Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2025-2170
Vulnerability from csaf_certbund
Published
2025-09-30 22:00
Modified
2025-12-16 23:00
Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen und andere nicht näher spezifizierte Angriffe durchzuführen, möglicherweise um beliebigen Code auszuführen oder eine Speicherbeschädigung zu verursachen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren und andere nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren, m\u00f6glicherweise um beliebigen Code auszuf\u00fchren oder eine Speicherbesch\u00e4digung zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2170 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2170.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2170 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2170"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39891",
"url": "https://lore.kernel.org/linux-cve-announce/2025100114-CVE-2025-39891-61f7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39892",
"url": "https://lore.kernel.org/linux-cve-announce/2025100114-CVE-2025-39892-ec4d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39893",
"url": "https://lore.kernel.org/linux-cve-announce/2025100115-CVE-2025-39893-6653@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39894",
"url": "https://lore.kernel.org/linux-cve-announce/2025100115-CVE-2025-39894-f2dd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39895",
"url": "https://lore.kernel.org/linux-cve-announce/2025100115-CVE-2025-39895-d6e8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39896",
"url": "https://lore.kernel.org/linux-cve-announce/2025100116-CVE-2025-39896-e29a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39897",
"url": "https://lore.kernel.org/linux-cve-announce/2025100116-CVE-2025-39897-a100@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39898",
"url": "https://lore.kernel.org/linux-cve-announce/2025100116-CVE-2025-39898-d844@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39899",
"url": "https://lore.kernel.org/linux-cve-announce/2025100117-CVE-2025-39899-3921@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39900",
"url": "https://lore.kernel.org/linux-cve-announce/2025100117-CVE-2025-39900-bb5f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39901",
"url": "https://lore.kernel.org/linux-cve-announce/2025100117-CVE-2025-39901-d6f4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39902",
"url": "https://lore.kernel.org/linux-cve-announce/2025100118-CVE-2025-39902-0fe1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39903",
"url": "https://lore.kernel.org/linux-cve-announce/2025100118-CVE-2025-39903-6698@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39904",
"url": "https://lore.kernel.org/linux-cve-announce/2025100108-CVE-2025-39904-77a6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39905",
"url": "https://lore.kernel.org/linux-cve-announce/2025100108-CVE-2025-39905-157f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39906",
"url": "https://lore.kernel.org/linux-cve-announce/2025100108-CVE-2025-39906-5913@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39907",
"url": "https://lore.kernel.org/linux-cve-announce/2025100109-CVE-2025-39907-73b1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39908",
"url": "https://lore.kernel.org/linux-cve-announce/2025100109-CVE-2025-39908-5d27@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39909",
"url": "https://lore.kernel.org/linux-cve-announce/2025100109-CVE-2025-39909-202c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39910",
"url": "https://lore.kernel.org/linux-cve-announce/2025100110-CVE-2025-39910-568a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39911",
"url": "https://lore.kernel.org/linux-cve-announce/2025100110-CVE-2025-39911-5646@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39912",
"url": "https://lore.kernel.org/linux-cve-announce/2025100110-CVE-2025-39912-13cf@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39913",
"url": "https://lore.kernel.org/linux-cve-announce/2025100111-CVE-2025-39913-f166@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39914",
"url": "https://lore.kernel.org/linux-cve-announce/2025100111-CVE-2025-39914-a6eb@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39915",
"url": "https://lore.kernel.org/linux-cve-announce/2025100111-CVE-2025-39915-7a9f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39916",
"url": "https://lore.kernel.org/linux-cve-announce/2025100111-CVE-2025-39916-63c0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39917",
"url": "https://lore.kernel.org/linux-cve-announce/2025100112-CVE-2025-39917-b3a9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39918",
"url": "https://lore.kernel.org/linux-cve-announce/2025100119-CVE-2025-39918-7902@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39919",
"url": "https://lore.kernel.org/linux-cve-announce/2025100119-CVE-2025-39919-b28a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39920",
"url": "https://lore.kernel.org/linux-cve-announce/2025100120-CVE-2025-39920-5dbe@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39921",
"url": "https://lore.kernel.org/linux-cve-announce/2025100120-CVE-2025-39921-820c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39922",
"url": "https://lore.kernel.org/linux-cve-announce/2025100120-CVE-2025-39922-36d0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39923",
"url": "https://lore.kernel.org/linux-cve-announce/2025100122-CVE-2025-39923-6775@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39924",
"url": "https://lore.kernel.org/linux-cve-announce/2025100124-CVE-2025-39924-1a11@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39925",
"url": "https://lore.kernel.org/linux-cve-announce/2025100124-CVE-2025-39925-bcec@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39926",
"url": "https://lore.kernel.org/linux-cve-announce/2025100125-CVE-2025-39926-06ea@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39927",
"url": "https://lore.kernel.org/linux-cve-announce/2025100125-CVE-2025-39927-5a57@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-39928",
"url": "https://lore.kernel.org/linux-cve-announce/2025100125-CVE-2025-39928-b66c@gregkh/"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4327 vom 2025-10-13",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4328 vom 2025-10-13",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03600-1 vom 2025-10-15",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VHWHH7ZSMFJ6PQZ3CBDGGCWHNBCWD26Z/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03601-1 vom 2025-10-15",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/022903.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03634-1 vom 2025-10-17",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/022925.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:03633-1 vom 2025-10-17",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/022926.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:3751-1 vom 2025-10-23",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NMB6RXALFYMRMM4UK7R54RAQRCZJEBH4/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20851-1 vom 2025-10-24",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/023025.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20861-1 vom 2025-10-24",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/023019.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20870-1 vom 2025-10-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/023060.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2-2025-3053 vom 2025-10-27",
"url": "https://alas.aws.amazon.com/AL2/ALAS2-2025-3053.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.10-2025-109 vom 2025-10-27",
"url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2025-109.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2LIVEPATCH-2025-277 vom 2025-10-27",
"url": "https://alas.aws.amazon.com/AL2/ALAS2LIVEPATCH-2025-277.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2LIVEPATCH-2025-278 vom 2025-10-27",
"url": "https://alas.aws.amazon.com/AL2/ALAS2LIVEPATCH-2025-278.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2LIVEPATCH-2025-279 vom 2025-10-27",
"url": "https://alas.aws.amazon.com/AL2/ALAS2LIVEPATCH-2025-279.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2LIVEPATCH-2025-280 vom 2025-10-27",
"url": "https://alas.aws.amazon.com/AL2/ALAS2LIVEPATCH-2025-280.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2LIVEPATCH-2025-281 vom 2025-10-27",
"url": "https://alas.aws.amazon.com/AL2/ALAS2LIVEPATCH-2025-281.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS2LIVEPATCH-2025-282 vom 2025-10-27",
"url": "https://alas.aws.amazon.com/AL2/ALAS2LIVEPATCH-2025-282.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20898-1 vom 2025-10-30",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/023116.html"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2025-390 vom 2025-11-05",
"url": "https://www.dell.com/support/kbdoc/000385230"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-25754 vom 2025-11-10",
"url": "https://linux.oracle.com/errata/ELSA-2025-25754.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-25755 vom 2025-11-10",
"url": "https://linux.oracle.com/errata/ELSA-2025-25755.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4057-1 vom 2025-11-11",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023254.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-25757 vom 2025-11-12",
"url": "https://linux.oracle.com/errata/ELSA-2025-25757.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20994-1 vom 2025-11-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023276.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20996-1 vom 2025-11-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023275.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:21463 vom 2025-11-17",
"url": "https://access.redhat.com/errata/RHSA-2025:21463"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:21492 vom 2025-11-17",
"url": "https://access.redhat.com/errata/RHSA-2025:21492"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4128-1 vom 2025-11-18",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023299.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4132-1 vom 2025-11-18",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023302.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4141-1 vom 2025-11-19",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023304.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4140-1 vom 2025-11-19",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023305.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:21933 vom 2025-11-24",
"url": "https://access.redhat.com/errata/RHSA-2025:21933"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4189-1 vom 2025-11-24",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023334.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025-20081-1 vom 2025-11-26",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J4KLZE7HUQJ2N6IQEI3G2KJZ5VB36YBI/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025-20091-1 vom 2025-11-27",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QVNKE6YBHUN7AVUHO7UZCJJGK4HYS62H/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:21064-1 vom 2025-11-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023415.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:21056-1 vom 2025-11-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023419.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:21040-1 vom 2025-11-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023394.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:21052-1 vom 2025-11-27",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023389.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:21074-1 vom 2025-11-28",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023431.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:4301-1 vom 2025-11-28",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LLIMXFMWOGTFRJZEC4XPGIMNBCRKQ7IF/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:22387 vom 2025-12-01",
"url": "https://access.redhat.com/errata/RHSA-2025:22387"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:22388 vom 2025-12-01",
"url": "https://access.redhat.com/errata/RHSA-2025:22388"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:21080-1 vom 2025-11-28",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-November/023429.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:22405 vom 2025-12-01",
"url": "https://access.redhat.com/errata/RHSA-2025:22405"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:22392 vom 2025-12-01",
"url": "https://access.redhat.com/errata/RHSA-2025:22392"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:22395 vom 2025-12-01",
"url": "https://access.redhat.com/errata/RHSA-2025:22395"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-22388 vom 2025-12-01",
"url": "https://linux.oracle.com/errata/ELSA-2025-22388.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-22405 vom 2025-12-02",
"url": "https://linux.oracle.com/errata/ELSA-2025-22405.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:22571 vom 2025-12-02",
"url": "https://access.redhat.com/errata/RHSA-2025:22571"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-21118 vom 2025-12-04",
"url": "https://linux.oracle.com/errata/ELSA-2025-21118.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2025:22387 vom 2025-12-04",
"url": "https://errata.build.resf.org/RLSA-2025:22387"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7909-1 vom 2025-12-04",
"url": "https://ubuntu.com/security/notices/USN-7909-1"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2025:22405 vom 2025-12-04",
"url": "https://errata.build.resf.org/RLSA-2025:22405"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7909-3 vom 2025-12-04",
"url": "https://ubuntu.com/security/notices/USN-7909-3"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7909-2 vom 2025-12-04",
"url": "https://ubuntu.com/security/notices/USN-7909-2"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7910-1 vom 2025-12-04",
"url": "https://ubuntu.com/security/notices/USN-7910-1"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-21463 vom 2025-12-05",
"url": "https://linux.oracle.com/errata/ELSA-2025-21463.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2025:22395 vom 2025-12-05",
"url": "https://errata.build.resf.org/RLSA-2025:22395"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7909-4 vom 2025-12-05",
"url": "https://ubuntu.com/security/notices/USN-7909-4"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-22395 vom 2025-12-06",
"url": "https://linux.oracle.com/errata/ELSA-2025-22395.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-21931 vom 2025-12-05",
"url": "https://linux.oracle.com/errata/ELSA-2025-21931.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:22854 vom 2025-12-08",
"url": "https://access.redhat.com/errata/RHSA-2025:22854"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-22854 vom 2025-12-09",
"url": "https://linux.oracle.com/errata/ELSA-2025-22854.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:22865 vom 2025-12-09",
"url": "https://access.redhat.com/errata/RHSA-2025:22865"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-22865 vom 2025-12-09",
"url": "https://linux.oracle.com/errata/ELSA-2025-22865.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:21147-1 vom 2025-12-10",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023511.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:21179-1 vom 2025-12-10",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023499.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:21139-1 vom 2025-12-10",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023515.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:21180-1 vom 2025-12-10",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023498.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-28049 vom 2025-12-15",
"url": "https://linux.oracle.com/errata/ELSA-2025-28049.html"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2025:22854 vom 2025-12-14",
"url": "https://errata.build.resf.org/RLSA-2025:22854"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2025:22865 vom 2025-12-13",
"url": "https://errata.build.resf.org/RLSA-2025:22865"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-28048 vom 2025-12-12",
"url": "https://linux.oracle.com/errata/ELSA-2025-28048.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4404 vom 2025-12-12",
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00015.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-28049 vom 2025-12-15",
"url": "https://oss.oracle.com/pipermail/el-errata/2025-December/019260.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7909-5 vom 2025-12-15",
"url": "https://ubuntu.com/security/notices/USN-7909-5"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7933-1 vom 2025-12-15",
"url": "https://ubuntu.com/security/notices/USN-7933-1"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7938-1 vom 2025-12-16",
"url": "https://ubuntu.com/security/notices/USN-7938-1"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-12-16T23:00:00.000+00:00",
"generator": {
"date": "2025-12-17T09:45:45.201+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-2170",
"initial_release_date": "2025-09-30T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-09-30T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-10-01T22:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: EUVD-2025-31827, EUVD-2025-31825, EUVD-2025-31823, EUVD-2025-31830, EUVD-2025-31824, EUVD-2025-31829, EUVD-2025-31828, EUVD-2025-31826"
},
{
"date": "2025-10-12T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-10-15T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-10-19T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-10-23T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-10-26T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-10-27T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von SUSE und Amazon aufgenommen"
},
{
"date": "2025-10-30T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-11-04T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Dell aufgenommen"
},
{
"date": "2025-11-10T23:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-11-11T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-11-12T23:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-11-16T23:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-11-18T23:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-11-19T23:00:00.000+00:00",
"number": "16",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-11-23T23:00:00.000+00:00",
"number": "17",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-11-24T23:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-11-25T23:00:00.000+00:00",
"number": "19",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-11-26T23:00:00.000+00:00",
"number": "20",
"summary": "Neue Updates von openSUSE aufgenommen"
},
{
"date": "2025-11-27T23:00:00.000+00:00",
"number": "21",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-11-30T23:00:00.000+00:00",
"number": "22",
"summary": "Neue Updates von SUSE und Red Hat aufgenommen"
},
{
"date": "2025-12-01T23:00:00.000+00:00",
"number": "23",
"summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen"
},
{
"date": "2025-12-02T23:00:00.000+00:00",
"number": "24",
"summary": "Neue Updates von Oracle Linux und Red Hat aufgenommen"
},
{
"date": "2025-12-03T23:00:00.000+00:00",
"number": "25",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-12-04T23:00:00.000+00:00",
"number": "26",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-12-07T23:00:00.000+00:00",
"number": "27",
"summary": "Neue Updates von Oracle Linux aufgenommen"
},
{
"date": "2025-12-08T23:00:00.000+00:00",
"number": "28",
"summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen"
},
{
"date": "2025-12-09T23:00:00.000+00:00",
"number": "29",
"summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen"
},
{
"date": "2025-12-10T23:00:00.000+00:00",
"number": "30",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-12-14T23:00:00.000+00:00",
"number": "31",
"summary": "Neue Updates von Oracle Linux, Rocky Enterprise Software Foundation und Debian aufgenommen"
},
{
"date": "2025-12-15T23:00:00.000+00:00",
"number": "32",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2025-12-16T23:00:00.000+00:00",
"number": "33",
"summary": "Neue Updates von Ubuntu aufgenommen"
}
],
"status": "final",
"version": "33"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "Appliance \u003c5.32.00.18",
"product": {
"name": "Dell Secure Connect Gateway Appliance \u003c5.32.00.18",
"product_id": "T048301"
}
},
{
"category": "product_version",
"name": "Appliance 5.32.00.18",
"product": {
"name": "Dell Secure Connect Gateway Appliance 5.32.00.18",
"product_id": "T048301-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:dell:secure_connect_gateway:appliance__5.32.00.18"
}
}
}
],
"category": "product_name",
"name": "Secure Connect Gateway"
}
],
"category": "vendor",
"name": "Dell"
},
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T047322",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:-"
}
}
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "RESF Rocky Linux",
"product": {
"name": "RESF Rocky Linux",
"product_id": "T032255",
"product_identification_helper": {
"cpe": "cpe:/o:resf:rocky_linux:-"
}
}
}
],
"category": "vendor",
"name": "RESF"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-39891",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39891"
},
{
"cve": "CVE-2025-39892",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39892"
},
{
"cve": "CVE-2025-39893",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39893"
},
{
"cve": "CVE-2025-39894",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39894"
},
{
"cve": "CVE-2025-39895",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39895"
},
{
"cve": "CVE-2025-39896",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39896"
},
{
"cve": "CVE-2025-39897",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39897"
},
{
"cve": "CVE-2025-39898",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39898"
},
{
"cve": "CVE-2025-39899",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39899"
},
{
"cve": "CVE-2025-39900",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39900"
},
{
"cve": "CVE-2025-39901",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39901"
},
{
"cve": "CVE-2025-39902",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39902"
},
{
"cve": "CVE-2025-39903",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39903"
},
{
"cve": "CVE-2025-39904",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39904"
},
{
"cve": "CVE-2025-39905",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39905"
},
{
"cve": "CVE-2025-39906",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39906"
},
{
"cve": "CVE-2025-39907",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39907"
},
{
"cve": "CVE-2025-39908",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39908"
},
{
"cve": "CVE-2025-39909",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39909"
},
{
"cve": "CVE-2025-39910",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39910"
},
{
"cve": "CVE-2025-39911",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39911"
},
{
"cve": "CVE-2025-39912",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39912"
},
{
"cve": "CVE-2025-39913",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39913"
},
{
"cve": "CVE-2025-39914",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39914"
},
{
"cve": "CVE-2025-39915",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39915"
},
{
"cve": "CVE-2025-39916",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39916"
},
{
"cve": "CVE-2025-39917",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39917"
},
{
"cve": "CVE-2025-39918",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39918"
},
{
"cve": "CVE-2025-39919",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39919"
},
{
"cve": "CVE-2025-39920",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39920"
},
{
"cve": "CVE-2025-39921",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39921"
},
{
"cve": "CVE-2025-39922",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39922"
},
{
"cve": "CVE-2025-39923",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39923"
},
{
"cve": "CVE-2025-39924",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39924"
},
{
"cve": "CVE-2025-39925",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39925"
},
{
"cve": "CVE-2025-39926",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39926"
},
{
"cve": "CVE-2025-39927",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39927"
},
{
"cve": "CVE-2025-39928",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T027843",
"398363",
"T004914",
"T032255",
"T047322",
"T048301"
]
},
"release_date": "2025-09-30T22:00:00.000+00:00",
"title": "CVE-2025-39928"
}
]
}
CVE-2025-39928 (GCVE-0-2025-39928)
Vulnerability from cvelistv5
Published
2025-10-01 08:07
Modified
2025-10-01 08:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: rtl9300: ensure data length is within supported range
Add an explicit check for the xfer length to 'rtl9300_i2c_config_xfer'
to ensure the data length isn't within the supported range. In
particular a data length of 0 is not supported by the hardware and
causes unintended or destructive behaviour.
This limitation becomes obvious when looking at the register
documentation [1]. 4 bits are reserved for DATA_WIDTH and the value
of these 4 bits is used as N + 1, allowing a data length range of
1 <= len <= 16.
Affected by this is the SMBus Quick Operation which works with a data
length of 0. Passing 0 as the length causes an underflow of the value
due to:
(len - 1) & 0xf
and effectively specifying a transfer length of 16 via the registers.
This causes a 16-byte write operation instead of a Quick Write. For
example, on SFP modules without write-protected EEPROM this soft-bricks
them by overwriting some initial bytes.
For completeness, also add a quirk for the zero length.
[1] https://svanheule.net/realtek/longan/register/i2c_mst1_ctrl2
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-rtl9300.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c91382328fc89f73144d5582f2d8f1dd3e41c8f7",
"status": "affected",
"version": "c366be720235301fdadf67e6f1ea6ff32669c074",
"versionType": "git"
},
{
"lessThan": "06418cb5a1a542a003fdb4ad8e76ea542d57cfba",
"status": "affected",
"version": "c366be720235301fdadf67e6f1ea6ff32669c074",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-rtl9300.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: rtl9300: ensure data length is within supported range\n\nAdd an explicit check for the xfer length to \u0027rtl9300_i2c_config_xfer\u0027\nto ensure the data length isn\u0027t within the supported range. In\nparticular a data length of 0 is not supported by the hardware and\ncauses unintended or destructive behaviour.\n\nThis limitation becomes obvious when looking at the register\ndocumentation [1]. 4 bits are reserved for DATA_WIDTH and the value\nof these 4 bits is used as N + 1, allowing a data length range of\n1 \u003c= len \u003c= 16.\n\nAffected by this is the SMBus Quick Operation which works with a data\nlength of 0. Passing 0 as the length causes an underflow of the value\ndue to:\n\n(len - 1) \u0026 0xf\n\nand effectively specifying a transfer length of 16 via the registers.\nThis causes a 16-byte write operation instead of a Quick Write. For\nexample, on SFP modules without write-protected EEPROM this soft-bricks\nthem by overwriting some initial bytes.\n\nFor completeness, also add a quirk for the zero length.\n\n[1] https://svanheule.net/realtek/longan/register/i2c_mst1_ctrl2"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T08:07:15.530Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c91382328fc89f73144d5582f2d8f1dd3e41c8f7"
},
{
"url": "https://git.kernel.org/stable/c/06418cb5a1a542a003fdb4ad8e76ea542d57cfba"
}
],
"title": "i2c: rtl9300: ensure data length is within supported range",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39928",
"datePublished": "2025-10-01T08:07:15.530Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T08:07:15.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39902 (GCVE-0-2025-39902)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/slub: avoid accessing metadata when pointer is invalid in object_err()
object_err() reports details of an object for further debugging, such as
the freelist pointer, redzone, etc. However, if the pointer is invalid,
attempting to access object metadata can lead to a crash since it does
not point to a valid object.
One known path to the crash is when alloc_consistency_checks()
determines the pointer to the allocated object is invalid because of a
freelist corruption, and calls object_err() to report it. The debug code
should report and handle the corruption gracefully and not crash in the
process.
In case the pointer is NULL or check_valid_pointer() returns false for
the pointer, only print the pointer value and skip accessing metadata.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 Version: 81819f0fc8285a2a5a921c019e3e3d7b6169d225 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:33.198Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "872f2c34ff232af1e65ad2df86d61163c8ffad42",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "f66012909e7bf383fcdc5850709ed5716073fdc4",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "7e287256904ee796c9477e3ec92b07f236481ef3",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "1f0797f17927b5cad0fb7eced422f9a7c30a3191",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "0ef7058b4dc6fcef622ac23b45225db57f17b83f",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "dda6ec365ab04067adae40ef17015db447e90736",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "3baa1da473e6e50281324ff1d332d1a07a3bb02e",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
},
{
"lessThan": "b4efccec8d06ceb10a7d34d7b1c449c569d53770",
"status": "affected",
"version": "81819f0fc8285a2a5a921c019e3e3d7b6169d225",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/slub.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.22"
},
{
"lessThan": "2.6.22",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slub: avoid accessing metadata when pointer is invalid in object_err()\n\nobject_err() reports details of an object for further debugging, such as\nthe freelist pointer, redzone, etc. However, if the pointer is invalid,\nattempting to access object metadata can lead to a crash since it does\nnot point to a valid object.\n\nOne known path to the crash is when alloc_consistency_checks()\ndetermines the pointer to the allocated object is invalid because of a\nfreelist corruption, and calls object_err() to report it. The debug code\nshould report and handle the corruption gracefully and not crash in the\nprocess.\n\nIn case the pointer is NULL or check_valid_pointer() returns false for\nthe pointer, only print the pointer value and skip accessing metadata."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:49.415Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/872f2c34ff232af1e65ad2df86d61163c8ffad42"
},
{
"url": "https://git.kernel.org/stable/c/f66012909e7bf383fcdc5850709ed5716073fdc4"
},
{
"url": "https://git.kernel.org/stable/c/7e287256904ee796c9477e3ec92b07f236481ef3"
},
{
"url": "https://git.kernel.org/stable/c/1f0797f17927b5cad0fb7eced422f9a7c30a3191"
},
{
"url": "https://git.kernel.org/stable/c/0ef7058b4dc6fcef622ac23b45225db57f17b83f"
},
{
"url": "https://git.kernel.org/stable/c/dda6ec365ab04067adae40ef17015db447e90736"
},
{
"url": "https://git.kernel.org/stable/c/3baa1da473e6e50281324ff1d332d1a07a3bb02e"
},
{
"url": "https://git.kernel.org/stable/c/b4efccec8d06ceb10a7d34d7b1c449c569d53770"
}
],
"title": "mm/slub: avoid accessing metadata when pointer is invalid in object_err()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39902",
"datePublished": "2025-10-01T07:42:49.415Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-11-03T17:44:33.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39912 (GCVE-0-2025-39912)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-10-01 07:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfs/localio: restore creds before releasing pageio data
Otherwise if the nfsd filecache code releases the nfsd_file
immediately, it can trigger the BUG_ON(cred == current->cred) in
__put_cred() when it puts the nfsd_file->nf_file->f-cred.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/localio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "57c1bb02b4fc8eec6eb01736e7fad26dffacf18c",
"status": "affected",
"version": "b9f5dd57f4a52990963eeb1f1b58d00f717ece69",
"versionType": "git"
},
{
"lessThan": "c250be1d75bf80dc5ab46f0b434b746c1868a1ea",
"status": "affected",
"version": "b9f5dd57f4a52990963eeb1f1b58d00f717ece69",
"versionType": "git"
},
{
"lessThan": "992203a1fba51b025c60ec0c8b0d9223343dea95",
"status": "affected",
"version": "b9f5dd57f4a52990963eeb1f1b58d00f717ece69",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/localio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs/localio: restore creds before releasing pageio data\n\nOtherwise if the nfsd filecache code releases the nfsd_file\nimmediately, it can trigger the BUG_ON(cred == current-\u003ecred) in\n__put_cred() when it puts the nfsd_file-\u003enf_file-\u003ef-cred."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:35.513Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/57c1bb02b4fc8eec6eb01736e7fad26dffacf18c"
},
{
"url": "https://git.kernel.org/stable/c/c250be1d75bf80dc5ab46f0b434b746c1868a1ea"
},
{
"url": "https://git.kernel.org/stable/c/992203a1fba51b025c60ec0c8b0d9223343dea95"
}
],
"title": "nfs/localio: restore creds before releasing pageio data",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39912",
"datePublished": "2025-10-01T07:44:35.513Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T07:44:35.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39914 (GCVE-0-2025-39914)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Silence warning when chunk allocation fails in trace_pid_write
Syzkaller trigger a fault injection warning:
WARNING: CPU: 1 PID: 12326 at tracepoint_add_func+0xbfc/0xeb0
Modules linked in:
CPU: 1 UID: 0 PID: 12326 Comm: syz.6.10325 Tainted: G U 6.14.0-rc5-syzkaller #0
Tainted: [U]=USER
Hardware name: Google Compute Engine/Google Compute Engine
RIP: 0010:tracepoint_add_func+0xbfc/0xeb0 kernel/tracepoint.c:294
Code: 09 fe ff 90 0f 0b 90 0f b6 74 24 43 31 ff 41 bc ea ff ff ff
RSP: 0018:ffffc9000414fb48 EFLAGS: 00010283
RAX: 00000000000012a1 RBX: ffffffff8e240ae0 RCX: ffffc90014b78000
RDX: 0000000000080000 RSI: ffffffff81bbd78b RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffffffffffef
R13: 0000000000000000 R14: dffffc0000000000 R15: ffffffff81c264f0
FS: 00007f27217f66c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e80dff8 CR3: 00000000268f8000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tracepoint_probe_register_prio+0xc0/0x110 kernel/tracepoint.c:464
register_trace_prio_sched_switch include/trace/events/sched.h:222 [inline]
register_pid_events kernel/trace/trace_events.c:2354 [inline]
event_pid_write.isra.0+0x439/0x7a0 kernel/trace/trace_events.c:2425
vfs_write+0x24c/0x1150 fs/read_write.c:677
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
We can reproduce the warning by following the steps below:
1. echo 8 >> set_event_notrace_pid. Let tr->filtered_pids owns one pid
and register sched_switch tracepoint.
2. echo ' ' >> set_event_pid, and perform fault injection during chunk
allocation of trace_pid_list_alloc. Let pid_list with no pid and
assign to tr->filtered_pids.
3. echo ' ' >> set_event_pid. Let pid_list is NULL and assign to
tr->filtered_pids.
4. echo 9 >> set_event_pid, will trigger the double register
sched_switch tracepoint warning.
The reason is that syzkaller injects a fault into the chunk allocation
in trace_pid_list_alloc, causing a failure in trace_pid_list_set, which
may trigger double register of the same tracepoint. This only occurs
when the system is about to crash, but to suppress this warning, let's
add failure handling logic to trace_pid_list_set.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:37.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7583a73c53f1d1ae7a39b130eb7190a11f0a902f",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "1262bda871dace8c6efae25f3b6a2d34f6f06d54",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "88525accf16947ab459f8e91c27c8c53e1d612d7",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "793338906ff57d8c683f44fe48ca99d49c8782a7",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
},
{
"lessThan": "cd4453c5e983cf1fd5757e9acb915adb1e4602b6",
"status": "affected",
"version": "8d6e90983ade25ec7925211ac31d9ccaf64b7edf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Silence warning when chunk allocation fails in trace_pid_write\n\nSyzkaller trigger a fault injection warning:\n\nWARNING: CPU: 1 PID: 12326 at tracepoint_add_func+0xbfc/0xeb0\nModules linked in:\nCPU: 1 UID: 0 PID: 12326 Comm: syz.6.10325 Tainted: G U 6.14.0-rc5-syzkaller #0\nTainted: [U]=USER\nHardware name: Google Compute Engine/Google Compute Engine\nRIP: 0010:tracepoint_add_func+0xbfc/0xeb0 kernel/tracepoint.c:294\nCode: 09 fe ff 90 0f 0b 90 0f b6 74 24 43 31 ff 41 bc ea ff ff ff\nRSP: 0018:ffffc9000414fb48 EFLAGS: 00010283\nRAX: 00000000000012a1 RBX: ffffffff8e240ae0 RCX: ffffc90014b78000\nRDX: 0000000000080000 RSI: ffffffff81bbd78b RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffffffffffef\nR13: 0000000000000000 R14: dffffc0000000000 R15: ffffffff81c264f0\nFS: 00007f27217f66c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b2e80dff8 CR3: 00000000268f8000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tracepoint_probe_register_prio+0xc0/0x110 kernel/tracepoint.c:464\n register_trace_prio_sched_switch include/trace/events/sched.h:222 [inline]\n register_pid_events kernel/trace/trace_events.c:2354 [inline]\n event_pid_write.isra.0+0x439/0x7a0 kernel/trace/trace_events.c:2425\n vfs_write+0x24c/0x1150 fs/read_write.c:677\n ksys_write+0x12b/0x250 fs/read_write.c:731\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nWe can reproduce the warning by following the steps below:\n1. echo 8 \u003e\u003e set_event_notrace_pid. Let tr-\u003efiltered_pids owns one pid\n and register sched_switch tracepoint.\n2. echo \u0027 \u0027 \u003e\u003e set_event_pid, and perform fault injection during chunk\n allocation of trace_pid_list_alloc. Let pid_list with no pid and\nassign to tr-\u003efiltered_pids.\n3. echo \u0027 \u0027 \u003e\u003e set_event_pid. Let pid_list is NULL and assign to\n tr-\u003efiltered_pids.\n4. echo 9 \u003e\u003e set_event_pid, will trigger the double register\n sched_switch tracepoint warning.\n\nThe reason is that syzkaller injects a fault into the chunk allocation\nin trace_pid_list_alloc, causing a failure in trace_pid_list_set, which\nmay trigger double register of the same tracepoint. This only occurs\nwhen the system is about to crash, but to suppress this warning, let\u0027s\nadd failure handling logic to trace_pid_list_set."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:37.018Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7583a73c53f1d1ae7a39b130eb7190a11f0a902f"
},
{
"url": "https://git.kernel.org/stable/c/1262bda871dace8c6efae25f3b6a2d34f6f06d54"
},
{
"url": "https://git.kernel.org/stable/c/88525accf16947ab459f8e91c27c8c53e1d612d7"
},
{
"url": "https://git.kernel.org/stable/c/793338906ff57d8c683f44fe48ca99d49c8782a7"
},
{
"url": "https://git.kernel.org/stable/c/cd4453c5e983cf1fd5757e9acb915adb1e4602b6"
}
],
"title": "tracing: Silence warning when chunk allocation fails in trace_pid_write",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39914",
"datePublished": "2025-10-01T07:44:37.018Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:37.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39909 (GCVE-0-2025-39909)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()
Patch series "mm/damon: avoid divide-by-zero in DAMON module's parameters
application".
DAMON's RECLAIM and LRU_SORT modules perform no validation on
user-configured parameters during application, which may lead to
division-by-zero errors.
Avoid the divide-by-zero by adding validation checks when DAMON modules
attempt to apply the parameters.
This patch (of 2):
During the calculation of 'hot_thres' and 'cold_thres', either
'sample_interval' or 'aggr_interval' is used as the divisor, which may
lead to division-by-zero errors. Fix it by directly returning -EINVAL
when such a case occurs. Additionally, since 'aggr_interval' is already
required to be set no smaller than 'sample_interval' in damon_set_attrs(),
only the case where 'sample_interval' is zero needs to be checked.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:35.076Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/lru_sort.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74e391f7da7d9d5235a3cca88ee9fc18f720c75b",
"status": "affected",
"version": "40e983cca9274e177bd5b9379299b44d9536ac68",
"versionType": "git"
},
{
"lessThan": "7bb675c9f0257840d33e5d1337d7e3afdd74a6bf",
"status": "affected",
"version": "40e983cca9274e177bd5b9379299b44d9536ac68",
"versionType": "git"
},
{
"lessThan": "af0ae62b935317bed1a1361c8c9579db9d300e70",
"status": "affected",
"version": "40e983cca9274e177bd5b9379299b44d9536ac68",
"versionType": "git"
},
{
"lessThan": "326a4b3750c71af3f3c52399ec4dbe33b6da4c26",
"status": "affected",
"version": "40e983cca9274e177bd5b9379299b44d9536ac68",
"versionType": "git"
},
{
"lessThan": "711f19dfd783ffb37ca4324388b9c4cb87e71363",
"status": "affected",
"version": "40e983cca9274e177bd5b9379299b44d9536ac68",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/lru_sort.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()\n\nPatch series \"mm/damon: avoid divide-by-zero in DAMON module\u0027s parameters\napplication\".\n\nDAMON\u0027s RECLAIM and LRU_SORT modules perform no validation on\nuser-configured parameters during application, which may lead to\ndivision-by-zero errors.\n\nAvoid the divide-by-zero by adding validation checks when DAMON modules\nattempt to apply the parameters.\n\n\nThis patch (of 2):\n\nDuring the calculation of \u0027hot_thres\u0027 and \u0027cold_thres\u0027, either\n\u0027sample_interval\u0027 or \u0027aggr_interval\u0027 is used as the divisor, which may\nlead to division-by-zero errors. Fix it by directly returning -EINVAL\nwhen such a case occurs. Additionally, since \u0027aggr_interval\u0027 is already\nrequired to be set no smaller than \u0027sample_interval\u0027 in damon_set_attrs(),\nonly the case where \u0027sample_interval\u0027 is zero needs to be checked."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:32.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74e391f7da7d9d5235a3cca88ee9fc18f720c75b"
},
{
"url": "https://git.kernel.org/stable/c/7bb675c9f0257840d33e5d1337d7e3afdd74a6bf"
},
{
"url": "https://git.kernel.org/stable/c/af0ae62b935317bed1a1361c8c9579db9d300e70"
},
{
"url": "https://git.kernel.org/stable/c/326a4b3750c71af3f3c52399ec4dbe33b6da4c26"
},
{
"url": "https://git.kernel.org/stable/c/711f19dfd783ffb37ca4324388b9c4cb87e71363"
}
],
"title": "mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39909",
"datePublished": "2025-10-01T07:44:32.936Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-11-03T17:44:35.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39910 (GCVE-0-2025-39910)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-10-01 07:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()
kasan_populate_vmalloc() and its helpers ignore the caller's gfp_mask and
always allocate memory using the hardcoded GFP_KERNEL flag. This makes
them inconsistent with vmalloc(), which was recently extended to support
GFP_NOFS and GFP_NOIO allocations.
Page table allocations performed during shadow population also ignore the
external gfp_mask. To preserve the intended semantics of GFP_NOFS and
GFP_NOIO, wrap the apply_to_page_range() calls into the appropriate
memalloc scope.
xfs calls vmalloc with GFP_NOFS, so this bug could lead to deadlock.
There was a report here
https://lkml.kernel.org/r/686ea951.050a0220.385921.0016.GAE@google.com
This patch:
- Extends kasan_populate_vmalloc() and helpers to take gfp_mask;
- Passes gfp_mask down to alloc_pages_bulk() and __get_free_page();
- Enforces GFP_NOFS/NOIO semantics with memalloc_*_save()/restore()
around apply_to_page_range();
- Updates vmalloc.c and percpu allocator call sites accordingly.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/kasan.h",
"mm/kasan/shadow.c",
"mm/vmalloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "33b95d90427cb4babf32059e323a6d0c027610fe",
"status": "affected",
"version": "451769ebb7e792c3404db53b3c2a422990de654e",
"versionType": "git"
},
{
"lessThan": "79357cd06d41d0f5a11b17d7c86176e395d10ef2",
"status": "affected",
"version": "451769ebb7e792c3404db53b3c2a422990de654e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/kasan.h",
"mm/kasan/shadow.c",
"mm/vmalloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()\n\nkasan_populate_vmalloc() and its helpers ignore the caller\u0027s gfp_mask and\nalways allocate memory using the hardcoded GFP_KERNEL flag. This makes\nthem inconsistent with vmalloc(), which was recently extended to support\nGFP_NOFS and GFP_NOIO allocations.\n\nPage table allocations performed during shadow population also ignore the\nexternal gfp_mask. To preserve the intended semantics of GFP_NOFS and\nGFP_NOIO, wrap the apply_to_page_range() calls into the appropriate\nmemalloc scope.\n\nxfs calls vmalloc with GFP_NOFS, so this bug could lead to deadlock.\n\nThere was a report here\nhttps://lkml.kernel.org/r/686ea951.050a0220.385921.0016.GAE@google.com\n\nThis patch:\n - Extends kasan_populate_vmalloc() and helpers to take gfp_mask;\n - Passes gfp_mask down to alloc_pages_bulk() and __get_free_page();\n - Enforces GFP_NOFS/NOIO semantics with memalloc_*_save()/restore()\n around apply_to_page_range();\n - Updates vmalloc.c and percpu allocator call sites accordingly."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:33.759Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/33b95d90427cb4babf32059e323a6d0c027610fe"
},
{
"url": "https://git.kernel.org/stable/c/79357cd06d41d0f5a11b17d7c86176e395d10ef2"
}
],
"title": "mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39910",
"datePublished": "2025-10-01T07:44:33.759Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T07:44:33.759Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39892 (GCVE-0-2025-39892)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked()
soc-generic-dmaengine-pcm.c uses same dev for both CPU and Platform.
In such case, CPU component driver might not have driver->name, then
snd_soc_lookup_component_nolocked() will be NULL pointer access error.
Care NULL driver name.
Call trace:
strcmp from snd_soc_lookup_component_nolocked+0x64/0xa4
snd_soc_lookup_component_nolocked from snd_soc_unregister_component_by_driver+0x2c/0x44
snd_soc_unregister_component_by_driver from snd_dmaengine_pcm_unregister+0x28/0x64
snd_dmaengine_pcm_unregister from devres_release_all+0x98/0xfc
devres_release_all from device_unbind_cleanup+0xc/0x60
device_unbind_cleanup from really_probe+0x220/0x2c8
really_probe from __driver_probe_device+0x88/0x1a0
__driver_probe_device from driver_probe_device+0x30/0x110
driver_probe_device from __driver_attach+0x90/0x178
__driver_attach from bus_for_each_dev+0x7c/0xcc
bus_for_each_dev from bus_add_driver+0xcc/0x1ec
bus_add_driver from driver_register+0x80/0x11c
driver_register from do_one_initcall+0x58/0x23c
do_one_initcall from kernel_init_freeable+0x198/0x1f4
kernel_init_freeable from kernel_init+0x1c/0x12c
kernel_init from ret_from_fork+0x14/0x28
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d282dcd46d972be338085ae9e217462b366ce6e",
"status": "affected",
"version": "144d6dfc7482455eabf8e8caa974a6e8d9572705",
"versionType": "git"
},
{
"lessThan": "168873ca1799d3f23442b9e79eae55f907b9b126",
"status": "affected",
"version": "144d6dfc7482455eabf8e8caa974a6e8d9572705",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/soc-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked()\n\nsoc-generic-dmaengine-pcm.c uses same dev for both CPU and Platform.\nIn such case, CPU component driver might not have driver-\u003ename, then\nsnd_soc_lookup_component_nolocked() will be NULL pointer access error.\nCare NULL driver name.\n\n\tCall trace:\n\t strcmp from snd_soc_lookup_component_nolocked+0x64/0xa4\n\t snd_soc_lookup_component_nolocked from snd_soc_unregister_component_by_driver+0x2c/0x44\n\t snd_soc_unregister_component_by_driver from snd_dmaengine_pcm_unregister+0x28/0x64\n\t snd_dmaengine_pcm_unregister from devres_release_all+0x98/0xfc\n\t devres_release_all from device_unbind_cleanup+0xc/0x60\n\t device_unbind_cleanup from really_probe+0x220/0x2c8\n\t really_probe from __driver_probe_device+0x88/0x1a0\n\t __driver_probe_device from driver_probe_device+0x30/0x110\n\tdriver_probe_device from __driver_attach+0x90/0x178\n\t__driver_attach from bus_for_each_dev+0x7c/0xcc\n\tbus_for_each_dev from bus_add_driver+0xcc/0x1ec\n\tbus_add_driver from driver_register+0x80/0x11c\n\tdriver_register from do_one_initcall+0x58/0x23c\n\tdo_one_initcall from kernel_init_freeable+0x198/0x1f4\n\tkernel_init_freeable from kernel_init+0x1c/0x12c\n\tkernel_init from ret_from_fork+0x14/0x28"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:41.643Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d282dcd46d972be338085ae9e217462b366ce6e"
},
{
"url": "https://git.kernel.org/stable/c/168873ca1799d3f23442b9e79eae55f907b9b126"
}
],
"title": "ASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39892",
"datePublished": "2025-10-01T07:42:41.643Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-10-01T07:42:41.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39917 (GCVE-0-2025-39917)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-10-01 07:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt
Stanislav reported that in bpf_crypto_crypt() the destination dynptr's
size is not validated to be at least as large as the source dynptr's
size before calling into the crypto backend with 'len = src_len'. This
can result in an OOB write when the destination is smaller than the
source.
Concretely, in mentioned function, psrc and pdst are both linear
buffers fetched from each dynptr:
psrc = __bpf_dynptr_data(src, src_len);
[...]
pdst = __bpf_dynptr_data_rw(dst, dst_len);
[...]
err = decrypt ?
ctx->type->decrypt(ctx->tfm, psrc, pdst, src_len, piv) :
ctx->type->encrypt(ctx->tfm, psrc, pdst, src_len, piv);
The crypto backend expects pdst to be large enough with a src_len length
that can be written. Add an additional src_len > dst_len check and bail
out if it's the case. Note that these kfuncs are accessible under root
privileges only.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0126358df12d6f476f79251d9c398ac5c1b3062d",
"status": "affected",
"version": "3e1c6f35409f9e447bf37f64840f5b65576bfb78",
"versionType": "git"
},
{
"lessThan": "c4be24ef0510c146dca4671effb127e97631534b",
"status": "affected",
"version": "3e1c6f35409f9e447bf37f64840f5b65576bfb78",
"versionType": "git"
},
{
"lessThan": "f9bb6ffa7f5ad0f8ee0f53fc4a10655872ee4a14",
"status": "affected",
"version": "3e1c6f35409f9e447bf37f64840f5b65576bfb78",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt\n\nStanislav reported that in bpf_crypto_crypt() the destination dynptr\u0027s\nsize is not validated to be at least as large as the source dynptr\u0027s\nsize before calling into the crypto backend with \u0027len = src_len\u0027. This\ncan result in an OOB write when the destination is smaller than the\nsource.\n\nConcretely, in mentioned function, psrc and pdst are both linear\nbuffers fetched from each dynptr:\n\n psrc = __bpf_dynptr_data(src, src_len);\n [...]\n pdst = __bpf_dynptr_data_rw(dst, dst_len);\n [...]\n err = decrypt ?\n ctx-\u003etype-\u003edecrypt(ctx-\u003etfm, psrc, pdst, src_len, piv) :\n ctx-\u003etype-\u003eencrypt(ctx-\u003etfm, psrc, pdst, src_len, piv);\n\nThe crypto backend expects pdst to be large enough with a src_len length\nthat can be written. Add an additional src_len \u003e dst_len check and bail\nout if it\u0027s the case. Note that these kfuncs are accessible under root\nprivileges only."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:39.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0126358df12d6f476f79251d9c398ac5c1b3062d"
},
{
"url": "https://git.kernel.org/stable/c/c4be24ef0510c146dca4671effb127e97631534b"
},
{
"url": "https://git.kernel.org/stable/c/f9bb6ffa7f5ad0f8ee0f53fc4a10655872ee4a14"
}
],
"title": "bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39917",
"datePublished": "2025-10-01T07:44:39.423Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T07:44:39.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39919 (GCVE-0-2025-39919)
Vulnerability from cvelistv5
Published
2025-10-01 07:55
Modified
2025-10-01 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: add missing check for rx wcid entries
Non-station wcid entries must not be passed to the rx functions.
In case of the global wcid entry, it could even lead to corruption in the wcid
array due to pointer being casted to struct mt7996_sta_link using container_of.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7996/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69dcc19048fcdc3fb166fd25b805470ee8fc0eb1",
"status": "affected",
"version": "7464b12b7d92b9641d4664735b9f3c3f0b6173d9",
"versionType": "git"
},
{
"lessThan": "4a522b01e368eec58d182ecc47d24f49a39e440d",
"status": "affected",
"version": "7464b12b7d92b9641d4664735b9f3c3f0b6173d9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/mt7996/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7996: add missing check for rx wcid entries\n\nNon-station wcid entries must not be passed to the rx functions.\nIn case of the global wcid entry, it could even lead to corruption in the wcid\narray due to pointer being casted to struct mt7996_sta_link using container_of."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:55:14.804Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69dcc19048fcdc3fb166fd25b805470ee8fc0eb1"
},
{
"url": "https://git.kernel.org/stable/c/4a522b01e368eec58d182ecc47d24f49a39e440d"
}
],
"title": "wifi: mt76: mt7996: add missing check for rx wcid entries",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39919",
"datePublished": "2025-10-01T07:55:14.804Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T07:55:14.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39891 (GCVE-0-2025-39891)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mwifiex: Initialize the chan_stats array to zero
The adapter->chan_stats[] array is initialized in
mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out
memory. The array is filled in mwifiex_update_chan_statistics()
and then the user can query the data in mwifiex_cfg80211_dump_survey().
There are two potential issues here. What if the user calls
mwifiex_cfg80211_dump_survey() before the data has been filled in.
Also the mwifiex_update_chan_statistics() function doesn't necessarily
initialize the whole array. Since the array was not initialized at
the start that could result in an information leak.
Also this array is pretty small. It's a maximum of 900 bytes so it's
more appropriate to use kcalloc() instead vmalloc().
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b Version: bf35443314acb43fa8a3f9f8046e14cbe178762b |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:27.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/cfg80211.c",
"drivers/net/wireless/marvell/mwifiex/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "05daef0442d28350a1a0d6d0e2cab4a7a91df475",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "acdf26a912190fc6746e2a890d7d0338190527b4",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "32c124c9c03aa755cbaf60ef7f76afd918d47659",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "9df29aa5637d94d24f7c5f054ef4feaa7b766111",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "06616410a3e5e6cd1de5b7cbc668f1a7edeedad9",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "5285b7009dc1e09d5bb9e05fae82e1a807882dbc",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
},
{
"lessThan": "0e20450829ca3c1dbc2db536391537c57a40fe0b",
"status": "affected",
"version": "bf35443314acb43fa8a3f9f8046e14cbe178762b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/marvell/mwifiex/cfg80211.c",
"drivers/net/wireless/marvell/mwifiex/main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mwifiex: Initialize the chan_stats array to zero\n\nThe adapter-\u003echan_stats[] array is initialized in\nmwifiex_init_channel_scan_gap() with vmalloc(), which doesn\u0027t zero out\nmemory. The array is filled in mwifiex_update_chan_statistics()\nand then the user can query the data in mwifiex_cfg80211_dump_survey().\n\nThere are two potential issues here. What if the user calls\nmwifiex_cfg80211_dump_survey() before the data has been filled in.\nAlso the mwifiex_update_chan_statistics() function doesn\u0027t necessarily\ninitialize the whole array. Since the array was not initialized at\nthe start that could result in an information leak.\n\nAlso this array is pretty small. It\u0027s a maximum of 900 bytes so it\u0027s\nmore appropriate to use kcalloc() instead vmalloc()."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:40.633Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9eb0118b3470b4d2e4e3bbb1fc088b30c0285d65"
},
{
"url": "https://git.kernel.org/stable/c/05daef0442d28350a1a0d6d0e2cab4a7a91df475"
},
{
"url": "https://git.kernel.org/stable/c/acdf26a912190fc6746e2a890d7d0338190527b4"
},
{
"url": "https://git.kernel.org/stable/c/32c124c9c03aa755cbaf60ef7f76afd918d47659"
},
{
"url": "https://git.kernel.org/stable/c/9df29aa5637d94d24f7c5f054ef4feaa7b766111"
},
{
"url": "https://git.kernel.org/stable/c/06616410a3e5e6cd1de5b7cbc668f1a7edeedad9"
},
{
"url": "https://git.kernel.org/stable/c/5285b7009dc1e09d5bb9e05fae82e1a807882dbc"
},
{
"url": "https://git.kernel.org/stable/c/0e20450829ca3c1dbc2db536391537c57a40fe0b"
}
],
"title": "wifi: mwifiex: Initialize the chan_stats array to zero",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39891",
"datePublished": "2025-10-01T07:42:40.633Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-11-03T17:44:27.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39918 (GCVE-0-2025-39918)
Vulnerability from cvelistv5
Published
2025-10-01 07:55
Modified
2025-10-01 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: fix linked list corruption
Never leave scheduled wcid entries on the temporary on-stack list
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e4d5a5fc61fdc65220a1ce078d24c1d20bbb0835",
"status": "affected",
"version": "0b3be9d1d34e21dada69c539fbf51a5fe868028a",
"versionType": "git"
},
{
"lessThan": "c91a59b04f928cb4a1436b0e0a27650883d0388a",
"status": "affected",
"version": "0b3be9d1d34e21dada69c539fbf51a5fe868028a",
"versionType": "git"
},
{
"lessThan": "49fba87205bec14a0f6bd997635bf3968408161e",
"status": "affected",
"version": "0b3be9d1d34e21dada69c539fbf51a5fe868028a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/mediatek/mt76/tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: fix linked list corruption\n\nNever leave scheduled wcid entries on the temporary on-stack list"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:55:13.851Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e4d5a5fc61fdc65220a1ce078d24c1d20bbb0835"
},
{
"url": "https://git.kernel.org/stable/c/c91a59b04f928cb4a1436b0e0a27650883d0388a"
},
{
"url": "https://git.kernel.org/stable/c/49fba87205bec14a0f6bd997635bf3968408161e"
}
],
"title": "wifi: mt76: fix linked list corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39918",
"datePublished": "2025-10-01T07:55:13.851Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T07:55:13.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39923 (GCVE-0-2025-39923)
Vulnerability from cvelistv5
Published
2025-10-01 08:07
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
When we don't have a clock specified in the device tree, we have no way to
ensure the BAM is on. This is often the case for remotely-controlled or
remotely-powered BAM instances. In this case, we need to read num-channels
from the DT to have all the necessary information to complete probing.
However, at the moment invalid device trees without clock and without
num-channels still continue probing, because the error handling is missing
return statements. The driver will then later try to read the number of
channels from the registers. This is unsafe, because it relies on boot
firmware and lucky timing to succeed. Unfortunately, the lack of proper
error handling here has been abused for several Qualcomm SoCs upstream,
causing early boot crashes in several situations [1, 2].
Avoid these early crashes by erroring out when any of the required DT
properties are missing. Note that this will break some of the existing DTs
upstream (mainly BAM instances related to the crypto engine). However,
clearly these DTs have never been tested properly, since the error in the
kernel log was just ignored. It's safer to disable the crypto engine for
these broken DTBs.
[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/
[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 Version: cecf8a69042b3a54cb843223756c10ee8a8665e3 Version: 909474cd384cb206f33461fbd18089cf170533f8 Version: 5e0986f7caf17d7b1acd2092975360bf8e88a57d |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:41.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2e257a6125c63350f00dc42b9674f20fd3cf4a9f",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "555bd16351a35c79efb029a196975a5a27f7fbc4",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "ebf6c7c908e5999531c3517289598f187776124f",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "1fc14731f0be4885e60702b9596d14d9a79cf053",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "0ff9df758af7022d749718fb6b8385cc5693acf3",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"lessThan": "5068b5254812433e841a40886e695633148d362d",
"status": "affected",
"version": "48d163b1aa6e7f650c0b7a4f9c61c387a6def868",
"versionType": "git"
},
{
"status": "affected",
"version": "cecf8a69042b3a54cb843223756c10ee8a8665e3",
"versionType": "git"
},
{
"status": "affected",
"version": "909474cd384cb206f33461fbd18089cf170533f8",
"versionType": "git"
},
{
"status": "affected",
"version": "5e0986f7caf17d7b1acd2092975360bf8e88a57d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/qcom/bam_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.104",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.16.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees\n\nWhen we don\u0027t have a clock specified in the device tree, we have no way to\nensure the BAM is on. This is often the case for remotely-controlled or\nremotely-powered BAM instances. In this case, we need to read num-channels\nfrom the DT to have all the necessary information to complete probing.\n\nHowever, at the moment invalid device trees without clock and without\nnum-channels still continue probing, because the error handling is missing\nreturn statements. The driver will then later try to read the number of\nchannels from the registers. This is unsafe, because it relies on boot\nfirmware and lucky timing to succeed. Unfortunately, the lack of proper\nerror handling here has been abused for several Qualcomm SoCs upstream,\ncausing early boot crashes in several situations [1, 2].\n\nAvoid these early crashes by erroring out when any of the required DT\nproperties are missing. Note that this will break some of the existing DTs\nupstream (mainly BAM instances related to the crypto engine). However,\nclearly these DTs have never been tested properly, since the error in the\nkernel log was just ignored. It\u0027s safer to disable the crypto engine for\nthese broken DTBs.\n\n[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/\n[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:52.384Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2e257a6125c63350f00dc42b9674f20fd3cf4a9f"
},
{
"url": "https://git.kernel.org/stable/c/1d98ba204d8a6db0d986c7f1aefaa0dcd1c007a2"
},
{
"url": "https://git.kernel.org/stable/c/6ac1599d0e78036d9d08efc2f58c2d91f0a3ee4c"
},
{
"url": "https://git.kernel.org/stable/c/555bd16351a35c79efb029a196975a5a27f7fbc4"
},
{
"url": "https://git.kernel.org/stable/c/ebf6c7c908e5999531c3517289598f187776124f"
},
{
"url": "https://git.kernel.org/stable/c/1fc14731f0be4885e60702b9596d14d9a79cf053"
},
{
"url": "https://git.kernel.org/stable/c/0ff9df758af7022d749718fb6b8385cc5693acf3"
},
{
"url": "https://git.kernel.org/stable/c/5068b5254812433e841a40886e695633148d362d"
}
],
"title": "dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39923",
"datePublished": "2025-10-01T08:07:11.469Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:41.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39924 (GCVE-0-2025-39924)
Vulnerability from cvelistv5
Published
2025-10-01 08:07
Modified
2025-10-01 08:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix invalid algorithm for encoded extents
The current algorithm sanity checks do not properly apply to new
encoded extents.
Unify the algorithm check with Z_EROFS_COMPRESSION(_RUNTIME)_MAX
and ensure consistency with sbi->available_compr_algs.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/zmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db5d7abd379a8dcf030be8f52f99cadf7e397ba8",
"status": "affected",
"version": "1d191b4ca51d73699cb127386b95ac152af2b930",
"versionType": "git"
},
{
"lessThan": "131897c65e2b86cf14bec7379f44aa8fbb407526",
"status": "affected",
"version": "1d191b4ca51d73699cb127386b95ac152af2b930",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/zmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix invalid algorithm for encoded extents\n\nThe current algorithm sanity checks do not properly apply to new\nencoded extents.\n\nUnify the algorithm check with Z_EROFS_COMPRESSION(_RUNTIME)_MAX\nand ensure consistency with sbi-\u003eavailable_compr_algs."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T08:07:12.300Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db5d7abd379a8dcf030be8f52f99cadf7e397ba8"
},
{
"url": "https://git.kernel.org/stable/c/131897c65e2b86cf14bec7379f44aa8fbb407526"
}
],
"title": "erofs: fix invalid algorithm for encoded extents",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39924",
"datePublished": "2025-10-01T08:07:12.300Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T08:07:12.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39916 (GCVE-0-2025-39916)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters()
When creating a new scheme of DAMON_RECLAIM, the calculation of
'min_age_region' uses 'aggr_interval' as the divisor, which may lead to
division-by-zero errors. Fix it by directly returning -EINVAL when such a
case occurs.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05 Version: f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05 Version: f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05 Version: f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05 Version: f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05 Version: fd3e613a912bbb344ee18579cc2ad3329aacba41 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:38.840Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/reclaim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "64dc351e58271c1e9005e42f5216b4f3d7a39b66",
"status": "affected",
"version": "f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05",
"versionType": "git"
},
{
"lessThan": "9fe0415156fbde773b31f920201cb70b1f0e40fe",
"status": "affected",
"version": "f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05",
"versionType": "git"
},
{
"lessThan": "5d6eeb3c683c777ed4538eb3a650bb7da17a7cff",
"status": "affected",
"version": "f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05",
"versionType": "git"
},
{
"lessThan": "40cb9b38b645126fdd1d6aa3d6811a8ad50ddfa1",
"status": "affected",
"version": "f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05",
"versionType": "git"
},
{
"lessThan": "e6b543ca9806d7bced863f43020e016ee996c057",
"status": "affected",
"version": "f5a79d7c0c87c8d88bb5e3f3c898258fdf1b3b05",
"versionType": "git"
},
{
"status": "affected",
"version": "fd3e613a912bbb344ee18579cc2ad3329aacba41",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/reclaim.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters()\n\nWhen creating a new scheme of DAMON_RECLAIM, the calculation of\n\u0027min_age_region\u0027 uses \u0027aggr_interval\u0027 as the divisor, which may lead to\ndivision-by-zero errors. Fix it by directly returning -EINVAL when such a\ncase occurs."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:38.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/64dc351e58271c1e9005e42f5216b4f3d7a39b66"
},
{
"url": "https://git.kernel.org/stable/c/9fe0415156fbde773b31f920201cb70b1f0e40fe"
},
{
"url": "https://git.kernel.org/stable/c/5d6eeb3c683c777ed4538eb3a650bb7da17a7cff"
},
{
"url": "https://git.kernel.org/stable/c/40cb9b38b645126fdd1d6aa3d6811a8ad50ddfa1"
},
{
"url": "https://git.kernel.org/stable/c/e6b543ca9806d7bced863f43020e016ee996c057"
}
],
"title": "mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39916",
"datePublished": "2025-10-01T07:44:38.690Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:38.840Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39906 (GCVE-0-2025-39906)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-10-01 07:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: remove oem i2c adapter on finish
Fixes a bug where unbinding of the GPU would leave the oem i2c adapter
registered resulting in a null pointer dereference when applications try
to access the invalid device.
(cherry picked from commit 89923fb7ead4fdd37b78dd49962d9bb5892403e6)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c686124bcf06253620790857ff462f00f3f7a4ab",
"status": "affected",
"version": "3d5470c973149f479572dcf4eea064775041ea6c",
"versionType": "git"
},
{
"lessThan": "1dfd2864a1c4909147663e5a27c055f50f7c2796",
"status": "affected",
"version": "3d5470c973149f479572dcf4eea064775041ea6c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: remove oem i2c adapter on finish\n\nFixes a bug where unbinding of the GPU would leave the oem i2c adapter\nregistered resulting in a null pointer dereference when applications try\nto access the invalid device.\n\n(cherry picked from commit 89923fb7ead4fdd37b78dd49962d9bb5892403e6)"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:29.666Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c686124bcf06253620790857ff462f00f3f7a4ab"
},
{
"url": "https://git.kernel.org/stable/c/1dfd2864a1c4909147663e5a27c055f50f7c2796"
}
],
"title": "drm/amd/display: remove oem i2c adapter on finish",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39906",
"datePublished": "2025-10-01T07:44:29.666Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:44:29.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39896 (GCVE-0-2025-39896)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Prevent recovery work from being queued during device removal
Use disable_work_sync() instead of cancel_work_sync() in ivpu_dev_fini()
to ensure that no new recovery work items can be queued after device
removal has started. Previously, recovery work could be scheduled even
after canceling existing work, potentially leading to use-after-free
bugs if recovery accessed freed resources.
Rename ivpu_pm_cancel_recovery() to ivpu_pm_disable_recovery() to better
reflect its new behavior.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_drv.c",
"drivers/accel/ivpu/ivpu_pm.c",
"drivers/accel/ivpu/ivpu_pm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "54c49eca38dbd06913a696f6d7610937dcfad226",
"status": "affected",
"version": "58cde80f45a2b1683ea3c24a9a9a4b0e1005336b",
"versionType": "git"
},
{
"lessThan": "565d2c15b6c36c3250e694f7b9a86229c1787be5",
"status": "affected",
"version": "58cde80f45a2b1683ea3c24a9a9a4b0e1005336b",
"versionType": "git"
},
{
"lessThan": "69a79ada8eb034ce016b5b78fb7d08d8687223de",
"status": "affected",
"version": "58cde80f45a2b1683ea3c24a9a9a4b0e1005336b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/accel/ivpu/ivpu_drv.c",
"drivers/accel/ivpu/ivpu_pm.c",
"drivers/accel/ivpu/ivpu_pm.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Prevent recovery work from being queued during device removal\n\nUse disable_work_sync() instead of cancel_work_sync() in ivpu_dev_fini()\nto ensure that no new recovery work items can be queued after device\nremoval has started. Previously, recovery work could be scheduled even\nafter canceling existing work, potentially leading to use-after-free\nbugs if recovery accessed freed resources.\n\nRename ivpu_pm_cancel_recovery() to ivpu_pm_disable_recovery() to better\nreflect its new behavior."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:44.714Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/54c49eca38dbd06913a696f6d7610937dcfad226"
},
{
"url": "https://git.kernel.org/stable/c/565d2c15b6c36c3250e694f7b9a86229c1787be5"
},
{
"url": "https://git.kernel.org/stable/c/69a79ada8eb034ce016b5b78fb7d08d8687223de"
}
],
"title": "accel/ivpu: Prevent recovery work from being queued during device removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39896",
"datePublished": "2025-10-01T07:42:44.714Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:42:44.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39898 (GCVE-0-2025-39898)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-10-24T11:41:53.958Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39898",
"datePublished": "2025-10-01T07:42:46.360Z",
"dateRejected": "2025-10-24T11:41:53.958Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-24T11:41:53.958Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39905 (GCVE-0-2025-39905)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-10-01 07:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phylink: add lock for serializing concurrent pl->phydev writes with resolver
Currently phylink_resolve() protects itself against concurrent
phylink_bringup_phy() or phylink_disconnect_phy() calls which modify
pl->phydev by relying on pl->state_mutex.
The problem is that in phylink_resolve(), pl->state_mutex is in a lock
inversion state with pl->phydev->lock. So pl->phydev->lock needs to be
acquired prior to pl->state_mutex. But that requires dereferencing
pl->phydev in the first place, and without pl->state_mutex, that is
racy.
Hence the reason for the extra lock. Currently it is redundant, but it
will serve a functional purpose once mutex_lock(&phy->lock) will be
moved outside of the mutex_lock(&pl->state_mutex) section.
Another alternative considered would have been to let phylink_resolve()
acquire the rtnl_mutex, which is also held when phylink_bringup_phy()
and phylink_disconnect_phy() are called. But since phylink_disconnect_phy()
runs under rtnl_lock(), it would deadlock with phylink_resolve() when
calling flush_work(&pl->resolve). Additionally, it would have been
undesirable because it would have unnecessarily blocked many other call
paths as well in the entire kernel, so the smaller-scoped lock was
preferred.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phylink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "56fe63b05ec84ae6674269d78397cec43a7a295a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0ba5b2f2c381dbec9ed9e4ab3ae5d3e667de0dc3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phylink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phylink: add lock for serializing concurrent pl-\u003ephydev writes with resolver\n\nCurrently phylink_resolve() protects itself against concurrent\nphylink_bringup_phy() or phylink_disconnect_phy() calls which modify\npl-\u003ephydev by relying on pl-\u003estate_mutex.\n\nThe problem is that in phylink_resolve(), pl-\u003estate_mutex is in a lock\ninversion state with pl-\u003ephydev-\u003elock. So pl-\u003ephydev-\u003elock needs to be\nacquired prior to pl-\u003estate_mutex. But that requires dereferencing\npl-\u003ephydev in the first place, and without pl-\u003estate_mutex, that is\nracy.\n\nHence the reason for the extra lock. Currently it is redundant, but it\nwill serve a functional purpose once mutex_lock(\u0026phy-\u003elock) will be\nmoved outside of the mutex_lock(\u0026pl-\u003estate_mutex) section.\n\nAnother alternative considered would have been to let phylink_resolve()\nacquire the rtnl_mutex, which is also held when phylink_bringup_phy()\nand phylink_disconnect_phy() are called. But since phylink_disconnect_phy()\nruns under rtnl_lock(), it would deadlock with phylink_resolve() when\ncalling flush_work(\u0026pl-\u003eresolve). Additionally, it would have been\nundesirable because it would have unnecessarily blocked many other call\npaths as well in the entire kernel, so the smaller-scoped lock was\npreferred."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:28.758Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/56fe63b05ec84ae6674269d78397cec43a7a295a"
},
{
"url": "https://git.kernel.org/stable/c/0ba5b2f2c381dbec9ed9e4ab3ae5d3e667de0dc3"
}
],
"title": "net: phylink: add lock for serializing concurrent pl-\u003ephydev writes with resolver",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39905",
"datePublished": "2025-10-01T07:44:28.758Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:44:28.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39893 (GCVE-0-2025-39893)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: spi-qpic-snand: unregister ECC engine on probe error and device remove
The on-host hardware ECC engine remains registered both when
the spi_register_controller() function returns with an error
and also on device removal.
Change the qcom_spi_probe() function to unregister the engine
on the error path, and add the missing unregistering call to
qcom_spi_remove() to avoid possible use-after-free issues.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-qpic-snand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e4de48e66af17547727bb2e4b1867952817edff7",
"status": "affected",
"version": "7304d1909080ef0c9da703500a97f46c98393fcd",
"versionType": "git"
},
{
"lessThan": "1991a458528588ff34e98b6365362560d208710f",
"status": "affected",
"version": "7304d1909080ef0c9da703500a97f46c98393fcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-qpic-snand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-qpic-snand: unregister ECC engine on probe error and device remove\n\nThe on-host hardware ECC engine remains registered both when\nthe spi_register_controller() function returns with an error\nand also on device removal.\n\nChange the qcom_spi_probe() function to unregister the engine\non the error path, and add the missing unregistering call to\nqcom_spi_remove() to avoid possible use-after-free issues."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:42.344Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e4de48e66af17547727bb2e4b1867952817edff7"
},
{
"url": "https://git.kernel.org/stable/c/1991a458528588ff34e98b6365362560d208710f"
}
],
"title": "spi: spi-qpic-snand: unregister ECC engine on probe error and device remove",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39893",
"datePublished": "2025-10-01T07:42:42.344Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-10-01T07:42:42.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39927 (GCVE-0-2025-39927)
Vulnerability from cvelistv5
Published
2025-10-01 08:07
Modified
2025-10-02 07:04
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix race condition validating r_parent before applying state
Add validation to ensure the cached parent directory inode matches the
directory info in MDS replies. This prevents client-side race conditions
where concurrent operations (e.g. rename) cause r_parent to become stale
between request initiation and reply processing, which could lead to
applying state changes to incorrect directory inodes.
[ idryomov: folded a kerneldoc fixup and a follow-up fix from Alex to
move CEPH_CAP_PIN reference when r_parent is updated:
When the parent directory lock is not held, req->r_parent can become
stale and is updated to point to the correct inode. However, the
associated CEPH_CAP_PIN reference was not being adjusted. The
CEPH_CAP_PIN is a reference on an inode that is tracked for
accounting purposes. Moving this pin is important to keep the
accounting balanced. When the pin was not moved from the old parent
to the new one, it created two problems: The reference on the old,
stale parent was never released, causing a reference leak.
A reference for the new parent was never acquired, creating the risk
of a reference underflow later in ceph_mdsc_release_request(). This
patch corrects the logic by releasing the pin from the old parent and
acquiring it for the new parent when r_parent is switched. This
ensures reference accounting stays balanced. ]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/ceph/debugfs.c",
"fs/ceph/dir.c",
"fs/ceph/file.c",
"fs/ceph/inode.c",
"fs/ceph/mds_client.c",
"fs/ceph/mds_client.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db378e6f83ec705c6091c65d482d555edc2b0a72",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "2bfe45987eb346e299d9f763f9cd05f77011519f",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
},
{
"lessThan": "15f519e9f883b316d86e2bb6b767a023aafd9d83",
"status": "affected",
"version": "9030aaf9bf0a1eee47a154c316c789e959638b0f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/ceph/debugfs.c",
"fs/ceph/dir.c",
"fs/ceph/file.c",
"fs/ceph/inode.c",
"fs/ceph/mds_client.c",
"fs/ceph/mds_client.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix race condition validating r_parent before applying state\n\nAdd validation to ensure the cached parent directory inode matches the\ndirectory info in MDS replies. This prevents client-side race conditions\nwhere concurrent operations (e.g. rename) cause r_parent to become stale\nbetween request initiation and reply processing, which could lead to\napplying state changes to incorrect directory inodes.\n\n[ idryomov: folded a kerneldoc fixup and a follow-up fix from Alex to\n move CEPH_CAP_PIN reference when r_parent is updated:\n\n When the parent directory lock is not held, req-\u003er_parent can become\n stale and is updated to point to the correct inode. However, the\n associated CEPH_CAP_PIN reference was not being adjusted. The\n CEPH_CAP_PIN is a reference on an inode that is tracked for\n accounting purposes. Moving this pin is important to keep the\n accounting balanced. When the pin was not moved from the old parent\n to the new one, it created two problems: The reference on the old,\n stale parent was never released, causing a reference leak.\n A reference for the new parent was never acquired, creating the risk\n of a reference underflow later in ceph_mdsc_release_request(). This\n patch corrects the logic by releasing the pin from the old parent and\n acquiring it for the new parent when r_parent is switched. This\n ensures reference accounting stays balanced. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T07:04:31.647Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db378e6f83ec705c6091c65d482d555edc2b0a72"
},
{
"url": "https://git.kernel.org/stable/c/2bfe45987eb346e299d9f763f9cd05f77011519f"
},
{
"url": "https://git.kernel.org/stable/c/15f519e9f883b316d86e2bb6b767a023aafd9d83"
}
],
"title": "ceph: fix race condition validating r_parent before applying state",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39927",
"datePublished": "2025-10-01T08:07:14.595Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-02T07:04:31.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39915 (GCVE-0-2025-39915)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-10-01 07:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: transfer phy_config_inband() locking responsibility to phylink
Problem description
===================
Lockdep reports a possible circular locking dependency (AB/BA) between
&pl->state_mutex and &phy->lock, as follows.
phylink_resolve() // acquires &pl->state_mutex
-> phylink_major_config()
-> phy_config_inband() // acquires &pl->phydev->lock
whereas all the other call sites where &pl->state_mutex and
&pl->phydev->lock have the locking scheme reversed. Everywhere else,
&pl->phydev->lock is acquired at the top level, and &pl->state_mutex at
the lower level. A clear example is phylink_bringup_phy().
The outlier is the newly introduced phy_config_inband() and the existing
lock order is the correct one. To understand why it cannot be the other
way around, it is sufficient to consider phylink_phy_change(), phylink's
callback from the PHY device's phy->phy_link_change() virtual method,
invoked by the PHY state machine.
phy_link_up() and phy_link_down(), the (indirect) callers of
phylink_phy_change(), are called with &phydev->lock acquired.
Then phylink_phy_change() acquires its own &pl->state_mutex, to
serialize changes made to its pl->phy_state and pl->link_config.
So all other instances of &pl->state_mutex and &phydev->lock must be
consistent with this order.
Problem impact
==============
I think the kernel runs a serious deadlock risk if an existing
phylink_resolve() thread, which results in a phy_config_inband() call,
is concurrent with a phy_link_up() or phy_link_down() call, which will
deadlock on &pl->state_mutex in phylink_phy_change(). Practically
speaking, the impact may be limited by the slow speed of the medium
auto-negotiation protocol, which makes it unlikely for the current state
to still be unresolved when a new one is detected, but I think the
problem is there. Nonetheless, the problem was discovered using lockdep.
Proposed solution
=================
Practically speaking, the phy_config_inband() requirement of having
phydev->lock acquired must transfer to the caller (phylink is the only
caller). There, it must bubble up until immediately before
&pl->state_mutex is acquired, for the cases where that takes place.
Solution details, considerations, notes
=======================================
This is the phy_config_inband() call graph:
sfp_upstream_ops :: connect_phy()
|
v
phylink_sfp_connect_phy()
|
v
phylink_sfp_config_phy()
|
| sfp_upstream_ops :: module_insert()
| |
| v
| phylink_sfp_module_insert()
| |
| | sfp_upstream_ops :: module_start()
| | |
| | v
| | phylink_sfp_module_start()
| | |
| v v
| phylink_sfp_config_optical()
phylink_start() | |
| phylink_resume() v v
| | phylink_sfp_set_config()
| | |
v v v
phylink_mac_initial_config()
| phylink_resolve()
| | phylink_ethtool_ksettings_set()
v v v
phylink_major_config()
|
v
phy_config_inband()
phylink_major_config() caller #1, phylink_mac_initial_config(), does not
acquire &pl->state_mutex nor do its callers. It must acquire
&pl->phydev->lock prior to calling phylink_major_config().
phylink_major_config() caller #2, phylink_resolve() acquires
&pl->state_mutex, thus also needs to acquire &pl->phydev->lock.
phylink_major_config() caller #3, phylink_ethtool_ksettings_set(), is
completely uninteresting, because it only call
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy.c",
"drivers/net/phy/phylink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "052ac41c379c8b87629808be612a482b2d0ae283",
"status": "affected",
"version": "5fd0f1a02e750e2db4038dee60edea669ce5aab1",
"versionType": "git"
},
{
"lessThan": "e2a10daba84968f6b5777d150985fd7d6abc9c84",
"status": "affected",
"version": "5fd0f1a02e750e2db4038dee60edea669ce5aab1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/phy.c",
"drivers/net/phy/phylink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: transfer phy_config_inband() locking responsibility to phylink\n\nProblem description\n===================\n\nLockdep reports a possible circular locking dependency (AB/BA) between\n\u0026pl-\u003estate_mutex and \u0026phy-\u003elock, as follows.\n\nphylink_resolve() // acquires \u0026pl-\u003estate_mutex\n-\u003e phylink_major_config()\n -\u003e phy_config_inband() // acquires \u0026pl-\u003ephydev-\u003elock\n\nwhereas all the other call sites where \u0026pl-\u003estate_mutex and\n\u0026pl-\u003ephydev-\u003elock have the locking scheme reversed. Everywhere else,\n\u0026pl-\u003ephydev-\u003elock is acquired at the top level, and \u0026pl-\u003estate_mutex at\nthe lower level. A clear example is phylink_bringup_phy().\n\nThe outlier is the newly introduced phy_config_inband() and the existing\nlock order is the correct one. To understand why it cannot be the other\nway around, it is sufficient to consider phylink_phy_change(), phylink\u0027s\ncallback from the PHY device\u0027s phy-\u003ephy_link_change() virtual method,\ninvoked by the PHY state machine.\n\nphy_link_up() and phy_link_down(), the (indirect) callers of\nphylink_phy_change(), are called with \u0026phydev-\u003elock acquired.\nThen phylink_phy_change() acquires its own \u0026pl-\u003estate_mutex, to\nserialize changes made to its pl-\u003ephy_state and pl-\u003elink_config.\nSo all other instances of \u0026pl-\u003estate_mutex and \u0026phydev-\u003elock must be\nconsistent with this order.\n\nProblem impact\n==============\n\nI think the kernel runs a serious deadlock risk if an existing\nphylink_resolve() thread, which results in a phy_config_inband() call,\nis concurrent with a phy_link_up() or phy_link_down() call, which will\ndeadlock on \u0026pl-\u003estate_mutex in phylink_phy_change(). Practically\nspeaking, the impact may be limited by the slow speed of the medium\nauto-negotiation protocol, which makes it unlikely for the current state\nto still be unresolved when a new one is detected, but I think the\nproblem is there. Nonetheless, the problem was discovered using lockdep.\n\nProposed solution\n=================\n\nPractically speaking, the phy_config_inband() requirement of having\nphydev-\u003elock acquired must transfer to the caller (phylink is the only\ncaller). There, it must bubble up until immediately before\n\u0026pl-\u003estate_mutex is acquired, for the cases where that takes place.\n\nSolution details, considerations, notes\n=======================================\n\nThis is the phy_config_inband() call graph:\n\n sfp_upstream_ops :: connect_phy()\n |\n v\n phylink_sfp_connect_phy()\n |\n v\n phylink_sfp_config_phy()\n |\n | sfp_upstream_ops :: module_insert()\n | |\n | v\n | phylink_sfp_module_insert()\n | |\n | | sfp_upstream_ops :: module_start()\n | | |\n | | v\n | | phylink_sfp_module_start()\n | | |\n | v v\n | phylink_sfp_config_optical()\n phylink_start() | |\n | phylink_resume() v v\n | | phylink_sfp_set_config()\n | | |\n v v v\n phylink_mac_initial_config()\n | phylink_resolve()\n | | phylink_ethtool_ksettings_set()\n v v v\n phylink_major_config()\n |\n v\n phy_config_inband()\n\nphylink_major_config() caller #1, phylink_mac_initial_config(), does not\nacquire \u0026pl-\u003estate_mutex nor do its callers. It must acquire\n\u0026pl-\u003ephydev-\u003elock prior to calling phylink_major_config().\n\nphylink_major_config() caller #2, phylink_resolve() acquires\n\u0026pl-\u003estate_mutex, thus also needs to acquire \u0026pl-\u003ephydev-\u003elock.\n\nphylink_major_config() caller #3, phylink_ethtool_ksettings_set(), is\ncompletely uninteresting, because it only call\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:37.884Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/052ac41c379c8b87629808be612a482b2d0ae283"
},
{
"url": "https://git.kernel.org/stable/c/e2a10daba84968f6b5777d150985fd7d6abc9c84"
}
],
"title": "net: phy: transfer phy_config_inband() locking responsibility to phylink",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39915",
"datePublished": "2025-10-01T07:44:37.884Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T07:44:37.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39907 (GCVE-0-2025-39907)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
Avoid below overlapping mappings by using a contiguous
non-cacheable buffer.
[ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST,
overlapping mappings aren't supported
[ 4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300
[ 4.097071] Modules linked in:
[ 4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 6.1.82 #1
[ 4.106346] Hardware name: STMicroelectronics STM32MP257F VALID1 SNOR / MB1704 (LPDDR4 Power discrete) + MB1703 + MB1708 (SNOR MB1730) (DT)
[ 4.118824] Workqueue: events_unbound deferred_probe_work_func
[ 4.124674] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 4.131624] pc : add_dma_entry+0x23c/0x300
[ 4.135658] lr : add_dma_entry+0x23c/0x300
[ 4.139792] sp : ffff800009dbb490
[ 4.143016] x29: ffff800009dbb4a0 x28: 0000000004008022 x27: ffff8000098a6000
[ 4.150174] x26: 0000000000000000 x25: ffff8000099e7000 x24: ffff8000099e7de8
[ 4.157231] x23: 00000000ffffffff x22: 0000000000000000 x21: ffff8000098a6a20
[ 4.164388] x20: ffff000080964180 x19: ffff800009819ba0 x18: 0000000000000006
[ 4.171545] x17: 6361727420656e69 x16: 6c6568636163203a x15: 72656c6c6f72746e
[ 4.178602] x14: 6f632d646e616e2e x13: ffff800009832f58 x12: 00000000000004ec
[ 4.185759] x11: 00000000000001a4 x10: ffff80000988af58 x9 : ffff800009832f58
[ 4.192916] x8 : 00000000ffffefff x7 : ffff80000988af58 x6 : 80000000fffff000
[ 4.199972] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000
[ 4.207128] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000812d2c40
[ 4.214185] Call trace:
[ 4.216605] add_dma_entry+0x23c/0x300
[ 4.220338] debug_dma_map_sg+0x198/0x350
[ 4.224373] __dma_map_sg_attrs+0xa0/0x110
[ 4.228411] dma_map_sg_attrs+0x10/0x2c
[ 4.232247] stm32_fmc2_nfc_xfer.isra.0+0x1c8/0x3fc
[ 4.237088] stm32_fmc2_nfc_seq_read_page+0xc8/0x174
[ 4.242127] nand_read_oob+0x1d4/0x8e0
[ 4.245861] mtd_read_oob_std+0x58/0x84
[ 4.249596] mtd_read_oob+0x90/0x150
[ 4.253231] mtd_read+0x68/0xac
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 Version: 2cd457f328c100bc98e36d55fe210e9ab067c704 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:34.141Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/stm32_fmc2_nand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dc1c6e60993b93b87604eb11266ac72e1a3be9e0",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "dfe2ac47a6ee0ab50393694517c54ef1e276dda3",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "e32a2ea52b51368774d014e5bcd9b86110a2b727",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "75686c49574dd5f171ca682c18717787f1d8d55e",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "06d8ef8f853752fea88c8d5bb093a40e71b330cf",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "26adba1e7d7924174e15a3ba4b1132990786300b",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "f6fd98d961fa6f97347cead4f08ed862cbbb91ff",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
},
{
"lessThan": "513c40e59d5a414ab763a9c84797534b5e8c208d",
"status": "affected",
"version": "2cd457f328c100bc98e36d55fe210e9ab067c704",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mtd/nand/raw/stm32_fmc2_nand.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer\n\nAvoid below overlapping mappings by using a contiguous\nnon-cacheable buffer.\n\n[ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST,\noverlapping mappings aren\u0027t supported\n[ 4.089103] WARNING: CPU: 1 PID: 44 at kernel/dma/debug.c:568 add_dma_entry+0x23c/0x300\n[ 4.097071] Modules linked in:\n[ 4.100101] CPU: 1 PID: 44 Comm: kworker/u4:2 Not tainted 6.1.82 #1\n[ 4.106346] Hardware name: STMicroelectronics STM32MP257F VALID1 SNOR / MB1704 (LPDDR4 Power discrete) + MB1703 + MB1708 (SNOR MB1730) (DT)\n[ 4.118824] Workqueue: events_unbound deferred_probe_work_func\n[ 4.124674] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 4.131624] pc : add_dma_entry+0x23c/0x300\n[ 4.135658] lr : add_dma_entry+0x23c/0x300\n[ 4.139792] sp : ffff800009dbb490\n[ 4.143016] x29: ffff800009dbb4a0 x28: 0000000004008022 x27: ffff8000098a6000\n[ 4.150174] x26: 0000000000000000 x25: ffff8000099e7000 x24: ffff8000099e7de8\n[ 4.157231] x23: 00000000ffffffff x22: 0000000000000000 x21: ffff8000098a6a20\n[ 4.164388] x20: ffff000080964180 x19: ffff800009819ba0 x18: 0000000000000006\n[ 4.171545] x17: 6361727420656e69 x16: 6c6568636163203a x15: 72656c6c6f72746e\n[ 4.178602] x14: 6f632d646e616e2e x13: ffff800009832f58 x12: 00000000000004ec\n[ 4.185759] x11: 00000000000001a4 x10: ffff80000988af58 x9 : ffff800009832f58\n[ 4.192916] x8 : 00000000ffffefff x7 : ffff80000988af58 x6 : 80000000fffff000\n[ 4.199972] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[ 4.207128] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000812d2c40\n[ 4.214185] Call trace:\n[ 4.216605] add_dma_entry+0x23c/0x300\n[ 4.220338] debug_dma_map_sg+0x198/0x350\n[ 4.224373] __dma_map_sg_attrs+0xa0/0x110\n[ 4.228411] dma_map_sg_attrs+0x10/0x2c\n[ 4.232247] stm32_fmc2_nfc_xfer.isra.0+0x1c8/0x3fc\n[ 4.237088] stm32_fmc2_nfc_seq_read_page+0xc8/0x174\n[ 4.242127] nand_read_oob+0x1d4/0x8e0\n[ 4.245861] mtd_read_oob_std+0x58/0x84\n[ 4.249596] mtd_read_oob+0x90/0x150\n[ 4.253231] mtd_read+0x68/0xac"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:38.328Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dc1c6e60993b93b87604eb11266ac72e1a3be9e0"
},
{
"url": "https://git.kernel.org/stable/c/dfe2ac47a6ee0ab50393694517c54ef1e276dda3"
},
{
"url": "https://git.kernel.org/stable/c/e32a2ea52b51368774d014e5bcd9b86110a2b727"
},
{
"url": "https://git.kernel.org/stable/c/75686c49574dd5f171ca682c18717787f1d8d55e"
},
{
"url": "https://git.kernel.org/stable/c/06d8ef8f853752fea88c8d5bb093a40e71b330cf"
},
{
"url": "https://git.kernel.org/stable/c/26adba1e7d7924174e15a3ba4b1132990786300b"
},
{
"url": "https://git.kernel.org/stable/c/f6fd98d961fa6f97347cead4f08ed862cbbb91ff"
},
{
"url": "https://git.kernel.org/stable/c/513c40e59d5a414ab763a9c84797534b5e8c208d"
}
],
"title": "mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39907",
"datePublished": "2025-10-01T07:44:30.864Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-11-03T17:44:34.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39913 (GCVE-0-2025-39913)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.
syzbot reported the splat below. [0]
The repro does the following:
1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)
2. Attach the prog to a SOCKMAP
3. Add a socket to the SOCKMAP
4. Activate fault injection
5. Send data less than cork_bytes
At 5., the data is carried over to the next sendmsg() as it is
smaller than the cork_bytes specified by bpf_msg_cork_bytes().
Then, tcp_bpf_send_verdict() tries to allocate psock->cork to hold
the data, but this fails silently due to fault injection + __GFP_NOWARN.
If the allocation fails, we need to revert the sk->sk_forward_alloc
change done by sk_msg_alloc().
Let's call sk_msg_free() when tcp_bpf_send_verdict fails to allocate
psock->cork.
The "*copied" also needs to be updated such that a proper error can
be returned to the caller, sendmsg. It fails to allocate psock->cork.
Nothing has been corked so far, so this patch simply sets "*copied"
to 0.
[0]:
WARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983
Modules linked in:
CPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156
Code: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 <0f> 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc
RSP: 0018:ffffc90000a08b48 EFLAGS: 00010246
RAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80
RDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000
RBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4
R10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380
R13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872
FS: 00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0
Call Trace:
<IRQ>
__sk_destruct+0x86/0x660 net/core/sock.c:2339
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052
</IRQ>
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 Version: 4f738adba30a7cfc006f605707e7aee847ffefa0 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:36.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08f58d10f5abf11d297cc910754922498c921f91",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "05366527f44cf4b884f3d9462ae8009be9665856",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "7429b8b9bfbc276fd304fbaebc405f46b421fedf",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "9c2a6456bdf9794474460d885c359b6c4522d6e3",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "66bcb04a441fbf15d66834b7e3eefb313dd750c8",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "539920180c55f5e13a2488a2339f94e6b8cb69e0",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "de89e58368f8f07df005ecc1c86ad94898a999f2",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
},
{
"lessThan": "a3967baad4d533dc254c31e0d221e51c8d223d58",
"status": "affected",
"version": "4f738adba30a7cfc006f605707e7aee847ffefa0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock-\u003ecork.\n\nsyzbot reported the splat below. [0]\n\nThe repro does the following:\n\n 1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)\n 2. Attach the prog to a SOCKMAP\n 3. Add a socket to the SOCKMAP\n 4. Activate fault injection\n 5. Send data less than cork_bytes\n\nAt 5., the data is carried over to the next sendmsg() as it is\nsmaller than the cork_bytes specified by bpf_msg_cork_bytes().\n\nThen, tcp_bpf_send_verdict() tries to allocate psock-\u003ecork to hold\nthe data, but this fails silently due to fault injection + __GFP_NOWARN.\n\nIf the allocation fails, we need to revert the sk-\u003esk_forward_alloc\nchange done by sk_msg_alloc().\n\nLet\u0027s call sk_msg_free() when tcp_bpf_send_verdict fails to allocate\npsock-\u003ecork.\n\nThe \"*copied\" also needs to be updated such that a proper error can\nbe returned to the caller, sendmsg. It fails to allocate psock-\u003ecork.\nNothing has been corked so far, so this patch simply sets \"*copied\"\nto 0.\n\n[0]:\nWARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983\nModules linked in:\nCPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\nRIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156\nCode: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 \u003c0f\u003e 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc\nRSP: 0018:ffffc90000a08b48 EFLAGS: 00010246\nRAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80\nRDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000\nRBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4\nR10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380\nR13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872\nFS: 00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0\nCall Trace:\n \u003cIRQ\u003e\n __sk_destruct+0x86/0x660 net/core/sock.c:2339\n rcu_do_batch kernel/rcu/tree.c:2605 [inline]\n rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861\n handle_softirqs+0x286/0x870 kernel/softirq.c:579\n __do_softirq kernel/softirq.c:613 [inline]\n invoke_softirq kernel/softirq.c:453 [inline]\n __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680\n irq_exit_rcu+0x9/0x30 kernel/softirq.c:696\n instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]\n sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052\n \u003c/IRQ\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:46.411Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08f58d10f5abf11d297cc910754922498c921f91"
},
{
"url": "https://git.kernel.org/stable/c/05366527f44cf4b884f3d9462ae8009be9665856"
},
{
"url": "https://git.kernel.org/stable/c/7429b8b9bfbc276fd304fbaebc405f46b421fedf"
},
{
"url": "https://git.kernel.org/stable/c/9c2a6456bdf9794474460d885c359b6c4522d6e3"
},
{
"url": "https://git.kernel.org/stable/c/66bcb04a441fbf15d66834b7e3eefb313dd750c8"
},
{
"url": "https://git.kernel.org/stable/c/539920180c55f5e13a2488a2339f94e6b8cb69e0"
},
{
"url": "https://git.kernel.org/stable/c/de89e58368f8f07df005ecc1c86ad94898a999f2"
},
{
"url": "https://git.kernel.org/stable/c/a3967baad4d533dc254c31e0d221e51c8d223d58"
}
],
"title": "tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock-\u003ecork.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39913",
"datePublished": "2025-10-01T07:44:36.244Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:36.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39911 (GCVE-0-2025-39911)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration
later than the first, the error path wants to free the IRQs requested
so far. However, it uses the wrong dev_id argument for free_irq(), so
it does not free the IRQs correctly and instead triggers the warning:
Trying to free already-free IRQ 173
WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0
Modules linked in: i40e(+) [...]
CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
Hardware name: [...]
RIP: 0010:__free_irq+0x192/0x2c0
[...]
Call Trace:
<TASK>
free_irq+0x32/0x70
i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]
i40e_vsi_request_irq+0x79/0x80 [i40e]
i40e_vsi_open+0x21f/0x2f0 [i40e]
i40e_open+0x63/0x130 [i40e]
__dev_open+0xfc/0x210
__dev_change_flags+0x1fc/0x240
netif_change_flags+0x27/0x70
do_setlink.isra.0+0x341/0xc70
rtnl_newlink+0x468/0x860
rtnetlink_rcv_msg+0x375/0x450
netlink_rcv_skb+0x5c/0x110
netlink_unicast+0x288/0x3c0
netlink_sendmsg+0x20d/0x430
____sys_sendmsg+0x3a2/0x3d0
___sys_sendmsg+0x99/0xe0
__sys_sendmsg+0x8a/0xf0
do_syscall_64+0x82/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]
</TASK>
---[ end trace 0000000000000000 ]---
Use the same dev_id for free_irq() as for request_irq().
I tested this with inserting code to fail intentionally.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 Version: 493fb30011b3ab5173cef96f1d1ce126da051792 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:36.010Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "13ab9adef3cd386511c930a9660ae06595007f89",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "6e4016c0dca53afc71e3b99e24252b63417395df",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "b9721a023df38cf44a88f2739b4cf51efd051f85",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "b905b2acb3a0bbb08ad9be9984d8cdabdf827315",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "23431998a37764c464737b855c71a81d50992e98",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "a30afd6617c30aaa338d1dbcb1e34e7a1890085c",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "c62580674ce5feb1be4f90b5873ff3ce50e0a1db",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
},
{
"lessThan": "915470e1b44e71d1dd07ee067276f003c3521ee3",
"status": "affected",
"version": "493fb30011b3ab5173cef96f1d1ce126da051792",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.13"
},
{
"lessThan": "3.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.245",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.194",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.153",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.107",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.300",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.245",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.194",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.153",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.107",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path\n\nIf request_irq() in i40e_vsi_request_irq_msix() fails in an iteration\nlater than the first, the error path wants to free the IRQs requested\nso far. However, it uses the wrong dev_id argument for free_irq(), so\nit does not free the IRQs correctly and instead triggers the warning:\n\n Trying to free already-free IRQ 173\n WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0\n Modules linked in: i40e(+) [...]\n CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:__free_irq+0x192/0x2c0\n [...]\n Call Trace:\n \u003cTASK\u003e\n free_irq+0x32/0x70\n i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e]\n i40e_vsi_request_irq+0x79/0x80 [i40e]\n i40e_vsi_open+0x21f/0x2f0 [i40e]\n i40e_open+0x63/0x130 [i40e]\n __dev_open+0xfc/0x210\n __dev_change_flags+0x1fc/0x240\n netif_change_flags+0x27/0x70\n do_setlink.isra.0+0x341/0xc70\n rtnl_newlink+0x468/0x860\n rtnetlink_rcv_msg+0x375/0x450\n netlink_rcv_skb+0x5c/0x110\n netlink_unicast+0x288/0x3c0\n netlink_sendmsg+0x20d/0x430\n ____sys_sendmsg+0x3a2/0x3d0\n ___sys_sendmsg+0x99/0xe0\n __sys_sendmsg+0x8a/0xf0\n do_syscall_64+0x82/0x2c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nUse the same dev_id for free_irq() as for request_irq().\n\nI tested this with inserting code to fail intentionally."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T13:26:41.601Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/13ab9adef3cd386511c930a9660ae06595007f89"
},
{
"url": "https://git.kernel.org/stable/c/6e4016c0dca53afc71e3b99e24252b63417395df"
},
{
"url": "https://git.kernel.org/stable/c/b9721a023df38cf44a88f2739b4cf51efd051f85"
},
{
"url": "https://git.kernel.org/stable/c/b905b2acb3a0bbb08ad9be9984d8cdabdf827315"
},
{
"url": "https://git.kernel.org/stable/c/23431998a37764c464737b855c71a81d50992e98"
},
{
"url": "https://git.kernel.org/stable/c/a30afd6617c30aaa338d1dbcb1e34e7a1890085c"
},
{
"url": "https://git.kernel.org/stable/c/c62580674ce5feb1be4f90b5873ff3ce50e0a1db"
},
{
"url": "https://git.kernel.org/stable/c/915470e1b44e71d1dd07ee067276f003c3521ee3"
}
],
"title": "i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39911",
"datePublished": "2025-10-01T07:44:34.561Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:36.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39894 (GCVE-0-2025-39894)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
When send a broadcast packet to a tap device, which was added to a bridge,
br_nf_local_in() is called to confirm the conntrack. If another conntrack
with the same hash value is added to the hash table, which can be
triggered by a normal packet to a non-bridge device, the below warning
may happen.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
RIP: 0010:br_nf_local_in+0x168/0x200
Call Trace:
<TASK>
nf_hook_slow+0x3e/0xf0
br_pass_frame_up+0x103/0x180
br_handle_frame_finish+0x2de/0x5b0
br_nf_hook_thresh+0xc0/0x120
br_nf_pre_routing_finish+0x168/0x3a0
br_nf_pre_routing+0x237/0x5e0
br_handle_frame+0x1ec/0x3c0
__netif_receive_skb_core+0x225/0x1210
__netif_receive_skb_one_core+0x37/0xa0
netif_receive_skb+0x36/0x160
tun_get_user+0xa54/0x10c0
tun_chr_write_iter+0x65/0xb0
vfs_write+0x305/0x410
ksys_write+0x60/0xd0
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
---[ end trace 0000000000000000 ]---
To solve the hash conflict, nf_ct_resolve_clash() try to merge the
conntracks, and update skb->_nfct. However, br_nf_local_in() still use the
old ct from local variable 'nfct' after confirm(), which leads to this
warning.
If confirm() does not insert the conntrack entry and return NF_DROP, the
warning may also occur. There is no need to reserve the WARN_ON_ONCE, just
remove it.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7c3f28599652acf431a2211168de4a583f30b6d5 Version: 2b1414d5e94e477edff1d2c79030f1d742625ea0 Version: 80cd0487f630b5382734997c3e5e3003a77db315 Version: 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 Version: 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 Version: 62e7151ae3eb465e0ab52a20c941ff33bb6332e9 Version: cb734975b0ffa688ff6cc0eed463865bf07b6c01 |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:28.733Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/br_netfilter_hooks.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d00c8b0daf56012f69075e3377da67878c775e4c",
"status": "affected",
"version": "7c3f28599652acf431a2211168de4a583f30b6d5",
"versionType": "git"
},
{
"lessThan": "ccbad4803225eafe0175d3cb19f0d8d73b504a94",
"status": "affected",
"version": "2b1414d5e94e477edff1d2c79030f1d742625ea0",
"versionType": "git"
},
{
"lessThan": "50db11e2bbb635e38e3dd096215580d6adb41fb0",
"status": "affected",
"version": "80cd0487f630b5382734997c3e5e3003a77db315",
"versionType": "git"
},
{
"lessThan": "c47ca77fee9071aa543bae592dd2a384f895c8b6",
"status": "affected",
"version": "62e7151ae3eb465e0ab52a20c941ff33bb6332e9",
"versionType": "git"
},
{
"lessThan": "a74abcf0f09f59daeecf7a3ba9c1d690808b0afe",
"status": "affected",
"version": "62e7151ae3eb465e0ab52a20c941ff33bb6332e9",
"versionType": "git"
},
{
"lessThan": "479a54ab92087318514c82428a87af2d7af1a576",
"status": "affected",
"version": "62e7151ae3eb465e0ab52a20c941ff33bb6332e9",
"versionType": "git"
},
{
"status": "affected",
"version": "cb734975b0ffa688ff6cc0eed463865bf07b6c01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/br_netfilter_hooks.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "5.15.151",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "6.1.81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.6.21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm\n\nWhen send a broadcast packet to a tap device, which was added to a bridge,\nbr_nf_local_in() is called to confirm the conntrack. If another conntrack\nwith the same hash value is added to the hash table, which can be\ntriggered by a normal packet to a non-bridge device, the below warning\nmay happen.\n\n ------------[ cut here ]------------\n WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200\n CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)\n RIP: 0010:br_nf_local_in+0x168/0x200\n Call Trace:\n \u003cTASK\u003e\n nf_hook_slow+0x3e/0xf0\n br_pass_frame_up+0x103/0x180\n br_handle_frame_finish+0x2de/0x5b0\n br_nf_hook_thresh+0xc0/0x120\n br_nf_pre_routing_finish+0x168/0x3a0\n br_nf_pre_routing+0x237/0x5e0\n br_handle_frame+0x1ec/0x3c0\n __netif_receive_skb_core+0x225/0x1210\n __netif_receive_skb_one_core+0x37/0xa0\n netif_receive_skb+0x36/0x160\n tun_get_user+0xa54/0x10c0\n tun_chr_write_iter+0x65/0xb0\n vfs_write+0x305/0x410\n ksys_write+0x60/0xd0\n do_syscall_64+0xa4/0x260\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nTo solve the hash conflict, nf_ct_resolve_clash() try to merge the\nconntracks, and update skb-\u003e_nfct. However, br_nf_local_in() still use the\nold ct from local variable \u0027nfct\u0027 after confirm(), which leads to this\nwarning.\n\nIf confirm() does not insert the conntrack entry and return NF_DROP, the\nwarning may also occur. There is no need to reserve the WARN_ON_ONCE, just\nremove it."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:43.126Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d00c8b0daf56012f69075e3377da67878c775e4c"
},
{
"url": "https://git.kernel.org/stable/c/ccbad4803225eafe0175d3cb19f0d8d73b504a94"
},
{
"url": "https://git.kernel.org/stable/c/50db11e2bbb635e38e3dd096215580d6adb41fb0"
},
{
"url": "https://git.kernel.org/stable/c/c47ca77fee9071aa543bae592dd2a384f895c8b6"
},
{
"url": "https://git.kernel.org/stable/c/a74abcf0f09f59daeecf7a3ba9c1d690808b0afe"
},
{
"url": "https://git.kernel.org/stable/c/479a54ab92087318514c82428a87af2d7af1a576"
}
],
"title": "netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39894",
"datePublished": "2025-10-01T07:42:43.126Z",
"dateReserved": "2025-04-16T07:20:57.145Z",
"dateUpdated": "2025-11-03T17:44:28.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39908 (GCVE-0-2025-39908)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-10-01 07:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dev_ioctl: take ops lock in hwtstamp lower paths
ndo hwtstamp callbacks are expected to run under the per-device ops
lock. Make the lower get/set paths consistent with the rest of ndo
invocations.
Kernel log:
WARNING: CPU: 13 PID: 51364 at ./include/net/netdev_lock.h:70 __netdev_update_features+0x4bd/0xe60
...
RIP: 0010:__netdev_update_features+0x4bd/0xe60
...
Call Trace:
<TASK>
netdev_update_features+0x1f/0x60
mlx5_hwtstamp_set+0x181/0x290 [mlx5_core]
mlx5e_hwtstamp_set+0x19/0x30 [mlx5_core]
dev_set_hwtstamp_phylib+0x9f/0x220
dev_set_hwtstamp_phylib+0x9f/0x220
dev_set_hwtstamp+0x13d/0x240
dev_ioctl+0x12f/0x4b0
sock_ioctl+0x171/0x370
__x64_sys_ioctl+0x3f7/0x900
? __sys_setsockopt+0x69/0xb0
do_syscall_64+0x6f/0x2e0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
...
</TASK>
....
---[ end trace 0000000000000000 ]---
Note that the mlx5_hwtstamp_set and mlx5e_hwtstamp_set functions shown
in the trace come from an in progress patch converting the legacy ioctl
to ndo_hwtstamp_get/set and are not present in mainline.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/dev_ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d92fa0cdc02291de57f72170e8b60cef0cf5372",
"status": "affected",
"version": "ffb7ed19ac0a9fa9ea79af1d7b42c03a10da98a5",
"versionType": "git"
},
{
"lessThan": "686cab5a18e443e1d5f2abb17bed45837836425f",
"status": "affected",
"version": "ffb7ed19ac0a9fa9ea79af1d7b42c03a10da98a5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/dev_ioctl.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dev_ioctl: take ops lock in hwtstamp lower paths\n\nndo hwtstamp callbacks are expected to run under the per-device ops\nlock. Make the lower get/set paths consistent with the rest of ndo\ninvocations.\n\nKernel log:\nWARNING: CPU: 13 PID: 51364 at ./include/net/netdev_lock.h:70 __netdev_update_features+0x4bd/0xe60\n...\nRIP: 0010:__netdev_update_features+0x4bd/0xe60\n...\nCall Trace:\n\u003cTASK\u003e\nnetdev_update_features+0x1f/0x60\nmlx5_hwtstamp_set+0x181/0x290 [mlx5_core]\nmlx5e_hwtstamp_set+0x19/0x30 [mlx5_core]\ndev_set_hwtstamp_phylib+0x9f/0x220\ndev_set_hwtstamp_phylib+0x9f/0x220\ndev_set_hwtstamp+0x13d/0x240\ndev_ioctl+0x12f/0x4b0\nsock_ioctl+0x171/0x370\n__x64_sys_ioctl+0x3f7/0x900\n? __sys_setsockopt+0x69/0xb0\ndo_syscall_64+0x6f/0x2e0\nentry_SYSCALL_64_after_hwframe+0x4b/0x53\n...\n\u003c/TASK\u003e\n....\n---[ end trace 0000000000000000 ]---\n\nNote that the mlx5_hwtstamp_set and mlx5e_hwtstamp_set functions shown\nin the trace come from an in progress patch converting the legacy ioctl\nto ndo_hwtstamp_get/set and are not present in mainline."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:31.904Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d92fa0cdc02291de57f72170e8b60cef0cf5372"
},
{
"url": "https://git.kernel.org/stable/c/686cab5a18e443e1d5f2abb17bed45837836425f"
}
],
"title": "net: dev_ioctl: take ops lock in hwtstamp lower paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39908",
"datePublished": "2025-10-01T07:44:31.904Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:44:31.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39895 (GCVE-0-2025-39895)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched: Fix sched_numa_find_nth_cpu() if mask offline
sched_numa_find_nth_cpu() uses a bsearch to look for the 'closest'
CPU in sched_domains_numa_masks and given cpus mask. However they
might not intersect if all CPUs in the cpus mask are offline. bsearch
will return NULL in that case, bail out instead of dereferencing a
bogus pointer.
The previous behaviour lead to this bug when using maxcpus=4 on an
rk3399 (LLLLbb) (i.e. booting with all big CPUs offline):
[ 1.422922] Unable to handle kernel paging request at virtual address ffffff8000000000
[ 1.423635] Mem abort info:
[ 1.423889] ESR = 0x0000000096000006
[ 1.424227] EC = 0x25: DABT (current EL), IL = 32 bits
[ 1.424715] SET = 0, FnV = 0
[ 1.424995] EA = 0, S1PTW = 0
[ 1.425279] FSC = 0x06: level 2 translation fault
[ 1.425735] Data abort info:
[ 1.425998] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[ 1.426499] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 1.426952] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 1.427428] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000004a9f000
[ 1.428038] [ffffff8000000000] pgd=18000000f7fff403, p4d=18000000f7fff403, pud=18000000f7fff403, pmd=0000000000000000
[ 1.429014] Internal error: Oops: 0000000096000006 [#1] SMP
[ 1.429525] Modules linked in:
[ 1.429813] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-dirty #343 PREEMPT
[ 1.430559] Hardware name: Pine64 RockPro64 v2.1 (DT)
[ 1.431012] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 1.431634] pc : sched_numa_find_nth_cpu+0x2a0/0x488
[ 1.432094] lr : sched_numa_find_nth_cpu+0x284/0x488
[ 1.432543] sp : ffffffc084e1b960
[ 1.432843] x29: ffffffc084e1b960 x28: ffffff80078a8800 x27: ffffffc0846eb1d0
[ 1.433495] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
[ 1.434144] x23: 0000000000000000 x22: fffffffffff7f093 x21: ffffffc081de6378
[ 1.434792] x20: 0000000000000000 x19: 0000000ffff7f093 x18: 00000000ffffffff
[ 1.435441] x17: 3030303866666666 x16: 66663d736b73616d x15: ffffffc104e1b5b7
[ 1.436091] x14: 0000000000000000 x13: ffffffc084712860 x12: 0000000000000372
[ 1.436739] x11: 0000000000000126 x10: ffffffc08476a860 x9 : ffffffc084712860
[ 1.437389] x8 : 00000000ffffefff x7 : ffffffc08476a860 x6 : 0000000000000000
[ 1.438036] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000
[ 1.438683] x2 : 0000000000000000 x1 : ffffffc0846eb000 x0 : ffffff8000407b68
[ 1.439332] Call trace:
[ 1.439559] sched_numa_find_nth_cpu+0x2a0/0x488 (P)
[ 1.440016] smp_call_function_any+0xc8/0xd0
[ 1.440416] armv8_pmu_init+0x58/0x27c
[ 1.440770] armv8_cortex_a72_pmu_init+0x20/0x2c
[ 1.441199] arm_pmu_device_probe+0x1e4/0x5e8
[ 1.441603] armv8_pmu_device_probe+0x1c/0x28
[ 1.442007] platform_probe+0x5c/0xac
[ 1.442347] really_probe+0xbc/0x298
[ 1.442683] __driver_probe_device+0x78/0x12c
[ 1.443087] driver_probe_device+0xdc/0x160
[ 1.443475] __driver_attach+0x94/0x19c
[ 1.443833] bus_for_each_dev+0x74/0xd4
[ 1.444190] driver_attach+0x24/0x30
[ 1.444525] bus_add_driver+0xe4/0x208
[ 1.444874] driver_register+0x60/0x128
[ 1.445233] __platform_driver_register+0x24/0x30
[ 1.445662] armv8_pmu_driver_init+0x28/0x4c
[ 1.446059] do_one_initcall+0x44/0x25c
[ 1.446416] kernel_init_freeable+0x1dc/0x3bc
[ 1.446820] kernel_init+0x20/0x1d8
[ 1.447151] ret_from_fork+0x10/0x20
[ 1.447493] Code: 90022e21 f000e5f5 910de2b5 2a1703e2 (f8767803)
[ 1.448040] ---[ end trace 0000000000000000 ]---
[ 1.448483] note: swapper/0[1] exited with preempt_count 1
[ 1.449047] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 1.449741] SMP: stopping secondary CPUs
[ 1.450105] Kernel Offset: disabled
[ 1.450419] CPU features: 0x000000,00080000,20002001,0400421b
[
---truncated---
References
| URL | Tags | |
|---|---|---|
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f9b8d4dba8e78c1887fecd81ba0d8204d6ff05fc",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
},
{
"lessThan": "b3ec50cc5eb5ca84256ca701d28b137a6036c412",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
},
{
"lessThan": "b921c288cd8abef9af5b59e056a63cc2c263a9e3",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
},
{
"lessThan": "5ebf512f335053a42482ebff91e46c6dc156bf8c",
"status": "affected",
"version": "cd7f55359c90a4108e6528e326b8623fce1ad72a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched: Fix sched_numa_find_nth_cpu() if mask offline\n\nsched_numa_find_nth_cpu() uses a bsearch to look for the \u0027closest\u0027\nCPU in sched_domains_numa_masks and given cpus mask. However they\nmight not intersect if all CPUs in the cpus mask are offline. bsearch\nwill return NULL in that case, bail out instead of dereferencing a\nbogus pointer.\n\nThe previous behaviour lead to this bug when using maxcpus=4 on an\nrk3399 (LLLLbb) (i.e. booting with all big CPUs offline):\n\n[ 1.422922] Unable to handle kernel paging request at virtual address ffffff8000000000\n[ 1.423635] Mem abort info:\n[ 1.423889] ESR = 0x0000000096000006\n[ 1.424227] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 1.424715] SET = 0, FnV = 0\n[ 1.424995] EA = 0, S1PTW = 0\n[ 1.425279] FSC = 0x06: level 2 translation fault\n[ 1.425735] Data abort info:\n[ 1.425998] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n[ 1.426499] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 1.426952] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 1.427428] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000004a9f000\n[ 1.428038] [ffffff8000000000] pgd=18000000f7fff403, p4d=18000000f7fff403, pud=18000000f7fff403, pmd=0000000000000000\n[ 1.429014] Internal error: Oops: 0000000096000006 [#1] SMP\n[ 1.429525] Modules linked in:\n[ 1.429813] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-dirty #343 PREEMPT\n[ 1.430559] Hardware name: Pine64 RockPro64 v2.1 (DT)\n[ 1.431012] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 1.431634] pc : sched_numa_find_nth_cpu+0x2a0/0x488\n[ 1.432094] lr : sched_numa_find_nth_cpu+0x284/0x488\n[ 1.432543] sp : ffffffc084e1b960\n[ 1.432843] x29: ffffffc084e1b960 x28: ffffff80078a8800 x27: ffffffc0846eb1d0\n[ 1.433495] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n[ 1.434144] x23: 0000000000000000 x22: fffffffffff7f093 x21: ffffffc081de6378\n[ 1.434792] x20: 0000000000000000 x19: 0000000ffff7f093 x18: 00000000ffffffff\n[ 1.435441] x17: 3030303866666666 x16: 66663d736b73616d x15: ffffffc104e1b5b7\n[ 1.436091] x14: 0000000000000000 x13: ffffffc084712860 x12: 0000000000000372\n[ 1.436739] x11: 0000000000000126 x10: ffffffc08476a860 x9 : ffffffc084712860\n[ 1.437389] x8 : 00000000ffffefff x7 : ffffffc08476a860 x6 : 0000000000000000\n[ 1.438036] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000\n[ 1.438683] x2 : 0000000000000000 x1 : ffffffc0846eb000 x0 : ffffff8000407b68\n[ 1.439332] Call trace:\n[ 1.439559] sched_numa_find_nth_cpu+0x2a0/0x488 (P)\n[ 1.440016] smp_call_function_any+0xc8/0xd0\n[ 1.440416] armv8_pmu_init+0x58/0x27c\n[ 1.440770] armv8_cortex_a72_pmu_init+0x20/0x2c\n[ 1.441199] arm_pmu_device_probe+0x1e4/0x5e8\n[ 1.441603] armv8_pmu_device_probe+0x1c/0x28\n[ 1.442007] platform_probe+0x5c/0xac\n[ 1.442347] really_probe+0xbc/0x298\n[ 1.442683] __driver_probe_device+0x78/0x12c\n[ 1.443087] driver_probe_device+0xdc/0x160\n[ 1.443475] __driver_attach+0x94/0x19c\n[ 1.443833] bus_for_each_dev+0x74/0xd4\n[ 1.444190] driver_attach+0x24/0x30\n[ 1.444525] bus_add_driver+0xe4/0x208\n[ 1.444874] driver_register+0x60/0x128\n[ 1.445233] __platform_driver_register+0x24/0x30\n[ 1.445662] armv8_pmu_driver_init+0x28/0x4c\n[ 1.446059] do_one_initcall+0x44/0x25c\n[ 1.446416] kernel_init_freeable+0x1dc/0x3bc\n[ 1.446820] kernel_init+0x20/0x1d8\n[ 1.447151] ret_from_fork+0x10/0x20\n[ 1.447493] Code: 90022e21 f000e5f5 910de2b5 2a1703e2 (f8767803)\n[ 1.448040] ---[ end trace 0000000000000000 ]---\n[ 1.448483] note: swapper/0[1] exited with preempt_count 1\n[ 1.449047] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\n[ 1.449741] SMP: stopping secondary CPUs\n[ 1.450105] Kernel Offset: disabled\n[ 1.450419] CPU features: 0x000000,00080000,20002001,0400421b\n[ \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:43.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f9b8d4dba8e78c1887fecd81ba0d8204d6ff05fc"
},
{
"url": "https://git.kernel.org/stable/c/b3ec50cc5eb5ca84256ca701d28b137a6036c412"
},
{
"url": "https://git.kernel.org/stable/c/b921c288cd8abef9af5b59e056a63cc2c263a9e3"
},
{
"url": "https://git.kernel.org/stable/c/5ebf512f335053a42482ebff91e46c6dc156bf8c"
}
],
"title": "sched: Fix sched_numa_find_nth_cpu() if mask offline",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39895",
"datePublished": "2025-10-01T07:42:43.920Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:42:43.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39922 (GCVE-0-2025-39922)
Vulnerability from cvelistv5
Published
2025-10-01 07:55
Modified
2025-10-01 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ixgbe: fix incorrect map used in eee linkmode
incorrectly used ixgbe_lp_map in loops intended to populate the
supported and advertised EEE linkmode bitmaps based on ixgbe_ls_map.
This results in incorrect bit setting and potential out-of-bounds
access, since ixgbe_lp_map and ixgbe_ls_map have different sizes
and purposes.
ixgbe_lp_map[i] -> ixgbe_ls_map[i]
Use ixgbe_ls_map for supported and advertised linkmodes, and keep
ixgbe_lp_map usage only for link partner (lp_advertised) mapping.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "682105ab63826fb7ca7c112b42b478d156fbb19f",
"status": "affected",
"version": "9356b6db9d051e9d939dd0f9ae7a0514103ef228",
"versionType": "git"
},
{
"lessThan": "129c1cb8a081a02d99267cb51708f1326395f4e8",
"status": "affected",
"version": "9356b6db9d051e9d939dd0f9ae7a0514103ef228",
"versionType": "git"
},
{
"lessThan": "b7e5c3e3bfa9dc8af75ff6d8633ad7070e1985e4",
"status": "affected",
"version": "9356b6db9d051e9d939dd0f9ae7a0514103ef228",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nixgbe: fix incorrect map used in eee linkmode\n\nincorrectly used ixgbe_lp_map in loops intended to populate the\nsupported and advertised EEE linkmode bitmaps based on ixgbe_ls_map.\nThis results in incorrect bit setting and potential out-of-bounds\naccess, since ixgbe_lp_map and ixgbe_ls_map have different sizes\nand purposes.\n\nixgbe_lp_map[i] -\u003e ixgbe_ls_map[i]\n\nUse ixgbe_ls_map for supported and advertised linkmodes, and keep\nixgbe_lp_map usage only for link partner (lp_advertised) mapping."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:55:17.475Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/682105ab63826fb7ca7c112b42b478d156fbb19f"
},
{
"url": "https://git.kernel.org/stable/c/129c1cb8a081a02d99267cb51708f1326395f4e8"
},
{
"url": "https://git.kernel.org/stable/c/b7e5c3e3bfa9dc8af75ff6d8633ad7070e1985e4"
}
],
"title": "ixgbe: fix incorrect map used in eee linkmode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39922",
"datePublished": "2025-10-01T07:55:17.475Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T07:55:17.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39899 (GCVE-0-2025-39899)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE
With CONFIG_HIGHPTE on 32-bit ARM, move_pages_pte() maps PTE pages using
kmap_local_page(), which requires unmapping in Last-In-First-Out order.
The current code maps dst_pte first, then src_pte, but unmaps them in the
same order (dst_pte, src_pte), violating the LIFO requirement. This
causes the warning in kunmap_local_indexed():
WARNING: CPU: 0 PID: 604 at mm/highmem.c:622 kunmap_local_indexed+0x178/0x17c
addr \!= __fix_to_virt(FIX_KMAP_BEGIN + idx)
Fix this by reversing the unmap order to respect LIFO ordering.
This issue follows the same pattern as similar fixes:
- commit eca6828403b8 ("crypto: skcipher - fix mismatch between mapping and unmapping order")
- commit 8cf57c6df818 ("nilfs2: eliminate staggered calls to kunmap in nilfs_rename")
Both of which addressed the same fundamental requirement that kmap_local
operations must follow LIFO ordering.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/userfaultfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b051f707018967ea8f697d790a1ed8c443f63812",
"status": "affected",
"version": "adef440691bab824e39c1b17382322d195e1fab0",
"versionType": "git"
},
{
"lessThan": "bd1ee62759d0bd4d6b909731c076c230ac89d61e",
"status": "affected",
"version": "adef440691bab824e39c1b17382322d195e1fab0",
"versionType": "git"
},
{
"lessThan": "9614d8bee66387501f48718fa306e17f2aa3f2f3",
"status": "affected",
"version": "adef440691bab824e39c1b17382322d195e1fab0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/userfaultfd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE\n\nWith CONFIG_HIGHPTE on 32-bit ARM, move_pages_pte() maps PTE pages using\nkmap_local_page(), which requires unmapping in Last-In-First-Out order.\n\nThe current code maps dst_pte first, then src_pte, but unmaps them in the\nsame order (dst_pte, src_pte), violating the LIFO requirement. This\ncauses the warning in kunmap_local_indexed():\n\n WARNING: CPU: 0 PID: 604 at mm/highmem.c:622 kunmap_local_indexed+0x178/0x17c\n addr \\!= __fix_to_virt(FIX_KMAP_BEGIN + idx)\n\nFix this by reversing the unmap order to respect LIFO ordering.\n\nThis issue follows the same pattern as similar fixes:\n- commit eca6828403b8 (\"crypto: skcipher - fix mismatch between mapping and unmapping order\")\n- commit 8cf57c6df818 (\"nilfs2: eliminate staggered calls to kunmap in nilfs_rename\")\n\nBoth of which addressed the same fundamental requirement that kmap_local\noperations must follow LIFO ordering."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:47.100Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b051f707018967ea8f697d790a1ed8c443f63812"
},
{
"url": "https://git.kernel.org/stable/c/bd1ee62759d0bd4d6b909731c076c230ac89d61e"
},
{
"url": "https://git.kernel.org/stable/c/9614d8bee66387501f48718fa306e17f2aa3f2f3"
}
],
"title": "mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39899",
"datePublished": "2025-10-01T07:42:47.100Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:42:47.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39925 (GCVE-0-2025-39925)
Vulnerability from cvelistv5
Published
2025-10-01 08:07
Modified
2025-10-01 08:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: implement NETDEV_UNREGISTER notification handler
syzbot is reporting
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
problem, for j1939 protocol did not have NETDEV_UNREGISTER notification
handler for undoing changes made by j1939_sk_bind().
Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct
callback") expects that a call to j1939_priv_put() can be unconditionally
delayed until j1939_sk_sock_destruct() is called. But we need to call
j1939_priv_put() against an extra ref held by j1939_sk_bind() call
(as a part of undoing changes made by j1939_sk_bind()) as soon as
NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()
is called via j1939_sk_release()). Otherwise, the extra ref on "struct
j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from
dropping the usage count to 1; making it impossible for
unregister_netdevice() to continue.
[mkl: remove space in front of label]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/j1939-priv.h",
"net/can/j1939/main.c",
"net/can/j1939/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da9e8f429139928570407e8f90559b5d46c20262",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
},
{
"lessThan": "7fcbe5b2c6a4b5407bf2241fdb71e0a390f6ab9a",
"status": "affected",
"version": "9d71dd0c70099914fcd063135da3c580865e924c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/j1939-priv.h",
"net/can/j1939/main.c",
"net/can/j1939/socket.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: implement NETDEV_UNREGISTER notification handler\n\nsyzbot is reporting\n\n unregister_netdevice: waiting for vcan0 to become free. Usage count = 2\n\nproblem, for j1939 protocol did not have NETDEV_UNREGISTER notification\nhandler for undoing changes made by j1939_sk_bind().\n\nCommit 25fe97cb7620 (\"can: j1939: move j1939_priv_put() into sk_destruct\ncallback\") expects that a call to j1939_priv_put() can be unconditionally\ndelayed until j1939_sk_sock_destruct() is called. But we need to call\nj1939_priv_put() against an extra ref held by j1939_sk_bind() call\n(as a part of undoing changes made by j1939_sk_bind()) as soon as\nNETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct()\nis called via j1939_sk_release()). Otherwise, the extra ref on \"struct\nj1939_priv\" held by j1939_sk_bind() call prevents \"struct net_device\" from\ndropping the usage count to 1; making it impossible for\nunregister_netdevice() to continue.\n\n[mkl: remove space in front of label]"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T08:07:13.123Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da9e8f429139928570407e8f90559b5d46c20262"
},
{
"url": "https://git.kernel.org/stable/c/7fcbe5b2c6a4b5407bf2241fdb71e0a390f6ab9a"
}
],
"title": "can: j1939: implement NETDEV_UNREGISTER notification handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39925",
"datePublished": "2025-10-01T08:07:13.123Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T08:07:13.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39904 (GCVE-0-2025-39904)
Vulnerability from cvelistv5
Published
2025-10-01 07:44
Modified
2025-10-01 07:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: kexec: initialize kexec_buf struct in load_other_segments()
Patch series "kexec: Fix invalid field access".
The kexec_buf structure was previously declared without initialization.
commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
added a field that is always read but not consistently populated by all
architectures. This un-initialized field will contain garbage.
This is also triggering a UBSAN warning when the uninitialized data was
accessed:
------------[ cut here ]------------
UBSAN: invalid-load in ./include/linux/kexec.h:210:10
load of value 252 is not a valid value for type '_Bool'
Zero-initializing kexec_buf at declaration ensures all fields are cleanly
set, preventing future instances of uninitialized memory being used.
An initial fix was already landed for arm64[0], and this patchset fixes
the problem on the remaining arm64 code and on riscv, as raised by Mark.
Discussions about this problem could be found at[1][2].
This patch (of 3):
The kexec_buf structure was previously declared without initialization.
commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly")
added a field that is always read but not consistently populated by all
architectures. This un-initialized field will contain garbage.
This is also triggering a UBSAN warning when the uninitialized data was
accessed:
------------[ cut here ]------------
UBSAN: invalid-load in ./include/linux/kexec.h:210:10
load of value 252 is not a valid value for type '_Bool'
Zero-initializing kexec_buf at declaration ensures all fields are
cleanly set, preventing future instances of uninitialized memory being
used.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/machine_kexec_file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "340cc9a3bd30b25edaf6a9708d41b5f2c10a054a",
"status": "affected",
"version": "bf454ec31add6790f6cdc88328e38901fcbbade6",
"versionType": "git"
},
{
"lessThan": "04d3cd43700a2d0fe4bfb1012a8ec7f2e34a3507",
"status": "affected",
"version": "bf454ec31add6790f6cdc88328e38901fcbbade6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kernel/machine_kexec_file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: kexec: initialize kexec_buf struct in load_other_segments()\n\nPatch series \"kexec: Fix invalid field access\".\n\nThe kexec_buf structure was previously declared without initialization. \ncommit bf454ec31add (\"kexec_file: allow to place kexec_buf randomly\")\nadded a field that is always read but not consistently populated by all\narchitectures. This un-initialized field will contain garbage.\n\nThis is also triggering a UBSAN warning when the uninitialized data was\naccessed:\n\n\t------------[ cut here ]------------\n\tUBSAN: invalid-load in ./include/linux/kexec.h:210:10\n\tload of value 252 is not a valid value for type \u0027_Bool\u0027\n\nZero-initializing kexec_buf at declaration ensures all fields are cleanly\nset, preventing future instances of uninitialized memory being used.\n\nAn initial fix was already landed for arm64[0], and this patchset fixes\nthe problem on the remaining arm64 code and on riscv, as raised by Mark.\n\nDiscussions about this problem could be found at[1][2].\n\n\nThis patch (of 3):\n\nThe kexec_buf structure was previously declared without initialization.\ncommit bf454ec31add (\"kexec_file: allow to place kexec_buf randomly\")\nadded a field that is always read but not consistently populated by all\narchitectures. This un-initialized field will contain garbage.\n\nThis is also triggering a UBSAN warning when the uninitialized data was\naccessed:\n\n\t------------[ cut here ]------------\n\tUBSAN: invalid-load in ./include/linux/kexec.h:210:10\n\tload of value 252 is not a valid value for type \u0027_Bool\u0027\n\nZero-initializing kexec_buf at declaration ensures all fields are\ncleanly set, preventing future instances of uninitialized memory being\nused."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:44:27.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/340cc9a3bd30b25edaf6a9708d41b5f2c10a054a"
},
{
"url": "https://git.kernel.org/stable/c/04d3cd43700a2d0fe4bfb1012a8ec7f2e34a3507"
}
],
"title": "arm64: kexec: initialize kexec_buf struct in load_other_segments()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39904",
"datePublished": "2025-10-01T07:44:27.739Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:44:27.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39897 (GCVE-0-2025-39897)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: xilinx: axienet: Add error handling for RX metadata pointer retrieval
Add proper error checking for dmaengine_desc_get_metadata_ptr() which
can return an error pointer and lead to potential crashes or undefined
behaviour if the pointer retrieval fails.
Properly handle the error by unmapping DMA buffer, freeing the skb and
returning early to prevent further processing with invalid data.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/xilinx/xilinx_axienet_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0ecda6fdd840b406df6617b003b036f65dd8926",
"status": "affected",
"version": "6a91b846af85a24241decd686269e8e038eb13d1",
"versionType": "git"
},
{
"lessThan": "92e2fc92bc4eb2bc0e84404316fbc02ddd0a3196",
"status": "affected",
"version": "6a91b846af85a24241decd686269e8e038eb13d1",
"versionType": "git"
},
{
"lessThan": "8bbceba7dc5090c00105e006ce28d1292cfda8dd",
"status": "affected",
"version": "6a91b846af85a24241decd686269e8e038eb13d1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/xilinx/xilinx_axienet_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xilinx: axienet: Add error handling for RX metadata pointer retrieval\n\nAdd proper error checking for dmaengine_desc_get_metadata_ptr() which\ncan return an error pointer and lead to potential crashes or undefined\nbehaviour if the pointer retrieval fails.\n\nProperly handle the error by unmapping DMA buffer, freeing the skb and\nreturning early to prevent further processing with invalid data."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:45.593Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0ecda6fdd840b406df6617b003b036f65dd8926"
},
{
"url": "https://git.kernel.org/stable/c/92e2fc92bc4eb2bc0e84404316fbc02ddd0a3196"
},
{
"url": "https://git.kernel.org/stable/c/8bbceba7dc5090c00105e006ce28d1292cfda8dd"
}
],
"title": "net: xilinx: axienet: Add error handling for RX metadata pointer retrieval",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39897",
"datePublished": "2025-10-01T07:42:45.593Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:42:45.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39920 (GCVE-0-2025-39920)
Vulnerability from cvelistv5
Published
2025-10-01 07:55
Modified
2025-11-03 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
pcmcia: Add error handling for add_interval() in do_validate_mem()
In the do_validate_mem(), the call to add_interval() does not
handle errors. If kmalloc() fails in add_interval(), it could
result in a null pointer being inserted into the linked list,
leading to illegal memory access when sub_interval() is called
next.
This patch adds an error handling for the add_interval(). If
add_interval() returns an error, the function will return early
with the error code.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a Version: 7b4884ca8853a638df0eb5d251d80d67777b8b1a |
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:44:40.739Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_nonstatic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b60ed401b47897352c520bc724c85aa908dedcc",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "ae184024ef31423e5beb44cf4f52999bbcf2fe5b",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "85be7ef8c8e792a414940a38d94565dd48d2f236",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "06b26e3099207c94b3d1be8565aedc6edc4f0a60",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "8699358b6ac99b8ccc97ed9e6e3669ef8958ef7b",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "289b58f8ff3198d091074a751d6b8f6827726f3e",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "369bf6e241506583f4ee7593c53b92e5a9f271b4",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
},
{
"lessThan": "4a81f78caa53e0633cf311ca1526377d9bff7479",
"status": "affected",
"version": "7b4884ca8853a638df0eb5d251d80d67777b8b1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pcmcia/rsrc_nonstatic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.243",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.151",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.105",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.299",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.243",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.192",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.151",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.105",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npcmcia: Add error handling for add_interval() in do_validate_mem()\n\nIn the do_validate_mem(), the call to add_interval() does not\nhandle errors. If kmalloc() fails in add_interval(), it could\nresult in a null pointer being inserted into the linked list,\nleading to illegal memory access when sub_interval() is called\nnext.\n\nThis patch adds an error handling for the add_interval(). If\nadd_interval() returns an error, the function will return early\nwith the error code."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:55:15.731Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b60ed401b47897352c520bc724c85aa908dedcc"
},
{
"url": "https://git.kernel.org/stable/c/ae184024ef31423e5beb44cf4f52999bbcf2fe5b"
},
{
"url": "https://git.kernel.org/stable/c/85be7ef8c8e792a414940a38d94565dd48d2f236"
},
{
"url": "https://git.kernel.org/stable/c/06b26e3099207c94b3d1be8565aedc6edc4f0a60"
},
{
"url": "https://git.kernel.org/stable/c/8699358b6ac99b8ccc97ed9e6e3669ef8958ef7b"
},
{
"url": "https://git.kernel.org/stable/c/289b58f8ff3198d091074a751d6b8f6827726f3e"
},
{
"url": "https://git.kernel.org/stable/c/369bf6e241506583f4ee7593c53b92e5a9f271b4"
},
{
"url": "https://git.kernel.org/stable/c/4a81f78caa53e0633cf311ca1526377d9bff7479"
}
],
"title": "pcmcia: Add error handling for add_interval() in do_validate_mem()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39920",
"datePublished": "2025-10-01T07:55:15.731Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-11-03T17:44:40.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39900 (GCVE-0-2025-39900)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y
syzbot reported a WARNING in est_timer() [1]
Problem here is that with CONFIG_PREEMPT_RT=y, timer callbacks
can be preempted.
Adopt preempt_disable_nested()/preempt_enable_nested() to fix this.
[1]
WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 __seqprop_assert include/linux/seqlock.h:221 [inline]
WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93
Modules linked in:
CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:__seqprop_assert include/linux/seqlock.h:221 [inline]
RIP: 0010:est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93
Call Trace:
<TASK>
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x648/0x970 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
handle_softirqs+0x22c/0x710 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
run_ktimerd+0xcf/0x190 kernel/softirq.c:1043
smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gen_estimator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a22ec2ee824be30803068a52f78f7ffe3bc879fb",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
},
{
"lessThan": "e79923824c48b930609680be04cb29253fc4a17d",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
},
{
"lessThan": "9f74c0ea9b26d1505d55b61e36b1623dd347e1d1",
"status": "affected",
"version": "d2d6422f8bd17c6bb205133e290625a564194496",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gen_estimator.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y\n\nsyzbot reported a WARNING in est_timer() [1]\n\nProblem here is that with CONFIG_PREEMPT_RT=y, timer callbacks\ncan be preempted.\n\nAdopt preempt_disable_nested()/preempt_enable_nested() to fix this.\n\n[1]\n WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 __seqprop_assert include/linux/seqlock.h:221 [inline]\n WARNING: CPU: 0 PID: 16 at ./include/linux/seqlock.h:221 est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93\nModules linked in:\nCPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:__seqprop_assert include/linux/seqlock.h:221 [inline]\n RIP: 0010:est_timer+0x6dc/0x9f0 net/core/gen_estimator.c:93\nCall Trace:\n \u003cTASK\u003e\n call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\n expire_timers kernel/time/timer.c:1798 [inline]\n __run_timers kernel/time/timer.c:2372 [inline]\n __run_timer_base+0x648/0x970 kernel/time/timer.c:2384\n run_timer_base kernel/time/timer.c:2393 [inline]\n run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\n handle_softirqs+0x22c/0x710 kernel/softirq.c:579\n __do_softirq kernel/softirq.c:613 [inline]\n run_ktimerd+0xcf/0x190 kernel/softirq.c:1043\n smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:47.785Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a22ec2ee824be30803068a52f78f7ffe3bc879fb"
},
{
"url": "https://git.kernel.org/stable/c/e79923824c48b930609680be04cb29253fc4a17d"
},
{
"url": "https://git.kernel.org/stable/c/9f74c0ea9b26d1505d55b61e36b1623dd347e1d1"
}
],
"title": "net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39900",
"datePublished": "2025-10-01T07:42:47.785Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:42:47.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39921 (GCVE-0-2025-39921)
Vulnerability from cvelistv5
Published
2025-10-01 07:55
Modified
2025-10-01 07:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: microchip-core-qspi: stop checking viability of op->max_freq in supports_op callback
In commit 13529647743d9 ("spi: microchip-core-qspi: Support per spi-mem
operation frequency switches") the logic for checking the viability of
op->max_freq in mchp_coreqspi_setup_clock() was copied into
mchp_coreqspi_supports_op(). Unfortunately, op->max_freq is not valid
when this function is called during probe but is instead zero.
Accordingly, baud_rate_val is calculated to be INT_MAX due to division
by zero, causing probe of the attached memory device to fail.
Seemingly spi-microchip-core-qspi was the only driver that had such a
modification made to its supports_op callback when the per_op_freq
capability was added, so just remove it to restore prior functionality.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-microchip-core-qspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ac8a13f35d5b8996582b3f97b924838a5c570c18",
"status": "affected",
"version": "13529647743d906ed3cf991f1d77727e7ff1fb6f",
"versionType": "git"
},
{
"lessThan": "89e7353f522f5cf70cb48c01ce2dcdcb275b8022",
"status": "affected",
"version": "13529647743d906ed3cf991f1d77727e7ff1fb6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-microchip-core-qspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: microchip-core-qspi: stop checking viability of op-\u003emax_freq in supports_op callback\n\nIn commit 13529647743d9 (\"spi: microchip-core-qspi: Support per spi-mem\noperation frequency switches\") the logic for checking the viability of\nop-\u003emax_freq in mchp_coreqspi_setup_clock() was copied into\nmchp_coreqspi_supports_op(). Unfortunately, op-\u003emax_freq is not valid\nwhen this function is called during probe but is instead zero.\nAccordingly, baud_rate_val is calculated to be INT_MAX due to division\nby zero, causing probe of the attached memory device to fail.\n\nSeemingly spi-microchip-core-qspi was the only driver that had such a\nmodification made to its supports_op callback when the per_op_freq\ncapability was added, so just remove it to restore prior functionality."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:55:16.540Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ac8a13f35d5b8996582b3f97b924838a5c570c18"
},
{
"url": "https://git.kernel.org/stable/c/89e7353f522f5cf70cb48c01ce2dcdcb275b8022"
}
],
"title": "spi: microchip-core-qspi: stop checking viability of op-\u003emax_freq in supports_op callback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39921",
"datePublished": "2025-10-01T07:55:16.540Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T07:55:16.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39901 (GCVE-0-2025-39901)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: remove read access to debugfs files
The 'command' and 'netdev_ops' debugfs files are a legacy debugging
interface supported by the i40e driver since its early days by commit
02e9c290814c ("i40e: debugfs interface").
Both of these debugfs files provide a read handler which is mostly useless,
and which is implemented with questionable logic. They both use a static
256 byte buffer which is initialized to the empty string. In the case of
the 'command' file this buffer is literally never used and simply wastes
space. In the case of the 'netdev_ops' file, the last command written is
saved here.
On read, the files contents are presented as the name of the device
followed by a colon and then the contents of their respective static
buffer. For 'command' this will always be "<device>: ". For 'netdev_ops',
this will be "<device>: <last command written>". But note the buffer is
shared between all devices operated by this module. At best, it is mostly
meaningless information, and at worse it could be accessed simultaneously
as there doesn't appear to be any locking mechanism.
We have also recently received multiple reports for both read functions
about their use of snprintf and potential overflow that could result in
reading arbitrary kernel memory. For the 'command' file, this is definitely
impossible, since the static buffer is always zero and never written to.
For the 'netdev_ops' file, it does appear to be possible, if the user
carefully crafts the command input, it will be copied into the buffer,
which could be large enough to cause snprintf to truncate, which then
causes the copy_to_user to read beyond the length of the buffer allocated
by kzalloc.
A minimal fix would be to replace snprintf() with scnprintf() which would
cap the return to the number of bytes written, preventing an overflow. A
more involved fix would be to drop the mostly useless static buffers,
saving 512 bytes and modifying the read functions to stop needing those as
input.
Instead, lets just completely drop the read access to these files. These
are debug interfaces exposed as part of debugfs, and I don't believe that
dropping read access will break any script, as the provided output is
pretty useless. You can find the netdev name through other more standard
interfaces, and the 'netdev_ops' interface can easily result in garbage if
you issue simultaneous writes to multiple devices at once.
In order to properly remove the i40e_dbg_netdev_ops_buf, we need to
refactor its write function to avoid using the static buffer. Instead, use
the same logic as the i40e_dbg_command_write, with an allocated buffer.
Update the code to use this instead of the static buffer, and ensure we
free the buffer on exit. This fixes simultaneous writes to 'netdev_ops' on
multiple devices, and allows us to remove the now unused static buffer
along with removing the read access.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "70d3dad7d5ad077965d7a63eed1942b7ba49bfb4",
"status": "affected",
"version": "02e9c290814cc143ceccecb14eac3e7a05da745e",
"versionType": "git"
},
{
"lessThan": "7d190963b80f4cd99d7008615600aa7cc993c6ba",
"status": "affected",
"version": "02e9c290814cc143ceccecb14eac3e7a05da745e",
"versionType": "git"
},
{
"lessThan": "9fcdb1c3c4ba134434694c001dbff343f1ffa319",
"status": "affected",
"version": "02e9c290814cc143ceccecb14eac3e7a05da745e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: remove read access to debugfs files\n\nThe \u0027command\u0027 and \u0027netdev_ops\u0027 debugfs files are a legacy debugging\ninterface supported by the i40e driver since its early days by commit\n02e9c290814c (\"i40e: debugfs interface\").\n\nBoth of these debugfs files provide a read handler which is mostly useless,\nand which is implemented with questionable logic. They both use a static\n256 byte buffer which is initialized to the empty string. In the case of\nthe \u0027command\u0027 file this buffer is literally never used and simply wastes\nspace. In the case of the \u0027netdev_ops\u0027 file, the last command written is\nsaved here.\n\nOn read, the files contents are presented as the name of the device\nfollowed by a colon and then the contents of their respective static\nbuffer. For \u0027command\u0027 this will always be \"\u003cdevice\u003e: \". For \u0027netdev_ops\u0027,\nthis will be \"\u003cdevice\u003e: \u003clast command written\u003e\". But note the buffer is\nshared between all devices operated by this module. At best, it is mostly\nmeaningless information, and at worse it could be accessed simultaneously\nas there doesn\u0027t appear to be any locking mechanism.\n\nWe have also recently received multiple reports for both read functions\nabout their use of snprintf and potential overflow that could result in\nreading arbitrary kernel memory. For the \u0027command\u0027 file, this is definitely\nimpossible, since the static buffer is always zero and never written to.\nFor the \u0027netdev_ops\u0027 file, it does appear to be possible, if the user\ncarefully crafts the command input, it will be copied into the buffer,\nwhich could be large enough to cause snprintf to truncate, which then\ncauses the copy_to_user to read beyond the length of the buffer allocated\nby kzalloc.\n\nA minimal fix would be to replace snprintf() with scnprintf() which would\ncap the return to the number of bytes written, preventing an overflow. A\nmore involved fix would be to drop the mostly useless static buffers,\nsaving 512 bytes and modifying the read functions to stop needing those as\ninput.\n\nInstead, lets just completely drop the read access to these files. These\nare debug interfaces exposed as part of debugfs, and I don\u0027t believe that\ndropping read access will break any script, as the provided output is\npretty useless. You can find the netdev name through other more standard\ninterfaces, and the \u0027netdev_ops\u0027 interface can easily result in garbage if\nyou issue simultaneous writes to multiple devices at once.\n\nIn order to properly remove the i40e_dbg_netdev_ops_buf, we need to\nrefactor its write function to avoid using the static buffer. Instead, use\nthe same logic as the i40e_dbg_command_write, with an allocated buffer.\nUpdate the code to use this instead of the static buffer, and ensure we\nfree the buffer on exit. This fixes simultaneous writes to \u0027netdev_ops\u0027 on\nmultiple devices, and allows us to remove the now unused static buffer\nalong with removing the read access."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:48.606Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/70d3dad7d5ad077965d7a63eed1942b7ba49bfb4"
},
{
"url": "https://git.kernel.org/stable/c/7d190963b80f4cd99d7008615600aa7cc993c6ba"
},
{
"url": "https://git.kernel.org/stable/c/9fcdb1c3c4ba134434694c001dbff343f1ffa319"
}
],
"title": "i40e: remove read access to debugfs files",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39901",
"datePublished": "2025-10-01T07:42:48.606Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:42:48.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39903 (GCVE-0-2025-39903)
Vulnerability from cvelistv5
Published
2025-10-01 07:42
Modified
2025-10-01 07:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
of_numa: fix uninitialized memory nodes causing kernel panic
When there are memory-only nodes (nodes without CPUs), these nodes are not
properly initialized, causing kernel panic during boot.
of_numa_init
of_numa_parse_cpu_nodes
node_set(nid, numa_nodes_parsed);
of_numa_parse_memory_nodes
In of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes
containing CPUs. Memory-only nodes should have been updated in
of_numa_parse_memory_nodes, but they weren't.
Subsequently, when free_area_init() attempts to access NODE_DATA() for
these uninitialized memory nodes, the kernel panics due to NULL pointer
dereference.
This can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes:
qemu-system-aarch64 \
-cpu host -nographic \
-m 4G -smp 1 \
-machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \
-object memory-backend-ram,size=2G,id=mem0 \
-object memory-backend-ram,size=2G,id=mem1 \
-numa node,nodeid=0,memdev=mem0 \
-numa node,nodeid=1,memdev=mem1 \
-kernel $IMAGE \
-hda $DISK \
-append "console=ttyAMA0 root=/dev/vda rw earlycon"
[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010]
[ 0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025
[ 0.000000] KASLR enabled
[ 0.000000] random: crng init done
[ 0.000000] Machine model: linux,dummy-virt
[ 0.000000] efi: UEFI not found.
[ 0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options '')
[ 0.000000] printk: legacy bootconsole [pl11] enabled
[ 0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT
[ 0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff]
[ 0.000000] node 1 must be removed before remove section 23
[ 0.000000] Zone ranges:
[ 0.000000] DMA [mem 0x0000000040000000-0x00000000ffffffff]
[ 0.000000] DMA32 empty
[ 0.000000] Normal [mem 0x0000000100000000-0x000000013fffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000040000000-0x00000000bfffffff]
[ 0.000000] node 1: [mem 0x00000000c0000000-0x000000013fffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]
[ 0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[ 0.000000] Mem abort info:
[ 0.000000] ESR = 0x0000000096000004
[ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits
[ 0.000000] SET = 0, FnV = 0
[ 0.000000] EA = 0, S1PTW = 0
[ 0.000000] FSC = 0x04: level 0 translation fault
[ 0.000000] Data abort info:
[ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 0.000000] [00000000000000a0] user address but active_mm is swapper
[ 0.000000] Internal error: Oops: 0000000096000004 [#1] SMP
[ 0.000000] Modules linked in:
[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT
[ 0.000000] Hardware name: linux,dummy-virt (DT)
[ 0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 0.000000] pc : free_area_init+0x50c/0xf9c
[ 0.000000] lr : free_area_init+0x5c0/0xf9c
[ 0.000000] sp : ffffa02ca0f33c00
[ 0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000
[ 0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000
[ 0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368
[ 0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002
[ 0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001
[ 0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002
[ 0.0
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/of/of_numa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c2daa6eb4740720b5bd0e06267d7c93a3eed844e",
"status": "affected",
"version": "767507654c22578ea0b51d181211b2e7714ea7cd",
"versionType": "git"
},
{
"lessThan": "f3286ad8eeae15fd4bd5c12f9adfe888b26baf62",
"status": "affected",
"version": "767507654c22578ea0b51d181211b2e7714ea7cd",
"versionType": "git"
},
{
"lessThan": "ee4d098cbc9160f573b5c1b5a51d6158efdb2896",
"status": "affected",
"version": "767507654c22578ea0b51d181211b2e7714ea7cd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/of/of_numa.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.6",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nof_numa: fix uninitialized memory nodes causing kernel panic\n\nWhen there are memory-only nodes (nodes without CPUs), these nodes are not\nproperly initialized, causing kernel panic during boot.\n\nof_numa_init\n\tof_numa_parse_cpu_nodes\n\t\tnode_set(nid, numa_nodes_parsed);\n\tof_numa_parse_memory_nodes\n\nIn of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes\ncontaining CPUs. Memory-only nodes should have been updated in\nof_numa_parse_memory_nodes, but they weren\u0027t.\n\nSubsequently, when free_area_init() attempts to access NODE_DATA() for\nthese uninitialized memory nodes, the kernel panics due to NULL pointer\ndereference.\n\nThis can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes:\n\nqemu-system-aarch64 \\\n-cpu host -nographic \\\n-m 4G -smp 1 \\\n-machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \\\n-object memory-backend-ram,size=2G,id=mem0 \\\n-object memory-backend-ram,size=2G,id=mem1 \\\n-numa node,nodeid=0,memdev=mem0 \\\n-numa node,nodeid=1,memdev=mem1 \\\n-kernel $IMAGE \\\n-hda $DISK \\\n-append \"console=ttyAMA0 root=/dev/vda rw earlycon\"\n\n[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010]\n[ 0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025\n[ 0.000000] KASLR enabled\n[ 0.000000] random: crng init done\n[ 0.000000] Machine model: linux,dummy-virt\n[ 0.000000] efi: UEFI not found.\n[ 0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options \u0027\u0027)\n[ 0.000000] printk: legacy bootconsole [pl11] enabled\n[ 0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT\n[ 0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff]\n[ 0.000000] node 1 must be removed before remove section 23\n[ 0.000000] Zone ranges:\n[ 0.000000] DMA [mem 0x0000000040000000-0x00000000ffffffff]\n[ 0.000000] DMA32 empty\n[ 0.000000] Normal [mem 0x0000000100000000-0x000000013fffffff]\n[ 0.000000] Movable zone start for each node\n[ 0.000000] Early memory node ranges\n[ 0.000000] node 0: [mem 0x0000000040000000-0x00000000bfffffff]\n[ 0.000000] node 1: [mem 0x00000000c0000000-0x000000013fffffff]\n[ 0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]\n[ 0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[ 0.000000] Mem abort info:\n[ 0.000000] ESR = 0x0000000096000004\n[ 0.000000] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 0.000000] SET = 0, FnV = 0\n[ 0.000000] EA = 0, S1PTW = 0\n[ 0.000000] FSC = 0x04: level 0 translation fault\n[ 0.000000] Data abort info:\n[ 0.000000] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[ 0.000000] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 0.000000] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 0.000000] [00000000000000a0] user address but active_mm is swapper\n[ 0.000000] Internal error: Oops: 0000000096000004 [#1] SMP\n[ 0.000000] Modules linked in:\n[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT\n[ 0.000000] Hardware name: linux,dummy-virt (DT)\n[ 0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 0.000000] pc : free_area_init+0x50c/0xf9c\n[ 0.000000] lr : free_area_init+0x5c0/0xf9c\n[ 0.000000] sp : ffffa02ca0f33c00\n[ 0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000\n[ 0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000\n[ 0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368\n[ 0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002\n[ 0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001\n[ 0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002\n[ 0.0\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T07:42:50.215Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c2daa6eb4740720b5bd0e06267d7c93a3eed844e"
},
{
"url": "https://git.kernel.org/stable/c/f3286ad8eeae15fd4bd5c12f9adfe888b26baf62"
},
{
"url": "https://git.kernel.org/stable/c/ee4d098cbc9160f573b5c1b5a51d6158efdb2896"
}
],
"title": "of_numa: fix uninitialized memory nodes causing kernel panic",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39903",
"datePublished": "2025-10-01T07:42:50.215Z",
"dateReserved": "2025-04-16T07:20:57.146Z",
"dateUpdated": "2025-10-01T07:42:50.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-39926 (GCVE-0-2025-39926)
Vulnerability from cvelistv5
Published
2025-10-01 08:07
Modified
2025-10-01 08:07
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
genetlink: fix genl_bind() invoking bind() after -EPERM
Per family bind/unbind callbacks were introduced to allow families
to track multicast group consumer presence, e.g. to start or stop
producing events depending on listeners.
However, in genl_bind() the bind() callback was invoked even if
capability checks failed and ret was set to -EPERM. This means that
callbacks could run on behalf of unauthorized callers while the
syscall still returned failure to user space.
Fix this by only invoking bind() after "if (ret) break;" check
i.e. after permission checks have succeeded.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netlink/genetlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98c9d884047a3051c203708914a874dece3cbe54",
"status": "affected",
"version": "3de21a8990d3c2cc507e9cc4ed00f36358d5b93e",
"versionType": "git"
},
{
"lessThan": "8858c1e9405906c09589d7c336f04058ea198207",
"status": "affected",
"version": "3de21a8990d3c2cc507e9cc4ed00f36358d5b93e",
"versionType": "git"
},
{
"lessThan": "1dbfb0363224f6da56f6655d596dc5097308d6f5",
"status": "affected",
"version": "3de21a8990d3c2cc507e9cc4ed00f36358d5b93e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netlink/genetlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.48",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.48",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.8",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenetlink: fix genl_bind() invoking bind() after -EPERM\n\nPer family bind/unbind callbacks were introduced to allow families\nto track multicast group consumer presence, e.g. to start or stop\nproducing events depending on listeners.\n\nHowever, in genl_bind() the bind() callback was invoked even if\ncapability checks failed and ret was set to -EPERM. This means that\ncallbacks could run on behalf of unauthorized callers while the\nsyscall still returned failure to user space.\n\nFix this by only invoking bind() after \"if (ret) break;\" check\ni.e. after permission checks have succeeded."
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T08:07:13.883Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98c9d884047a3051c203708914a874dece3cbe54"
},
{
"url": "https://git.kernel.org/stable/c/8858c1e9405906c09589d7c336f04058ea198207"
},
{
"url": "https://git.kernel.org/stable/c/1dbfb0363224f6da56f6655d596dc5097308d6f5"
}
],
"title": "genetlink: fix genl_bind() invoking bind() after -EPERM",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39926",
"datePublished": "2025-10-01T08:07:13.883Z",
"dateReserved": "2025-04-16T07:20:57.147Z",
"dateUpdated": "2025-10-01T08:07:13.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…