterface online at the same time as the network interface, instead of at a\nlater time.\n\nI tested this on QEMU to verify this was working by putting the system to\nsleep using \"echo mem \u003e /sys/power/state\" to put the system to sleep in the\nguest and then using the command \"system_wakeup\" in the QEMU monitor." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T13:08:48.841Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7aab65c62a8a8b48c02e600fe9367b2af662fcb6" }, { "url": "https://git.kernel.org/stable/c/3ac5f54e47eb348a4bc26e600c63b4d778a22e23" }, { "url": "https://git.kernel.org/stable/c/6ede14a2c6365e7e5d855643c7c8390b5268c467" } ], "title": "fbnic: Move phylink resume out of service_task and into open/close", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39831", "datePublished": "2025-09-16T13:08:48.841Z", "dateReserved": "2025-04-16T07:20:57.140Z", "dateUpdated": "2025-09-16T13:08:48.841Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53330 (GCVE-0-2023-53330)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-16 16:12
Summary
In the Linux kernel, the following vulnerability has been resolved:
caif: fix memory leak in cfctrl_linkup_request()
When linktype is unknown or kzalloc failed in cfctrl_linkup_request(),
pkt is not released. Add release process to error path.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | b482cd2053e3b90a7b33a78c63cdb6badf2ec383
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/caif/cfctrl.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "badea57569db04b010e922e29a7aaf40a979a70b", "status": "affected", "version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383", "versionType": "git" }, { "lessThan": "3acf3783a84cbdf0c9f8cf2f32ee9c49af93a2da", "status": "affected", "version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383", "versionType": "git" }, { "lessThan": "33df9c5d5e2a18c70f5f5f3c2757d654c1b6ffa3", "status": "affected", "version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383", "versionType": "git" }, { "lessThan": "84b2cc7b36b7f6957d307fb3d01603f93cb2d655", "status": "affected", "version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383", "versionType": "git" }, { "lessThan": "dc1bc903970bdf63ca40ab923d3ccb765da9a8d9", "status": "affected", "version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383", "versionType": "git" }, { "lessThan": "1dddeceb26002cfea4c375e92ac6498768dc7349", "status": "affected", "version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383", "versionType": "git" }, { "lessThan": "3ad47c8aa5648226184415e4a0cb1bf67ffbfd48", "status": "affected", "version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383", "versionType": "git" }, { "lessThan": "fe69230f05897b3de758427b574fc98025dfc907", "status": "affected", "version": "b482cd2053e3b90a7b33a78c63cdb6badf2ec383", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/caif/cfctrl.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.35" }, { "lessThan": "2.6.35", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.303", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", 
"status": "unaffected", "version": "4.19.270", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.87", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.19", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.303", "versionStartIncluding": "2.6.35", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.270", "versionStartIncluding": "2.6.35", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "versionStartIncluding": "2.6.35", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "2.6.35", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.87", "versionStartIncluding": "2.6.35", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.19", "versionStartIncluding": "2.6.35", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.5", "versionStartIncluding": "2.6.35", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "2.6.35", "vulnerable": true } ], "negate": false, 
"operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncaif: fix memory leak in cfctrl_linkup_request()\n\nWhen linktype is unknown or kzalloc failed in cfctrl_linkup_request(),\npkt is not released. Add release process to error path." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:12:06.005Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/badea57569db04b010e922e29a7aaf40a979a70b" }, { "url": "https://git.kernel.org/stable/c/3acf3783a84cbdf0c9f8cf2f32ee9c49af93a2da" }, { "url": "https://git.kernel.org/stable/c/33df9c5d5e2a18c70f5f5f3c2757d654c1b6ffa3" }, { "url": "https://git.kernel.org/stable/c/84b2cc7b36b7f6957d307fb3d01603f93cb2d655" }, { "url": "https://git.kernel.org/stable/c/dc1bc903970bdf63ca40ab923d3ccb765da9a8d9" }, { "url": "https://git.kernel.org/stable/c/1dddeceb26002cfea4c375e92ac6498768dc7349" }, { "url": "https://git.kernel.org/stable/c/3ad47c8aa5648226184415e4a0cb1bf67ffbfd48" }, { "url": "https://git.kernel.org/stable/c/fe69230f05897b3de758427b574fc98025dfc907" } ], "title": "caif: fix memory leak in cfctrl_linkup_request()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53330", "datePublished": "2025-09-16T16:12:06.005Z", "dateReserved": "2025-09-16T16:08:59.564Z", "dateUpdated": "2025-09-16T16:12:06.005Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53326 (GCVE-0-2023-53326)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-16 16:12
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc: Don't try to copy PPR for task with NULL pt_regs
powerpc sets up PF_KTHREAD and PF_IO_WORKER with a NULL pt_regs, which
from my (arguably very short) checking is not commonly done for other
archs. This is fine, except when PF_IO_WORKER's have been created and
the task does something that causes a coredump to be generated. Then we
get this crash:
Kernel attempted to read user page (160) - exploit attempt? (uid: 1000)
BUG: Kernel NULL pointer dereference on read at 0x00000160
Faulting instruction address: 0xc0000000000c3a60
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=32 NUMA pSeries
Modules linked in: bochs drm_vram_helper drm_kms_helper xts binfmt_misc ecb ctr syscopyarea sysfillrect cbc sysimgblt drm_ttm_helper aes_generic ttm sg libaes evdev joydev virtio_balloon vmx_crypto gf128mul drm dm_mod fuse loop configfs drm_panel_orientation_quirks ip_tables x_tables autofs4 hid_generic usbhid hid xhci_pci xhci_hcd usbcore usb_common sd_mod
CPU: 1 PID: 1982 Comm: ppc-crash Not tainted 6.3.0-rc2+ #88
Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries
NIP: c0000000000c3a60 LR: c000000000039944 CTR: c0000000000398e0
REGS: c0000000041833b0 TRAP: 0300 Not tainted (6.3.0-rc2+)
MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 88082828 XER: 200400f8
...
NIP memcpy_power7+0x200/0x7d0
LR ppr_get+0x64/0xb0
Call Trace:
ppr_get+0x40/0xb0 (unreliable)
__regset_get+0x180/0x1f0
regset_get_alloc+0x64/0x90
elf_core_dump+0xb98/0x1b60
do_coredump+0x1c34/0x24a0
get_signal+0x71c/0x1410
do_notify_resume+0x140/0x6f0
interrupt_exit_user_prepare_main+0x29c/0x320
interrupt_exit_user_prepare+0x6c/0xa0
interrupt_return_srr_user+0x8/0x138
Because ppr_get() is trying to copy from a PF_IO_WORKER with a NULL
pt_regs.
Check for a valid pt_regs in both ppc_get/ppr_set, and return an error
if not set. The actual error value doesn't seem to be important here, so
just pick -EINVAL.
[mpe: Trim oops in change log, add Fixes & Cc stable]
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | fa439810cc1b3c927ec24ede17d02467e1b143a1
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/powerpc/kernel/ptrace/ptrace-view.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "80a4200d51e5a7e046f4a90f5faa5bafd5a60c58", "status": "affected", "version": "fa439810cc1b3c927ec24ede17d02467e1b143a1", "versionType": "git" }, { "lessThan": "7624973bc15b76d000e8e6f9b8080fcb76d36595", "status": "affected", "version": "fa439810cc1b3c927ec24ede17d02467e1b143a1", "versionType": "git" }, { "lessThan": "064a1c7b0f8403260d77627e62424a72ca26cee2", "status": "affected", "version": "fa439810cc1b3c927ec24ede17d02467e1b143a1", "versionType": "git" }, { "lessThan": "01849382373b867ddcbe7536b9dfa89f3bcea60e", "status": "affected", "version": "fa439810cc1b3c927ec24ede17d02467e1b143a1", "versionType": "git" }, { "lessThan": "fd7276189450110ed835eb0a334e62d2f1c4e3be", "status": "affected", "version": "fa439810cc1b3c927ec24ede17d02467e1b143a1", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/powerpc/kernel/ptrace/ptrace-view.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.8" }, { "lessThan": "4.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.177", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.106", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.23", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.10", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { 
"cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.177", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.106", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.23", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.10", "versionStartIncluding": "4.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "4.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc: Don\u0027t try to copy PPR for task with NULL pt_regs\n\npowerpc sets up PF_KTHREAD and PF_IO_WORKER with a NULL pt_regs, which\nfrom my (arguably very short) checking is not commonly done for other\narchs. This is fine, except when PF_IO_WORKER\u0027s have been created and\nthe task does something that causes a coredump to be generated. Then we\nget this crash:\n\n Kernel attempted to read user page (160) - exploit attempt? 
(uid: 1000)\n BUG: Kernel NULL pointer dereference on read at 0x00000160\n Faulting instruction address: 0xc0000000000c3a60\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=32 NUMA pSeries\n Modules linked in: bochs drm_vram_helper drm_kms_helper xts binfmt_misc ecb ctr syscopyarea sysfillrect cbc sysimgblt drm_ttm_helper aes_generic ttm sg libaes evdev joydev virtio_balloon vmx_crypto gf128mul drm dm_mod fuse loop configfs drm_panel_orientation_quirks ip_tables x_tables autofs4 hid_generic usbhid hid xhci_pci xhci_hcd usbcore usb_common sd_mod\n CPU: 1 PID: 1982 Comm: ppc-crash Not tainted 6.3.0-rc2+ #88\n Hardware name: IBM pSeries (emulated by qemu) POWER9 (raw) 0x4e1202 0xf000005 of:SLOF,HEAD hv:linux,kvm pSeries\n NIP: c0000000000c3a60 LR: c000000000039944 CTR: c0000000000398e0\n REGS: c0000000041833b0 TRAP: 0300 Not tainted (6.3.0-rc2+)\n MSR: 800000000280b033 \u003cSF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE\u003e CR: 88082828 XER: 200400f8\n ...\n NIP memcpy_power7+0x200/0x7d0\n LR ppr_get+0x64/0xb0\n Call Trace:\n ppr_get+0x40/0xb0 (unreliable)\n __regset_get+0x180/0x1f0\n regset_get_alloc+0x64/0x90\n elf_core_dump+0xb98/0x1b60\n do_coredump+0x1c34/0x24a0\n get_signal+0x71c/0x1410\n do_notify_resume+0x140/0x6f0\n interrupt_exit_user_prepare_main+0x29c/0x320\n interrupt_exit_user_prepare+0x6c/0xa0\n interrupt_return_srr_user+0x8/0x138\n\nBecause ppr_get() is trying to copy from a PF_IO_WORKER with a NULL\npt_regs.\n\nCheck for a valid pt_regs in both ppc_get/ppr_set, and return an error\nif not set. 
The actual error value doesn\u0027t seem to be important here, so\njust pick -EINVAL.\n\n[mpe: Trim oops in change log, add Fixes \u0026 Cc stable]" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:12:01.464Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/80a4200d51e5a7e046f4a90f5faa5bafd5a60c58" }, { "url": "https://git.kernel.org/stable/c/7624973bc15b76d000e8e6f9b8080fcb76d36595" }, { "url": "https://git.kernel.org/stable/c/064a1c7b0f8403260d77627e62424a72ca26cee2" }, { "url": "https://git.kernel.org/stable/c/01849382373b867ddcbe7536b9dfa89f3bcea60e" }, { "url": "https://git.kernel.org/stable/c/fd7276189450110ed835eb0a334e62d2f1c4e3be" } ], "title": "powerpc: Don\u0027t try to copy PPR for task with NULL pt_regs", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53326", "datePublished": "2025-09-16T16:12:01.464Z", "dateReserved": "2025-09-16T16:08:59.564Z", "dateUpdated": "2025-09-16T16:12:01.464Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53333 (GCVE-0-2023-53333)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-16 16:12
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one
Eric Dumazet says:
nf_conntrack_dccp_packet() has a unique:
dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
And nothing more is 'pulled' from the packet, depending on the content.
dh->dccph_doff, and/or dh->dccph_x ...)
So dccp_ack_seq() is happily reading stuff past the _dh buffer.
BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0
Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371
[..]
Fix this by increasing the stack buffer to also include room for
the extra sequence numbers and all the known dccp packet type headers,
then pull again after the initial validation of the basic header.
While at it, mark packets invalid that lack 48bit sequence bit but
where RFC says the type MUST use them.
Compile tested only.
v2: first skb_header_pointer() now needs to adjust the size to
only pull the generic header. (Eric)
Heads-up: I intend to remove dccp conntrack support later this year.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 2bc780499aa33311ec0f3e42624dfaa7be0ade5e
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/netfilter/nf_conntrack_proto_dccp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "337fdce450637ea663bc816edc2ba81e5cdad02e", "status": "affected", "version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e", "versionType": "git" }, { "lessThan": "9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8", "status": "affected", "version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e", "versionType": "git" }, { "lessThan": "c052797ac36813419ad3bfa54cb8615db4b41f15", "status": "affected", "version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e", "versionType": "git" }, { "lessThan": "5c618daa5038712c4a4ef8923905a2ea1b8836a1", "status": "affected", "version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e", "versionType": "git" }, { "lessThan": "26bd1f210d3783a691052c51d76bb8a8bbd24c67", "status": "affected", "version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e", "versionType": "git" }, { "lessThan": "8c0980493beed3a80d6329c44ab293dc8c032927", "status": "affected", "version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e", "versionType": "git" }, { "lessThan": "ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30", "status": "affected", "version": "2bc780499aa33311ec0f3e42624dfaa7be0ade5e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/netfilter/nf_conntrack_proto_dccp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.26" }, { "lessThan": "2.6.26", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.251", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.188", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": 
"unaffected", "version": "5.15.121", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.39", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.13", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.251", "versionStartIncluding": "2.6.26", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.188", "versionStartIncluding": "2.6.26", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.121", "versionStartIncluding": "2.6.26", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.39", "versionStartIncluding": "2.6.26", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.13", "versionStartIncluding": "2.6.26", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.4", "versionStartIncluding": "2.6.26", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "2.6.26", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one\n\nEric Dumazet says:\n nf_conntrack_dccp_packet() has an unique:\n\n dh = skb_header_pointer(skb, dataoff, sizeof(_dh), \u0026_dh);\n\n And nothing more 
is \u0027pulled\u0027 from the packet, depending on the content.\n dh-\u003edccph_doff, and/or dh-\u003edccph_x ...)\n So dccp_ack_seq() is happily reading stuff past the _dh buffer.\n\nBUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0\nRead of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371\n[..]\n\nFix this by increasing the stack buffer to also include room for\nthe extra sequence numbers and all the known dccp packet type headers,\nthen pull again after the initial validation of the basic header.\n\nWhile at it, mark packets invalid that lack 48bit sequence bit but\nwhere RFC says the type MUST use them.\n\nCompile tested only.\n\nv2: first skb_header_pointer() now needs to adjust the size to\n only pull the generic header. (Eric)\n\nHeads-up: I intend to remove dccp conntrack support later this year." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:12:08.427Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/337fdce450637ea663bc816edc2ba81e5cdad02e" }, { "url": "https://git.kernel.org/stable/c/9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8" }, { "url": "https://git.kernel.org/stable/c/c052797ac36813419ad3bfa54cb8615db4b41f15" }, { "url": "https://git.kernel.org/stable/c/5c618daa5038712c4a4ef8923905a2ea1b8836a1" }, { "url": "https://git.kernel.org/stable/c/26bd1f210d3783a691052c51d76bb8a8bbd24c67" }, { "url": "https://git.kernel.org/stable/c/8c0980493beed3a80d6329c44ab293dc8c032927" }, { "url": "https://git.kernel.org/stable/c/ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30" } ], "title": "netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53333", "datePublished": "2025-09-16T16:12:08.427Z", "dateReserved": "2025-09-16T16:08:59.564Z", 
"dateUpdated": "2025-09-16T16:12:08.427Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39814 (GCVE-0-2025-39814)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset
Issuing a reset when the driver is loaded without RDMA support will
result in a crash as it attempts to remove RDMA's non-existent auxbus
device:
echo 1 > /sys/class/net/<if>/device/reset
BUG: kernel NULL pointer dereference, address: 0000000000000008
...
RIP: 0010:ice_unplug_aux_dev+0x29/0x70 [ice]
...
Call Trace:
<TASK>
ice_prepare_for_reset+0x77/0x260 [ice]
pci_dev_save_and_disable+0x2c/0x70
pci_reset_function+0x88/0x130
reset_store+0x5a/0xa0
kernfs_fop_write_iter+0x15e/0x210
vfs_write+0x273/0x520
ksys_write+0x6b/0xe0
do_syscall_64+0x79/0x3b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
ice_unplug_aux_dev() checks pf->cdev_info->adev for NULL pointer, but
pf->cdev_info will also be NULL, leading to the deref in the trace above.
Introduce a flag to be set when the creation of the auxbus device is
successful, to avoid multiple NULL pointer checks in ice_unplug_aux_dev().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/intel/ice/ice.h", "drivers/net/ethernet/intel/ice/ice_idc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "db783756a7d7cfaea039411971d0dc0a374e85cb", "status": "affected", "version": "c24a65b6a27c78d8540409800886b6622ea86ebf", "versionType": "git" }, { "lessThan": "60dfe2434eed13082f26eb7409665dfafb38fa51", "status": "affected", "version": "c24a65b6a27c78d8540409800886b6622ea86ebf", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/intel/ice/ice.h", "drivers/net/ethernet/intel/ice/ice_idc.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.16" }, { "lessThan": "6.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset\n\nIssuing a reset when the driver is loaded without RDMA support, will\nresults in a crash as it attempts to remove RDMA\u0027s non-existent auxbus\ndevice:\necho 1 
\u003e /sys/class/net/\u003cif\u003e/device/reset\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\n...\nRIP: 0010:ice_unplug_aux_dev+0x29/0x70 [ice]\n...\nCall Trace:\n\u003cTASK\u003e\nice_prepare_for_reset+0x77/0x260 [ice]\npci_dev_save_and_disable+0x2c/0x70\npci_reset_function+0x88/0x130\nreset_store+0x5a/0xa0\nkernfs_fop_write_iter+0x15e/0x210\nvfs_write+0x273/0x520\nksys_write+0x6b/0xe0\ndo_syscall_64+0x79/0x3b0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nice_unplug_aux_dev() checks pf-\u003ecdev_info-\u003eadev for NULL pointer, but\npf-\u003ecdev_info will also be NULL, leading to the deref in the trace above.\n\nIntroduce a flag to be set when the creation of the auxbus device is\nsuccessful, to avoid multiple NULL pointer checks in ice_unplug_aux_dev()." } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:15.552Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/db783756a7d7cfaea039411971d0dc0a374e85cb" }, { "url": "https://git.kernel.org/stable/c/60dfe2434eed13082f26eb7409665dfafb38fa51" } ], "title": "ice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39814", "datePublished": "2025-09-16T13:00:15.552Z", "dateReserved": "2025-04-16T07:20:57.138Z", "dateUpdated": "2025-09-16T13:00:15.552Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39808 (GCVE-0-2025-39808)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()
In ntrig_report_version(), the hdev parameter is passed from hid_probe().
Sending a descriptor to /dev/uhid can make hdev->dev.parent->parent NULL.
If hdev->dev.parent->parent is NULL, usb_dev has the
invalid address (0xffffffffffffff58) that hid_to_usb_dev(hdev) returned.
When usb_rcvctrlpipe() uses usb_dev, it triggers a
page fault error for address (0xffffffffffffff58).
Add NULL check logic to ntrig_report_version()
before calling hid_to_usb_dev().
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/hid-ntrig.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "22ddb5eca4af5e69dffe2b54551d2487424448f1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "019c34ca11372de891c06644846eb41fca7c890c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4338b0f6544c3ff042bfbaf40bc9afe531fb08c7", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "6070123d5344d0950f10ef6a5fdc3f076abb7ad2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e422370e6ab28478872b914cee5d49a9bdfae0c6", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "98520a9a3d69a530dd1ee280cbe0abc232a35bff", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "183def8e4d786e50165e5d992df6a3083e45e16c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "185c926283da67a72df20a63a5046b3b4631b7d9", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/hid-ntrig.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.298", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.242", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", 
"version": "5.15.191", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.298", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.242", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.191", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()\n\nin ntrig_report_version(), hdev parameter passed from hid_probe().\nsending descriptor to /dev/uhid can make hdev-\u003edev.parent-\u003eparent to null\nif 
hdev-\u003edev.parent-\u003eparent is null, usb_dev has\ninvalid address(0xffffffffffffff58) that hid_to_usb_dev(hdev) returned\nwhen usb_rcvctrlpipe() use usb_dev,it trigger\npage fault error for address(0xffffffffffffff58)\n\nadd null check logic to ntrig_report_version()\nbefore calling hid_to_usb_dev()" } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:11.242Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/22ddb5eca4af5e69dffe2b54551d2487424448f1" }, { "url": "https://git.kernel.org/stable/c/019c34ca11372de891c06644846eb41fca7c890c" }, { "url": "https://git.kernel.org/stable/c/4338b0f6544c3ff042bfbaf40bc9afe531fb08c7" }, { "url": "https://git.kernel.org/stable/c/6070123d5344d0950f10ef6a5fdc3f076abb7ad2" }, { "url": "https://git.kernel.org/stable/c/e422370e6ab28478872b914cee5d49a9bdfae0c6" }, { "url": "https://git.kernel.org/stable/c/98520a9a3d69a530dd1ee280cbe0abc232a35bff" }, { "url": "https://git.kernel.org/stable/c/183def8e4d786e50165e5d992df6a3083e45e16c" }, { "url": "https://git.kernel.org/stable/c/185c926283da67a72df20a63a5046b3b4631b7d9" } ], "title": "HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39808", "datePublished": "2025-09-16T13:00:11.242Z", "dateReserved": "2025-04-16T07:20:57.137Z", "dateUpdated": "2025-09-16T13:00:11.242Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53309 (GCVE-0-2023-53309)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: Fix integer overflow in radeon_cs_parser_init
The type of size is unsigned, if size is 0x40000000, there will be an
integer overflow, size will be zero after size *= sizeof(uint32_t),
will cause uninitialized memory to be referenced later
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/radeon/radeon_cs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d05ba46134d07e889de7d23cf8503574a22ede09", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "cfa9148bafb2d3292b65de1bac79dcca65be2643", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "b8fab6aebdf2115ec2d7bd2f3498d5b911ff351e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "e6825b30d37fe89ceb87f926d33d4fad321a331e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "c0d7dbc6b7a61a56028118c00af2c8319d44a682", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2e1be420b86980c25a75325e90dfc3fc73126f61", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "25e634d7f44eb13113139040e5366bebe48c882f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f828b681d0cd566f86351c0b913e6cb6ed8c7b9c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/radeon/radeon_cs.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.324", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.293", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", 
"status": "unaffected", "version": "5.4.255", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.192", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.123", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.42", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.7", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.324", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.293", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.255", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.192", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.123", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.42", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.7", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Fix integer overflow in radeon_cs_parser_init\n\nThe type of size is unsigned, if size is 0x40000000, there will be an\ninteger overflow, size will be zero after size *= sizeof(uint32_t),\nwill cause uninitialized memory to be 
referenced later" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:47.700Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d05ba46134d07e889de7d23cf8503574a22ede09" }, { "url": "https://git.kernel.org/stable/c/cfa9148bafb2d3292b65de1bac79dcca65be2643" }, { "url": "https://git.kernel.org/stable/c/b8fab6aebdf2115ec2d7bd2f3498d5b911ff351e" }, { "url": "https://git.kernel.org/stable/c/e6825b30d37fe89ceb87f926d33d4fad321a331e" }, { "url": "https://git.kernel.org/stable/c/c0d7dbc6b7a61a56028118c00af2c8319d44a682" }, { "url": "https://git.kernel.org/stable/c/2e1be420b86980c25a75325e90dfc3fc73126f61" }, { "url": "https://git.kernel.org/stable/c/25e634d7f44eb13113139040e5366bebe48c882f" }, { "url": "https://git.kernel.org/stable/c/f828b681d0cd566f86351c0b913e6cb6ed8c7b9c" } ], "title": "drm/radeon: Fix integer overflow in radeon_cs_parser_init", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53309", "datePublished": "2025-09-16T16:11:47.700Z", "dateReserved": "2025-09-16T16:08:59.562Z", "dateUpdated": "2025-09-16T16:11:47.700Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39828 (GCVE-0-2025-39828)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().
syzbot reported the splat below. [0]
When atmtcp_v_open() or atmtcp_v_close() is called via connect()
or close(), atmtcp_send_control() is called to send an in-kernel
special message.
The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.
Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc.
The notable thing is struct atmtcp_control is uAPI but has a
space for an in-kernel pointer.
    struct atmtcp_control {
        struct atmtcp_hdr hdr;  /* must be first */
        ...
        atm_kptr_t vcc;         /* both directions */
        ...
    } __ATM_API_ALIGN;

    typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;
The special message is processed in atmtcp_recv_control() called
from atmtcp_c_send().
atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths:
1. .ndo_start_xmit() (vcc->send() == atm_send_aal0())
2. vcc_sendmsg()
The problem is sendmsg() does not validate the message length and
userspace can abuse atmtcp_recv_control() to overwrite any kptr
by atmtcp_control.
Let's add a new ->pre_send() hook to validate messages from sendmsg().
[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]
CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]
RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297
Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c
RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203
RAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c
RBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd
R10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000
R13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff
FS: 00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0
Call Trace:
<TASK>
vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:729
____sys_sendmsg+0x505/0x830 net/socket.c:2614
___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
__sys_sendmsg net/socket.c:2700 [inline]
__do_sys_sendmsg net/socket.c:2705 [inline]
__se_sys_sendmsg net/socket.c:2703 [inline]
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8d7e96a4a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9
RDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005
RBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f
R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac
R13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250
</TASK>
Modules linked in:
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/atm/atmtcp.c", "include/linux/atmdev.h", "net/atm/common.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "b502f16bad8f0a4cfbd023452766f21bfda39dde", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "0a6a6d4fb333f7afe22e59ffed18511a7a98efc8", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "62f368472b0aa4b5d91d9b983152855c6b6d8925", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "51872b26429077be611b0a1816e0e722278015c3", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/atm/atmtcp.c", "include/linux/atmdev.h", "net/atm/common.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.12" }, { "lessThan": "2.6.12", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": 
"unaffected", "version": "5.4.298", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.242", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.191", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.298", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.242", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.191", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "2.6.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "6.17-rc4", "versionStartIncluding": "2.6.12", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().\n\nsyzbot reported the splat below. [0]\n\nWhen atmtcp_v_open() or atmtcp_v_close() is called via connect()\nor close(), atmtcp_send_control() is called to send an in-kernel\nspecial message.\n\nThe message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length.\nAlso, a pointer of struct atm_vcc is set to atmtcp_control.vcc.\n\nThe notable thing is struct atmtcp_control is uAPI but has a\nspace for an in-kernel pointer.\n\n struct atmtcp_control {\n \tstruct atmtcp_hdr hdr;\t/* must be first */\n ...\n \tatm_kptr_t vcc;\t\t/* both directions */\n ...\n } __ATM_API_ALIGN;\n\n typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;\n\nThe special message is processed in atmtcp_recv_control() called\nfrom atmtcp_c_send().\n\natmtcp_c_send() is vcc-\u003edev-\u003eops-\u003esend() and called from 2 paths:\n\n 1. .ndo_start_xmit() (vcc-\u003esend() == atm_send_aal0())\n 2. 
vcc_sendmsg()\n\nThe problem is sendmsg() does not validate the message length and\nuserspace can abuse atmtcp_recv_control() to overwrite any kptr\nby atmtcp_control.\n\nLet\u0027s add a new -\u003epre_send() hook to validate messages from sendmsg().\n\n[0]:\nOops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI\nKASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]\nCPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]\nRIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297\nCode: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 \u003c42\u003e 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c\nRSP: 0018:ffffc90003f5f810 EFLAGS: 00010203\nRAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000\nRDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c\nRBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd\nR10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000\nR13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff\nFS: 00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x219/0x270 net/socket.c:729\n ____sys_sendmsg+0x505/0x830 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n 
__x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f8d7e96a4a9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9\nRDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005\nRBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f\nR10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac\nR13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250\n \u003c/TASK\u003e\nModules linked in:" } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:26.433Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/b502f16bad8f0a4cfbd023452766f21bfda39dde" }, { "url": "https://git.kernel.org/stable/c/0a6a6d4fb333f7afe22e59ffed18511a7a98efc8" }, { "url": "https://git.kernel.org/stable/c/62f368472b0aa4b5d91d9b983152855c6b6d8925" }, { "url": "https://git.kernel.org/stable/c/51872b26429077be611b0a1816e0e722278015c3" }, { "url": "https://git.kernel.org/stable/c/3c80c230d6e3e6f63d43f4c3f0bb344e3e8b119b" }, { "url": "https://git.kernel.org/stable/c/33f9e6dc66b32202b95fc861e6b3ea4b0c185b0b" }, { "url": "https://git.kernel.org/stable/c/3ab9f5ad9baefe6d3d4c37053cdfca2761001dfe" }, { "url": "https://git.kernel.org/stable/c/ec79003c5f9d2c7f9576fc69b8dbda80305cbe3a" } ], "title": "atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": 
"CVE-2025-39828", "datePublished": "2025-09-16T13:00:26.433Z", "dateReserved": "2025-04-16T07:20:57.140Z", "dateUpdated": "2025-09-16T13:00:26.433Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53312 (GCVE-0-2023-53312)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix net_dev_start_xmit trace event vs skb_transport_offset()
After blamed commit, we must be more careful about using
skb_transport_offset(), as reminded us by syzbot:
WARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 skb_transport_offset include/linux/skbuff.h:2977 [inline]
WARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14
Modules linked in:
CPU: 0 PID: 10 Comm: kworker/u4:1 Not tainted 6.1.30-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
RIP: 0010:skb_transport_header include/linux/skbuff.h:2868 [inline]
RIP: 0010:skb_transport_offset include/linux/skbuff.h:2977 [inline]
RIP: 0010:perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14
Code: 8b 04 25 28 00 00 00 48 3b 84 24 c0 00 00 00 0f 85 4e 04 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc e8 56 22 01 fd <0f> 0b e9 f6 fc ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 86 f9 ff
RSP: 0018:ffffc900002bf700 EFLAGS: 00010293
RAX: ffffffff8485d8ca RBX: 000000000000ffff RCX: ffff888100914280
RDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff
RBP: ffffc900002bf818 R08: ffffffff8485d5b6 R09: fffffbfff0f8fb5e
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff110217d8f67
R13: ffff88810bec7b3a R14: dffffc0000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f96cf6d52f0 CR3: 000000012224c000 CR4: 0000000000350ef0
Call Trace:
<TASK>
[<ffffffff84715e35>] trace_net_dev_start_xmit include/trace/events/net.h:14 [inline]
[<ffffffff84715e35>] xmit_one net/core/dev.c:3643 [inline]
[<ffffffff84715e35>] dev_hard_start_xmit+0x705/0x980 net/core/dev.c:3660
[<ffffffff8471a232>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
[<ffffffff85416493>] dev_queue_xmit include/linux/netdevice.h:3030 [inline]
[<ffffffff85416493>] batadv_send_skb_packet+0x3f3/0x680 net/batman-adv/send.c:108
[<ffffffff85416744>] batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127
[<ffffffff853bc52a>] batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]
[<ffffffff853bc52a>] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:421 [inline]
[<ffffffff853bc52a>] batadv_iv_send_outstanding_bat_ogm_packet+0x69a/0x840 net/batman-adv/bat_iv_ogm.c:1701
[<ffffffff8151023c>] process_one_work+0x8ac/0x1170 kernel/workqueue.c:2289
[<ffffffff81511938>] worker_thread+0xaa8/0x12d0 kernel/workqueue.c:2436
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "include/trace/events/net.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ced61418f46993d571385812bafed3a7d4ab6918", "status": "affected", "version": "66e4c8d950083df8e12981babca788e1635c92b6", "versionType": "git" }, { "lessThan": "58f9e88eb247263c74383b4ee8858abac15cdbe0", "status": "affected", "version": "66e4c8d950083df8e12981babca788e1635c92b6", "versionType": "git" }, { "lessThan": "f88fcb1d7d961b4b402d675109726f94db87571c", "status": "affected", "version": "66e4c8d950083df8e12981babca788e1635c92b6", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "include/trace/events/net.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.39", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.39", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.4", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "5.19", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux 
kernel, the following vulnerability has been resolved:\n\nnet: fix net_dev_start_xmit trace event vs skb_transport_offset()\n\nAfter blamed commit, we must be more careful about using\nskb_transport_offset(), as reminded us by syzbot:\n\nWARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 skb_transport_offset include/linux/skbuff.h:2977 [inline]\nWARNING: CPU: 0 PID: 10 at include/linux/skbuff.h:2868 perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14\nModules linked in:\nCPU: 0 PID: 10 Comm: kworker/u4:1 Not tainted 6.1.30-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023\nWorkqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet\nRIP: 0010:skb_transport_header include/linux/skbuff.h:2868 [inline]\nRIP: 0010:skb_transport_offset include/linux/skbuff.h:2977 [inline]\nRIP: 0010:perf_trace_net_dev_start_xmit+0x89a/0xce0 include/trace/events/net.h:14\nCode: 8b 04 25 28 00 00 00 48 3b 84 24 c0 00 00 00 0f 85 4e 04 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc e8 56 22 01 fd \u003c0f\u003e 0b e9 f6 fc ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 86 f9 ff\nRSP: 0018:ffffc900002bf700 EFLAGS: 00010293\nRAX: ffffffff8485d8ca RBX: 000000000000ffff RCX: ffff888100914280\nRDX: 0000000000000000 RSI: 000000000000ffff RDI: 000000000000ffff\nRBP: ffffc900002bf818 R08: ffffffff8485d5b6 R09: fffffbfff0f8fb5e\nR10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff110217d8f67\nR13: ffff88810bec7b3a R14: dffffc0000000000 R15: dffffc0000000000\nFS: 0000000000000000(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f96cf6d52f0 CR3: 000000012224c000 CR4: 0000000000350ef0\nCall Trace:\n\u003cTASK\u003e\n[\u003cffffffff84715e35\u003e] trace_net_dev_start_xmit include/trace/events/net.h:14 [inline]\n[\u003cffffffff84715e35\u003e] xmit_one net/core/dev.c:3643 [inline]\n[\u003cffffffff84715e35\u003e] dev_hard_start_xmit+0x705/0x980 
net/core/dev.c:3660\n[\u003cffffffff8471a232\u003e] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324\n[\u003cffffffff85416493\u003e] dev_queue_xmit include/linux/netdevice.h:3030 [inline]\n[\u003cffffffff85416493\u003e] batadv_send_skb_packet+0x3f3/0x680 net/batman-adv/send.c:108\n[\u003cffffffff85416744\u003e] batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127\n[\u003cffffffff853bc52a\u003e] batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline]\n[\u003cffffffff853bc52a\u003e] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:421 [inline]\n[\u003cffffffff853bc52a\u003e] batadv_iv_send_outstanding_bat_ogm_packet+0x69a/0x840 net/batman-adv/bat_iv_ogm.c:1701\n[\u003cffffffff8151023c\u003e] process_one_work+0x8ac/0x1170 kernel/workqueue.c:2289\n[\u003cffffffff81511938\u003e] worker_thread+0xaa8/0x12d0 kernel/workqueue.c:2436" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:49.832Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ced61418f46993d571385812bafed3a7d4ab6918" }, { "url": "https://git.kernel.org/stable/c/58f9e88eb247263c74383b4ee8858abac15cdbe0" }, { "url": "https://git.kernel.org/stable/c/f88fcb1d7d961b4b402d675109726f94db87571c" } ], "title": "net: fix net_dev_start_xmit trace event vs skb_transport_offset()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53312", "datePublished": "2025-09-16T16:11:49.832Z", "dateReserved": "2025-09-16T16:08:59.562Z", "dateUpdated": "2025-09-16T16:11:49.832Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53305 (GCVE-0-2023-53305)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free
Fix potential use-after-free in l2cap_le_command_rej.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/l2cap_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e76bab1b7afa580cd76362540fc37551ada4359b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "1a40c56e8bff3e424724d78a9a6b3272dd8a371d", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fe49aa73cca6608714477b74bfc6874b9db979df", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "2958cf9f805b9f0bdc4a761bf6ea281eb8d44f8e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "548a6b64b3c0688f01119a6fcccceb41f8c984e4", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "149daab45922ab1ac7f0cbeacab7251a46bf5e63", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "255be68150291440657b2cdb09420b69441af3d8", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f752a0b334bb95fe9b42ecb511e0864e2768046f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/l2cap_core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.324", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.293", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": 
"unaffected", "version": "5.4.255", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.192", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.128", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.47", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.12", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.324", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.293", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.255", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.192", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.128", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.47", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.12", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free\n\nFix potential use-after-free in l2cap_le_command_rej." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:44.845Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e76bab1b7afa580cd76362540fc37551ada4359b" }, { "url": "https://git.kernel.org/stable/c/1a40c56e8bff3e424724d78a9a6b3272dd8a371d" }, { "url": "https://git.kernel.org/stable/c/fe49aa73cca6608714477b74bfc6874b9db979df" }, { "url": "https://git.kernel.org/stable/c/2958cf9f805b9f0bdc4a761bf6ea281eb8d44f8e" }, { "url": "https://git.kernel.org/stable/c/548a6b64b3c0688f01119a6fcccceb41f8c984e4" }, { "url": "https://git.kernel.org/stable/c/149daab45922ab1ac7f0cbeacab7251a46bf5e63" }, { "url": "https://git.kernel.org/stable/c/255be68150291440657b2cdb09420b69441af3d8" }, { "url": "https://git.kernel.org/stable/c/f752a0b334bb95fe9b42ecb511e0864e2768046f" } ], "title": "Bluetooth: L2CAP: Fix use-after-free", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53305", "datePublished": "2025-09-16T16:11:44.845Z", "dateReserved": "2025-09-16T08:09:37.994Z", "dateUpdated": "2025-09-16T16:11:44.845Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39811 (GCVE-0-2025-39811)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/vm: Clear the scratch_pt pointer on error
Avoid triggering a dereference of an error pointer on cleanup in
xe_vm_free_scratch() by clearing any scratch_pt error pointer.
(cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/xe/xe_vm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c8277d229c7840e8090d4704e50f2ca014d194c7", "status": "affected", "version": "06951c2ee72df2f53b71e7cf2b504d4fa6bba453", "versionType": "git" }, { "lessThan": "84603ed1d73ebb8de856dc11f4f5d3541c48f7a2", "status": "affected", "version": "06951c2ee72df2f53b71e7cf2b504d4fa6bba453", "versionType": "git" }, { "lessThan": "2b55ddf36229e0278c956215784ab1feeff510aa", "status": "affected", "version": "06951c2ee72df2f53b71e7cf2b504d4fa6bba453", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/xe/xe_vm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In 
the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/vm: Clear the scratch_pt pointer on error\n\nAvoid triggering a dereference of an error pointer on cleanup in\nxe_vm_free_scratch() by clearing any scratch_pt error pointer.\n\n(cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)" } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:13.395Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c8277d229c7840e8090d4704e50f2ca014d194c7" }, { "url": "https://git.kernel.org/stable/c/84603ed1d73ebb8de856dc11f4f5d3541c48f7a2" }, { "url": "https://git.kernel.org/stable/c/2b55ddf36229e0278c956215784ab1feeff510aa" } ], "title": "drm/xe/vm: Clear the scratch_pt pointer on error", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39811", "datePublished": "2025-09-16T13:00:13.395Z", "dateReserved": "2025-04-16T07:20:57.137Z", "dateUpdated": "2025-09-16T13:00:13.395Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53324 (GCVE-0-2023-53324)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/mdp5: Don't leak some plane state
Apparently no one noticed that mdp5 plane states leak like a sieve
ever since we introduced plane_state->commit refcount a few years ago
in 21a01abbe32a ("drm/atomic: Fix freeing connector/plane state too
early by tracking commits, v3.")
Fix it by using the right helpers.
Patchwork: https://patchwork.freedesktop.org/patch/551236/
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 21a01abbe32a3cbeb903378a24e504bfd9fe0648
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7fc11a830b2eb07a0e3c6f917e5e636df6fc5d4c", "status": "affected", "version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648", "versionType": "git" }, { "lessThan": "b8a61df6f40448cf46611f7af05b00970d08d620", "status": "affected", "version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648", "versionType": "git" }, { "lessThan": "815e42029f6e1e762898079f85546d6a0391ab95", "status": "affected", "version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648", "versionType": "git" }, { "lessThan": "c0b1eee648702e04f1005d451f9689575b7f52ed", "status": "affected", "version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648", "versionType": "git" }, { "lessThan": "2965015006ef18ca96d2eab9ebe6bca884c63291", "status": "affected", "version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648", "versionType": "git" }, { "lessThan": "5b0dd3a102f64996598bd1e8d8388848a7c561bc", "status": "affected", "version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648", "versionType": "git" }, { "lessThan": "12dfd02cbd1a678fbd66be0c2f79d5299c4921a9", "status": "affected", "version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648", "versionType": "git" }, { "lessThan": "fd0ad3b2365c1c58aa5a761c18efc4817193beb6", "status": "affected", "version": "21a01abbe32a3cbeb903378a24e504bfd9fe0648", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.15" }, { "lessThan": "4.15", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.295", "versionType": 
"semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.257", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.195", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.132", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.53", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.16", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.295", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.257", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.195", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.132", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.53", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.16", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.3", "versionStartIncluding": "4.15", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "4.15", "vulnerable": true 
} ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/mdp5: Don\u0027t leak some plane state\n\nApparently no one noticed that mdp5 plane states leak like a sieve\never since we introduced plane_state-\u003ecommit refcount a few years ago\nin 21a01abbe32a (\"drm/atomic: Fix freeing connector/plane state too\nearly by tracking commits, v3.\")\n\nFix it by using the right helpers.\n\nPatchwork: https://patchwork.freedesktop.org/patch/551236/" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:59.672Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7fc11a830b2eb07a0e3c6f917e5e636df6fc5d4c" }, { "url": "https://git.kernel.org/stable/c/b8a61df6f40448cf46611f7af05b00970d08d620" }, { "url": "https://git.kernel.org/stable/c/815e42029f6e1e762898079f85546d6a0391ab95" }, { "url": "https://git.kernel.org/stable/c/c0b1eee648702e04f1005d451f9689575b7f52ed" }, { "url": "https://git.kernel.org/stable/c/2965015006ef18ca96d2eab9ebe6bca884c63291" }, { "url": "https://git.kernel.org/stable/c/5b0dd3a102f64996598bd1e8d8388848a7c561bc" }, { "url": "https://git.kernel.org/stable/c/12dfd02cbd1a678fbd66be0c2f79d5299c4921a9" }, { "url": "https://git.kernel.org/stable/c/fd0ad3b2365c1c58aa5a761c18efc4817193beb6" } ], "title": "drm/msm/mdp5: Don\u0027t leak some plane state", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53324", "datePublished": "2025-09-16T16:11:59.672Z", "dateReserved": "2025-09-16T16:08:59.563Z", "dateUpdated": "2025-09-16T16:11:59.672Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39815 (GCVE-0-2025-39815)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
RISC-V: KVM: fix stack overrun when loading vlenb
The userspace load can put up to 2048 bits into an xlen bit stack
buffer. We want only xlen bits, so check the size beforehand.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/riscv/kvm/vcpu_vector.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c76bf8359188a11f8fd790e5bbd6077894a245cc", "status": "affected", "version": "2fa290372dfe7dd248b1c16f943f273a3e674f22", "versionType": "git" }, { "lessThan": "6d28659b692a0212f360f8bd8a58712b339f9aac", "status": "affected", "version": "2fa290372dfe7dd248b1c16f943f273a3e674f22", "versionType": "git" }, { "lessThan": "799766208f09f95677a9ab111b93872d414fbad7", "status": "affected", "version": "2fa290372dfe7dd248b1c16f943f273a3e674f22", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/riscv/kvm/vcpu_vector.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": 
"In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: KVM: fix stack overrun when loading vlenb\n\nThe userspace load can put up to 2048 bits into an xlen bit stack\nbuffer. We want only xlen bits, so check the size beforehand." } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:16.250Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c76bf8359188a11f8fd790e5bbd6077894a245cc" }, { "url": "https://git.kernel.org/stable/c/6d28659b692a0212f360f8bd8a58712b339f9aac" }, { "url": "https://git.kernel.org/stable/c/799766208f09f95677a9ab111b93872d414fbad7" } ], "title": "RISC-V: KVM: fix stack overrun when loading vlenb", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39815", "datePublished": "2025-09-16T13:00:16.250Z", "dateReserved": "2025-04-16T07:20:57.138Z", "dateUpdated": "2025-09-16T13:00:16.250Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53310 (GCVE-0-2023-53310)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
power: supply: axp288_fuel_gauge: Fix external_power_changed race
fuel_gauge_external_power_changed() dereferences info->bat,
which gets set in axp288_fuel_gauge_probe() like this:
info->bat = devm_power_supply_register(dev, &fuel_gauge_desc, &psy_cfg);
As soon as devm_power_supply_register() has called device_add()
the external_power_changed callback can get called. So there is a window
where fuel_gauge_external_power_changed() may get called while
info->bat has not been set yet leading to a NULL pointer dereference.
Fixing this is easy. The external_power_changed callback gets passed
the power_supply which will eventually get stored in info->bat,
so fuel_gauge_external_power_changed() can simply directly use
the passed in psy argument which is always valid.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/power/supply/axp288_fuel_gauge.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0456b912121e45b3ef54abe3135e5dcb541f956c", "status": "affected", "version": "30abb3d07929137bf72327560e1595508a692c4e", "versionType": "git" }, { "lessThan": "a636c6ba9ce898207f283271cb28511206ab739b", "status": "affected", "version": "30abb3d07929137bf72327560e1595508a692c4e", "versionType": "git" }, { "lessThan": "f8319774d6f1567d6e7d03653174ab0c82c5c66d", "status": "affected", "version": "30abb3d07929137bf72327560e1595508a692c4e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/power/supply/axp288_fuel_gauge.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.18" }, { "lessThan": "5.18", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.31", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.31", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3.5", "versionStartIncluding": "5.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "5.18", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": 
"en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: axp288_fuel_gauge: Fix external_power_changed race\n\nfuel_gauge_external_power_changed() dereferences info-\u003ebat,\nwhich gets sets in axp288_fuel_gauge_probe() like this:\n\n info-\u003ebat = devm_power_supply_register(dev, \u0026fuel_gauge_desc, \u0026psy_cfg);\n\nAs soon as devm_power_supply_register() has called device_add()\nthe external_power_changed callback can get called. So there is a window\nwhere fuel_gauge_external_power_changed() may get called while\ninfo-\u003ebat has not been set yet leading to a NULL pointer dereference.\n\nFixing this is easy. The external_power_changed callback gets passed\nthe power_supply which will eventually get stored in info-\u003ebat,\nso fuel_gauge_external_power_changed() can simply directly use\nthe passed in psy argument which is always valid." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:48.399Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0456b912121e45b3ef54abe3135e5dcb541f956c" }, { "url": "https://git.kernel.org/stable/c/a636c6ba9ce898207f283271cb28511206ab739b" }, { "url": "https://git.kernel.org/stable/c/f8319774d6f1567d6e7d03653174ab0c82c5c66d" } ], "title": "power: supply: axp288_fuel_gauge: Fix external_power_changed race", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53310", "datePublished": "2025-09-16T16:11:48.399Z", "dateReserved": "2025-09-16T16:08:59.562Z", "dateUpdated": "2025-09-16T16:11:48.399Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53329 (GCVE-0-2023-53329)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-16 16:12
Summary
In the Linux kernel, the following vulnerability has been resolved:
workqueue: fix data race with the pwq->stats[] increment
KCSAN has discovered a data race in kernel/workqueue.c:2598:
[ 1863.554079] ==================================================================
[ 1863.554118] BUG: KCSAN: data-race in process_one_work / process_one_work
[ 1863.554142] write to 0xffff963d99d79998 of 8 bytes by task 5394 on cpu 27:
[ 1863.554154] process_one_work (kernel/workqueue.c:2598)
[ 1863.554166] worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2752)
[ 1863.554177] kthread (kernel/kthread.c:389)
[ 1863.554186] ret_from_fork (arch/x86/kernel/process.c:145)
[ 1863.554197] ret_from_fork_asm (arch/x86/entry/entry_64.S:312)
[ 1863.554213] read to 0xffff963d99d79998 of 8 bytes by task 5450 on cpu 12:
[ 1863.554224] process_one_work (kernel/workqueue.c:2598)
[ 1863.554235] worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2752)
[ 1863.554247] kthread (kernel/kthread.c:389)
[ 1863.554255] ret_from_fork (arch/x86/kernel/process.c:145)
[ 1863.554266] ret_from_fork_asm (arch/x86/entry/entry_64.S:312)
[ 1863.554280] value changed: 0x0000000000001766 -> 0x000000000000176a
[ 1863.554295] Reported by Kernel Concurrency Sanitizer on:
[ 1863.554303] CPU: 12 PID: 5450 Comm: kworker/u64:1 Tainted: G L 6.5.0-rc6+ #44
[ 1863.554314] Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
[ 1863.554322] Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
[ 1863.554941] ==================================================================
lockdep_invariant_state(true);
→ pwq->stats[PWQ_STAT_STARTED]++;
trace_workqueue_execute_start(work);
worker->current_func(work);
Moving pwq->stats[PWQ_STAT_STARTED]++; before the line
raw_spin_unlock_irq(&pool->lock);
resolves the data race without performance penalty.
KCSAN detected at least one additional data race:
[ 157.834751] ==================================================================
[ 157.834770] BUG: KCSAN: data-race in process_one_work / process_one_work
[ 157.834793] write to 0xffff9934453f77a0 of 8 bytes by task 468 on cpu 29:
[ 157.834804] process_one_work (/home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2606)
[ 157.834815] worker_thread (/home/marvin/linux/kernel/linux_torvalds/./include/linux/list.h:292 /home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2752)
[ 157.834826] kthread (/home/marvin/linux/kernel/linux_torvalds/kernel/kthread.c:389)
[ 157.834834] ret_from_fork (/home/marvin/linux/kernel/linux_torvalds/arch/x86/kernel/process.c:145)
[ 157.834845] ret_from_fork_asm (/home/marvin/linux/kernel/linux_torvalds/arch/x86/entry/entry_64.S:312)
[ 157.834859] read to 0xffff9934453f77a0 of 8 bytes by task 214 on cpu 7:
[ 157.834868] process_one_work (/home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2606)
[ 157.834879] worker_thread (/home/marvin/linux/kernel/linux_torvalds/./include/linux/list.h:292 /home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2752)
[ 157.834890] kthread (/home/marvin/linux/kernel/linux_torvalds/kernel/kthread.c:389)
[ 157.834897] ret_from_fork (/home/marvin/linux/kernel/linux_torvalds/arch/x86/kernel/process.c:145)
[ 157.834907] ret_from_fork_asm (/home/marvin/linux/kernel/linux_torvalds/arch/x86/entry/entry_64.S:312)
[ 157.834920] value changed: 0x000000000000052a -> 0x0000000000000532
[ 157.834933] Reported by Kernel Concurrency Sanitizer on:
[ 157.834941] CPU: 7 PID: 214 Comm: kworker/u64:2 Tainted: G L 6.5.0-rc7-kcsan-00169-g81eaf55a60fc #4
[ 157.834951] Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
[ 157.834958] Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
[ 157.835567] ==================================================================
in code:
trace_workqueue_execute_end(work, worker->current_func);
→ pwq->stats[PWQ_STAT_COM
---truncated---
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/workqueue.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ce55024f28589b0012fa2c6b5748ec5a180b7fbe", "status": "affected", "version": "725e8ec59c56c65fb92e343c10a8842cd0d4f194", "versionType": "git" }, { "lessThan": "fe48ba7daefe75bbbefa2426deddc05f2d530d2d", "status": "affected", "version": "725e8ec59c56c65fb92e343c10a8842cd0d4f194", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/workqueue.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.5" }, { "lessThan": "6.5", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.3", "versionStartIncluding": "6.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nworkqueue: fix data race with the pwq-\u003estats[] increment\n\nKCSAN has discovered a data race in kernel/workqueue.c:2598:\n\n[ 1863.554079] ==================================================================\n[ 1863.554118] BUG: KCSAN: data-race in process_one_work / process_one_work\n\n[ 1863.554142] write to 0xffff963d99d79998 of 8 bytes by task 5394 on cpu 27:\n[ 
1863.554154] process_one_work (kernel/workqueue.c:2598)\n[ 1863.554166] worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2752)\n[ 1863.554177] kthread (kernel/kthread.c:389)\n[ 1863.554186] ret_from_fork (arch/x86/kernel/process.c:145)\n[ 1863.554197] ret_from_fork_asm (arch/x86/entry/entry_64.S:312)\n\n[ 1863.554213] read to 0xffff963d99d79998 of 8 bytes by task 5450 on cpu 12:\n[ 1863.554224] process_one_work (kernel/workqueue.c:2598)\n[ 1863.554235] worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2752)\n[ 1863.554247] kthread (kernel/kthread.c:389)\n[ 1863.554255] ret_from_fork (arch/x86/kernel/process.c:145)\n[ 1863.554266] ret_from_fork_asm (arch/x86/entry/entry_64.S:312)\n\n[ 1863.554280] value changed: 0x0000000000001766 -\u003e 0x000000000000176a\n\n[ 1863.554295] Reported by Kernel Concurrency Sanitizer on:\n[ 1863.554303] CPU: 12 PID: 5450 Comm: kworker/u64:1 Tainted: G L 6.5.0-rc6+ #44\n[ 1863.554314] Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023\n[ 1863.554322] Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]\n[ 1863.554941] ==================================================================\n\n lockdep_invariant_state(true);\n\u2192 pwq-\u003estats[PWQ_STAT_STARTED]++;\n trace_workqueue_execute_start(work);\n worker-\u003ecurrent_func(work);\n\nMoving pwq-\u003estats[PWQ_STAT_STARTED]++; before the line\n\n raw_spin_unlock_irq(\u0026pool-\u003elock);\n\nresolves the data race without performance penalty.\n\nKCSAN detected at least one additional data race:\n\n[ 157.834751] ==================================================================\n[ 157.834770] BUG: KCSAN: data-race in process_one_work / process_one_work\n\n[ 157.834793] write to 0xffff9934453f77a0 of 8 bytes by task 468 on cpu 29:\n[ 157.834804] process_one_work (/home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2606)\n[ 157.834815] worker_thread (/home/marvin/linux/kernel/linux_torvalds/./include/linux/list.h:292 
/home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2752)\n[ 157.834826] kthread (/home/marvin/linux/kernel/linux_torvalds/kernel/kthread.c:389)\n[ 157.834834] ret_from_fork (/home/marvin/linux/kernel/linux_torvalds/arch/x86/kernel/process.c:145)\n[ 157.834845] ret_from_fork_asm (/home/marvin/linux/kernel/linux_torvalds/arch/x86/entry/entry_64.S:312)\n\n[ 157.834859] read to 0xffff9934453f77a0 of 8 bytes by task 214 on cpu 7:\n[ 157.834868] process_one_work (/home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2606)\n[ 157.834879] worker_thread (/home/marvin/linux/kernel/linux_torvalds/./include/linux/list.h:292 /home/marvin/linux/kernel/linux_torvalds/kernel/workqueue.c:2752)\n[ 157.834890] kthread (/home/marvin/linux/kernel/linux_torvalds/kernel/kthread.c:389)\n[ 157.834897] ret_from_fork (/home/marvin/linux/kernel/linux_torvalds/arch/x86/kernel/process.c:145)\n[ 157.834907] ret_from_fork_asm (/home/marvin/linux/kernel/linux_torvalds/arch/x86/entry/entry_64.S:312)\n\n[ 157.834920] value changed: 0x000000000000052a -\u003e 0x0000000000000532\n\n[ 157.834933] Reported by Kernel Concurrency Sanitizer on:\n[ 157.834941] CPU: 7 PID: 214 Comm: kworker/u64:2 Tainted: G L 6.5.0-rc7-kcsan-00169-g81eaf55a60fc #4\n[ 157.834951] Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023\n[ 157.834958] Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]\n[ 157.835567] ==================================================================\n\nin code:\n\n trace_workqueue_execute_end(work, worker-\u003ecurrent_func);\n\u2192 pwq-\u003estats[PWQ_STAT_COM\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:12:05.196Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ce55024f28589b0012fa2c6b5748ec5a180b7fbe" }, { "url": "https://git.kernel.org/stable/c/fe48ba7daefe75bbbefa2426deddc05f2d530d2d" } ], "title": "workqueue: fix data race with the 
pwq-\u003estats[] increment", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53329", "datePublished": "2025-09-16T16:12:05.196Z", "dateReserved": "2025-09-16T16:08:59.564Z", "dateUpdated": "2025-09-16T16:12:05.196Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53314 (GCVE-0-2023-53314)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
Do not assign the Linux device to struct fb_info.dev. The call to
register_framebuffer() initializes the field to the fbdev device.
Drivers should not override its value.
Fixes a bug where the driver incorrectly decreases the hardware
device's reference counter and leaks the fbdev device.
v2:
* add Fixes tag (Dan)
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 88017bda96a5fd568a982b01546c8fb1782dda62
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/video/fbdev/ep93xx-fb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "ffdf2b020db717853167391a3a8d912e13428fa6", "status": "affected", "version": "88017bda96a5fd568a982b01546c8fb1782dda62", "versionType": "git" }, { "lessThan": "1c6ff2a7c593db851f23e31ace2baf557ea9d0ff", "status": "affected", "version": "88017bda96a5fd568a982b01546c8fb1782dda62", "versionType": "git" }, { "lessThan": "8ffa40ff64aa43a9a28fcf209b48d86a3e0f4972", "status": "affected", "version": "88017bda96a5fd568a982b01546c8fb1782dda62", "versionType": "git" }, { "lessThan": "4aade6c9100a3537788b6a9c7ac481037d19efdf", "status": "affected", "version": "88017bda96a5fd568a982b01546c8fb1782dda62", "versionType": "git" }, { "lessThan": "309c27162afea79b3c7f8747bb650faf6923b639", "status": "affected", "version": "88017bda96a5fd568a982b01546c8fb1782dda62", "versionType": "git" }, { "lessThan": "f83c1b13f8154e0284448912756d0a351a1a602a", "status": "affected", "version": "88017bda96a5fd568a982b01546c8fb1782dda62", "versionType": "git" }, { "lessThan": "0517fc5a71333b315164736bbd32608894fbb872", "status": "affected", "version": "88017bda96a5fd568a982b01546c8fb1782dda62", "versionType": "git" }, { "lessThan": "f90a0e5265b60cdd3c77990e8105f79aa2fac994", "status": "affected", "version": "88017bda96a5fd568a982b01546c8fb1782dda62", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/video/fbdev/ep93xx-fb.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.32" }, { "lessThan": "2.6.32", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.326", "versionType": "semver" }, { 
"lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.295", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.257", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.195", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.132", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.54", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.326", "versionStartIncluding": "2.6.32", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.295", "versionStartIncluding": "2.6.32", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.257", "versionStartIncluding": "2.6.32", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.195", "versionStartIncluding": "2.6.32", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.132", "versionStartIncluding": "2.6.32", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.54", "versionStartIncluding": "2.6.32", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.4", "versionStartIncluding": "2.6.32", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "2.6.32", 
"vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev/ep93xx-fb: Do not assign to struct fb_info.dev\n\nDo not assing the Linux device to struct fb_info.dev. The call to\nregister_framebuffer() initializes the field to the fbdev device.\nDrivers should not override its value.\n\nFixes a bug where the driver incorrectly decreases the hardware\ndevice\u0027s reference counter and leaks the fbdev device.\n\nv2:\n\t* add Fixes tag (Dan)" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:51.435Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/ffdf2b020db717853167391a3a8d912e13428fa6" }, { "url": "https://git.kernel.org/stable/c/1c6ff2a7c593db851f23e31ace2baf557ea9d0ff" }, { "url": "https://git.kernel.org/stable/c/8ffa40ff64aa43a9a28fcf209b48d86a3e0f4972" }, { "url": "https://git.kernel.org/stable/c/4aade6c9100a3537788b6a9c7ac481037d19efdf" }, { "url": "https://git.kernel.org/stable/c/309c27162afea79b3c7f8747bb650faf6923b639" }, { "url": "https://git.kernel.org/stable/c/f83c1b13f8154e0284448912756d0a351a1a602a" }, { "url": "https://git.kernel.org/stable/c/0517fc5a71333b315164736bbd32608894fbb872" }, { "url": "https://git.kernel.org/stable/c/f90a0e5265b60cdd3c77990e8105f79aa2fac994" } ], "title": "fbdev/ep93xx-fb: Do not assign to struct fb_info.dev", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53314", "datePublished": "2025-09-16T16:11:51.435Z", "dateReserved": "2025-09-16T16:08:59.562Z", "dateUpdated": "2025-09-16T16:11:51.435Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53307 (GCVE-0-2023-53307)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
If getting an ID or setting up a work queue in rbd_dev_create() fails,
use-after-free on rbd_dev->rbd_client, rbd_dev->spec and rbd_dev->opts
is triggered in do_rbd_add(). The root cause is that the ownership of
these structures is transferred to rbd_dev prematurely and they all end
up getting freed when rbd_dev_create() calls rbd_dev_free() prior to
returning to do_rbd_add().
Found by Linux Verification Center (linuxtesting.org) with SVACE, an
incomplete patch submitted by Natalia Petrova <n.petrova@fintech.ru>.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1643dfa4c2c827d6e2aa419df8c17b0f24090278
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/block/rbd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "71da2a151ed1adb0aea4252b16d81b53012e7afd", "status": "affected", "version": "1643dfa4c2c827d6e2aa419df8c17b0f24090278", "versionType": "git" }, { "lessThan": "e3cbb4d60764295992c95344f2d779439e8b34ce", "status": "affected", "version": "1643dfa4c2c827d6e2aa419df8c17b0f24090278", "versionType": "git" }, { "lessThan": "9787b328c42c13c4f31e7d5042c4e877e9344068", "status": "affected", "version": "1643dfa4c2c827d6e2aa419df8c17b0f24090278", "versionType": "git" }, { "lessThan": "ae16346078b1189aee934afd872d9f3d0a682c33", "status": "affected", "version": "1643dfa4c2c827d6e2aa419df8c17b0f24090278", "versionType": "git" }, { "lessThan": "a73783e4e0c4d1507794da211eeca75498544dff", "status": "affected", "version": "1643dfa4c2c827d6e2aa419df8c17b0f24090278", "versionType": "git" }, { "lessThan": "faa7b683e436664fff5648426950718277831348", "status": "affected", "version": "1643dfa4c2c827d6e2aa419df8c17b0f24090278", "versionType": "git" }, { "lessThan": "cc8c0dd2984503ed09efa37bcafcef3d3da104e8", "status": "affected", "version": "1643dfa4c2c827d6e2aa419df8c17b0f24090278", "versionType": "git" }, { "lessThan": "f7c4d9b133c7a04ca619355574e96b6abf209fba", "status": "affected", "version": "1643dfa4c2c827d6e2aa419df8c17b0f24090278", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/block/rbd.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.9" }, { "lessThan": "4.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.308", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", 
"status": "unaffected", "version": "4.19.276", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.235", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.173", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.99", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.308", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.276", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.235", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.173", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.99", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "versionStartIncluding": "4.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "4.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], 
"descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails\n\nIf getting an ID or setting up a work queue in rbd_dev_create() fails,\nuse-after-free on rbd_dev-\u003erbd_client, rbd_dev-\u003espec and rbd_dev-\u003eopts\nis triggered in do_rbd_add(). The root cause is that the ownership of\nthese structures is transfered to rbd_dev prematurely and they all end\nup getting freed when rbd_dev_create() calls rbd_dev_free() prior to\nreturning to do_rbd_add().\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE, an\nincomplete patch submitted by Natalia Petrova \u003cn.petrova@fintech.ru\u003e." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:46.288Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/71da2a151ed1adb0aea4252b16d81b53012e7afd" }, { "url": "https://git.kernel.org/stable/c/e3cbb4d60764295992c95344f2d779439e8b34ce" }, { "url": "https://git.kernel.org/stable/c/9787b328c42c13c4f31e7d5042c4e877e9344068" }, { "url": "https://git.kernel.org/stable/c/ae16346078b1189aee934afd872d9f3d0a682c33" }, { "url": "https://git.kernel.org/stable/c/a73783e4e0c4d1507794da211eeca75498544dff" }, { "url": "https://git.kernel.org/stable/c/faa7b683e436664fff5648426950718277831348" }, { "url": "https://git.kernel.org/stable/c/cc8c0dd2984503ed09efa37bcafcef3d3da104e8" }, { "url": "https://git.kernel.org/stable/c/f7c4d9b133c7a04ca619355574e96b6abf209fba" } ], "title": "rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53307", "datePublished": "2025-09-16T16:11:46.288Z", "dateReserved": "2025-09-16T08:09:37.994Z", "dateUpdated": "2025-09-16T16:11:46.288Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39819 (GCVE-0-2025-39819)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/smb: Fix inconsistent refcnt update
A possible inconsistent update of refcount was identified in `smb2_compound_op`.
Such inconsistent update could lead to possible resource leaks.
Why it is a possible bug:
1. In the comment section of the function, it clearly states that the
reference to `cfile` should be dropped after calling this function.
2. Every control flow path would check and drop the reference to
`cfile`, except the patched one.
3. Existing callers would not handle refcount update of `cfile` if
-ENOMEM is returned.
To fix the bug, an extra goto label "out" is added, to make sure that the
cleanup logic would always be respected. As the problem is caused by the
allocation failure of `vars`, the cleanup logic between label "finished"
and "out" can be safely ignored. According to the definition of function
`is_replayable_error`, the error code of "-ENOMEM" is not recoverable.
Therefore, the replay logic also gets ignored.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/client/smb2inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3fc11ff13fbc2749871d6ac2141685cf54699997", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4191ea1f0bb3e27d65c5dcde7bd00e709ec67141", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "4735f5991f51468b85affb8366b7067248457a71", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "cc82c6dff548f0066a51a6e577c7454e7d26a968", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ab529e6ca1f67bcf31f3ea80c72bffde2e9e053e", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/client/smb2inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/smb: Fix inconsistent refcnt update\n\nA possible inconsistent update of refcount was identified in `smb2_compound_op`.\nSuch inconsistent update could lead to possible resource leaks.\n\nWhy it is a possible bug:\n1. In the comment section of the function, it clearly states that the\nreference to `cfile` should be dropped after calling this function.\n2. Every control flow path would check and drop the reference to\n`cfile`, except the patched one.\n3. Existing callers would not handle refcount update of `cfile` if\n-ENOMEM is returned.\n\nTo fix the bug, an extra goto label \"out\" is added, to make sure that the\ncleanup logic would always be respected. As the problem is caused by the\nallocation failure of `vars`, the cleanup logic between label \"finished\"\nand \"out\" can be safely ignored. According to the definition of function\n`is_replayable_error`, the error code of \"-ENOMEM\" is not recoverable.\nTherefore, the replay logic also gets ignored." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:19.320Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3fc11ff13fbc2749871d6ac2141685cf54699997" }, { "url": "https://git.kernel.org/stable/c/4191ea1f0bb3e27d65c5dcde7bd00e709ec67141" }, { "url": "https://git.kernel.org/stable/c/4735f5991f51468b85affb8366b7067248457a71" }, { "url": "https://git.kernel.org/stable/c/cc82c6dff548f0066a51a6e577c7454e7d26a968" }, { "url": "https://git.kernel.org/stable/c/ab529e6ca1f67bcf31f3ea80c72bffde2e9e053e" } ], "title": "fs/smb: Fix inconsistent refcnt update", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39819", "datePublished": "2025-09-16T13:00:19.320Z", "dateReserved": "2025-04-16T07:20:57.139Z", "dateUpdated": "2025-09-16T13:00:19.320Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39836 (GCVE-0-2025-39836)
Vulnerability from cvelistv5
Published
2025-09-16 13:08
Modified
2025-09-16 13:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
efi: stmm: Fix incorrect buffer allocation method
The communication buffer allocated by setup_mm_hdr() is later on passed
to tee_shm_register_kernel_buf(). The latter expects those buffers to be
contiguous pages, but setup_mm_hdr() just uses kmalloc(). That can cause
various corruptions or BUGs, specifically since commit 9aec2fb0fd5e
("slab: allocate frozen pages"), though it was broken before as well.
Fix this by using alloc_pages_exact() instead of kmalloc().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/firmware/efi/stmm/tee_stmm_efi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "77ff27ff0e4529a003c8a1c2492c111968c378d3", "status": "affected", "version": "c44b6be62e8dd4ee0a308c36a70620613e6fc55f", "versionType": "git" }, { "lessThan": "630c0e6064daf84f17aad1a7d9ca76b562e3fe47", "status": "affected", "version": "c44b6be62e8dd4ee0a308c36a70620613e6fc55f", "versionType": "git" }, { "lessThan": "c5e81e672699e0c5557b2b755cc8f7a69aa92bff", "status": "affected", "version": "c44b6be62e8dd4ee0a308c36a70620613e6fc55f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/firmware/efi/stmm/tee_stmm_efi.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.8" }, { "lessThan": "6.8", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.8", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { 
"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: stmm: Fix incorrect buffer allocation method\n\nThe communication buffer allocated by setup_mm_hdr() is later on passed\nto tee_shm_register_kernel_buf(). The latter expects those buffers to be\ncontiguous pages, but setup_mm_hdr() just uses kmalloc(). That can cause\nvarious corruptions or BUGs, specifically since commit 9aec2fb0fd5e\n(\"slab: allocate frozen pages\"), though it was broken before as well.\n\nFix this by using alloc_pages_exact() instead of kmalloc()." } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:08:52.326Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/77ff27ff0e4529a003c8a1c2492c111968c378d3" }, { "url": "https://git.kernel.org/stable/c/630c0e6064daf84f17aad1a7d9ca76b562e3fe47" }, { "url": "https://git.kernel.org/stable/c/c5e81e672699e0c5557b2b755cc8f7a69aa92bff" } ], "title": "efi: stmm: Fix incorrect buffer allocation method", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39836", "datePublished": "2025-09-16T13:08:52.326Z", "dateReserved": "2025-04-16T07:20:57.141Z", "dateUpdated": "2025-09-16T13:08:52.326Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53311 (GCVE-0-2023-53311)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
During unmount process of nilfs2, nothing holds nilfs_root structure after
nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously,
nilfs_evict_inode() could cause use-after-free read for nilfs_root if
inodes are left in "garbage_list" and released by nilfs_dispose_list at
the end of nilfs_detach_log_writer(), and this bug was fixed by commit
9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in
nilfs_evict_inode()").
However, it turned out that there is another possibility of UAF in the
call path where mark_inode_dirty_sync() is called from iput():
nilfs_detach_log_writer()
  nilfs_dispose_list()
    iput()
      mark_inode_dirty_sync()
        __mark_inode_dirty()
          nilfs_dirty_inode()
            __nilfs_mark_inode_dirty()
              nilfs_load_inode_block() --> causes UAF of nilfs_root struct
This can happen after commit 0ae45f63d4ef ("vfs: add support for a
lazytime mount option"), which changed iput() to call
mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME
flag and i_nlink is non-zero.
This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty
data after degenerating to read-only") when using the syzbot reproducer,
but the issue has potentially existed before.
Fix this issue by adding a "purging flag" to the nilfs structure, setting
that flag while disposing the "garbage_list" and checking it in
__nilfs_mark_inode_dirty().
Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root
in nilfs_evict_inode()"), this patch does not rely on ns_writer to
determine whether to skip operations, so as not to break recovery on
mount. The nilfs_salvage_orphan_logs routine dirties the buffer of
salvaged data before attaching the log writer, so changing
__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL
will cause recovery write to fail. The purpose of using the cleanup-only
flag is to allow for narrowing of such conditions.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/nilfs2/inode.c", "fs/nilfs2/segment.c", "fs/nilfs2/the_nilfs.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "11afd67f1b3c28eb216e50a3ca8dbcb69bb71793", "status": "affected", "version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8", "versionType": "git" }, { "lessThan": "a3c3b4cbf9b8554120fb230e6516e980c6277487", "status": "affected", "version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8", "versionType": "git" }, { "lessThan": "d2c539c216cce74837a9cf5804eb205939b82227", "status": "affected", "version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8", "versionType": "git" }, { "lessThan": "37207240872456fbab44a110bde6640445233963", "status": "affected", "version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8", "versionType": "git" }, { "lessThan": "3645510cf926e6af2f4d44899370d7e5331c93bd", "status": "affected", "version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8", "versionType": "git" }, { "lessThan": "7532ff6edbf5242376b24a95a2fefb59bb653e5a", "status": "affected", "version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8", "versionType": "git" }, { "lessThan": "5828d5f5dc877dcfdd7b23102e978e2ecfd86d82", "status": "affected", "version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8", "versionType": "git" }, { "lessThan": "f8654743a0e6909dc634cbfad6db6816f10f3399", "status": "affected", "version": "0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/nilfs2/inode.c", "fs/nilfs2/segment.c", "fs/nilfs2/the_nilfs.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.0" }, { "lessThan": "4.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": 
"unaffected", "version": "4.14.323", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.292", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.254", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.191", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.127", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.46", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.11", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.323", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.292", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.254", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.191", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.127", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.46", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.11", "versionStartIncluding": "4.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", 
"versionStartIncluding": "4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput\n\nDuring unmount process of nilfs2, nothing holds nilfs_root structure after\nnilfs2 detaches its writer in nilfs_detach_log_writer(). Previously,\nnilfs_evict_inode() could cause use-after-free read for nilfs_root if\ninodes are left in \"garbage_list\" and released by nilfs_dispose_list at\nthe end of nilfs_detach_log_writer(), and this bug was fixed by commit\n9b5a04ac3ad9 (\"nilfs2: fix use-after-free bug of nilfs_root in\nnilfs_evict_inode()\").\n\nHowever, it turned out that there is another possibility of UAF in the\ncall path where mark_inode_dirty_sync() is called from iput():\n\nnilfs_detach_log_writer()\n nilfs_dispose_list()\n iput()\n mark_inode_dirty_sync()\n __mark_inode_dirty()\n nilfs_dirty_inode()\n __nilfs_mark_inode_dirty()\n nilfs_load_inode_block() --\u003e causes UAF of nilfs_root struct\n\nThis can happen after commit 0ae45f63d4ef (\"vfs: add support for a\nlazytime mount option\"), which changed iput() to call\nmark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME\nflag and i_nlink is non-zero.\n\nThis issue appears after commit 28a65b49eb53 (\"nilfs2: do not write dirty\ndata after degenerating to read-only\") when using the syzbot reproducer,\nbut the issue has potentially existed before.\n\nFix this issue by adding a \"purging flag\" to the nilfs structure, setting\nthat flag while disposing the \"garbage_list\" and checking it in\n__nilfs_mark_inode_dirty().\n\nUnlike commit 9b5a04ac3ad9 (\"nilfs2: fix use-after-free bug of nilfs_root\nin nilfs_evict_inode()\"), this patch does not rely on ns_writer to\ndetermine whether to skip operations, so as not to break recovery on\nmount. 
The nilfs_salvage_orphan_logs routine dirties the buffer of\nsalvaged data before attaching the log writer, so changing\n__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL\nwill cause recovery write to fail. The purpose of using the cleanup-only\nflag is to allow for narrowing of such conditions." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:49.099Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/11afd67f1b3c28eb216e50a3ca8dbcb69bb71793" }, { "url": "https://git.kernel.org/stable/c/a3c3b4cbf9b8554120fb230e6516e980c6277487" }, { "url": "https://git.kernel.org/stable/c/d2c539c216cce74837a9cf5804eb205939b82227" }, { "url": "https://git.kernel.org/stable/c/37207240872456fbab44a110bde6640445233963" }, { "url": "https://git.kernel.org/stable/c/3645510cf926e6af2f4d44899370d7e5331c93bd" }, { "url": "https://git.kernel.org/stable/c/7532ff6edbf5242376b24a95a2fefb59bb653e5a" }, { "url": "https://git.kernel.org/stable/c/5828d5f5dc877dcfdd7b23102e978e2ecfd86d82" }, { "url": "https://git.kernel.org/stable/c/f8654743a0e6909dc634cbfad6db6816f10f3399" } ], "title": "nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53311", "datePublished": "2025-09-16T16:11:49.099Z", "dateReserved": "2025-09-16T16:08:59.562Z", "dateUpdated": "2025-09-16T16:11:49.099Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53325 (GCVE-0-2023-53325)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-17 11:02
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer()
Change logging from drm_{err,info}() to dev_{err,info}() in functions
mtk_dp_aux_transfer() and mtk_dp_aux_do_transfer(): this will be
essential to avoid getting NULL pointer kernel panics if any kind
of error happens during AUX transfers happening before the bridge
is attached.
This may potentially start happening in a later commit implementing
aux-bus support, as AUX transfers will be triggered from the panel
driver (for EDID) before the mtk-dp bridge gets attached, and it's
done in preparation for the same.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/mediatek/mtk_dp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4c743c1dd2ee2a72951660b6798d4d7f7674f87b", "status": "affected", "version": "f70ac097a2cf5d4b67b2c1bbb73196c573ffcb7b", "versionType": "git" }, { "lessThan": "7839f62294039959076dd06232e07aec7f7d5b2b", "status": "affected", "version": "f70ac097a2cf5d4b67b2c1bbb73196c573ffcb7b", "versionType": "git" }, { "lessThan": "fd70e2019bfbcb0ed90c5e23839bf510ce6acf8f", "status": "affected", "version": "f70ac097a2cf5d4b67b2c1bbb73196c573ffcb7b", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/mediatek/mtk_dp.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.55", "versionType": "semver" }, { "lessThanOrEqual": "6.5.*", "status": "unaffected", "version": "6.5.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.6", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.55", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.5", "versionStartIncluding": "6.1", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6", "versionStartIncluding": "6.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In 
the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer()\n\nChange logging from drm_{err,info}() to dev_{err,info}() in functions\nmtk_dp_aux_transfer() and mtk_dp_aux_do_transfer(): this will be\nessential to avoid getting NULL pointer kernel panics if any kind\nof error happens during AUX transfers happening before the bridge\nis attached.\n\nThis may potentially start happening in a later commit implementing\naux-bus support, as AUX transfers will be triggered from the panel\ndriver (for EDID) before the mtk-dp bridge gets attached, and it\u0027s\ndone in preparation for the same." } ], "providerMetadata": { "dateUpdated": "2025-09-17T11:02:54.521Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4c743c1dd2ee2a72951660b6798d4d7f7674f87b" }, { "url": "https://git.kernel.org/stable/c/7839f62294039959076dd06232e07aec7f7d5b2b" }, { "url": "https://git.kernel.org/stable/c/fd70e2019bfbcb0ed90c5e23839bf510ce6acf8f" } ], "title": "drm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53325", "datePublished": "2025-09-16T16:12:00.595Z", "dateReserved": "2025-09-16T16:08:59.564Z", "dateUpdated": "2025-09-17T11:02:54.521Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53304 (GCVE-0-2023-53304)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_set_rbtree: fix overlap expiration walk
The lazy gc on insert that should remove timed-out entries fails to release
the other half of the interval, if any.
Can be reproduced with tests/shell/testcases/sets/0044interval_overlap_0
in nftables.git and kmemleak enabled kernel.
Second bug is the use of rbe_prev vs. prev pointer.
If rbe_prev() returns NULL after at least one iteration, rbe_prev points
to element that is not an end interval, hence it should not be removed.
Lastly, check the genmask of the end interval if this is active in the
current generation.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 7ab87a326f20c52ff4d9972052d085be951c704b Version: 181859bdfb9734aca449512fccaee4cacce64aed Version: 4aacf3d78424293e318c616016865380b37b9cc5 Version: 2bf1435fa19d2c58054391b3bba40d5510a5758c Version: 318cb24a4c3fce8140afaf84e4d45fcb76fb280b Version: c9e6978e2725a7d4b6cd23b2facd3f11422c0643 Version: c9e6978e2725a7d4b6cd23b2facd3f11422c0643
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/netfilter/nft_set_rbtree.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8284a79136c384059e85e278da2210b809730287", "status": "affected", "version": "7ab87a326f20c52ff4d9972052d085be951c704b", "versionType": "git" }, { "lessThan": "acaee227cf79c45a5d2d49c3e9a66333a462802c", "status": "affected", "version": "181859bdfb9734aca449512fccaee4cacce64aed", "versionType": "git" }, { "lessThan": "893cb3c3513cf661a0ff45fe0cfa83fe27131f76", "status": "affected", "version": "4aacf3d78424293e318c616016865380b37b9cc5", "versionType": "git" }, { "lessThan": "50cbb9d195c197af671869c8cadce3bd483735a0", "status": "affected", "version": "2bf1435fa19d2c58054391b3bba40d5510a5758c", "versionType": "git" }, { "lessThan": "89a4d1a89751a0fbd520e64091873e19cc0979e8", "status": "affected", "version": "318cb24a4c3fce8140afaf84e4d45fcb76fb280b", "versionType": "git" }, { "lessThan": "cd66733932399475fe933cb3ec03e687ed401462", "status": "affected", "version": "c9e6978e2725a7d4b6cd23b2facd3f11422c0643", "versionType": "git" }, { "lessThan": "f718863aca469a109895cb855e6b81fff4827d71", "status": "affected", "version": "c9e6978e2725a7d4b6cd23b2facd3f11422c0643", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/netfilter/nft_set_rbtree.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.2" }, { "lessThan": "6.2", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.190", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.124", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": 
"6.1.43", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.190", "versionStartIncluding": "5.10.166", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.124", "versionStartIncluding": "5.15.91", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.43", "versionStartIncluding": "6.1.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.8", "versionStartIncluding": "6.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: fix overlap expiration walk\n\nThe lazy gc on insert that should remove timed-out entries fails to release\nthe other half of the interval, if any.\n\nCan be reproduced with tests/shell/testcases/sets/0044interval_overlap_0\nin nftables.git and kmemleak enabled kernel.\n\nSecond bug is the use of rbe_prev vs. prev pointer.\nIf rbe_prev() returns NULL after at least one iteration, rbe_prev points\nto element that is not an end interval, hence it should not be removed.\n\nLastly, check the genmask of the end interval if this is active in the\ncurrent generation." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:44.147Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8284a79136c384059e85e278da2210b809730287" }, { "url": "https://git.kernel.org/stable/c/acaee227cf79c45a5d2d49c3e9a66333a462802c" }, { "url": "https://git.kernel.org/stable/c/893cb3c3513cf661a0ff45fe0cfa83fe27131f76" }, { "url": "https://git.kernel.org/stable/c/50cbb9d195c197af671869c8cadce3bd483735a0" }, { "url": "https://git.kernel.org/stable/c/89a4d1a89751a0fbd520e64091873e19cc0979e8" }, { "url": "https://git.kernel.org/stable/c/cd66733932399475fe933cb3ec03e687ed401462" }, { "url": "https://git.kernel.org/stable/c/f718863aca469a109895cb855e6b81fff4827d71" } ], "title": "netfilter: nft_set_rbtree: fix overlap expiration walk", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53304", "datePublished": "2025-09-16T16:11:44.147Z", "dateReserved": "2025-09-16T08:09:37.994Z", "dateUpdated": "2025-09-16T16:11:44.147Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39823 (GCVE-0-2025-39823)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: use array_index_nospec with indices that come from guest
min and dest_id are guest-controlled indices. Using array_index_nospec()
after the bounds checks clamps these values to mitigate speculative execution
side-channels.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 4180bf1b655a791a0a6ef93a2ffffc762722c782 Version: 4180bf1b655a791a0a6ef93a2ffffc762722c782 Version: 4180bf1b655a791a0a6ef93a2ffffc762722c782 Version: 4180bf1b655a791a0a6ef93a2ffffc762722c782 Version: 4180bf1b655a791a0a6ef93a2ffffc762722c782 Version: 4180bf1b655a791a0a6ef93a2ffffc762722c782 Version: 4180bf1b655a791a0a6ef93a2ffffc762722c782 Version: 4180bf1b655a791a0a6ef93a2ffffc762722c782
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/x86/kvm/lapic.c", "arch/x86/kvm/x86.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "72777fc31aa7ab2ce00f44bfa3929c6eabbeaf48", "status": "affected", "version": "4180bf1b655a791a0a6ef93a2ffffc762722c782", "versionType": "git" }, { "lessThan": "31a0ad2f60cb4816e06218b63e695eb72ce74974", "status": "affected", "version": "4180bf1b655a791a0a6ef93a2ffffc762722c782", "versionType": "git" }, { "lessThan": "d51e381beed5e2f50f85f49f6c90e023754efa12", "status": "affected", "version": "4180bf1b655a791a0a6ef93a2ffffc762722c782", "versionType": "git" }, { "lessThan": "33e974c2d5a82b2f9d9ba0ad9cbaabc1c8e3985f", "status": "affected", "version": "4180bf1b655a791a0a6ef93a2ffffc762722c782", "versionType": "git" }, { "lessThan": "f49161646e03d107ce81a99c6ca5da682fe5fb69", "status": "affected", "version": "4180bf1b655a791a0a6ef93a2ffffc762722c782", "versionType": "git" }, { "lessThan": "67a05679621b7f721bdba37a5d18665d3aceb695", "status": "affected", "version": "4180bf1b655a791a0a6ef93a2ffffc762722c782", "versionType": "git" }, { "lessThan": "f57a4bd8d6cb5af05b8ac1be9098e249034639fb", "status": "affected", "version": "4180bf1b655a791a0a6ef93a2ffffc762722c782", "versionType": "git" }, { "lessThan": "c87bd4dd43a624109c3cc42d843138378a7f4548", "status": "affected", "version": "4180bf1b655a791a0a6ef93a2ffffc762722c782", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/x86/kvm/lapic.c", "arch/x86/kvm/x86.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.19" }, { "lessThan": "4.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.298", "versionType": 
"semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.242", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.191", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.298", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.242", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.191", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "4.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "4.19", 
"vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: use array_index_nospec with indices that come from guest\n\nmin and dest_id are guest-controlled indices. Using array_index_nospec()\nafter the bounds checks clamps these values to mitigate speculative execution\nside-channels." } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:22.298Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/72777fc31aa7ab2ce00f44bfa3929c6eabbeaf48" }, { "url": "https://git.kernel.org/stable/c/31a0ad2f60cb4816e06218b63e695eb72ce74974" }, { "url": "https://git.kernel.org/stable/c/d51e381beed5e2f50f85f49f6c90e023754efa12" }, { "url": "https://git.kernel.org/stable/c/33e974c2d5a82b2f9d9ba0ad9cbaabc1c8e3985f" }, { "url": "https://git.kernel.org/stable/c/f49161646e03d107ce81a99c6ca5da682fe5fb69" }, { "url": "https://git.kernel.org/stable/c/67a05679621b7f721bdba37a5d18665d3aceb695" }, { "url": "https://git.kernel.org/stable/c/f57a4bd8d6cb5af05b8ac1be9098e249034639fb" }, { "url": "https://git.kernel.org/stable/c/c87bd4dd43a624109c3cc42d843138378a7f4548" } ], "title": "KVM: x86: use array_index_nospec with indices that come from guest", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39823", "datePublished": "2025-09-16T13:00:22.298Z", "dateReserved": "2025-04-16T07:20:57.139Z", "dateUpdated": "2025-09-16T13:00:22.298Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39835 (GCVE-0-2025-39835)
Vulnerability from cvelistv5
Published
2025-09-16 13:08
Modified
2025-09-16 13:08
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: do not propagate ENODATA disk errors into xattr code
ENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code;
namely, that the requested attribute name could not be found.
However, a medium error from disk may also return ENODATA. At best,
this medium error may escape to userspace as "attribute not found"
when in fact it's an IO (disk) error.
At worst, we may oops in xfs_attr_leaf_get() when we do:
    error = xfs_attr_leaf_hasname(args, &bp);
    if (error == -ENOATTR) {
        xfs_trans_brelse(args->trans, bp);
        return error;
    }
because an ENODATA/ENOATTR error from disk leaves us with a null bp,
and the xfs_trans_brelse will then null-deref it.
As discussed on the list, we really need to modify the lower level
IO functions to trap all disk errors and ensure that we don't let
unique errors like this leak up into higher xfs functions - many
like this should be remapped to EIO.
However, this patch directly addresses a reported bug in the xattr
code, and should be safe to backport to stable kernels. A larger-scope
patch to handle more unique errors at lower levels can follow later.
(Note, prior to 07120f1abdff we did not oops, but we did return the
wrong error code to userspace.)
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 07120f1abdff80f3d1351f733661abe28d609535 Version: 07120f1abdff80f3d1351f733661abe28d609535 Version: 07120f1abdff80f3d1351f733661abe28d609535 Version: 07120f1abdff80f3d1351f733661abe28d609535 Version: 07120f1abdff80f3d1351f733661abe28d609535 Version: 07120f1abdff80f3d1351f733661abe28d609535 Version: 07120f1abdff80f3d1351f733661abe28d609535
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/xfs/libxfs/xfs_attr_remote.c", "fs/xfs/libxfs/xfs_da_btree.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "157ddfb05961c68ab7d457a462822a698e4e4bf4", "status": "affected", "version": "07120f1abdff80f3d1351f733661abe28d609535", "versionType": "git" }, { "lessThan": "90bae69c2959c39912f0c2f07a9a7894f3fc49f5", "status": "affected", "version": "07120f1abdff80f3d1351f733661abe28d609535", "versionType": "git" }, { "lessThan": "e358d4b6225e4c1eb208686a05e360ef8df59e07", "status": "affected", "version": "07120f1abdff80f3d1351f733661abe28d609535", "versionType": "git" }, { "lessThan": "d3cc7476b89fb45b7e00874f4f56f6b928467c60", "status": "affected", "version": "07120f1abdff80f3d1351f733661abe28d609535", "versionType": "git" }, { "lessThan": "dcdf36f1b67884c722abce9b8946e34ffb9f67c8", "status": "affected", "version": "07120f1abdff80f3d1351f733661abe28d609535", "versionType": "git" }, { "lessThan": "39fc2742ca14f7fbc621ce9b43bcbd00248cb9a8", "status": "affected", "version": "07120f1abdff80f3d1351f733661abe28d609535", "versionType": "git" }, { "lessThan": "ae668cd567a6a7622bc813ee0bb61c42bed61ba7", "status": "affected", "version": "07120f1abdff80f3d1351f733661abe28d609535", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/xfs/libxfs/xfs_attr_remote.c", "fs/xfs/libxfs/xfs_da_btree.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.9" }, { "lessThan": "5.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.242", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.191", "versionType": "semver" }, { 
"lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.242", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.191", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "5.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "5.9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: do not propagate ENODATA disk errors into xattr code\n\nENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code;\nnamely, that the requested attribute name could not be 
found.\n\nHowever, a medium error from disk may also return ENODATA. At best,\nthis medium error may escape to userspace as \"attribute not found\"\nwhen in fact it\u0027s an IO (disk) error.\n\nAt worst, we may oops in xfs_attr_leaf_get() when we do:\n\n\terror = xfs_attr_leaf_hasname(args, \u0026bp);\n\tif (error == -ENOATTR) {\n\t\txfs_trans_brelse(args-\u003etrans, bp);\n\t\treturn error;\n\t}\n\nbecause an ENODATA/ENOATTR error from disk leaves us with a null bp,\nand the xfs_trans_brelse will then null-deref it.\n\nAs discussed on the list, we really need to modify the lower level\nIO functions to trap all disk errors and ensure that we don\u0027t let\nunique errors like this leak up into higher xfs functions - many\nlike this should be remapped to EIO.\n\nHowever, this patch directly addresses a reported bug in the xattr\ncode, and should be safe to backport to stable kernels. A larger-scope\npatch to handle more unique errors at lower levels can follow later.\n\n(Note, prior to 07120f1abdff we did not oops, but we did return the\nwrong error code to userspace.)" } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:08:51.599Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/157ddfb05961c68ab7d457a462822a698e4e4bf4" }, { "url": "https://git.kernel.org/stable/c/90bae69c2959c39912f0c2f07a9a7894f3fc49f5" }, { "url": "https://git.kernel.org/stable/c/e358d4b6225e4c1eb208686a05e360ef8df59e07" }, { "url": "https://git.kernel.org/stable/c/d3cc7476b89fb45b7e00874f4f56f6b928467c60" }, { "url": "https://git.kernel.org/stable/c/dcdf36f1b67884c722abce9b8946e34ffb9f67c8" }, { "url": "https://git.kernel.org/stable/c/39fc2742ca14f7fbc621ce9b43bcbd00248cb9a8" }, { "url": "https://git.kernel.org/stable/c/ae668cd567a6a7622bc813ee0bb61c42bed61ba7" } ], "title": "xfs: do not propagate ENODATA disk errors into xattr code", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { 
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39835", "datePublished": "2025-09-16T13:08:51.599Z", "dateReserved": "2025-04-16T07:20:57.141Z", "dateUpdated": "2025-09-16T13:08:51.599Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50343 (GCVE-0-2022-50343)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
rapidio: fix possible name leaks when rio_add_device() fails
Patch series "rapidio: fix three possible memory leaks".
This patchset fixes three name leaks in error handling.
- patch #1 fixes two name leaks while rio_add_device() fails.
- patch #2 fixes a name leak while rio_register_mport() fails.
This patch (of 2):
If rio_add_device() returns an error, the name allocated by dev_set_name()
needs to be freed. It should use put_device() to give up the reference in the
error path, so that the name can be freed in kobject_cleanup(), and the
'rdev' can be freed in rio_release_dev().
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1fa5ae857bb14f6046205171d98506d8112dd74e Version: 1fa5ae857bb14f6046205171d98506d8112dd74e Version: 1fa5ae857bb14f6046205171d98506d8112dd74e Version: 1fa5ae857bb14f6046205171d98506d8112dd74e Version: 1fa5ae857bb14f6046205171d98506d8112dd74e Version: 1fa5ae857bb14f6046205171d98506d8112dd74e Version: 1fa5ae857bb14f6046205171d98506d8112dd74e Version: 1fa5ae857bb14f6046205171d98506d8112dd74e Version: 1fa5ae857bb14f6046205171d98506d8112dd74e
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/rapidio/devices/rio_mport_cdev.c", "drivers/rapidio/rio-scan.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "3b4676f274a6b5d001176f15d0542100bbf4b59a", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "c482cb0deb57924335103fe592c379a076d867f8", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "80fad2e53eaed2b3a2ff596575f65669e13ceda5", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "440afd7fd9b164fdde6fc9da8c47d3d7f20dcce8", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "88fa351b20ca300693a206ccd3c4b0e0647944d8", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "ec3f04f74f50d0b6bac04d795c93c2b852753a7a", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "c413f65011ff8caffabcde0e1c3ceede48a48d6f", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "85fbf58b15c09d3a6a03098c1e42ebfe9002f39d", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" }, { "lessThan": "f9574cd48679926e2a569e1957a5a1bcc8a719ac", "status": "affected", "version": "1fa5ae857bb14f6046205171d98506d8112dd74e", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/rapidio/devices/rio_mport_cdev.c", "drivers/rapidio/rio-scan.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": 
"affected", "version": "2.6.30" }, { "lessThan": "2.6.30", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.337", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.303", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.270", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.337", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.303", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.270", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", 
"versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "2.6.30", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "2.6.30", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: fix possible name leaks when rio_add_device() fails\n\nPatch series \"rapidio: fix three possible memory leaks\".\n\nThis patchset fixes three name leaks in error handling.\n - patch #1 fixes two name leaks while rio_add_device() fails.\n - patch #2 fixes a name leak while rio_register_mport() fails.\n\n\nThis patch (of 2):\n\nIf rio_add_device() returns error, the name allocated by dev_set_name()\nneed be freed. It should use put_device() to give up the reference in the\nerror path, so that the name can be freed in kobject_cleanup(), and the\n\u0027rdev\u0027 can be freed in rio_release_dev()." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:35.603Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/3b4676f274a6b5d001176f15d0542100bbf4b59a" }, { "url": "https://git.kernel.org/stable/c/c482cb0deb57924335103fe592c379a076d867f8" }, { "url": "https://git.kernel.org/stable/c/80fad2e53eaed2b3a2ff596575f65669e13ceda5" }, { "url": "https://git.kernel.org/stable/c/440afd7fd9b164fdde6fc9da8c47d3d7f20dcce8" }, { "url": "https://git.kernel.org/stable/c/88fa351b20ca300693a206ccd3c4b0e0647944d8" }, { "url": "https://git.kernel.org/stable/c/ec3f04f74f50d0b6bac04d795c93c2b852753a7a" }, { "url": "https://git.kernel.org/stable/c/c413f65011ff8caffabcde0e1c3ceede48a48d6f" }, { "url": "https://git.kernel.org/stable/c/85fbf58b15c09d3a6a03098c1e42ebfe9002f39d" }, { "url": "https://git.kernel.org/stable/c/f9574cd48679926e2a569e1957a5a1bcc8a719ac" } ], "title": "rapidio: fix possible name leaks when rio_add_device() fails", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50343", "datePublished": "2025-09-16T16:11:22.514Z", "dateReserved": "2025-09-16T16:03:27.881Z", "dateUpdated": "2025-09-16T16:11:35.603Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53319 (GCVE-0-2023-53319)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm
Currently there is no synchronisation between finalize_pkvm() and
kvm_arm_init() initcalls. The finalize_pkvm() proceeds happily even if
kvm_arm_init() fails resulting in the following warning on all the CPUs
and eventually a HYP panic:
| kvm [1]: IPA Size Limit: 48 bits
| kvm [1]: Failed to init hyp memory protection
| kvm [1]: error initializing Hyp mode: -22
|
| <snip>
|
| WARNING: CPU: 0 PID: 0 at arch/arm64/kvm/pkvm.c:226 _kvm_host_prot_finalize+0x30/0x50
| Modules linked in:
| CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0 #237
| Hardware name: FVP Base RevC (DT)
| pstate: 634020c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
| pc : _kvm_host_prot_finalize+0x30/0x50
| lr : __flush_smp_call_function_queue+0xd8/0x230
|
| Call trace:
| _kvm_host_prot_finalize+0x3c/0x50
| on_each_cpu_cond_mask+0x3c/0x6c
| pkvm_drop_host_privileges+0x4c/0x78
| finalize_pkvm+0x3c/0x5c
| do_one_initcall+0xcc/0x240
| do_initcall_level+0x8c/0xac
| do_initcalls+0x54/0x94
| do_basic_setup+0x1c/0x28
| kernel_init_freeable+0x100/0x16c
| kernel_init+0x20/0x1a0
| ret_from_fork+0x10/0x20
| Failed to finalize Hyp protection: -22
| dtb=fvp-base-revc.dtb
| kvm [95]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:540!
| kvm [95]: nVHE call trace:
| kvm [95]: [<ffff800081052984>] __kvm_nvhe_hyp_panic+0xac/0xf8
| kvm [95]: [<ffff800081059644>] __kvm_nvhe_handle_host_mem_abort+0x1a0/0x2ac
| kvm [95]: [<ffff80008105511c>] __kvm_nvhe_handle_trap+0x4c/0x160
| kvm [95]: [<ffff8000810540fc>] __kvm_nvhe___skip_pauth_save+0x4/0x4
| kvm [95]: ---[ end nVHE call trace ]---
| kvm [95]: Hyp Offset: 0xfffe8db00ffa0000
| Kernel panic - not syncing: HYP panic:
| PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800
| FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000
| VCPU:0000000000000000
| CPU: 3 PID: 95 Comm: kworker/u16:2 Tainted: G W 6.4.0 #237
| Hardware name: FVP Base RevC (DT)
| Workqueue: rpciod rpc_async_schedule
| Call trace:
| dump_backtrace+0xec/0x108
| show_stack+0x18/0x2c
| dump_stack_lvl+0x50/0x68
| dump_stack+0x18/0x24
| panic+0x138/0x33c
| nvhe_hyp_panic_handler+0x100/0x184
| new_slab+0x23c/0x54c
| ___slab_alloc+0x3e4/0x770
| kmem_cache_alloc_node+0x1f0/0x278
| __alloc_skb+0xdc/0x294
| tcp_stream_alloc_skb+0x2c/0xf0
| tcp_sendmsg_locked+0x3d0/0xda4
| tcp_sendmsg+0x38/0x5c
| inet_sendmsg+0x44/0x60
| sock_sendmsg+0x1c/0x34
| xprt_sock_sendmsg+0xdc/0x274
| xs_tcp_send_request+0x1ac/0x28c
| xprt_transmit+0xcc/0x300
| call_transmit+0x78/0x90
| __rpc_execute+0x114/0x3d8
| rpc_async_schedule+0x28/0x48
| process_one_work+0x1d8/0x314
| worker_thread+0x248/0x474
| kthread+0xfc/0x184
| ret_from_fork+0x10/0x20
| SMP: stopping secondary CPUs
| Kernel Offset: 0x57c5cb460000 from 0xffff800080000000
| PHYS_OFFSET: 0x80000000
| CPU features: 0x00000000,1035b7a3,ccfe773f
| Memory Limit: none
| ---[ end Kernel panic - not syncing: HYP panic:
| PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800
| FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000
| VCPU:0000000000000000 ]---
Fix it by checking for the successful initialisation of kvm_arm_init()
in finalize_pkvm() before proceeding any further.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "arch/arm64/include/asm/virt.h", "arch/arm64/kvm/arm.c", "arch/arm64/kvm/pkvm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "91450dec0445f4d12f960ba68d8d05c3cb2ab5b8", "status": "affected", "version": "87727ba2bb05cc3cb4233231faa7ab4c7eeb6c73", "versionType": "git" }, { "lessThan": "fa729bc7c9c8c17a2481358c841ef8ca920485d3", "status": "affected", "version": "87727ba2bb05cc3cb4233231faa7ab4c7eeb6c73", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "arch/arm64/include/asm/virt.h", "arch/arm64/kvm/arm.c", "arch/arm64/kvm/pkvm.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.4" }, { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.4.*", "status": "unaffected", "version": "6.4.8", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.5", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4.8", "versionStartIncluding": "6.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5", "versionStartIncluding": "6.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm\n\nCurrently there is no synchronisation between finalize_pkvm() and\nkvm_arm_init() initcalls. 
The finalize_pkvm() proceeds happily even if\nkvm_arm_init() fails resulting in the following warning on all the CPUs\nand eventually a HYP panic:\n\n | kvm [1]: IPA Size Limit: 48 bits\n | kvm [1]: Failed to init hyp memory protection\n | kvm [1]: error initializing Hyp mode: -22\n |\n | \u003csnip\u003e\n |\n | WARNING: CPU: 0 PID: 0 at arch/arm64/kvm/pkvm.c:226 _kvm_host_prot_finalize+0x30/0x50\n | Modules linked in:\n | CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0 #237\n | Hardware name: FVP Base RevC (DT)\n | pstate: 634020c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n | pc : _kvm_host_prot_finalize+0x30/0x50\n | lr : __flush_smp_call_function_queue+0xd8/0x230\n |\n | Call trace:\n | _kvm_host_prot_finalize+0x3c/0x50\n | on_each_cpu_cond_mask+0x3c/0x6c\n | pkvm_drop_host_privileges+0x4c/0x78\n | finalize_pkvm+0x3c/0x5c\n | do_one_initcall+0xcc/0x240\n | do_initcall_level+0x8c/0xac\n | do_initcalls+0x54/0x94\n | do_basic_setup+0x1c/0x28\n | kernel_init_freeable+0x100/0x16c\n | kernel_init+0x20/0x1a0\n | ret_from_fork+0x10/0x20\n | Failed to finalize Hyp protection: -22\n | dtb=fvp-base-revc.dtb\n | kvm [95]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:540!\n | kvm [95]: nVHE call trace:\n | kvm [95]: [\u003cffff800081052984\u003e] __kvm_nvhe_hyp_panic+0xac/0xf8\n | kvm [95]: [\u003cffff800081059644\u003e] __kvm_nvhe_handle_host_mem_abort+0x1a0/0x2ac\n | kvm [95]: [\u003cffff80008105511c\u003e] __kvm_nvhe_handle_trap+0x4c/0x160\n | kvm [95]: [\u003cffff8000810540fc\u003e] __kvm_nvhe___skip_pauth_save+0x4/0x4\n | kvm [95]: ---[ end nVHE call trace ]---\n | kvm [95]: Hyp Offset: 0xfffe8db00ffa0000\n | Kernel panic - not syncing: HYP panic:\n | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800\n | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000\n | VCPU:0000000000000000\n | CPU: 3 PID: 95 Comm: kworker/u16:2 Tainted: G W 6.4.0 #237\n | Hardware name: FVP Base RevC (DT)\n | Workqueue: rpciod rpc_async_schedule\n | Call trace:\n 
| dump_backtrace+0xec/0x108\n | show_stack+0x18/0x2c\n | dump_stack_lvl+0x50/0x68\n | dump_stack+0x18/0x24\n | panic+0x138/0x33c\n | nvhe_hyp_panic_handler+0x100/0x184\n | new_slab+0x23c/0x54c\n | ___slab_alloc+0x3e4/0x770\n | kmem_cache_alloc_node+0x1f0/0x278\n | __alloc_skb+0xdc/0x294\n | tcp_stream_alloc_skb+0x2c/0xf0\n | tcp_sendmsg_locked+0x3d0/0xda4\n | tcp_sendmsg+0x38/0x5c\n | inet_sendmsg+0x44/0x60\n | sock_sendmsg+0x1c/0x34\n | xprt_sock_sendmsg+0xdc/0x274\n | xs_tcp_send_request+0x1ac/0x28c\n | xprt_transmit+0xcc/0x300\n | call_transmit+0x78/0x90\n | __rpc_execute+0x114/0x3d8\n | rpc_async_schedule+0x28/0x48\n | process_one_work+0x1d8/0x314\n | worker_thread+0x248/0x474\n | kthread+0xfc/0x184\n | ret_from_fork+0x10/0x20\n | SMP: stopping secondary CPUs\n | Kernel Offset: 0x57c5cb460000 from 0xffff800080000000\n | PHYS_OFFSET: 0x80000000\n | CPU features: 0x00000000,1035b7a3,ccfe773f\n | Memory Limit: none\n | ---[ end Kernel panic - not syncing: HYP panic:\n | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800\n | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000\n | VCPU:0000000000000000 ]---\n\nFix it by checking for the successfull initialisation of kvm_arm_init()\nin finalize_pkvm() before proceeding any futher." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:55.490Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/91450dec0445f4d12f960ba68d8d05c3cb2ab5b8" }, { "url": "https://git.kernel.org/stable/c/fa729bc7c9c8c17a2481358c841ef8ca920485d3" } ], "title": "KVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53319", "datePublished": "2025-09-16T16:11:55.490Z", "dateReserved": "2025-09-16T16:08:59.563Z", "dateUpdated": "2025-09-16T16:11:55.490Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50340 (GCVE-0-2022-50340)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: vimc: Fix wrong function called when vimc_init() fails
In vimc_init(), when platform_driver_register(&vimc_pdrv) fails,
platform_driver_unregister(&vimc_pdrv) is wrongly called rather than
platform_device_unregister(&vimc_pdev), which causes kernel warning:
Unexpected driver unregister!
WARNING: CPU: 1 PID: 14517 at drivers/base/driver.c:270 driver_unregister+0x8f/0xb0
RIP: 0010:driver_unregister+0x8f/0xb0
Call Trace:
<TASK>
vimc_init+0x7d/0x1000 [vimc]
do_one_initcall+0xd0/0x4e0
do_init_module+0x1cf/0x6b0
load_module+0x65c2/0x7820
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 4a29b70907496aa9da79112ec31cf9cf2b972c3f Version: 4a29b70907496aa9da79112ec31cf9cf2b972c3f Version: 4a29b70907496aa9da79112ec31cf9cf2b972c3f Version: 4a29b70907496aa9da79112ec31cf9cf2b972c3f Version: 4a29b70907496aa9da79112ec31cf9cf2b972c3f
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/media/test-drivers/vimc/vimc-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "14d85b600bb1f6f8ef61fa8fc1907e2e623d8350", "status": "affected", "version": "4a29b70907496aa9da79112ec31cf9cf2b972c3f", "versionType": "git" }, { "lessThan": "9c9ff35d68691aaea85b2e93763772e23930b3a3", "status": "affected", "version": "4a29b70907496aa9da79112ec31cf9cf2b972c3f", "versionType": "git" }, { "lessThan": "681ac2902039d9b497b3ae18fdc204314979e61e", "status": "affected", "version": "4a29b70907496aa9da79112ec31cf9cf2b972c3f", "versionType": "git" }, { "lessThan": "f38df8984ef1b45ba23888d0e232cc21a95bd04b", "status": "affected", "version": "4a29b70907496aa9da79112ec31cf9cf2b972c3f", "versionType": "git" }, { "lessThan": "f74d3f326d1d5b8951ce263c59a121ecfa65e7c0", "status": "affected", "version": "4a29b70907496aa9da79112ec31cf9cf2b972c3f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/media/test-drivers/vimc/vimc-core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.13" }, { "lessThan": "4.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { 
"cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "4.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "4.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "4.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "4.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "4.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vimc: Fix wrong function called when vimc_init() fails\n\nIn vimc_init(), when platform_driver_register(\u0026vimc_pdrv) fails,\nplatform_driver_unregister(\u0026vimc_pdrv) is wrongly called rather than\nplatform_device_unregister(\u0026vimc_pdev), which causes kernel warning:\n\n Unexpected driver unregister!\n WARNING: CPU: 1 PID: 14517 at drivers/base/driver.c:270 driver_unregister+0x8f/0xb0\n RIP: 0010:driver_unregister+0x8f/0xb0\n Call Trace:\n \u003cTASK\u003e\n vimc_init+0x7d/0x1000 [vimc]\n do_one_initcall+0xd0/0x4e0\n do_init_module+0x1cf/0x6b0\n load_module+0x65c2/0x7820" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:31.555Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/14d85b600bb1f6f8ef61fa8fc1907e2e623d8350" }, { "url": "https://git.kernel.org/stable/c/9c9ff35d68691aaea85b2e93763772e23930b3a3" }, { "url": "https://git.kernel.org/stable/c/681ac2902039d9b497b3ae18fdc204314979e61e" }, { "url": 
"https://git.kernel.org/stable/c/f38df8984ef1b45ba23888d0e232cc21a95bd04b" }, { "url": "https://git.kernel.org/stable/c/f74d3f326d1d5b8951ce263c59a121ecfa65e7c0" } ], "title": "media: vimc: Fix wrong function called when vimc_init() fails", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50340", "datePublished": "2025-09-16T16:11:19.986Z", "dateReserved": "2025-09-16T16:03:27.881Z", "dateUpdated": "2025-09-16T16:11:31.555Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50342 (GCVE-0-2022-50342)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
floppy: Fix memory leak in do_floppy_init()
A memory leak was reported when floppy_alloc_disk() failed in
do_floppy_init().
unreferenced object 0xffff888115ed25a0 (size 8):
comm "modprobe", pid 727, jiffies 4295051278 (age 25.529s)
hex dump (first 8 bytes):
00 ac 67 5b 81 88 ff ff ..g[....
backtrace:
[<000000007f457abb>] __kmalloc_node+0x4c/0xc0
[<00000000a87bfa9e>] blk_mq_realloc_tag_set_tags.part.0+0x6f/0x180
[<000000006f02e8b1>] blk_mq_alloc_tag_set+0x573/0x1130
[<0000000066007fd7>] 0xffffffffc06b8b08
[<0000000081f5ac40>] do_one_initcall+0xd0/0x4f0
[<00000000e26d04ee>] do_init_module+0x1a4/0x680
[<000000001bb22407>] load_module+0x6249/0x7110
[<00000000ad31ac4d>] __do_sys_finit_module+0x140/0x200
[<000000007bddca46>] do_syscall_64+0x35/0x80
[<00000000b5afec39>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
unreferenced object 0xffff88810fc30540 (size 32):
comm "modprobe", pid 727, jiffies 4295051278 (age 25.529s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000007f457abb>] __kmalloc_node+0x4c/0xc0
[<000000006b91eab4>] blk_mq_alloc_tag_set+0x393/0x1130
[<0000000066007fd7>] 0xffffffffc06b8b08
[<0000000081f5ac40>] do_one_initcall+0xd0/0x4f0
[<00000000e26d04ee>] do_init_module+0x1a4/0x680
[<000000001bb22407>] load_module+0x6249/0x7110
[<00000000ad31ac4d>] __do_sys_finit_module+0x140/0x200
[<000000007bddca46>] do_syscall_64+0x35/0x80
[<00000000b5afec39>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
If floppy_alloc_disk() fails, the disks of the current drive will not be set,
thus the latest allocated set->tag cannot be freed in the error handling
path. A simple call graph is shown below:
floppy_module_init()
  floppy_init()
    do_floppy_init()
      for (drive = 0; drive < N_DRIVE; drive++)
        blk_mq_alloc_tag_set()
          blk_mq_alloc_tag_set_tags()
            blk_mq_realloc_tag_set_tags() # set->tag allocated
        floppy_alloc_disk()
          blk_mq_alloc_disk() # error occurred, disks failed to allocated

      ->out_put_disk:
      for (drive = 0; drive < N_DRIVE; drive++)
        if (!disks[drive][0]) # the last disks is not set and loop break
          break;
        blk_mq_free_tag_set() # the latest allocated set->tag leaked
Fix this problem by freeing the set->tag of the current drive before jumping to
the error handling path.
[efremov: added stable list, changed title]
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/block/floppy.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "f36d8c8651506aea5f09899f5356ece5d1384f50", "status": "affected", "version": "302cfee150291c6cd85b1ca197d062d0b423d09c", "versionType": "git" }, { "lessThan": "75d8c8851a4da0190c2480e84315b5fd3d0356c5", "status": "affected", "version": "302cfee150291c6cd85b1ca197d062d0b423d09c", "versionType": "git" }, { "lessThan": "55b3c66a0d441cd37154ae95e44d0b82ccfd580e", "status": "affected", "version": "302cfee150291c6cd85b1ca197d062d0b423d09c", "versionType": "git" }, { "lessThan": "f8ace2e304c5dd8a7328db9cd2b8a4b1b98d83ec", "status": "affected", "version": "302cfee150291c6cd85b1ca197d062d0b423d09c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/block/floppy.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.11" }, { "lessThan": "5.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "5.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "5.11", "vulnerable": 
true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "5.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "5.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfloppy: Fix memory leak in do_floppy_init()\n\nA memory leak was reported when floppy_alloc_disk() failed in\ndo_floppy_init().\n\nunreferenced object 0xffff888115ed25a0 (size 8):\n comm \"modprobe\", pid 727, jiffies 4295051278 (age 25.529s)\n hex dump (first 8 bytes):\n 00 ac 67 5b 81 88 ff ff ..g[....\n backtrace:\n [\u003c000000007f457abb\u003e] __kmalloc_node+0x4c/0xc0\n [\u003c00000000a87bfa9e\u003e] blk_mq_realloc_tag_set_tags.part.0+0x6f/0x180\n [\u003c000000006f02e8b1\u003e] blk_mq_alloc_tag_set+0x573/0x1130\n [\u003c0000000066007fd7\u003e] 0xffffffffc06b8b08\n [\u003c0000000081f5ac40\u003e] do_one_initcall+0xd0/0x4f0\n [\u003c00000000e26d04ee\u003e] do_init_module+0x1a4/0x680\n [\u003c000000001bb22407\u003e] load_module+0x6249/0x7110\n [\u003c00000000ad31ac4d\u003e] __do_sys_finit_module+0x140/0x200\n [\u003c000000007bddca46\u003e] do_syscall_64+0x35/0x80\n [\u003c00000000b5afec39\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\nunreferenced object 0xffff88810fc30540 (size 32):\n comm \"modprobe\", pid 727, jiffies 4295051278 (age 25.529s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003c000000007f457abb\u003e] __kmalloc_node+0x4c/0xc0\n [\u003c000000006b91eab4\u003e] blk_mq_alloc_tag_set+0x393/0x1130\n [\u003c0000000066007fd7\u003e] 0xffffffffc06b8b08\n [\u003c0000000081f5ac40\u003e] do_one_initcall+0xd0/0x4f0\n [\u003c00000000e26d04ee\u003e] 
do_init_module+0x1a4/0x680\n [\u003c000000001bb22407\u003e] load_module+0x6249/0x7110\n [\u003c00000000ad31ac4d\u003e] __do_sys_finit_module+0x140/0x200\n [\u003c000000007bddca46\u003e] do_syscall_64+0x35/0x80\n [\u003c00000000b5afec39\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nIf the floppy_alloc_disk() failed, disks of current drive will not be set,\nthus the lastest allocated set-\u003etag cannot be freed in the error handling\npath. A simple call graph shown as below:\n\n floppy_module_init()\n floppy_init()\n do_floppy_init()\n for (drive = 0; drive \u003c N_DRIVE; drive++)\n blk_mq_alloc_tag_set()\n blk_mq_alloc_tag_set_tags()\n blk_mq_realloc_tag_set_tags() # set-\u003etag allocated\n floppy_alloc_disk()\n blk_mq_alloc_disk() # error occurred, disks failed to allocated\n\n -\u003eout_put_disk:\n for (drive = 0; drive \u003c N_DRIVE; drive++)\n if (!disks[drive][0]) # the last disks is not set and loop break\n break;\n blk_mq_free_tag_set() # the latest allocated set-\u003etag leaked\n\nFix this problem by free the set-\u003etag of current drive before jump to\nerror handling path.\n\n[efremov: added stable list, changed title]" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:34.260Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/f36d8c8651506aea5f09899f5356ece5d1384f50" }, { "url": "https://git.kernel.org/stable/c/75d8c8851a4da0190c2480e84315b5fd3d0356c5" }, { "url": "https://git.kernel.org/stable/c/55b3c66a0d441cd37154ae95e44d0b82ccfd580e" }, { "url": "https://git.kernel.org/stable/c/f8ace2e304c5dd8a7328db9cd2b8a4b1b98d83ec" } ], "title": "floppy: Fix memory leak in do_floppy_init()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50342", "datePublished": "2025-09-16T16:11:21.665Z", "dateReserved": "2025-09-16T16:03:27.881Z", 
"dateUpdated": "2025-09-16T16:11:34.260Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50346 (GCVE-0-2022-50346)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: init quota for 'old.inode' in 'ext4_rename'
Syzbot found the following issue:
ext4_parse_param: s_want_extra_isize=128
ext4_inode_info_init: s_want_extra_isize=32
ext4_rename: old.inode=ffff88823869a2c8 old.dir=ffff888238699828 new.inode=ffff88823869d7e8 new.dir=ffff888238699828
__ext4_mark_inode_dirty: inode=ffff888238699828 ea_isize=32 want_ea_size=128
__ext4_mark_inode_dirty: inode=ffff88823869a2c8 ea_isize=32 want_ea_size=128
ext4_xattr_block_set: inode=ffff88823869a2c8
------------[ cut here ]------------
WARNING: CPU: 13 PID: 2234 at fs/ext4/xattr.c:2070 ext4_xattr_block_set.cold+0x22/0x980
Modules linked in:
RIP: 0010:ext4_xattr_block_set.cold+0x22/0x980
RSP: 0018:ffff888227d3f3b0 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffff88823007a000 RCX: 0000000000000000
RDX: 0000000000000a03 RSI: 0000000000000040 RDI: ffff888230078178
RBP: 0000000000000000 R08: 000000000000002c R09: ffffed1075c7df8e
R10: ffff8883ae3efc6b R11: ffffed1075c7df8d R12: 0000000000000000
R13: ffff88823869a2c8 R14: ffff8881012e0460 R15: dffffc0000000000
FS: 00007f350ac1f740(0000) GS:ffff8883ae200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f350a6ed6a0 CR3: 0000000237456000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? ext4_xattr_set_entry+0x3b7/0x2320
? ext4_xattr_block_set+0x0/0x2020
? ext4_xattr_set_entry+0x0/0x2320
? ext4_xattr_check_entries+0x77/0x310
? ext4_xattr_ibody_set+0x23b/0x340
ext4_xattr_move_to_block+0x594/0x720
ext4_expand_extra_isize_ea+0x59a/0x10f0
__ext4_expand_extra_isize+0x278/0x3f0
__ext4_mark_inode_dirty.cold+0x347/0x410
ext4_rename+0xed3/0x174f
vfs_rename+0x13a7/0x2510
do_renameat2+0x55d/0x920
__x64_sys_rename+0x7d/0xb0
do_syscall_64+0x3b/0xa0
entry_SYSCALL_64_after_hwframe+0x72/0xdc
'ext4_rename' will modify the 'old.inode' ctime and mark the inode dirty,
which may trigger expansion of 'extra_isize' and allocate a block. If the inode
didn't init quota, this will lead to a warning. To solve the above issue, init
'old.inode' first in 'ext4_rename'.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/ext4/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "67f6d5a4043f3db0c6bb0e14a0d97a7be8bfb8b5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "33fd7031d634f3b46e59f61adfbb0ea9fe514fef", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "7dfb8259f66faafa68d23a261b284d2c2c67649b", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "f263e349bacc2f303526dcfa61c4bc50132418b1", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "84a2f2ed49d6a4d92b354219077434c57d334620", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "def7a39091e60e1c4a2f623629082a00092602be", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "135ba9146f4d38abed48a540ef8a8770ff0bd34f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "13271fbbe85d73a7c47058f56a52f2a7f00d6e39", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fae381a3d79bb94aa2eb752170d47458d778b797", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/ext4/namei.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.337", "versionType": "semver" }, { "lessThanOrEqual": 
"4.14.*", "status": "unaffected", "version": "4.14.303", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.270", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.87", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.18", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.337", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.303", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.270", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.87", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { 
"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: init quota for \u0027old.inode\u0027 in \u0027ext4_rename\u0027\n\nSyzbot found the following issue:\next4_parse_param: s_want_extra_isize=128\next4_inode_info_init: s_want_extra_isize=32\next4_rename: old.inode=ffff88823869a2c8 old.dir=ffff888238699828 new.inode=ffff88823869d7e8 new.dir=ffff888238699828\n__ext4_mark_inode_dirty: inode=ffff888238699828 ea_isize=32 want_ea_size=128\n__ext4_mark_inode_dirty: inode=ffff88823869a2c8 ea_isize=32 want_ea_size=128\next4_xattr_block_set: inode=ffff88823869a2c8\n------------[ cut here ]------------\nWARNING: CPU: 13 PID: 2234 at fs/ext4/xattr.c:2070 ext4_xattr_block_set.cold+0x22/0x980\nModules linked in:\nRIP: 0010:ext4_xattr_block_set.cold+0x22/0x980\nRSP: 0018:ffff888227d3f3b0 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88823007a000 RCX: 0000000000000000\nRDX: 0000000000000a03 RSI: 0000000000000040 RDI: ffff888230078178\nRBP: 0000000000000000 R08: 000000000000002c R09: ffffed1075c7df8e\nR10: ffff8883ae3efc6b R11: ffffed1075c7df8d R12: 0000000000000000\nR13: ffff88823869a2c8 R14: ffff8881012e0460 R15: dffffc0000000000\nFS: 00007f350ac1f740(0000) GS:ffff8883ae200000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f350a6ed6a0 CR3: 0000000237456000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? ext4_xattr_set_entry+0x3b7/0x2320\n ? ext4_xattr_block_set+0x0/0x2020\n ? ext4_xattr_set_entry+0x0/0x2320\n ? ext4_xattr_check_entries+0x77/0x310\n ? 
ext4_xattr_ibody_set+0x23b/0x340\n ext4_xattr_move_to_block+0x594/0x720\n ext4_expand_extra_isize_ea+0x59a/0x10f0\n __ext4_expand_extra_isize+0x278/0x3f0\n __ext4_mark_inode_dirty.cold+0x347/0x410\n ext4_rename+0xed3/0x174f\n vfs_rename+0x13a7/0x2510\n do_renameat2+0x55d/0x920\n __x64_sys_rename+0x7d/0xb0\n do_syscall_64+0x3b/0xa0\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n\nAs \u0027ext4_rename\u0027 will modify \u0027old.inode\u0027 ctime and mark inode dirty,\nwhich may trigger expand \u0027extra_isize\u0027 and allocate block. If inode\ndidn\u0027t init quota will lead to warning. To solve above issue, init\n\u0027old.inode\u0027 firstly in \u0027ext4_rename\u0027." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:39.179Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/67f6d5a4043f3db0c6bb0e14a0d97a7be8bfb8b5" }, { "url": "https://git.kernel.org/stable/c/33fd7031d634f3b46e59f61adfbb0ea9fe514fef" }, { "url": "https://git.kernel.org/stable/c/7dfb8259f66faafa68d23a261b284d2c2c67649b" }, { "url": "https://git.kernel.org/stable/c/f263e349bacc2f303526dcfa61c4bc50132418b1" }, { "url": "https://git.kernel.org/stable/c/84a2f2ed49d6a4d92b354219077434c57d334620" }, { "url": "https://git.kernel.org/stable/c/def7a39091e60e1c4a2f623629082a00092602be" }, { "url": "https://git.kernel.org/stable/c/135ba9146f4d38abed48a540ef8a8770ff0bd34f" }, { "url": "https://git.kernel.org/stable/c/13271fbbe85d73a7c47058f56a52f2a7f00d6e39" }, { "url": "https://git.kernel.org/stable/c/fae381a3d79bb94aa2eb752170d47458d778b797" } ], "title": "ext4: init quota for \u0027old.inode\u0027 in \u0027ext4_rename\u0027", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50346", "datePublished": "2025-09-16T16:11:39.179Z", "dateReserved": "2025-09-16T16:03:27.882Z", "dateUpdated": 
"2025-09-16T16:11:39.179Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39810 (GCVE-0-2025-39810)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix memory corruption when FW resources change during ifdown

bnxt_set_dflt_rings() assumes that it is always called before any TC has
been created. So it doesn't take bp->num_tc into account and assumes
that it is always 0 or 1.

In the FW resource or capability change scenario, the FW will return
flags in bnxt_hwrm_if_change() that will cause the driver to
reinitialize and call bnxt_cancel_reservations(). This will lead to
bnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp->num_tc
may be greater than 1. This will cause bp->tx_ring[] to be sized too
small and cause memory corruption in bnxt_alloc_cp_rings().

Fix it by properly scaling the TX rings by bp->num_tc in the code
paths mentioned above. Add 2 helper functions to determine
bp->tx_nr_rings and bp->tx_nr_rings_per_tc.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/broadcom/bnxt/bnxt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d00e98977ef519280b075d783653e2c492fffbb6", "status": "affected", "version": "ec5d31e3c15d5233b491400133c67f78a320062c", "versionType": "git" }, { "lessThan": "9ab6a9950f152e094395d2e3967f889857daa185", "status": "affected", "version": "ec5d31e3c15d5233b491400133c67f78a320062c", "versionType": "git" }, { "lessThan": "2747328ba2714f1a7454208dbbc1dc0631990b4a", "status": "affected", "version": "ec5d31e3c15d5233b491400133c67f78a320062c", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/broadcom/bnxt/bnxt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "5.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ 
{ "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix memory corruption when FW resources change during ifdown\n\nbnxt_set_dflt_rings() assumes that it is always called before any TC has\nbeen created. So it doesn\u0027t take bp-\u003enum_tc into account and assumes\nthat it is always 0 or 1.\n\nIn the FW resource or capability change scenario, the FW will return\nflags in bnxt_hwrm_if_change() that will cause the driver to\nreinitialize and call bnxt_cancel_reservations(). This will lead to\nbnxt_init_dflt_ring_mode() calling bnxt_set_dflt_rings() and bp-\u003enum_tc\nmay be greater than 1. This will cause bp-\u003etx_ring[] to be sized too\nsmall and cause memory corruption in bnxt_alloc_cp_rings().\n\nFix it by properly scaling the TX rings by bp-\u003enum_tc in the code\npaths mentioned above. Add 2 helper functions to determine\nbp-\u003etx_nr_rings and bp-\u003etx_nr_rings_per_tc." } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:12.677Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d00e98977ef519280b075d783653e2c492fffbb6" }, { "url": "https://git.kernel.org/stable/c/9ab6a9950f152e094395d2e3967f889857daa185" }, { "url": "https://git.kernel.org/stable/c/2747328ba2714f1a7454208dbbc1dc0631990b4a" } ], "title": "bnxt_en: Fix memory corruption when FW resources change during ifdown", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39810", "datePublished": "2025-09-16T13:00:12.677Z", "dateReserved": "2025-04-16T07:20:57.137Z", "dateUpdated": "2025-09-16T13:00:12.677Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50351 (GCVE-0-2022-50351)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:

cifs: Fix xid leak in cifs_create()

If the cifs already shutdown, we should free the xid before return,
otherwise, the xid will be leaked.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/cifs/dir.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "593d877c39aa9f3fe1a4b5b022492886d7d700ec", "status": "affected", "version": "087f757b0129850c99cc9116df4909dac1bce871", "versionType": "git" }, { "lessThan": "92aa09c86ef297976a3c27c6574c0839418dc2c4", "status": "affected", "version": "087f757b0129850c99cc9116df4909dac1bce871", "versionType": "git" }, { "lessThan": "fee0fb1f15054bb6a0ede452acb42da5bef4d587", "status": "affected", "version": "087f757b0129850c99cc9116df4909dac1bce871", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/cifs/dir.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.13" }, { "lessThan": "5.13", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.76", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.6", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.76", "versionStartIncluding": "5.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.6", "versionStartIncluding": "5.13", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "5.13", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following 
vulnerability has been resolved:\n\ncifs: Fix xid leak in cifs_create()\n\nIf the cifs already shutdown, we should free the xid before return,\notherwise, the xid will be leaked." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:42.725Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/593d877c39aa9f3fe1a4b5b022492886d7d700ec" }, { "url": "https://git.kernel.org/stable/c/92aa09c86ef297976a3c27c6574c0839418dc2c4" }, { "url": "https://git.kernel.org/stable/c/fee0fb1f15054bb6a0ede452acb42da5bef4d587" } ], "title": "cifs: Fix xid leak in cifs_create()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50351", "datePublished": "2025-09-16T16:11:42.725Z", "dateReserved": "2025-09-16T16:03:27.882Z", "dateUpdated": "2025-09-16T16:11:42.725Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39824 (GCVE-0-2025-39824)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:

HID: asus: fix UAF via HID_CLAIMED_INPUT validation

After hid_hw_start() is called hidinput_connect() will eventually be
called to set up the device with the input layer since the
HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()
all input and output reports are processed and corresponding hid_inputs
are allocated and configured via hidinput_configure_usages(). This
process involves slot tagging report fields and configuring usages
by setting relevant bits in the capability bitmaps. However it is possible
that the capability bitmaps are not set at all leading to the subsequent
hidinput_has_been_populated() check to fail leading to the freeing of the
hid_input and the underlying input device.

This becomes problematic because a malicious HID device like an
ASUS ROG N-Key keyboard can trigger the above scenario via a
specially crafted descriptor which then leads to a use-after-free
when the name of the freed input device is written to later on after
hid_hw_start(). Below, report 93 intentionally utilises the
HID_UP_UNDEFINED Usage Page which is skipped during usage
configuration, leading to the frees.

0x05, 0x0D, // Usage Page (Digitizer)
0x09, 0x05, // Usage (Touch Pad)
0xA1, 0x01, // Collection (Application)
0x85, 0x0D, // Report ID (13)
0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00)
0x09, 0xC5, // Usage (0xC5)
0x15, 0x00, // Logical Minimum (0)
0x26, 0xFF, 0x00, // Logical Maximum (255)
0x75, 0x08, // Report Size (8)
0x95, 0x04, // Report Count (4)
0xB1, 0x02, // Feature (Data,Var,Abs)
0x85, 0x5D, // Report ID (93)
0x06, 0x00, 0x00, // Usage Page (Undefined)
0x09, 0x01, // Usage (0x01)
0x15, 0x00, // Logical Minimum (0)
0x26, 0xFF, 0x00, // Logical Maximum (255)
0x75, 0x08, // Report Size (8)
0x95, 0x1B, // Report Count (27)
0x81, 0x02, // Input (Data,Var,Abs)
0xC0, // End Collection

Below is the KASAN splat after triggering the UAF:

[ 21.672709] ==================================================================
[ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80
[ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54
[ 21.673700]
[ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)
[ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 21.673700] Call Trace:
[ 21.673700] <TASK>
[ 21.673700] dump_stack_lvl+0x5f/0x80
[ 21.673700] print_report+0xd1/0x660
[ 21.673700] kasan_report+0xe5/0x120
[ 21.673700] __asan_report_store8_noabort+0x1b/0x30
[ 21.673700] asus_probe+0xeeb/0xf80
[ 21.673700] hid_device_probe+0x2ee/0x700
[ 21.673700] really_probe+0x1c6/0x6b0
[ 21.673700] __driver_probe_device+0x24f/0x310
[ 21.673700] driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Allocated by task 54:
[ 21.673700] kasan_save_stack+0x3d/0x60
[ 21.673700] kasan_save_track+0x18/0x40
[ 21.673700] kasan_save_alloc_info+0x3b/0x50
[ 21.673700] __kasan_kmalloc+0x9c/0xa0
[ 21.673700] __kmalloc_cache_noprof+0x139/0x340
[ 21.673700] input_allocate_device+0x44/0x370
[ 21.673700] hidinput_connect+0xcb6/0x2630
[ 21.673700] hid_connect+0xf74/0x1d60
[ 21.673700] hid_hw_start+0x8c/0x110
[ 21.673700] asus_probe+0x5a3/0xf80
[ 21.673700] hid_device_probe+0x2ee/0x700
[ 21.673700] really_probe+0x1c6/0x6b0
[ 21.673700] __driver_probe_device+0x24f/0x310
[ 21.673700] driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Freed by task 54:
[ 21.673700] kasan_save_stack+0x3d/0x60
[ 21.673700] kasan_save_track+0x18/0x40
[ 21.673700] kasan_save_free_info+0x3f/0x60
[ 21.673700] __kasan_slab_free+0x3c/0x50
[ 21.673700] kfre
---truncated---
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 9ce12d8be12c94334634dd57050444910415e45f
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/hid-asus.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "9a9e4a8317437bf944fa017c66e1e23a0368b5c7", "status": "affected", "version": "9ce12d8be12c94334634dd57050444910415e45f", "versionType": "git" }, { "lessThan": "7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5", "status": "affected", "version": "9ce12d8be12c94334634dd57050444910415e45f", "versionType": "git" }, { "lessThan": "eaae728e7335b5dbad70966e2bd520a731fdf7b2", "status": "affected", "version": "9ce12d8be12c94334634dd57050444910415e45f", "versionType": "git" }, { "lessThan": "a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62c", "status": "affected", "version": "9ce12d8be12c94334634dd57050444910415e45f", "versionType": "git" }, { "lessThan": "5f3c0839b173f7f33415eb098331879e547d1d2d", "status": "affected", "version": "9ce12d8be12c94334634dd57050444910415e45f", "versionType": "git" }, { "lessThan": "c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1c", "status": "affected", "version": "9ce12d8be12c94334634dd57050444910415e45f", "versionType": "git" }, { "lessThan": "72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275", "status": "affected", "version": "9ce12d8be12c94334634dd57050444910415e45f", "versionType": "git" }, { "lessThan": "d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4", "status": "affected", "version": "9ce12d8be12c94334634dd57050444910415e45f", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/hid-asus.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "4.10" }, { "lessThan": "4.10", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.298", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", 
"status": "unaffected", "version": "5.10.242", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.191", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.298", "versionStartIncluding": "4.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.242", "versionStartIncluding": "4.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.191", "versionStartIncluding": "4.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "versionStartIncluding": "4.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "versionStartIncluding": "4.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "4.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "4.10", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "4.10", "vulnerable": true } ], "negate": false, 
"operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: asus: fix UAF via HID_CLAIMED_INPUT validation\n\nAfter hid_hw_start() is called hidinput_connect() will eventually be\ncalled to set up the device with the input layer since the\nHID_CONNECT_DEFAULT connect mask is used. During hidinput_connect()\nall input and output reports are processed and corresponding hid_inputs\nare allocated and configured via hidinput_configure_usages(). This\nprocess involves slot tagging report fields and configuring usages\nby setting relevant bits in the capability bitmaps. However it is possible\nthat the capability bitmaps are not set at all leading to the subsequent\nhidinput_has_been_populated() check to fail leading to the freeing of the\nhid_input and the underlying input device.\n\nThis becomes problematic because a malicious HID device like a\nASUS ROG N-Key keyboard can trigger the above scenario via a\nspecially crafted descriptor which then leads to a user-after-free\nwhen the name of the freed input device is written to later on after\nhid_hw_start(). 
Below, report 93 intentionally utilises the\nHID_UP_UNDEFINED Usage Page which is skipped during usage\nconfiguration, leading to the frees.\n\n0x05, 0x0D, // Usage Page (Digitizer)\n0x09, 0x05, // Usage (Touch Pad)\n0xA1, 0x01, // Collection (Application)\n0x85, 0x0D, // Report ID (13)\n0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00)\n0x09, 0xC5, // Usage (0xC5)\n0x15, 0x00, // Logical Minimum (0)\n0x26, 0xFF, 0x00, // Logical Maximum (255)\n0x75, 0x08, // Report Size (8)\n0x95, 0x04, // Report Count (4)\n0xB1, 0x02, // Feature (Data,Var,Abs)\n0x85, 0x5D, // Report ID (93)\n0x06, 0x00, 0x00, // Usage Page (Undefined)\n0x09, 0x01, // Usage (0x01)\n0x15, 0x00, // Logical Minimum (0)\n0x26, 0xFF, 0x00, // Logical Maximum (255)\n0x75, 0x08, // Report Size (8)\n0x95, 0x1B, // Report Count (27)\n0x81, 0x02, // Input (Data,Var,Abs)\n0xC0, // End Collection\n\nBelow is the KASAN splat after triggering the UAF:\n\n[ 21.672709] ==================================================================\n[ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80\n[ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54\n[ 21.673700]\n[ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)\n[ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\n[ 21.673700] Call Trace:\n[ 21.673700] \u003cTASK\u003e\n[ 21.673700] dump_stack_lvl+0x5f/0x80\n[ 21.673700] print_report+0xd1/0x660\n[ 21.673700] kasan_report+0xe5/0x120\n[ 21.673700] __asan_report_store8_noabort+0x1b/0x30\n[ 21.673700] asus_probe+0xeeb/0xf80\n[ 21.673700] hid_device_probe+0x2ee/0x700\n[ 21.673700] really_probe+0x1c6/0x6b0\n[ 21.673700] __driver_probe_device+0x24f/0x310\n[ 21.673700] driver_probe_device+0x4e/0x220\n[...]\n[ 21.673700]\n[ 21.673700] Allocated by task 54:\n[ 21.673700] kasan_save_stack+0x3d/0x60\n[ 21.673700] kasan_save_track+0x18/0x40\n[ 21.673700] 
kasan_save_alloc_info+0x3b/0x50\n[ 21.673700] __kasan_kmalloc+0x9c/0xa0\n[ 21.673700] __kmalloc_cache_noprof+0x139/0x340\n[ 21.673700] input_allocate_device+0x44/0x370\n[ 21.673700] hidinput_connect+0xcb6/0x2630\n[ 21.673700] hid_connect+0xf74/0x1d60\n[ 21.673700] hid_hw_start+0x8c/0x110\n[ 21.673700] asus_probe+0x5a3/0xf80\n[ 21.673700] hid_device_probe+0x2ee/0x700\n[ 21.673700] really_probe+0x1c6/0x6b0\n[ 21.673700] __driver_probe_device+0x24f/0x310\n[ 21.673700] driver_probe_device+0x4e/0x220\n[...]\n[ 21.673700]\n[ 21.673700] Freed by task 54:\n[ 21.673700] kasan_save_stack+0x3d/0x60\n[ 21.673700] kasan_save_track+0x18/0x40\n[ 21.673700] kasan_save_free_info+0x3f/0x60\n[ 21.673700] __kasan_slab_free+0x3c/0x50\n[ 21.673700] kfre\n---truncated---" } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:23.135Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/9a9e4a8317437bf944fa017c66e1e23a0368b5c7" }, { "url": "https://git.kernel.org/stable/c/7170122e2ae4ab378c9cdf7cc54dea8b0abbbca5" }, { "url": "https://git.kernel.org/stable/c/eaae728e7335b5dbad70966e2bd520a731fdf7b2" }, { "url": "https://git.kernel.org/stable/c/a8ca8fe7f516d27ece3afb995c3bd4d07dcbe62c" }, { "url": "https://git.kernel.org/stable/c/5f3c0839b173f7f33415eb098331879e547d1d2d" }, { "url": "https://git.kernel.org/stable/c/c0d77e3441a92d0b4958193c9ac1c3f81c6f1d1c" }, { "url": "https://git.kernel.org/stable/c/72a4ec018c9e9bc52f4f80eb3afb5d6a6b752275" }, { "url": "https://git.kernel.org/stable/c/d3af6ca9a8c34bbd8cff32b469b84c9021c9e7e4" } ], "title": "HID: asus: fix UAF via HID_CLAIMED_INPUT validation", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39824", "datePublished": "2025-09-16T13:00:23.135Z", "dateReserved": "2025-04-16T07:20:57.139Z", "dateUpdated": "2025-09-16T13:00:23.135Z", 
"state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53334 (GCVE-0-2023-53334)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-16 16:12
Summary
In the Linux kernel, the following vulnerability has been resolved:

USB: chipidea: fix memory leak with using debugfs_lookup()

When calling debugfs_lookup() the result must have dput() called on it,
otherwise the memory will leak over time. To make things simpler, just
call debugfs_lookup_and_remove() instead which handles all of the logic
at once.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/usb/chipidea/debug.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4322661af6d7a586a5798ab9aa443f49895b6943", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "610373dd354f3d393aa3bdcab59f55024c16b5e5", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "972e0682f6e3ee6ecf002657df4aaa511d51dd6c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "ff35f3ea3baba5b81416ac02d005cfbf6dd182fa", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/usb/chipidea/debug.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.100", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.18", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.100", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.18", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "6.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: chipidea: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:12:09.226Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4322661af6d7a586a5798ab9aa443f49895b6943" }, { "url": "https://git.kernel.org/stable/c/610373dd354f3d393aa3bdcab59f55024c16b5e5" }, { "url": "https://git.kernel.org/stable/c/972e0682f6e3ee6ecf002657df4aaa511d51dd6c" }, { "url": "https://git.kernel.org/stable/c/ff35f3ea3baba5b81416ac02d005cfbf6dd182fa" } ], "title": "USB: chipidea: fix memory leak with using debugfs_lookup()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53334", "datePublished": "2025-09-16T16:12:09.226Z", "dateReserved": "2025-09-16T16:08:59.565Z", "dateUpdated": "2025-09-16T16:12:09.226Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53317 (GCVE-0-2023-53317)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix WARNING in mb_find_extent

Syzbot found the following issue:
EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!
EXT4-fs (loop0): orphan cleanup on readonly fs
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5067 at fs/ext4/mballoc.c:1869 mb_find_extent+0x8a1/0xe30
Modules linked in:
CPU: 1 PID: 5067 Comm: syz-executor307 Not tainted 6.2.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:mb_find_extent+0x8a1/0xe30 fs/ext4/mballoc.c:1869
RSP: 0018:ffffc90003c9e098 EFLAGS: 00010293
RAX: ffffffff82405731 RBX: 0000000000000041 RCX: ffff8880783457c0
RDX: 0000000000000000 RSI: 0000000000000041 RDI: 0000000000000040
RBP: 0000000000000040 R08: ffffffff82405723 R09: ffffed10053c9402
R10: ffffed10053c9402 R11: 1ffff110053c9401 R12: 0000000000000000
R13: ffffc90003c9e538 R14: dffffc0000000000 R15: ffffc90003c9e2cc
FS: 0000555556665300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056312f6796f8 CR3: 0000000022437000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_mb_complex_scan_group+0x353/0x1100 fs/ext4/mballoc.c:2307
ext4_mb_regular_allocator+0x1533/0x3860 fs/ext4/mballoc.c:2735
ext4_mb_new_blocks+0xddf/0x3db0 fs/ext4/mballoc.c:5605
ext4_ext_map_blocks+0x1868/0x6880 fs/ext4/extents.c:4286
ext4_map_blocks+0xa49/0x1cc0 fs/ext4/inode.c:651
ext4_getblk+0x1b9/0x770 fs/ext4/inode.c:864
ext4_bread+0x2a/0x170 fs/ext4/inode.c:920
ext4_quota_write+0x225/0x570 fs/ext4/super.c:7105
write_blk fs/quota/quota_tree.c:64 [inline]
get_free_dqblk+0x34a/0x6d0 fs/quota/quota_tree.c:130
do_insert_tree+0x26b/0x1aa0 fs/quota/quota_tree.c:340
do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375
do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375
do_insert_tree+0x722/0x1aa0 fs/quota/quota_tree.c:375
dq_insert_tree fs/quota/quota_tree.c:401 [inline]
qtree_write_dquot+0x3b6/0x530 fs/quota/quota_tree.c:420
v2_write_dquot+0x11b/0x190 fs/quota/quota_v2.c:358
dquot_acquire+0x348/0x670 fs/quota/dquot.c:444
ext4_acquire_dquot+0x2dc/0x400 fs/ext4/super.c:6740
dqget+0x999/0xdc0 fs/quota/dquot.c:914
__dquot_initialize+0x3d0/0xcf0 fs/quota/dquot.c:1492
ext4_process_orphan+0x57/0x2d0 fs/ext4/orphan.c:329
ext4_orphan_cleanup+0xb60/0x1340 fs/ext4/orphan.c:474
__ext4_fill_super fs/ext4/super.c:5516 [inline]
ext4_fill_super+0x81cd/0x8700 fs/ext4/super.c:5644
get_tree_bdev+0x400/0x620 fs/super.c:1282
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Add some debug information:
mb_find_extent: mb_find_extent block=41, order=0 needed=64 next=0 ex=0/41/1@3735929054 64 64 7
block_bitmap: ff 3f 0c 00 fc 01 00 00 d2 3d 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Actually, blocks per group is 64, but the block bitmap indicates it has at least
128 blocks. Now, ext4_validate_block_bitmap() didn't check whether the bitmap bits
of invalid blocks are set.
To resolve the above issue, add a check like fsck's "Padding at end of block bitmap is
not set".
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
CVE-2023-53316 (GCVE-0-2023-53316)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: Free resources after unregistering them
The DP component's unbind operation walks through the submodules to
unregister and clean things up. But if the unbind happens because the DP
controller itself is being removed, all the memory for those submodules
has just been freed.
Change the order of these operations to avoid the many use-after-frees
that otherwise happen in this code path.
Patchwork: https://patchwork.freedesktop.org/patch/542166/
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | c943b4948b5848fc0e07f875edbd35a973879e22
CVE-2023-53313 (GCVE-0-2023-53313)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
md/raid10: fix wrong setting of max_corr_read_errors
There is no input check when echoing to md/max_read_errors, and overflow might
occur. Add a check of the input number.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | 1e50915fe0bbf7a46db0fa7e1e604d3fc95f057d
CVE-2023-53328 (GCVE-0-2023-53328)
Vulnerability from cvelistv5
Published
2025-09-16 16:12
Modified
2025-09-17 11:02
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Enhance sanity check while generating attr_list
ni_create_attr_list uses WARN_ON to catch error cases while generating
attribute list, which only prints out stack trace and may not be enough.
This replaces them with more proper error handling flow.
[ 59.666332] BUG: kernel NULL pointer dereference, address: 000000000000000e
[ 59.673268] #PF: supervisor read access in kernel mode
[ 59.678354] #PF: error_code(0x0000) - not-present page
[ 59.682831] PGD 8000000005ff1067 P4D 8000000005ff1067 PUD 7dee067 PMD 0
[ 59.688556] Oops: 0000 [#1] PREEMPT SMP KASAN PTI
[ 59.692642] CPU: 0 PID: 198 Comm: poc Tainted: G B W 6.2.0-rc1+ #4
[ 59.698868] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 59.708795] RIP: 0010:ni_create_attr_list+0x505/0x860
[ 59.713657] Code: 7e 10 e8 5e d0 d0 ff 45 0f b7 76 10 48 8d 7b 16 e8 00 d1 d0 ff 66 44 89 73 16 4d 8d 75 0e 4c 89 f7 e8 3f d0 d0 ff 4c 8d8
[ 59.731559] RSP: 0018:ffff88800a56f1e0 EFLAGS: 00010282
[ 59.735691] RAX: 0000000000000001 RBX: ffff88800b7b5088 RCX: ffffffffb83079fe
[ 59.741792] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffffbb7f9fc0
[ 59.748423] RBP: ffff88800a56f3a8 R08: ffff88800b7b50a0 R09: fffffbfff76ff3f9
[ 59.754654] R10: ffffffffbb7f9fc7 R11: fffffbfff76ff3f8 R12: ffff88800b756180
[ 59.761552] R13: 0000000000000000 R14: 000000000000000e R15: 0000000000000050
[ 59.768323] FS: 00007feaa8c96440(0000) GS:ffff88806d400000(0000) knlGS:0000000000000000
[ 59.776027] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 59.781395] CR2: 00007f3a2e0b1000 CR3: 000000000a5bc000 CR4: 00000000000006f0
[ 59.787607] Call Trace:
[ 59.790271] <TASK>
[ 59.792488] ? __pfx_ni_create_attr_list+0x10/0x10
[ 59.797235] ? kernel_text_address+0xd3/0xe0
[ 59.800856] ? unwind_get_return_address+0x3e/0x60
[ 59.805101] ? __kasan_check_write+0x18/0x20
[ 59.809296] ? preempt_count_sub+0x1c/0xd0
[ 59.813421] ni_ins_attr_ext+0x52c/0x5c0
[ 59.817034] ? __pfx_ni_ins_attr_ext+0x10/0x10
[ 59.821926] ? __vfs_setxattr+0x121/0x170
[ 59.825718] ? __vfs_setxattr_noperm+0x97/0x300
[ 59.829562] ? __vfs_setxattr_locked+0x145/0x170
[ 59.833987] ? vfs_setxattr+0x137/0x2a0
[ 59.836732] ? do_setxattr+0xce/0x150
[ 59.839807] ? setxattr+0x126/0x140
[ 59.842353] ? path_setxattr+0x164/0x180
[ 59.845275] ? __x64_sys_setxattr+0x71/0x90
[ 59.848838] ? do_syscall_64+0x3f/0x90
[ 59.851898] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 59.857046] ? stack_depot_save+0x17/0x20
[ 59.860299] ni_insert_attr+0x1ba/0x420
[ 59.863104] ? __pfx_ni_insert_attr+0x10/0x10
[ 59.867069] ? preempt_count_sub+0x1c/0xd0
[ 59.869897] ? _raw_spin_unlock_irqrestore+0x2b/0x50
[ 59.874088] ? __create_object+0x3ae/0x5d0
[ 59.877865] ni_insert_resident+0xc4/0x1c0
[ 59.881430] ? __pfx_ni_insert_resident+0x10/0x10
[ 59.886355] ? kasan_save_alloc_info+0x1f/0x30
[ 59.891117] ? __kasan_kmalloc+0x8b/0xa0
[ 59.894383] ntfs_set_ea+0x90d/0xbf0
[ 59.897703] ? __pfx_ntfs_set_ea+0x10/0x10
[ 59.901011] ? kernel_text_address+0xd3/0xe0
[ 59.905308] ? __kernel_text_address+0x16/0x50
[ 59.909811] ? unwind_get_return_address+0x3e/0x60
[ 59.914898] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 59.920250] ? arch_stack_walk+0xa2/0x100
[ 59.924560] ? filter_irq_stacks+0x27/0x80
[ 59.928722] ntfs_setxattr+0x405/0x440
[ 59.932512] ? __pfx_ntfs_setxattr+0x10/0x10
[ 59.936634] ? kvmalloc_node+0x2d/0x120
[ 59.940378] ? kasan_save_stack+0x41/0x60
[ 59.943870] ? kasan_save_stack+0x2a/0x60
[ 59.947719] ? kasan_set_track+0x29/0x40
[ 59.951417] ? kasan_save_alloc_info+0x1f/0x30
[ 59.955733] ? __kasan_kmalloc+0x8b/0xa0
[ 59.959598] ? __kmalloc_node+0x68/0x150
[ 59.963163] ? kvmalloc_node+0x2d/0x120
[ 59.966490] ? vmemdup_user+0x2b/0xa0
---truncated---
References
Impacted products
CVE-2022-50349 (GCVE-0-2022-50349)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
If device_register() returns error in tifm_7xx1_switch_media(),
name of kobject which is allocated in dev_set_name() called in device_add()
is leaked.
Never directly free @dev after calling device_register(), even
if it returned an error! Always use put_device() to give up the
reference initialized.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 Version: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 Version: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 Version: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 Version: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 Version: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 Version: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 Version: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79 Version: 2428a8fe2261e901e058d9ea8b6ed7e1b4268b79
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/misc/tifm_7xx1.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "2bbb222a54ff501f77ce593d21b76b79c905045e", "status": "affected", "version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79", "versionType": "git" }, { "lessThan": "d861b7d41b17942b337d4b87a70de7cd1dc44d4e", "status": "affected", "version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79", "versionType": "git" }, { "lessThan": "1695b1adcc3a7d985cd22fa3b55761edf3fab50d", "status": "affected", "version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79", "versionType": "git" }, { "lessThan": "ee2715faf7e7153f5142ed09aacfa89a64d45dcb", "status": "affected", "version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79", "versionType": "git" }, { "lessThan": "57c857353d5020bdec8284d9c0fee447484fe5e0", "status": "affected", "version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79", "versionType": "git" }, { "lessThan": "848c45964ded537107e010aaf353aa30a0855387", "status": "affected", "version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79", "versionType": "git" }, { "lessThan": "35abbc8406cc39e72d3ce85f6e869555afe50d54", "status": "affected", "version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79", "versionType": "git" }, { "lessThan": "ef843ee20576039126d34d6eb5f45d14c3e6ce18", "status": "affected", "version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79", "versionType": "git" }, { "lessThan": "fd2c930cf6a5b9176382c15f9acb1996e76e25ad", "status": "affected", "version": "2428a8fe2261e901e058d9ea8b6ed7e1b4268b79", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/misc/tifm_7xx1.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "2.6.22" }, { "lessThan": "2.6.22", "status": "unaffected", "version": 
"0", "versionType": "semver" }, { "lessThanOrEqual": "4.9.*", "status": "unaffected", "version": "4.9.337", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.303", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.270", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.229", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.163", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.86", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.337", "versionStartIncluding": "2.6.22", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.303", "versionStartIncluding": "2.6.22", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.270", "versionStartIncluding": "2.6.22", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.229", "versionStartIncluding": "2.6.22", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.163", "versionStartIncluding": "2.6.22", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.86", "versionStartIncluding": "2.6.22", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "versionStartIncluding": "2.6.22", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "versionStartIncluding": "2.6.22", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "versionStartIncluding": "2.6.22", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: tifm: fix possible memory leak in tifm_7xx1_switch_media()\n\nIf device_register() returns error in tifm_7xx1_switch_media(),\nname of kobject which is allocated in dev_set_name() called in device_add()\nis leaked.\n\nNever directly free @dev after calling device_register(), even\nif it returned an error! Always use put_device() to give up the\nreference initialized." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:41.340Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/2bbb222a54ff501f77ce593d21b76b79c905045e" }, { "url": "https://git.kernel.org/stable/c/d861b7d41b17942b337d4b87a70de7cd1dc44d4e" }, { "url": "https://git.kernel.org/stable/c/1695b1adcc3a7d985cd22fa3b55761edf3fab50d" }, { "url": "https://git.kernel.org/stable/c/ee2715faf7e7153f5142ed09aacfa89a64d45dcb" }, { "url": "https://git.kernel.org/stable/c/57c857353d5020bdec8284d9c0fee447484fe5e0" }, { "url": "https://git.kernel.org/stable/c/848c45964ded537107e010aaf353aa30a0855387" }, { "url": "https://git.kernel.org/stable/c/35abbc8406cc39e72d3ce85f6e869555afe50d54" }, { "url": "https://git.kernel.org/stable/c/ef843ee20576039126d34d6eb5f45d14c3e6ce18" }, { "url": "https://git.kernel.org/stable/c/fd2c930cf6a5b9176382c15f9acb1996e76e25ad" } ], "title": "misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()", 
"x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50349", "datePublished": "2025-09-16T16:11:41.340Z", "dateReserved": "2025-09-16T16:03:27.882Z", "dateUpdated": "2025-09-16T16:11:41.340Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53308 (GCVE-0-2023-53308)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fec: Better handle pm_runtime_get() failing in .remove()
In the (unlikely) event that pm_runtime_get() (disguised as
pm_runtime_resume_and_get()) fails, the remove callback returned an
error early. The problem with this is that the driver core ignores the
error value and continues removing the device. This results in a
resource leak. Worse the devm allocated resources are freed and so if a
callback of the driver is called later the register mapping is already
gone which probably results in a crash.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 982d424239d7fae74938557428d45c717567ea9b Version: 04748841f7a02ec6ff07fadfc5d1f8e24e61946d Version: a31eda65ba210741b598044d045480494d0ed52a Version: a31eda65ba210741b598044d045480494d0ed52a Version: a31eda65ba210741b598044d045480494d0ed52a Version: a31eda65ba210741b598044d045480494d0ed52a Version: a31eda65ba210741b598044d045480494d0ed52a Version: a31eda65ba210741b598044d045480494d0ed52a Version: d961a58dcc9778948502847303d29d018a49710a Version: d9c7531fb4708eb3f22cccdb0b7371834d37555a
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/freescale/fec_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d52a0cca591e899d4e5c8ab19e067b4c6b7d104f", "status": "affected", "version": "982d424239d7fae74938557428d45c717567ea9b", "versionType": "git" }, { "lessThan": "be85912c36ddca3e8b2eef1b5392cd8db6bdb730", "status": "affected", "version": "04748841f7a02ec6ff07fadfc5d1f8e24e61946d", "versionType": "git" }, { "lessThan": "b22b514209ff8c4287abb853399890ab97e1b5ca", "status": "affected", "version": "a31eda65ba210741b598044d045480494d0ed52a", "versionType": "git" }, { "lessThan": "83996d317b1deddc85006376082e8886f55aa709", "status": "affected", "version": "a31eda65ba210741b598044d045480494d0ed52a", "versionType": "git" }, { "lessThan": "c1bc2870f14e526a01897e14c747a0a0ca125231", "status": "affected", "version": "a31eda65ba210741b598044d045480494d0ed52a", "versionType": "git" }, { "lessThan": "9407454a9b18bbeff216e8ecde87ffb2171e9ccf", "status": "affected", "version": "a31eda65ba210741b598044d045480494d0ed52a", "versionType": "git" }, { "lessThan": "e02d8d5b1602689b98d9b91550a11b9b57baedbe", "status": "affected", "version": "a31eda65ba210741b598044d045480494d0ed52a", "versionType": "git" }, { "lessThan": "f816b9829b19394d318e01953aa3b2721bca040d", "status": "affected", "version": "a31eda65ba210741b598044d045480494d0ed52a", "versionType": "git" }, { "status": "affected", "version": "d961a58dcc9778948502847303d29d018a49710a", "versionType": "git" }, { "status": "affected", "version": "d9c7531fb4708eb3f22cccdb0b7371834d37555a", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/net/ethernet/freescale/fec_main.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", 
"version": "5.4" }, { "lessThan": "5.4", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "4.14.*", "status": "unaffected", "version": "4.14.316", "versionType": "semver" }, { "lessThanOrEqual": "4.19.*", "status": "unaffected", "version": "4.19.284", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": "unaffected", "version": "5.4.244", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.181", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.113", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.30", "versionType": "semver" }, { "lessThanOrEqual": "6.3.*", "status": "unaffected", "version": "6.3.4", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.316", "versionStartIncluding": "4.14.158", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.284", "versionStartIncluding": "4.19.88", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.244", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.181", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.113", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.30", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": 
"6.3.4", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.4", "versionStartIncluding": "5.4", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.206", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Better handle pm_runtime_get() failing in .remove()\n\nIn the (unlikely) event that pm_runtime_get() (disguised as\npm_runtime_resume_and_get()) fails, the remove callback returned an\nerror early. The problem with this is that the driver core ignores the\nerror value and continues removing the device. This results in a\nresource leak. Worse the devm allocated resources are freed and so if a\ncallback of the driver is called later the register mapping is already\ngone which probably results in a crash." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:46.998Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d52a0cca591e899d4e5c8ab19e067b4c6b7d104f" }, { "url": "https://git.kernel.org/stable/c/be85912c36ddca3e8b2eef1b5392cd8db6bdb730" }, { "url": "https://git.kernel.org/stable/c/b22b514209ff8c4287abb853399890ab97e1b5ca" }, { "url": "https://git.kernel.org/stable/c/83996d317b1deddc85006376082e8886f55aa709" }, { "url": "https://git.kernel.org/stable/c/c1bc2870f14e526a01897e14c747a0a0ca125231" }, { "url": "https://git.kernel.org/stable/c/9407454a9b18bbeff216e8ecde87ffb2171e9ccf" }, { "url": "https://git.kernel.org/stable/c/e02d8d5b1602689b98d9b91550a11b9b57baedbe" }, { "url": "https://git.kernel.org/stable/c/f816b9829b19394d318e01953aa3b2721bca040d" } ], "title": "net: fec: Better handle pm_runtime_get() failing in .remove()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53308", "datePublished": "2025-09-16T16:11:46.998Z", "dateReserved": "2025-09-16T16:08:59.561Z", "dateUpdated": "2025-09-16T16:11:46.998Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39807 (GCVE-0-2025-39807)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: Add error handling for old state CRTC in atomic_disable
Introduce error handling to address an issue where, after a hotplug
event, the cursor continues to update. This situation can lead to a
kernel panic due to accessing the NULL `old_state->crtc`.
E.g.
Unable to handle kernel NULL pointer dereference at virtual address
Call trace:
mtk_crtc_plane_disable+0x24/0x140
mtk_plane_atomic_update+0x8c/0xa8
drm_atomic_helper_commit_planes+0x114/0x2c8
drm_atomic_helper_commit_tail_rpm+0x4c/0x158
commit_tail+0xa0/0x168
drm_atomic_helper_commit+0x110/0x120
drm_atomic_commit+0x8c/0xe0
drm_atomic_helper_update_plane+0xd4/0x128
__setplane_atomic+0xcc/0x110
drm_mode_cursor_common+0x250/0x440
drm_mode_cursor_ioctl+0x44/0x70
drm_ioctl+0x264/0x5d8
__arm64_sys_ioctl+0xd8/0x510
invoke_syscall+0x6c/0xe0
do_el0_svc+0x68/0xe8
el0_svc+0x34/0x60
el0t_64_sync_handler+0x1c/0xf8
el0t_64_sync+0x180/0x188
Adding NULL pointer checks to ensure stability by preventing operations
on an invalid CRTC state.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/mediatek/mtk_plane.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "7d5cc22efa44e0fe321ce195c71c3d7da211fbb2", "status": "affected", "version": "40b5b4ba8ed87c0bfb6268c10589777652ebde4c", "versionType": "git" }, { "lessThan": "9a94e9d8b50bcfe89693bc899a54d3866d86e973", "status": "affected", "version": "d208261e9f7c66960587b10473081dc1cecbe50b", "versionType": "git" }, { "lessThan": "0c6b24d70da21201ed009a2aca740d2dfddc7ab5", "status": "affected", "version": "d208261e9f7c66960587b10473081dc1cecbe50b", "versionType": "git" }, { "status": "affected", "version": "a9c482689051ca96f4a4630fe49fd6919694caaa", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/gpu/drm/mediatek/mtk_plane.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.16" }, { "lessThan": "6.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "6.12.40", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", 
"versionStartIncluding": "6.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15.8", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Add error handling for old state CRTC in atomic_disable\n\nIntroduce error handling to address an issue where, after a hotplug\nevent, the cursor continues to update. This situation can lead to a\nkernel panic due to accessing the NULL `old_state-\u003ecrtc`.\n\nE,g.\nUnable to handle kernel NULL pointer dereference at virtual address\nCall trace:\n mtk_crtc_plane_disable+0x24/0x140\n mtk_plane_atomic_update+0x8c/0xa8\n drm_atomic_helper_commit_planes+0x114/0x2c8\n drm_atomic_helper_commit_tail_rpm+0x4c/0x158\n commit_tail+0xa0/0x168\n drm_atomic_helper_commit+0x110/0x120\n drm_atomic_commit+0x8c/0xe0\n drm_atomic_helper_update_plane+0xd4/0x128\n __setplane_atomic+0xcc/0x110\n drm_mode_cursor_common+0x250/0x440\n drm_mode_cursor_ioctl+0x44/0x70\n drm_ioctl+0x264/0x5d8\n __arm64_sys_ioctl+0xd8/0x510\n invoke_syscall+0x6c/0xe0\n do_el0_svc+0x68/0xe8\n el0_svc+0x34/0x60\n el0t_64_sync_handler+0x1c/0xf8\n el0t_64_sync+0x180/0x188\n\nAdding NULL pointer checks to ensure stability by preventing operations\non an invalid CRTC state." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:10.408Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/7d5cc22efa44e0fe321ce195c71c3d7da211fbb2" }, { "url": "https://git.kernel.org/stable/c/9a94e9d8b50bcfe89693bc899a54d3866d86e973" }, { "url": "https://git.kernel.org/stable/c/0c6b24d70da21201ed009a2aca740d2dfddc7ab5" } ], "title": "drm/mediatek: Add error handling for old state CRTC in atomic_disable", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39807", "datePublished": "2025-09-16T13:00:10.408Z", "dateReserved": "2025-04-16T07:20:57.137Z", "dateUpdated": "2025-09-16T13:00:10.408Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39821 (GCVE-0-2025-39821)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf: Avoid undefined behavior from stopping/starting inactive events
Calling pmu->start()/stop() on perf events in PERF_EVENT_STATE_OFF can
leave event->hw.idx at -1. When PMU drivers later attempt to use this
negative index as a shift exponent in bitwise operations, it leads to UBSAN
shift-out-of-bounds reports.
The issue is a logical flaw in how event groups handle throttling when some
members are intentionally disabled. Based on the analysis and the
reproducer provided by Mark Rutland (this issue on both arm64 and x86-64).
The scenario unfolds as follows:
1. A group leader event is configured with a very aggressive sampling
period (e.g., sample_period = 1). This causes frequent interrupts and
triggers the throttling mechanism.
2. A child event in the same group is created in a disabled state
(.disabled = 1). This event remains in PERF_EVENT_STATE_OFF.
Since it hasn't been scheduled onto the PMU, its event->hw.idx remains
initialized at -1.
3. When throttling occurs, perf_event_throttle_group() and later
perf_event_unthrottle_group() iterate through all siblings, including
the disabled child event.
4. perf_event_throttle()/unthrottle() are called on this inactive child
event, which then call event->pmu->start()/stop().
5. The PMU driver receives the event with hw.idx == -1 and attempts to
use it as a shift exponent. e.g., in macros like PMCNTENSET(idx),
leading to the UBSAN report.
The throttling mechanism attempts to start/stop events that are not
actively scheduled on the hardware.
Move the state check into perf_event_throttle()/perf_event_unthrottle() so
that inactive events are skipped entirely. This ensures only active events
with a valid hw.idx are processed, preventing undefined behavior and
silencing UBSAN warnings. The corrected check ensures true before
proceeding with PMU operations.
The problem can be reproduced with the syzkaller reproducer:
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "kernel/events/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "d689135aa9c5e4e0eab5a92bbe35dab0c8d6677f", "status": "affected", "version": "9734e25fbf5ae68eb04234b2cd14a4b36ab89141", "versionType": "git" }, { "lessThan": "b64fdd422a85025b5e91ead794db9d3ef970e369", "status": "affected", "version": "9734e25fbf5ae68eb04234b2cd14a4b36ab89141", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "kernel/events/core.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.16" }, { "lessThan": "6.16", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc3", "versionStartIncluding": "6.16", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Avoid undefined behavior from stopping/starting inactive events\n\nCalling pmu-\u003estart()/stop() on perf events in PERF_EVENT_STATE_OFF can\nleave event-\u003ehw.idx at -1. 
When PMU drivers later attempt to use this\nnegative index as a shift exponent in bitwise operations, it leads to UBSAN\nshift-out-of-bounds reports.\n\nThe issue is a logical flaw in how event groups handle throttling when some\nmembers are intentionally disabled. Based on the analysis and the\nreproducer provided by Mark Rutland (this issue on both arm64 and x86-64).\n\nThe scenario unfolds as follows:\n\n 1. A group leader event is configured with a very aggressive sampling\n period (e.g., sample_period = 1). This causes frequent interrupts and\n triggers the throttling mechanism.\n 2. A child event in the same group is created in a disabled state\n (.disabled = 1). This event remains in PERF_EVENT_STATE_OFF.\n Since it hasn\u0027t been scheduled onto the PMU, its event-\u003ehw.idx remains\n initialized at -1.\n 3. When throttling occurs, perf_event_throttle_group() and later\n perf_event_unthrottle_group() iterate through all siblings, including\n the disabled child event.\n 4. perf_event_throttle()/unthrottle() are called on this inactive child\n event, which then call event-\u003epmu-\u003estart()/stop().\n 5. The PMU driver receives the event with hw.idx == -1 and attempts to\n use it as a shift exponent. e.g., in macros like PMCNTENSET(idx),\n leading to the UBSAN report.\n\nThe throttling mechanism attempts to start/stop events that are not\nactively scheduled on the hardware.\n\nMove the state check into perf_event_throttle()/perf_event_unthrottle() so\nthat inactive events are skipped entirely. This ensures only active events\nwith a valid hw.idx are processed, preventing undefined behavior and\nsilencing UBSAN warnings. 
The corrected check ensures true before\nproceeding with PMU operations.\n\nThe problem can be reproduced with the syzkaller reproducer:" } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:20.805Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/d689135aa9c5e4e0eab5a92bbe35dab0c8d6677f" }, { "url": "https://git.kernel.org/stable/c/b64fdd422a85025b5e91ead794db9d3ef970e369" } ], "title": "perf: Avoid undefined behavior from stopping/starting inactive events", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39821", "datePublished": "2025-09-16T13:00:20.805Z", "dateReserved": "2025-04-16T07:20:57.139Z", "dateUpdated": "2025-09-16T13:00:20.805Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39817 (GCVE-0-2025-39817)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
Observed on kernel 6.6 (present on master as well):
BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
Call trace:
kasan_check_range+0xe8/0x190
__asan_loadN+0x1c/0x28
memcmp+0x98/0xd0
efivarfs_d_compare+0x68/0xd8
__d_lookup_rcu_op_compare+0x178/0x218
__d_lookup_rcu+0x1f8/0x228
d_alloc_parallel+0x150/0x648
lookup_open.isra.0+0x5f0/0x8d0
open_last_lookups+0x264/0x828
path_openat+0x130/0x3f8
do_filp_open+0x114/0x248
do_sys_openat2+0x340/0x3c0
__arm64_sys_openat+0x120/0x1a0
If dentry->d_name.len < EFI_VARIABLE_GUID_LEN, 'guid' can become
negative, leading to oob. The issue can be triggered by parallel
lookups using invalid filename:

    T1                                          T2
    lookup_open
    ->lookup
    simple_lookup
    d_add
    // invalid dentry is added to hash list

                                                lookup_open
                                                d_alloc_parallel
                                                __d_lookup_rcu
                                                __d_lookup_rcu_op_compare
                                                hlist_bl_for_each_entry_rcu
                                                // invalid dentry can be retrieved
                                                ->d_compare
                                                efivarfs_d_compare
                                                // oob

Fix it by checking 'guid' before cmp.
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: da27a24383b2b10bf6ebd0db29b325548aafecb4 Version: da27a24383b2b10bf6ebd0db29b325548aafecb4 Version: da27a24383b2b10bf6ebd0db29b325548aafecb4 Version: da27a24383b2b10bf6ebd0db29b325548aafecb4 Version: da27a24383b2b10bf6ebd0db29b325548aafecb4 Version: da27a24383b2b10bf6ebd0db29b325548aafecb4 Version: da27a24383b2b10bf6ebd0db29b325548aafecb4 Version: da27a24383b2b10bf6ebd0db29b325548aafecb4 Version: 688289c4b745c018b3449b4b4c5a2030083c8eaf
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/efivarfs/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6", "status": "affected", "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4", "versionType": "git" }, { "lessThan": "794399019301944fd6d2e0d7a51b3327e26c410e", "status": "affected", "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4", "versionType": "git" }, { "lessThan": "568e7761279b99c6daa3002290fd6d8047ddb6d2", "status": "affected", "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4", "versionType": "git" }, { "lessThan": "d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7", "status": "affected", "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4", "versionType": "git" }, { "lessThan": "925599eba46045930b850a98ae594d2e3028ac40", "status": "affected", "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4", "versionType": "git" }, { "lessThan": "c2925cd6207079c3f4d040d082515db78d63afbf", "status": "affected", "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4", "versionType": "git" }, { "lessThan": "71581a82f38e5a4d807d71fc1bb59aead80ccf95", "status": "affected", "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4", "versionType": "git" }, { "lessThan": "a6358f8cf64850f3f27857b8ed8c1b08cfc4685c", "status": "affected", "version": "da27a24383b2b10bf6ebd0db29b325548aafecb4", "versionType": "git" }, { "status": "affected", "version": "688289c4b745c018b3449b4b4c5a2030083c8eaf", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/efivarfs/super.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "3.9" }, { "lessThan": "3.9", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.4.*", "status": 
"unaffected", "version": "5.4.298", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.242", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.191", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.298", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.242", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.191", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": 
"6.17-rc4", "versionStartIncluding": "3.9", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefivarfs: Fix slab-out-of-bounds in efivarfs_d_compare\n\nObserved on kernel 6.6 (present on master as well):\n\n BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0\n Call trace:\n kasan_check_range+0xe8/0x190\n __asan_loadN+0x1c/0x28\n memcmp+0x98/0xd0\n efivarfs_d_compare+0x68/0xd8\n __d_lookup_rcu_op_compare+0x178/0x218\n __d_lookup_rcu+0x1f8/0x228\n d_alloc_parallel+0x150/0x648\n lookup_open.isra.0+0x5f0/0x8d0\n open_last_lookups+0x264/0x828\n path_openat+0x130/0x3f8\n do_filp_open+0x114/0x248\n do_sys_openat2+0x340/0x3c0\n __arm64_sys_openat+0x120/0x1a0\n\nIf dentry-\u003ed_name.len \u003c EFI_VARIABLE_GUID_LEN , \u0027guid\u0027 can become\nnegative, leadings to oob. The issue can be triggered by parallel\nlookups using invalid filename:\n\n T1\t\t\tT2\n lookup_open\n -\u003elookup\n simple_lookup\n d_add\n // invalid dentry is added to hash list\n\n\t\t\tlookup_open\n\t\t\t d_alloc_parallel\n\t\t\t __d_lookup_rcu\n\t\t\t __d_lookup_rcu_op_compare\n\t\t\t hlist_bl_for_each_entry_rcu\n\t\t\t // invalid dentry can be retrieved\n\t\t\t -\u003ed_compare\n\t\t\t efivarfs_d_compare\n\t\t\t // oob\n\nFix it by checking \u0027guid\u0027 before cmp." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:17.776Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/0f63fbabeaaaaaaf5b742a2f4c1b4590d50bf1f6" }, { "url": "https://git.kernel.org/stable/c/794399019301944fd6d2e0d7a51b3327e26c410e" }, { "url": "https://git.kernel.org/stable/c/568e7761279b99c6daa3002290fd6d8047ddb6d2" }, { "url": "https://git.kernel.org/stable/c/d7f5e35e70507d10cbaff5f9e194ed54c4ee14f7" }, { "url": "https://git.kernel.org/stable/c/925599eba46045930b850a98ae594d2e3028ac40" }, { "url": "https://git.kernel.org/stable/c/c2925cd6207079c3f4d040d082515db78d63afbf" }, { "url": "https://git.kernel.org/stable/c/71581a82f38e5a4d807d71fc1bb59aead80ccf95" }, { "url": "https://git.kernel.org/stable/c/a6358f8cf64850f3f27857b8ed8c1b08cfc4685c" } ], "title": "efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39817", "datePublished": "2025-09-16T13:00:17.776Z", "dateReserved": "2025-04-16T07:20:57.138Z", "dateUpdated": "2025-09-16T13:00:17.776Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39806 (GCVE-0-2025-39806)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
A malicious HID device can trigger a slab out-of-bounds during
mt_report_fixup() by passing in a report descriptor smaller than
607 bytes. mt_report_fixup() attempts to patch byte offset 607
of the descriptor with 0x25 by first checking if byte offset
607 is 0x15; however, it lacks bounds checks to verify if the
descriptor is big enough before conducting this check. Fix
this bug by ensuring the descriptor size is at least 608
bytes before accessing it.
Below is the KASAN splat after the out of bounds access happens:
[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297] <TASK>
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]
References
Impacted products
Vendor | Product | Version
---|---|---
Linux | Linux | Version: 7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0 Version: 45ec9f17ce46417fc4eccecf388c99e81fb7fcc1 Version: 1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b Version: c8000deb68365b461b324d68c7ea89d730f0bb85 Version: c8000deb68365b461b324d68c7ea89d730f0bb85 Version: c8000deb68365b461b324d68c7ea89d730f0bb85 Version: d189e24a42b8bd0ece3d28801d751bf66dba8e92
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/hid-multitouch.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d", "status": "affected", "version": "7d91a0b2151a9c3b61d44c85c8eba930eddd1dd0", "versionType": "git" }, { "lessThan": "7ab7311c43ae19c66c53ccd8c5052a9072a4e338", "status": "affected", "version": "45ec9f17ce46417fc4eccecf388c99e81fb7fcc1", "versionType": "git" }, { "lessThan": "d4e6e2680807671e1c73cd6a986b33659ce92f2b", "status": "affected", "version": "1d5c7d0a49ec9d8786f266ac6d1d7c4960e1787b", "versionType": "git" }, { "lessThan": "3055309821dd3da92888f88bad10f0324c3c89fe", "status": "affected", "version": "c8000deb68365b461b324d68c7ea89d730f0bb85", "versionType": "git" }, { "lessThan": "c13e95587583d018cfbcc277df7e02d41902ac5a", "status": "affected", "version": "c8000deb68365b461b324d68c7ea89d730f0bb85", "versionType": "git" }, { "lessThan": "0379eb8691b9c4477da0277ae0832036ca4410b4", "status": "affected", "version": "c8000deb68365b461b324d68c7ea89d730f0bb85", "versionType": "git" }, { "status": "affected", "version": "d189e24a42b8bd0ece3d28801d751bf66dba8e92", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/hid-multitouch.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.11" }, { "lessThan": "6.11", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.191", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": 
"6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.191", "versionStartIncluding": "5.15.168", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "versionStartIncluding": "6.1.111", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "versionStartIncluding": "6.6.52", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.11", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: multitouch: fix slab out-of-bounds access in mt_report_fixup()\n\nA malicious HID device can trigger a slab out-of-bounds during\nmt_report_fixup() by passing in report descriptor smaller than\n607 bytes. mt_report_fixup() attempts to patch byte offset 607\nof the descriptor with 0x25 by first checking if byte offset\n607 is 0x15 however it lacks bounds checks to verify if the\ndescriptor is big enough before conducting this check. 
Fix\nthis bug by ensuring the descriptor size is at least 608\nbytes before accessing it.\n\nBelow is the KASAN splat after the out of bounds access happens:\n\n[ 13.671954] ==================================================================\n[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110\n[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10\n[ 13.673297]\n[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3\n[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04\n[ 13.673297] Call Trace:\n[ 13.673297] \u003cTASK\u003e\n[ 13.673297] dump_stack_lvl+0x5f/0x80\n[ 13.673297] print_report+0xd1/0x660\n[ 13.673297] kasan_report+0xe5/0x120\n[ 13.673297] __asan_report_load1_noabort+0x18/0x20\n[ 13.673297] mt_report_fixup+0x103/0x110\n[ 13.673297] hid_open_report+0x1ef/0x810\n[ 13.673297] mt_probe+0x422/0x960\n[ 13.673297] hid_device_probe+0x2e2/0x6f0\n[ 13.673297] really_probe+0x1c6/0x6b0\n[ 13.673297] __driver_probe_device+0x24f/0x310\n[ 13.673297] driver_probe_device+0x4e/0x220\n[ 13.673297] __device_attach_driver+0x169/0x320\n[ 13.673297] bus_for_each_drv+0x11d/0x1b0\n[ 13.673297] __device_attach+0x1b8/0x3e0\n[ 13.673297] device_initial_probe+0x12/0x20\n[ 13.673297] bus_probe_device+0x13d/0x180\n[ 13.673297] device_add+0xe3a/0x1670\n[ 13.673297] hid_add_device+0x31d/0xa40\n[...]" } ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:09.524Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4263e5851779f7d8ebfbc9cc7d2e9b0217adba8d" }, { "url": "https://git.kernel.org/stable/c/7ab7311c43ae19c66c53ccd8c5052a9072a4e338" }, { "url": "https://git.kernel.org/stable/c/d4e6e2680807671e1c73cd6a986b33659ce92f2b" }, { "url": "https://git.kernel.org/stable/c/3055309821dd3da92888f88bad10f0324c3c89fe" }, { "url": 
"https://git.kernel.org/stable/c/c13e95587583d018cfbcc277df7e02d41902ac5a" }, { "url": "https://git.kernel.org/stable/c/0379eb8691b9c4477da0277ae0832036ca4410b4" } ], "title": "HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39806", "datePublished": "2025-09-16T13:00:09.524Z", "dateReserved": "2025-04-16T07:20:57.136Z", "dateUpdated": "2025-09-16T13:00:09.524Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50350 (GCVE-0-2022-50350)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix a race condition between login_work and the login thread
In case a malicious initiator sends some random data immediately after a
login PDU; the iscsi_target_sk_data_ready() callback will schedule the
login_work and, at the same time, the negotiation may end without clearing
the LOGIN_FLAGS_INITIAL_PDU flag (because no additional PDU exchanges are
required to complete the login).
The login has been completed but the login_work function will find the
LOGIN_FLAGS_INITIAL_PDU flag set and will never stop from rescheduling
itself; at this point, if the initiator drops the connection, the
iscsit_conn structure will be freed, login_work will dereference a released
socket structure and the kernel crashes.
BUG: kernel NULL pointer dereference, address: 0000000000000230
PF: supervisor write access in kernel mode
PF: error_code(0x0002) - not-present page
Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
RIP: 0010:_raw_read_lock_bh+0x15/0x30
Call trace:
iscsi_target_do_login_rx+0x75/0x3f0 [iscsi_target_mod]
process_one_work+0x1e8/0x3c0
Fix this bug by forcing login_work to stop after the login has been
completed and the socket callbacks have been restored.
Add a comment to clarify the return values of iscsi_target_do_login()
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/target/iscsi/iscsi_target_nego.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "1533b8b3058db618409f41554ebe768c2e3acfae", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "3ecdca49ca49d4770639d81503c873b6d25887c4", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "fec1b2fa62c162d03f5dcd7b03e3c89d3116d49f", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/target/iscsi/iscsi_target_nego.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.16", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.2", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.16", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.2", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix a race condition between login_work and the login thread\n\nIn case a malicious initiator sends some random data 
immediately after a\nlogin PDU; the iscsi_target_sk_data_ready() callback will schedule the\nlogin_work and, at the same time, the negotiation may end without clearing\nthe LOGIN_FLAGS_INITIAL_PDU flag (because no additional PDU exchanges are\nrequired to complete the login).\n\nThe login has been completed but the login_work function will find the\nLOGIN_FLAGS_INITIAL_PDU flag set and will never stop from rescheduling\nitself; at this point, if the initiator drops the connection, the\niscsit_conn structure will be freed, login_work will dereference a released\nsocket structure and the kernel crashes.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000230\nPF: supervisor write access in kernel mode\nPF: error_code(0x0002) - not-present page\nWorkqueue: events iscsi_target_do_login_rx [iscsi_target_mod]\nRIP: 0010:_raw_read_lock_bh+0x15/0x30\nCall trace:\n iscsi_target_do_login_rx+0x75/0x3f0 [iscsi_target_mod]\n process_one_work+0x1e8/0x3c0\n\nFix this bug by forcing login_work to stop after the login has been\ncompleted and the socket callbacks have been restored.\n\nAdd a comment to clearify the return values of iscsi_target_do_login()" } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:42.029Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/1533b8b3058db618409f41554ebe768c2e3acfae" }, { "url": "https://git.kernel.org/stable/c/3ecdca49ca49d4770639d81503c873b6d25887c4" }, { "url": "https://git.kernel.org/stable/c/fec1b2fa62c162d03f5dcd7b03e3c89d3116d49f" } ], "title": "scsi: target: iscsi: Fix a race condition between login_work and the login thread", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50350", "datePublished": "2025-09-16T16:11:42.029Z", "dateReserved": "2025-09-16T16:03:27.882Z", "dateUpdated": "2025-09-16T16:11:42.029Z", 
"state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-53320 (GCVE-0-2023-53320)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info()
The function mpi3mr_get_all_tgt_info() has four issues:
1) It calculates valid entry length in alltgt_info assuming the header part
of the struct mpi3mr_device_map_info would equal to sizeof(u32). The
correct size is sizeof(u64).
2) When it calculates the valid entry length kern_entrylen, it excludes one
entry by subtracting 1 from num_devices.
3) It copies num_device by calling memcpy(). Substitution is enough.
4) It does not specify the calculated length to sg_copy_from_buffer().
Instead, it specifies the payload length which is larger than the
alltgt_info size. It causes "BUG: KASAN: slab-out-of-bounds".
Fix the issues by using the correct header size, removing the subtraction
from num_devices, replacing the memcpy() with substitution and specifying
the correct length to sg_copy_from_buffer().
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/scsi/mpi3mr/mpi3mr_app.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "8ba997b22f2cd5d29aad8c39f6201f7608ed0c04", "status": "affected", "version": "f5e6d5a343761081317c89d23489c93fbafc69ff", "versionType": "git" }, { "lessThan": "2f3d3fa5b8ed7d3b147478f42b00b468eeb1ecd2", "status": "affected", "version": "f5e6d5a343761081317c89d23489c93fbafc69ff", "versionType": "git" }, { "lessThan": "fb428a2005fc1260d18b989cc5199f281617f44d", "status": "affected", "version": "f5e6d5a343761081317c89d23489c93fbafc69ff", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/scsi/mpi3mr/mpi3mr_app.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "5.19" }, { "lessThan": "5.19", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.16", "versionType": "semver" }, { "lessThanOrEqual": "6.2.*", "status": "unaffected", "version": "6.2.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.3", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.16", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.2.3", "versionStartIncluding": "5.19", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.3", "versionStartIncluding": "5.19", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In 
the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info()\n\nThe function mpi3mr_get_all_tgt_info() has four issues:\n\n1) It calculates valid entry length in alltgt_info assuming the header part\n of the struct mpi3mr_device_map_info would equal to sizeof(u32). The\n correct size is sizeof(u64).\n\n2) When it calculates the valid entry length kern_entrylen, it excludes one\n entry by subtracting 1 from num_devices.\n\n3) It copies num_device by calling memcpy(). Substitution is enough.\n\n4) It does not specify the calculated length to sg_copy_from_buffer().\n Instead, it specifies the payload length which is larger than the\n alltgt_info size. It causes \"BUG: KASAN: slab-out-of-bounds\".\n\nFix the issues by using the correct header size, removing the subtraction\nfrom num_devices, replacing the memcpy() with substitution and specifying\nthe correct length to sg_copy_from_buffer()." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:56.323Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/8ba997b22f2cd5d29aad8c39f6201f7608ed0c04" }, { "url": "https://git.kernel.org/stable/c/2f3d3fa5b8ed7d3b147478f42b00b468eeb1ecd2" }, { "url": "https://git.kernel.org/stable/c/fb428a2005fc1260d18b989cc5199f281617f44d" } ], "title": "scsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2023-53320", "datePublished": "2025-09-16T16:11:56.323Z", "dateReserved": "2025-09-16T16:08:59.563Z", "dateUpdated": "2025-09-16T16:11:56.323Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-50339 (GCVE-0-2022-50339)
Vulnerability from cvelistv5
Published
2025-09-16 16:11
Modified
2025-09-16 16:11
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()
syzbot is again reporting attempt to cancel uninitialized work
at mgmt_index_removed() [1], for setting of HCI_MGMT flag from
mgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can
race with testing of HCI_MGMT flag from mgmt_index_removed() from
hci_sock_bind() due to lack of serialization via hci_dev_lock().
Since mgmt_init_hdev() is called with mgmt_chan_list_lock held, we can
safely split hci_dev_test_and_set_flag() into hci_dev_test_flag() and
hci_dev_set_flag(). Thus, in order to close this race, set HCI_MGMT flag
after INIT_DELAYED_WORK() completed.
This is a local fix based on mgmt_chan_list_lock. Lack of serialization
via hci_dev_lock() might be causing different race conditions somewhere
else. But a global fix based on hci_dev_lock() should deserve a future
patch.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "net/bluetooth/mgmt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "e53c6180db8dd09de94e0a3bdf4fef6f5f9dd6e6", "status": "affected", "version": "3f2893d3c142986aa935821460cb3adb77044722", "versionType": "git" }, { "lessThan": "f74ca25d6d6629ffd4fd80a1a73037253b57d06b", "status": "affected", "version": "3f2893d3c142986aa935821460cb3adb77044722", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "net/bluetooth/mgmt.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.0" }, { "lessThan": "6.0", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.0.*", "status": "unaffected", "version": "6.0.3", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.1", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.3", "versionStartIncluding": "6.0", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1", "versionStartIncluding": "6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()\n\nsyzbot is again reporting attempt to cancel uninitialized work\nat mgmt_index_removed() [1], for setting of HCI_MGMT flag from\nmgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can\nrace with testing of HCI_MGMT flag from mgmt_index_removed() from\nhci_sock_bind() due to lack of 
serialization via hci_dev_lock().\n\nSince mgmt_init_hdev() is called with mgmt_chan_list_lock held, we can\nsafely split hci_dev_test_and_set_flag() into hci_dev_test_flag() and\nhci_dev_set_flag(). Thus, in order to close this race, set HCI_MGMT flag\nafter INIT_DELAYED_WORK() completed.\n\nThis is a local fix based on mgmt_chan_list_lock. Lack of serialization\nvia hci_dev_lock() might be causing different race conditions somewhere\nelse. But a global fix based on hci_dev_lock() should deserve a future\npatch." } ], "providerMetadata": { "dateUpdated": "2025-09-16T16:11:30.176Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/e53c6180db8dd09de94e0a3bdf4fef6f5f9dd6e6" }, { "url": "https://git.kernel.org/stable/c/f74ca25d6d6629ffd4fd80a1a73037253b57d06b" } ], "title": "Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2022-50339", "datePublished": "2025-09-16T16:11:19.138Z", "dateReserved": "2025-09-16T16:03:27.881Z", "dateUpdated": "2025-09-16T16:11:30.176Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39825 (GCVE-0-2025-39825)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix race with concurrent opens in rename(2)
Besides sending the rename request to the server, the rename process
also involves closing any deferred close, waiting for outstanding I/O
to complete as well as marking all existing open handles as deleted to
prevent them from deferring closes, which increases the race window
for potential concurrent opens on the target file.
Fix this by unhashing the dentry in advance to prevent any concurrent
opens on the target.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "fs/smb/client/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "c9e7de284da0be5b44dbe79d71573f9f7f9b144c", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "24b9ed739c8c5b464d983e12cf308982f3ae93c2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "c9991af5e09924f6f3b3e6996a5e09f9504b4358", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "289f945acb20b9b54fe4d13895e44aa58965ddb2", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" }, { "lessThan": "d84291fc7453df7881a970716f8256273aca5747", "status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "fs/smb/client/inode.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.150", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.104", "versionType": "semver" }, { "lessThanOrEqual": "6.12.*", "status": "unaffected", "version": "6.12.45", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc2", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.150", "vulnerable": true }, { "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.104", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.45", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix race with concurrent opens in rename(2)\n\nBesides sending the rename request to the server, the rename process\nalso involves closing any deferred close, waiting for outstanding I/O\nto complete as well as marking all existing open handles as deleted to\nprevent them from deferring closes, which increases the race window\nfor potential concurrent opens on the target file.\n\nFix this by unhashing the dentry in advance to prevent any concurrent\nopens on the target." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:23.897Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/c9e7de284da0be5b44dbe79d71573f9f7f9b144c" }, { "url": "https://git.kernel.org/stable/c/24b9ed739c8c5b464d983e12cf308982f3ae93c2" }, { "url": "https://git.kernel.org/stable/c/c9991af5e09924f6f3b3e6996a5e09f9504b4358" }, { "url": "https://git.kernel.org/stable/c/289f945acb20b9b54fe4d13895e44aa58965ddb2" }, { "url": "https://git.kernel.org/stable/c/d84291fc7453df7881a970716f8256273aca5747" } ], "title": "smb: client: fix race with concurrent opens in rename(2)", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39825", "datePublished": "2025-09-16T13:00:23.897Z", "dateReserved": "2025-04-16T07:20:57.140Z", "dateUpdated": "2025-09-16T13:00:23.897Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-39809 (GCVE-0-2025-39809)
Vulnerability from cvelistv5
Published
2025-09-16 13:00
Modified
2025-09-16 13:00
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length
The QuickI2C ACPI _DSD methods return ICRS and ISUB data with a
trailing byte, making the actual length one byte more than the
structs define.
It caused stack-out-of-bounds and kernel crash:
kernel: BUG: KASAN: stack-out-of-bounds in quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]
kernel: Write of size 12 at addr ffff888106d1f900 by task kworker/u33:2/75
kernel:
kernel: CPU: 3 UID: 0 PID: 75 Comm: kworker/u33:2 Not tainted 6.16.0+ #3 PREEMPT(voluntary)
kernel: Workqueue: async async_run_entry_fn
kernel: Call Trace:
kernel: <TASK>
kernel: dump_stack_lvl+0x76/0xa0
kernel: print_report+0xd1/0x660
kernel: ? __pfx__raw_spin_lock_irqsave+0x10/0x10
kernel: ? __kasan_slab_free+0x5d/0x80
kernel: ? kasan_addr_to_slab+0xd/0xb0
kernel: kasan_report+0xe1/0x120
kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]
kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]
kernel: kasan_check_range+0x11c/0x200
kernel: __asan_memcpy+0x3b/0x80
kernel: quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]
kernel: ? __pfx_quicki2c_acpi_get_dsd_property.constprop.0+0x10/0x10 [intel_quicki2c]
kernel: quicki2c_get_acpi_resources+0x237/0x730 [intel_quicki2c]
[...]
kernel: </TASK>
kernel:
kernel: The buggy address belongs to stack of task kworker/u33:2/75
kernel: and is located at offset 48 in frame:
kernel: quicki2c_get_acpi_resources+0x0/0x730 [intel_quicki2c]
kernel:
kernel: This frame has 3 objects:
kernel: [32, 36) 'hid_desc_addr'
kernel: [48, 59) 'i2c_param'
kernel: [80, 224) 'i2c_config'
ACPI DSD methods return:
\_SB.PC00.THC0.ICRS Buffer 000000003fdc947b 001 Len 0C = 0A 00 80 1A 06 00 00 00 00 00 00 00
\_SB.PC00.THC0.ISUB Buffer 00000000f2fcbdc4 001 Len 91 = 00 00 00 00 00 00 00 00 00 00 00 00
Adding reserved padding to quicki2c_subip_acpi_parameter/config.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-dev.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "4adce86d4b13d15dec7810967839b931b1598700", "status": "affected", "version": "5282e45ccbfa91524944a32d40386c54fdd4d145", "versionType": "git" }, { "lessThan": "1db9df89a213318a48d958385dc1b17b379dc32b", "status": "affected", "version": "5282e45ccbfa91524944a32d40386c54fdd4d145", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-dev.h" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.14" }, { "lessThan": "6.14", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "6.16.*", "status": "unaffected", "version": "6.16.5", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.17-rc4", "versionType": "original_commit_for_fix" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.16.5", "versionStartIncluding": "6.14", "vulnerable": true }, { "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.17-rc4", "versionStartIncluding": "6.14", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length\n\nThe QuickI2C ACPI _DSD methods return ICRS and ISUB data with a\ntrailing byte, making the actual length is one more byte than the\nstructs defined.\n\nIt caused stack-out-of-bounds and kernel crash:\n\nkernel: 
BUG: KASAN: stack-out-of-bounds in quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel: Write of size 12 at addr ffff888106d1f900 by task kworker/u33:2/75\nkernel:\nkernel: CPU: 3 UID: 0 PID: 75 Comm: kworker/u33:2 Not tainted 6.16.0+ #3 PREEMPT(voluntary)\nkernel: Workqueue: async async_run_entry_fn\nkernel: Call Trace:\nkernel: \u003cTASK\u003e\nkernel: dump_stack_lvl+0x76/0xa0\nkernel: print_report+0xd1/0x660\nkernel: ? __pfx__raw_spin_lock_irqsave+0x10/0x10\nkernel: ? __kasan_slab_free+0x5d/0x80\nkernel: ? kasan_addr_to_slab+0xd/0xb0\nkernel: kasan_report+0xe1/0x120\nkernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel: kasan_check_range+0x11c/0x200\nkernel: __asan_memcpy+0x3b/0x80\nkernel: quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]\nkernel: ? __pfx_quicki2c_acpi_get_dsd_property.constprop.0+0x10/0x10 [intel_quicki2c]\nkernel: quicki2c_get_acpi_resources+0x237/0x730 [intel_quicki2c]\n[...]\nkernel: \u003c/TASK\u003e\nkernel:\nkernel: The buggy address belongs to stack of task kworker/u33:2/75\nkernel: and is located at offset 48 in frame:\nkernel: quicki2c_get_acpi_resources+0x0/0x730 [intel_quicki2c]\nkernel:\nkernel: This frame has 3 objects:\nkernel: [32, 36) \u0027hid_desc_addr\u0027\nkernel: [48, 59) \u0027i2c_param\u0027\nkernel: [80, 224) \u0027i2c_config\u0027\n\nACPI DSD methods return:\n\n\\_SB.PC00.THC0.ICRS Buffer 000000003fdc947b 001 Len 0C = 0A 00 80 1A 06 00 00 00 00 00 00 00\n\\_SB.PC00.THC0.ISUB Buffer 00000000f2fcbdc4 001 Len 91 = 00 00 00 00 00 00 00 00 00 00 00 00\n\nAdding reserved padding to quicki2c_subip_acpi_parameter/config." 
} ], "providerMetadata": { "dateUpdated": "2025-09-16T13:00:11.977Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/4adce86d4b13d15dec7810967839b931b1598700" }, { "url": "https://git.kernel.org/stable/c/1db9df89a213318a48d958385dc1b17b379dc32b" } ], "title": "HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length", "x_generator": { "engine": "bippy-1.2.0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2025-39809", "datePublished": "2025-09-16T13:00:11.977Z", "dateReserved": "2025-04-16T07:20:57.137Z", "dateUpdated": "2025-09-16T13:00:11.977Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.